Retirement Spotlight: Making Sense of the New Auditing Standard for ERISA Plans

On July 10, 2019, the American Institute of Certified Public Accountants (AICPA) issued formal guidance for those who audit financial statements that are included with Form 5500, Annual Return/Report of Employee Benefit Plan, filings. The AICPA first proposed this guidance in April 2017, following a request by the Department of Labor (DOL) to improve the quality of employee benefit plan audits. This guidance, released in a new Statement on Auditing Standards No. 136 (SAS 136), will apply to audits for reporting periods ending on or after December 15, 2020.


What is AICPA’s Role with ERISA Plans?

Founded over 130 years ago, the AICPA is the world’s largest member association representing accounting professionals. Many view the AICPA as an important source of guidance for the accounting profession. Aside from developing audit standards, the AICPA provides educational materials, creates and evaluates CPA exams, and ensures that technical and ethical standards are maintained. The AICPA has also established an Employee Benefit Plan Audit Quality Center to help CPAs meet the various challenges of performing plan audits.


When is an ERISA Plan Audit Required?

Before detailing the AICPA guidance, a quick review of the plan audit requirements may help. Plan sponsors whose plans are not subject to the Employee Retirement Income Security Act (ERISA) do not need to provide audit results to the DOL. This group includes most church plans and owner-only plans. In addition, smaller plans that meet certain waiver requirements are not subject to the Form 5500 audit requirements. But an employee benefit plan is subject to an independent audit if the plan

  • had 100 or more eligible participants as of the first day of the plan year and did not file as a small plan filer for Form 5500 reporting in the prior year, or
  • filed as a small plan filer for Form 5500 reporting in prior years but now has 121 or more eligible participants as of the first day of the current plan year.

An “eligible participant” is an employee who is eligible to participate in the plan (even if not deferring), or has terminated employment but still has a plan balance.


Limited Scope Audit vs. Full Scope Audit

Because SAS 136 does not change ERISA, plan sponsors can still elect to have a limited scope audit (now known as the ERISA Section 103(a)(3)(C) audit) if the qualified institution holding the assets provides a certified statement confirming the accuracy and completeness of the plan’s investment information. (A “qualified institution” is a financial organization that holds plan assets and is regulated and subject to periodic examination by a state or federal agency.)

During a limited scope audit, the auditor is not required to test the accuracy or completeness of the investment information, nor does the auditor need to assess the control risk related to assets held by the certifying institution. But the auditor does need to provide required financial statement disclosures and review and test controls on plan operations related to the plan’s noninvestment information—such as participant data, contributions, and benefit payments.

Auditors must conduct a full scope audit if the institution does not provide a certified statement on the plan’s investment information, or on any investments not included in the certification. During a full scope audit, the auditor must review and test both the plan’s investment and noninvestment information.


What’s “New” About the New Auditing Standard?

SAS 136 clarifies and formalizes current best practices that auditors working with employee benefit plans should already be familiar with. It also provides detailed requirements unique to employee benefit plans, which will help auditors meet their obligations. Some of the most significant provisions found in SAS 136 are described below.

  • SAS 136 replaces a modified opinion (typically a disclaimer) used with ERISA Section 103(a)(3)(C) audits with a two-pronged opinion. The opinion should indicate whether the
    • information in the financial statements not covered by certification is presented fairly, and
    • investment information contained in the financial statements reconciles with, or is derived from, the information contained in the certification.
  • The auditor must obtain plan sponsor acknowledgements that the sponsor is responsible for
    • determining whether a 103(a)(3)(C) audit is permissible and whether the certification meets ERISA requirements,
    • maintaining and providing a current plan document,
    • preparing and fairly presenting financial statements, and
    • providing a substantially completed (draft) Form 5500.
  • The auditor must read the current plan document and consider relevant plan provisions when designing and performing audit procedures.
  • The auditor must identify which investment information is certified.
  • SAS 136 requires the auditor to follow detailed requirements for providing written communication to the plan sponsor about the results of the audit.
  • SAS 136 reformats and changes certain content requirements within the auditor’s report.


Why Did the AICPA Create a Formal Auditing Standard?

The DOL grew concerned about the quality of ERISA plan audits after it conducted an assessment of Form 5500 filings and related audit reports for the 2011 filing year. The purpose of the DOL’s assessment was to determine whether the quality of ERISA plan audits had improved since the DOL last reviewed Form 5500 filings in 2004. The DOL found that ERISA plan audits had not improved since 2004. In fact, the audits had grown worse.

During the assessment, the DOL reviewed a sample of 400 plan audits from a pool of 81,162 Form 5500 filings. The DOL found that 39% of audits contained major deficiencies with respect to one or more generally accepted auditing requirements. These deficiencies could lead to the rejection of the Form 5500 filing and put $653 billion in assets for over 22 million plan participants at risk. (In 2004, 33% of audits contained major deficiencies.) Examples of major deficiencies included no documentation of an internal control environment, failure to test timely remittance of employee contributions, inadequate work determining eligibility and calculation of benefit payments, and no testing of participant investment options.

The DOL also reviewed the number of limited scope audits that were performed. In 2004, 59% of the 400 audits reviewed were limited scope audits. In 2011, that number increased to 81%. The DOL believes that the increased number of limited scope audits has contributed to the increased number of deficiencies found in audits.


How Should Plan Sponsors Prepare?

Although the SAS 136 provisions won’t take effect until 2021, plan sponsors should discuss the effect of these changes with their CPAs. While the new SAS 136 primarily affects audit practices, plan sponsors that have not taken an active role in past plan audits can anticipate more involvement under this newly formalized standard.

Ascensus will continue to monitor any developments regarding this guidance. Visit for future updates.

Click here for a printable version of this issue of the Retirement Spotlight.