Auditing Overview for Employee Benefit Plans Learning Objectives Provide an overview of the audit process including : Risk assessment Significant audit areas Actuarial assumptions SAS 70 reports Terminating plans Risk Assessment • Summary of Risk Assessment Standards – Objectives of risk assessment standards • Understanding of the entity • Assessment of risk • Improve linkage between assessed risk and work performed – Assessment process • Continuous process - must occur throughout the audit • Evaluation of audit findings (questions to ask throughout the process) – Has audit risk been reduced to acceptably low level? – Has risk of material misstatement been reduced to an acceptably low level? – If the answer is no to either of these, the audit is not complete Risk Assessment Process Procedures Performed • Preliminary engagement activities • Inquiries of plan management and others • Preliminary analytical procedures • Observation and inspection • Discussion among the engagement team Understanding Obtained • Industry, regulatory, and other external factors • Nature of the plan • Objectives, strategies, and related business risks • Measurement and review of the plan's financial performance • Internal control • Selection and application of accounting policies • Fraud risk factors Decisions and Judgments Made • Decisions at the Financial Statement Level: – – – – • Materiality at the financial statement level Materiality for particular items of lesser amounts Risks of material misstatement at the financial statement level Overall audit strategy Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level: – – – Tolerable misstatement Risks of material misstatement at the relevant assertion level, including identification of significant risks Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures) Risk Assessment • Materiality – Based on economic conditions you might expect a lower materiality level – Lower materiality levels may add additional time to the job • Need to be efficient in selecting audit steps in the risk assessment process Risk Assessment • Materiality… – Documentation • Need to document basis for materiality • Need to document any changes in materiality that occur during the audit and how they were determined – Contributions (special bonus/special compensation) • Need to document lower level of planning materiality for certain items – Administrative expenses (declining profitability of plan sponsor) Risk Assessment • Understanding the Plan and Its Environment – The Plan • Review plan document – Consider summarizing significant information • Document flow of information – Plan sponsor – Record keeper – Custodian – Trustee – Actuary Risk Assessment • Understanding the Plan • Records – Where are they located? – How we gain access to the data? • Specific plan investments – Are there hard to value assets? – GICs • Information technology – How is information communicated between » Plan sponsor? » Service organization? » Participants? Risk Assessment • Understanding the Plan Sponsor’s industry • Consider factors affecting the industry that could affect the plan – – – – Decreased sales Increased costs Layoffs Cash flow problems – Increase risk of bankruptcy • Increase incentive to minimize expenses through – Misallocation of required employer contributions – Misuse of forfeitures – Shifting plan administrative expenses directly to plan Risk Assessment • Understanding Plan Sponsor • Consider interviewing plan sponsor employees – Owners – Key Management – Participant (especially in ESOP) » Ask  What they know about the plan?  How they conduct transactions?  What are their expectations?  Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process Actuarial Assumptions • Trends and nature of benefit distributions – Lump sum vs annuity payments • Shift in plan population over time—turnover or retirement age • Recent mergers or acquisitions could cause assumptions to be inappropriate • Plan benefit formula changes or a freezing of the plan • Whether consistent gains/losses are generated each year Form 5500 • Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report • Auditor has no obligation to corroborate other information contained in the 5500 • Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements SAS 70 Basic roadmap for auditors • Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained • Be mindful that missing control objectives may require additional procedures SAS 70 • The following control objectives should be included – – – – – – Plan setup Enrollments Contributions Distributions, including loans Investment election changes and transfers Investments, including purchases/sales, income and valuation – Reconciliation and reporting – IT general controls (including access, changes to programs, back-up) SAS 70 Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor SAS 70 Description of Controls • Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place • Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance SAS 70 Tests of Operating Effectiveness • Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed • Consider the level of testing performed for reliance purposes – inquiries alone will not be sufficient evidence for confirming implementation – Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures SAS 70 Exceptions • Evaluate each exception, including nature, extent and mitigating controls – Nature of exception • Error in processing? • Missing evidence? – Extent of exception • Isolated error? • One of many included under control objective? • Did exception lead to qualification of report? • Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report SAS 70 Exceptions (continued) • Mitigating controls in place – Are there other controls in place at the service provider to mitigate risk of error? • Other levels of review such as quality control reviews • Different access levels that may prevent issues (physical vs logical access on systems) – Does the plan sponsor actually perform that control? (e.g calculate vesting) – Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting) SAS 70 Evaluation of SAS 70 report and conclusions reached by auditors should be documented clearly and adequately in audit workpapers as required by SAS 103 • Documentation can include: – Copy of relevant SAS 70 reports obtained and evaluated – Checklist of Form used to evaluate SAS 70 report – Memo or checklist /form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures – Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions) Terminating Plans Terminating Plans Terminating Plans Terminating Plans Overview of Auditing Employee Benefit Plans Questions?