1 / 57

Auditing Overview for Employee Benefit Plans

08/2010. PUGH

niveditha
Download Presentation

Auditing Overview for Employee Benefit Plans

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


    1. Auditing Overview for Employee Benefit Plans Pugh & Company, P.C.

    2. 08/2010 PUGH & COMPANY, P.C. 2 Learning Objectives Provide an overview of the audit process including : Risk assessment Significant audit areas Actuarial assumptions SAS 70 reports Terminating plans

    3. 08/2010 PUGH & COMPANY, P.C. 3 Risk Assessment Summary of Risk Assessment Standards Objectives of risk assessment standards Understanding of the entity Assessment of risk Improve linkage between assessed risk and work performed Assessment process Continuous process - must occur throughout the audit Evaluation of audit findings (questions to ask throughout the process) Has audit risk been reduced to acceptably low level? Has risk of material misstatement been reduced to an acceptably low level? If the answer is no to either of these, the audit is not complete.

    4. 08/2010 PUGH & COMPANY, P.C. 4 Risk Assessment Process Procedures Performed Preliminary engagement activities. Inquiries of plan management and others. Preliminary analytical procedures. Observation and inspection. Discussion among the engagement team. Understanding Obtained Industry, regulatory, and other external factors. Nature of the plan. Objectives, strategies, and related business risks. Measurement and review of the plan's financial performance. Internal control. Selection and application of accounting policies. Fraud risk factors. Decisions and Judgments Made Decisions at the Financial Statement Level: Materiality at the financial statement level. Materiality for particular items of lesser amounts. Risks of material misstatement at the financial statement level. Overall audit strategy. Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level: Tolerable misstatement. Risks of material misstatement at the relevant assertion level, including identification of significant risks. Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).

    5. 08/2010 PUGH & COMPANY, P.C. 5 Risk Assessment Materiality Based on economic conditions you might expect a lower materiality level. Lower materiality levels may add additional time to the job. Need to be efficient in selecting audit steps in the risk assessment process.

    6. 08/2010 PUGH & COMPANY, P.C. 6 Risk Assessment Materiality… Documentation Need to document basis for materiality Need to document any changes in materiality that occur during the audit and how they were determined Contributions (special bonus/special compensation) Need to document lower level of planning materiality for certain items Administrative expenses (declining profitability of plan sponsor)

    7. 08/2010 PUGH & COMPANY, P.C. 7 Risk Assessment Understanding the Plan and Its Environment The Plan Review plan document Consider summarizing significant information Document flow of information Plan sponsor Record keeper Custodian Trustee Actuary

    8. 08/2010 PUGH & COMPANY, P.C. 8 Risk Assessment Understanding the Plan Records Where are they located? How do we gain access to the data? Specific plan investments Are there hard to value assets? GICs Information technology How is information communicated between Plan sponsor? Service organization? Participants?

    9. 08/2010 PUGH & COMPANY, P.C. 9 Risk Assessment Understanding the Plan Sponsor’s industry Consider factors affecting the industry that could affect the plan Decreased sales Increased costs Layoffs Cash flow problems Increase risk of bankruptcy Increase incentive to minimize expenses through Misallocation of required employer contributions Misuse of forfeitures Shifting plan administrative expenses directly to plan

    10. 08/2010 PUGH & COMPANY, P.C. 10 Risk Assessment Understanding Plan Sponsor Consider interviewing plan sponsor employees Owners Key Management Participant (especially in ESOP) Ask ? What do they know about the plan? ? How do they conduct transactions? ? What are their expectations? ? Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process

    11. 08/2010 PUGH & COMPANY, P.C. 11 Risk Assessment Understanding Plan Sponsor Interview dos and don’ts Dos Face to face interviews Interview personnel involved in all aspects of the plan’s operations Share hypothetical situation to initiate fraud discussion ? Treatment of lost participants and the related fraud opportunities ? How and frequency of contribution reconciliations Don’ts Conduct the interview in the presence of other client employees E-mail questions to management Interview only the primary audit contact Ask only yes and no questions

    12. 08/2010 PUGH & COMPANY, P.C. 12 Risk Assessment Understanding the Design and Implementation of Internal Controls Who is ultimately responsible for properly implementing and operating an employee benefit plan? The plan sponsor The responsibility of the plan can not be passed to the service providers Implementation of appropriate monitoring controls is critical where plan operations is outsourced

    13. 08/2010 PUGH & COMPANY, P.C. 13 Risk Assessment Understanding Internal Controls Plan administration controls Determining plan provisions Establishment of the investment policy Authorization of certain transactions Monitoring and on-going evaluation of service providers

    14. 08/2010 PUGH & COMPANY, P.C. 14 Risk Assessment Understanding Internal Controls… Entity level controls – who is in charge of the plan Monitoring (board of directors) Personnel (hiring, training, evaluations) Integrity and ethics (ethics policies) Segregation of duties (protection of assets)

    15. 08/2010 PUGH & COMPANY, P.C. 15 Risk Assessment Understanding Internal Controls… Transaction level controls Eligibility determination Contributions Distributions Investment transactions Allocation to participants accounts (currently a hot topic in the industry) Forfeitures (currently a hot topic in the industry) Plan fees (currently a hot topic in the industry) Participant investment elections Transfers, mergers, new plan setups

    16. 08/2010 PUGH & COMPANY, P.C. 16 Risk Assessment Understanding Internal Controls… Unique control environment Important to understand and document who does what Significant controls may be outsourced to third parties Certain areas may have shared responsibilities A control at one entity might mitigate risk in another area (e.g. vesting)

    17. 08/2010 PUGH & COMPANY, P.C. 17 Risk Assessment Understanding Internal Controls… Participant Controls How many people open their statement, reconcile it to the payroll deductions, recalculate employer contributions, recalculated allocations, and review investment losses? Can we rely on the participant to contribute to the internal control structure? They may not understand the internal control process They may not open their statement on a regular basis They may not know what to look for The internal control process is not their responsibility unless we directly ask them to review a confirmation We should not rely on this to reduce control risk

    18. 08/2010 PUGH & COMPANY, P.C. 18 Risk Assessment Documentation of Internal Controls Identify individual audit areas and related control objectives Consider classes of transactions Activity in participant’s account Existence and occurrence Account balances Investments Receivables Payables Disclosures

    19. 08/2010 PUGH & COMPANY, P.C. 19 Risk Assessment Documentation of Internal Controls… Document controls Client memo and flowcharts Incorporate reference to SAS 70 controls when appropriate Verification through walkthroughs Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective Consider missing steps in the control process

    20. 08/2010 PUGH & COMPANY, P.C. 20 Risk Assessment Documentation of Internal Controls… Engagement team discussion Fraud Error Ask “what could go wrong”? Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion? Must be tailored to each plan – cannot rely on one discussion for all plans Consider the uniqueness of the various plans

    21. 08/2010 PUGH & COMPANY, P.C. 21 Risk Assessment Challenges of an Employee Benefit Plan Audit When assessing risk keep the following in mind Many clients see the audit as a “necessary evil” Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight Overuse or underuse of the SAS 70

    22. 08/2010 PUGH & COMPANY, P.C. 22 Risk Assessment Policies and Procedures of the Plan Administrator Related to the Service Organization Plan administrator should have an understanding of what the service organization does and what controls are in place They should be reviewing the SAS 70 annually

    23. 08/2010 PUGH & COMPANY, P.C. 23 Risk Assessment Policies and Procedures … Reconciliation of participant accounts to service organization records should be performed on a timely basis Payroll information should be reconciled to the contribution records In total By participant Reconciling census data provided to service organization to appropriate payroll records The audit can not be the control

    24. 08/2010 PUGH & COMPANY, P.C. 24 Risk Assessment Policies and Procedures … Consider who has access to the data provided to the service organization and the ability to make changes to override controls CFO/Controller Human resources Payroll IT

    25. 08/2010 PUGH & COMPANY, P.C. 25 Risk Assessment Other Procedures of the Plan Administrator Document transactions that are approved Contributions Use of forfeitures Distributions Meet with investment manager Audit consequences Document polices and procedures Consider management points related to significant deficiencies

    26. 08/2010 PUGH & COMPANY, P.C. 26 Significant Audit Areas Participant data Payroll Cash Investments Contributions received and receivable Benefit payments Investment income Fees and Expenses Actuarial Assumptions Form 5500 SAS 70 Terminating Plans

    27. 08/2010 PUGH & COMPANY, P.C. 27 Participant Data & Payroll Objectives include determining: Whether all covered employees have been properly included in employee eligibility records Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary

    28. 08/2010 PUGH & COMPANY, P.C. 28 Participant Data & Payroll Types of data to be tested: Demographic – birth date, hire date Payroll data – wage rate, hours worked, earnings, contributions to the plan

    29. 08/2010 PUGH & COMPANY, P.C. 29 Participant Data & Payroll Examples of substantive procedures Recalculate payroll for selected participants for one or more pay periods Trace individual payrolls from the payroll journal to the participants earnings records Review personnel files for hiring notice, pay rate, birth date, termination date

    30. 08/2010 PUGH & COMPANY, P.C. 30 Cash Typically small If held under a trust agreement or under an insurance contract, confirmations are usually adequate If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate

    31. 08/2010 PUGH & COMPANY, P.C. 31 Investments Limited Scope Audit Obtain and read a copy of the certification Determine whether the entity issuing the certification is a qualifying institution under DOL regs Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures

    32. 08/2010 PUGH & COMPANY, P.C. 32 Investments If the auditor becomes aware that the certified information my be incomplete or inaccurate the auditor should instruct the plan administrator to: Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values or recertify or amend the certification to exclude such investments from the limited scope certification or Instruct the auditor to perform full scope procedures on such investments excluded from the certification If not done auditor should consider modifying his or her report

    33. 08/2010 PUGH & COMPANY, P.C. 33 Investments Full Scope Audit Determine nature and location of investments from minutes, agreements with custodians, advisors, etc. Obtain or prepare a schedule of investments showing beginning balance, purchases sales, ending balance Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivative.

    34. 08/2010 PUGH & COMPANY, P.C. 34 Investments Full Scope Audit (cont.) Confirm investments held by third-party custodians Perform analytical procedures on average and ending balances Test investment income Test fair value Test the calculation of unrealized gains and losses

    35. 08/2010 PUGH & COMPANY, P.C. 35 Stable Value Funds & GIC’s GIC’s - Audit Considerations Obtain, read and evaluate the GIC contract Maturity dates, minimum crediting rates, rate resets. Is the contract fully benefit responsive? Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer. Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0% Contract requires all participant-initiated transactions to occur at contract value An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring The plan must allow participants reasonable access to their funds Confirm principal and income with Insurance Company/Counterparty. Assess credit quality of the issuer. If a plan holds multiple contracts, each contract should be evaluated individually.

    36. 08/2010 PUGH & COMPANY, P.C. 36 Contributions Received and Receivable Typical analytical procedures include: Comparison to prior year Average per participant Other expectation such as % of compensation Trace to plan sponsor audited financial statements Vouch subsequent receipt

    37. 08/2010 PUGH & COMPANY, P.C. 37 Contributions Received and Receivable Timeliness of remitting participant contributions Contributions must be remitted ASAP Failure to remit may be considered a Prohibited Transaction 15th business day of following month is not a safe harbor

    38. 08/2010 PUGH & COMPANY, P.C. 38 Benefit Payments Determine participant eligibility (request, approval) Recompute amount of benefit Vouch payment Typical analytical procedures include: Comparison to prior year Average per participant Other expectations

    39. 08/2010 PUGH & COMPANY, P.C. 39 Investment Income Objective to test whether net assets and transactions have been allocated to accounts properly in accordance with plan document. Allocation of investment income to be tested even for limited scope audits.

    40. 08/2010 PUGH & COMPANY, P.C. 40 Investment Income Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations. SAS 70 may be used to reduce but not eliminate scope of testing

    41. 08/2010 PUGH & COMPANY, P.C. 41 Fees and Expenses Most defined benefit plans and many defined contributions plans pay administrative expenses out of plan assets Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing Auditors should gain an understanding of what expenses are allowed by the plan Many times expenses paid out of plan assets are prohibited transactions

    42. 08/2010 PUGH & COMPANY, P.C. 42 Commitments and Contingencies Discuss with client Review minutes of various committees Analyze legal expense Request audit inquiry from attorneys Obtain client representation

    43. 08/2010 PUGH & COMPANY, P.C. 43 Actuarial Assumptions Trends and nature of benefit distributions Lump sum vs. annuity payments Shift in plan population over time—turnover or retirement age Recent mergers or acquisitions could cause assumptions to be inappropriate Plan benefit formula changes or a freezing of the plan Whether consistent gains/losses are generated each year

    44. 08/2010 PUGH & COMPANY, P.C. 44 Form 5500 Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report. Auditor has no obligation to corroborate other information contained in the 5500. Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements

    45. 08/2010 PUGH & COMPANY, P.C. 45 SAS 70 Basic roadmap for auditors Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained. Be mindful that missing control objectives may require additional procedures.

    46. 08/2010 PUGH & COMPANY, P.C. 46 SAS 70 The following control objectives should be included Plan setup Enrollments Contributions Distributions, including loans Investment election changes and transfers Investments, including purchases/sales, income and valuation Reconciliation and reporting IT general controls (including access, changes to programs, back-up)

    47. 08/2010 PUGH & COMPANY, P.C. 47 SAS 70 Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor.

    48. 08/2010 PUGH & COMPANY, P.C. 48 SAS 70 Description of Controls Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place. Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance.

    49. 08/2010 PUGH & COMPANY, P.C. 49 SAS 70 Tests of Operating Effectiveness Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed Consider the level of testing performed for reliance purposes inquiries alone will not be sufficient evidence for confirming implementation Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures.

    50. 08/2010 PUGH & COMPANY, P.C. 50 SAS 70 Exceptions Evaluate each exception, including nature, extent and mitigating controls Nature of exception Error in processing? Missing evidence? Extent of exception Isolated error? One of many included under control objective? Did exception lead to qualification of report? Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report.

    51. 08/2010 PUGH & COMPANY, P.C. 51 SAS 70 Exceptions (continued) Mitigating controls in place Are there other controls in place at the service provider to mitigate risk of error? Other levels of review such as quality control reviews Different access levels that may prevent issues (physical vs. logical access on systems) Does the plan sponsor actually perform that control? (e.g. calculate vesting) Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)

    52. 08/2010 PUGH & COMPANY, P.C. 52 SAS 70 Evaluation of SAS 70 report and conclusions reached by auditors should be documented clearly and adequately in audit workpapers as required by SAS 103. Documentation can include: Copy of relevant SAS 70 reports obtained and evaluated Checklist of Form used to evaluate SAS 70 report Memo or checklist /form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)

    53. 08/2010 PUGH & COMPANY, P.C. 53 Terminating Plans

    54. 08/2010 PUGH & COMPANY, P.C. 54 Terminating Plans

    55. 08/2010 PUGH & COMPANY, P.C. 55 Terminating Plans

    56. 08/2010 PUGH & COMPANY, P.C. 56 Terminating Plans

    57. Overview of Auditing Employee Benefit Plans Questions?

More Related