1. Auditing Overview for Employee Benefit Plans Pugh & Company, P.C.
2. 08/2010 PUGH & COMPANY, P.C. 2 Learning Objectives
Provide an overview of the audit process including:
Risk assessment
Significant audit areas
Actuarial assumptions
SAS 70 reports
Terminating plans
3. Risk Assessment: Summary of Risk Assessment Standards
Objectives of risk assessment standards
Understanding of the entity
Assessment of risk
Improve linkage between assessed risk and work performed
Assessment process
Continuous process - must occur throughout the audit
Evaluation of audit findings (questions to ask throughout the process)
Has audit risk been reduced to acceptably low level?
Has risk of material misstatement been reduced to an acceptably low level?
If the answer is no to either of these, the audit is not complete.
4. Risk Assessment Process
Procedures Performed
Preliminary engagement activities.
Inquiries of plan management and others.
Preliminary analytical procedures.
Observation and inspection.
Discussion among the engagement team.
Understanding Obtained
Industry, regulatory, and other external factors.
Nature of the plan.
Objectives, strategies, and related business risks.
Measurement and review of the plan's financial performance.
Internal control.
Selection and application of accounting policies.
Fraud risk factors.
Decisions and Judgments Made
Decisions at the Financial Statement Level:
Materiality at the financial statement level.
Materiality for particular items of lesser amounts.
Risks of material misstatement at the financial statement level.
Overall audit strategy.
Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:
Tolerable misstatement.
Risks of material misstatement at the relevant assertion level, including identification of significant risks.
Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).
5. Risk Assessment: Materiality
Based on economic conditions you might expect a lower materiality level.
Lower materiality levels may add additional time to the job.
Need to be efficient in selecting audit steps in the risk assessment process.
6. Risk Assessment: Materiality…
Documentation
Need to document basis for materiality
Need to document any changes in materiality that occur during the audit and how they were determined
Contributions (special bonus/special compensation)
Need to document lower level of planning materiality for certain items
Administrative expenses (declining profitability of plan sponsor)
7. Risk Assessment: Understanding the Plan and Its Environment
The Plan
Review plan document
Consider summarizing significant information
Document flow of information
Plan sponsor
Record keeper
Custodian
Trustee
Actuary
8. Risk Assessment: Understanding the Plan
Records
Where are they located?
How do we gain access to the data?
Specific plan investments
Are there hard to value assets?
GICs
Information technology
How is information communicated between
Plan sponsor?
Service organization?
Participants?
9. Risk Assessment: Understanding the Plan Sponsor’s Industry
Consider factors affecting the industry that could affect the plan
Decreased sales
Increased costs
Layoffs
Cash flow problems
Increased risk of bankruptcy
Increased incentive to minimize expenses through
Misallocation of required employer contributions
Misuse of forfeitures
Shifting plan administrative expenses directly to plan
10. Risk Assessment: Understanding Plan Sponsor
Consider interviewing plan sponsor employees
Owners
Key Management
Participants (especially in ESOP)
Ask
What do they know about the plan?
How do they conduct transactions?
What are their expectations?
Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process
11. Risk Assessment: Understanding Plan Sponsor
Interview dos and don’ts
Dos
Face to face interviews
Interview personnel involved in all aspects of the plan’s operations
Share hypothetical situation to initiate fraud discussion
Treatment of lost participants and the related fraud opportunities
How and how often contribution reconciliations are performed
Don’ts
Conduct the interview in the presence of other client employees
E-mail questions to management
Interview only the primary audit contact
Ask only yes and no questions
12. Risk Assessment: Understanding the Design and Implementation of Internal Controls
Who is ultimately responsible for properly implementing and operating an employee benefit plan?
The plan sponsor
The responsibility for the plan cannot be passed to the service providers
Implementation of appropriate monitoring controls is critical where plan operations are outsourced
13. Risk Assessment: Understanding Internal Controls
Plan administration controls
Determining plan provisions
Establishment of the investment policy
Authorization of certain transactions
Monitoring and on-going evaluation of service providers
14. Risk Assessment: Understanding Internal Controls…
Entity level controls – who is in charge of the plan
Monitoring (board of directors)
Personnel (hiring, training, evaluations)
Integrity and ethics (ethics policies)
Segregation of duties (protection of assets)
15. Risk Assessment: Understanding Internal Controls…
Transaction level controls
Eligibility determination
Contributions
Distributions
Investment transactions
Allocation to participants’ accounts (currently a hot topic in the industry)
Forfeitures (currently a hot topic in the industry)
Plan fees (currently a hot topic in the industry)
Participant investment elections
Transfers, mergers, new plan setups
16. Risk Assessment: Understanding Internal Controls…
Unique control environment
Important to understand and document who does what
Significant controls may be outsourced to third parties
Certain areas may have shared responsibilities
A control at one entity might mitigate risk in another area (e.g. vesting)
17. Risk Assessment: Understanding Internal Controls…
Participant Controls
How many people open their statement, reconcile it to the payroll deductions, recalculate employer contributions, recalculate allocations, and review investment losses?
Can we rely on the participant to contribute to the internal control structure?
They may not understand the internal control process
They may not open their statement on a regular basis
They may not know what to look for
The internal control process is not their responsibility unless we directly ask them to review a confirmation
We should not rely on this to reduce control risk
18. Risk Assessment: Documentation of Internal Controls
Identify individual audit areas and related control objectives
Consider classes of transactions
Activity in participant’s account
Existence and occurrence
Account balances
Investments
Receivables
Payables
Disclosures
19. Risk Assessment: Documentation of Internal Controls…
Document controls
Client memo and flowcharts
Incorporate reference to SAS 70 controls when appropriate
Verification through walkthroughs
Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective
Consider missing steps in the control process
20. Risk Assessment: Documentation of Internal Controls…
Engagement team discussion
Fraud
Error
Ask “what could go wrong?”
Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion?
Must be tailored to each plan – cannot rely on one discussion for all plans
Consider the uniqueness of the various plans
21. Risk Assessment: Challenges of an Employee Benefit Plan Audit
When assessing risk keep the following in mind
Many clients see the audit as a “necessary evil”
Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented
Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight
Overuse or underuse of the SAS 70
22. Risk Assessment: Policies and Procedures of the Plan Administrator Related to the Service Organization
Plan administrator should have an understanding of what the service organization does and what controls are in place
They should be reviewing the SAS 70 annually
23. Risk Assessment: Policies and Procedures …
Reconciliation of participant accounts to service organization records should be performed on a timely basis
Payroll information should be reconciled to the contribution records
In total
By participant
Reconciling census data provided to service organization to appropriate payroll records
The audit cannot be the control
24. Risk Assessment: Policies and Procedures …
Consider who has access to the data provided to the service organization and the ability to make changes to override controls
CFO/Controller
Human resources
Payroll
IT
25. Risk Assessment: Other Procedures of the Plan Administrator
Document transactions that are approved
Contributions
Use of forfeitures
Distributions
Meet with investment manager
Audit consequences
Document policies and procedures
Consider management points related to significant deficiencies
26. Significant Audit Areas
Participant data
Payroll
Cash
Investments
Contributions received and receivable
Benefit payments
Investment income
Fees and Expenses
Actuarial Assumptions
Form 5500
SAS 70
Terminating Plans
27. Participant Data & Payroll
Objectives include determining:
Whether all covered employees have been properly included in employee eligibility records
Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary
28. Participant Data & Payroll
Types of data to be tested:
Demographic – birth date, hire date
Payroll data – wage rate, hours worked, earnings, contributions to the plan
29. Participant Data & Payroll
Examples of substantive procedures
Recalculate payroll for selected participants for one or more pay periods
Trace individual payrolls from the payroll journal to the participants’ earnings records
Review personnel files for hiring notice, pay rate, birth date, termination date
30. Cash
Typically small
If held under a trust agreement or under an insurance contract, confirmations are usually adequate
If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate
31. Investments
Limited Scope Audit
Obtain and read a copy of the certification
Determine whether the entity issuing the certification is a qualifying institution under DOL regs
Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures
32. Investments
If the auditor becomes aware that the certified information may be incomplete or inaccurate, the auditor should instruct the plan administrator to:
Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values, or recertify or amend the certification to exclude such investments from the limited scope certification; or
Instruct the auditor to perform full scope procedures on such investments excluded from the certification
If not done, the auditor should consider modifying his or her report
33. Investments
Full Scope Audit
Determine nature and location of investments from minutes, agreements with custodians, advisors, etc.
Obtain or prepare a schedule of investments showing beginning balance, purchases, sales, and ending balance
Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivatives.
34. Investments
Full Scope Audit (cont.)
Confirm investments held by third-party custodians
Perform analytical procedures on average and ending balances
Test investment income
Test fair value
Test the calculation of unrealized gains and losses
35. Stable Value Funds & GICs
GICs - Audit Considerations
Obtain, read and evaluate the GIC contract
Maturity dates, minimum crediting rates, rate resets.
Is the contract fully benefit responsive?
Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer.
Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0%
Contract requires all participant-initiated transactions to occur at contract value
An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring
The plan must allow participants reasonable access to their funds
Confirm principal and income with Insurance Company/Counterparty.
Assess credit quality of the issuer.
If a plan holds multiple contracts, each contract should be evaluated individually.
36. Contributions Received and Receivable
Typical analytical procedures include:
Comparison to prior year
Average per participant
Other expectation such as % of compensation
Trace to plan sponsor audited financial statements
Vouch subsequent receipt
37. Contributions Received and Receivable
Timeliness of remitting participant contributions
Contributions must be remitted ASAP
Failure to remit may be considered a Prohibited Transaction
15th business day of following month is not a safe harbor
38. Benefit Payments
Determine participant eligibility (request, approval)
Recompute amount of benefit
Vouch payment
Typical analytical procedures include:
Comparison to prior year
Average per participant
Other expectations
39. Investment Income
Objective is to test whether net assets and transactions have been allocated to accounts properly in accordance with the plan document.
Allocation of investment income to be tested even for limited scope audits.
40. Investment Income
Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations.
SAS 70 may be used to reduce but not eliminate scope of testing
41. Fees and Expenses
Most defined benefit plans and many defined contribution plans pay administrative expenses out of plan assets
Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing
Auditors should gain an understanding of what expenses are allowed by the plan
Many times expenses paid out of plan assets are prohibited transactions
42. Commitments and Contingencies
Discuss with client
Review minutes of various committees
Analyze legal expense
Request audit inquiry from attorneys
Obtain client representation
43. Actuarial Assumptions
Trends and nature of benefit distributions
Lump sum vs. annuity payments
Shift in plan population over time—turnover or retirement age
Recent mergers or acquisitions could cause assumptions to be inappropriate
Plan benefit formula changes or a freezing of the plan
Whether consistent gains/losses are generated each year
44. Form 5500
Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report.
Auditor has no obligation to corroborate other information contained in the 5500.
Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements
45. SAS 70
Basic roadmap for auditors
Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained.
Be mindful that missing control objectives may require additional procedures.
46. SAS 70
The following control objectives should be included
Plan setup
Enrollments
Contributions
Distributions, including loans
Investment election changes and transfers
Investments, including purchases/sales, income and valuation
Reconciliation and reporting
IT general controls (including access, changes to programs, back-up)
47. SAS 70
Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor.
48. SAS 70
Description of Controls
Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place.
Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance.
49. SAS 70
Tests of Operating Effectiveness
Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed
Consider the level of testing performed for reliance purposes
Inquiries alone will not be sufficient evidence for confirming implementation
Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures.
50. SAS 70
Exceptions
Evaluate each exception, including nature, extent and mitigating controls
Nature of exception
Error in processing?
Missing evidence?
Extent of exception
Isolated error?
One of many included under control objective?
Did exception lead to qualification of report?
Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report.
51. SAS 70
Exceptions (continued)
Mitigating controls in place
Are there other controls in place at the service provider to mitigate risk of error?
Other levels of review such as quality control reviews
Different access levels that may prevent issues (physical vs. logical access on systems)
Does the plan sponsor actually perform that control? (e.g. calculate vesting)
Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)
52. SAS 70
Evaluation of SAS 70 report and conclusions reached by auditors should be documented clearly and adequately in audit workpapers as required by SAS 103.
Documentation can include:
Copy of relevant SAS 70 reports obtained and evaluated
Checklist or form used to evaluate SAS 70 report
Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)
Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)
53-56. Terminating Plans
57. Overview of Auditing Employee Benefit Plans
Questions?