2 Learning Objectives
Provide an overview of the audit process, including:
- Risk assessment
- Significant audit areas
- Actuarial assumptions
- SAS 70 reports
- Terminating plans
08/2010 PUGH & COMPANY, P.C.
3 Risk Assessment: Summary of Risk Assessment Standards
- Objectives of risk assessment standards
  - Understanding of the entity
  - Assessment of risk
  - Improve linkage between assessed risk and work performed
- Assessment process
  - Continuous process - must occur throughout the audit
- Evaluation of audit findings (questions to ask throughout the process)
  - Has audit risk been reduced to an acceptably low level?
  - Has risk of material misstatement been reduced to an acceptably low level?
  - If the answer is no to either of these, the audit is not complete.
4 Risk Assessment Process
- Procedures Performed
  - Preliminary engagement activities.
  - Inquiries of plan management and others.
  - Preliminary analytical procedures.
  - Observation and inspection.
  - Discussion among the engagement team.
- Understanding Obtained
  - Industry, regulatory, and other external factors.
  - Nature of the plan.
  - Objectives, strategies, and related business risks.
  - Measurement and review of the plan's financial performance.
  - Internal control.
  - Selection and application of accounting policies.
  - Fraud risk factors.
- Decisions and Judgments Made
  - Decisions at the Financial Statement Level:
    - Materiality at the financial statement level.
    - Materiality for particular items of lesser amounts.
    - Risks of material misstatement at the financial statement level.
    - Overall audit strategy.
  - Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:
    - Tolerable misstatement.
    - Risks of material misstatement at the relevant assertion level, including identification of significant risks.
    - Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).
5 Risk Assessment: Materiality
- Based on economic conditions you might expect a lower materiality level.
- Lower materiality levels may add additional time to the job.
- Need to be efficient in selecting audit steps in the risk assessment process.
6 Risk Assessment: Materiality… Documentation
- Need to document basis for materiality
- Need to document any changes in materiality that occur during the audit and how they were determined
  - Contributions (special bonus/special compensation)
- Need to document lower level of planning materiality for certain items
  - Administrative expenses (declining profitability of plan sponsor)
7 Risk Assessment: Understanding the Plan and Its Environment
The Plan
- Review plan document
- Consider summarizing significant information
- Document flow of information
  - Plan sponsor
  - Record keeper
  - Custodian
  - Trustee
  - Actuary
8 Risk Assessment: Understanding the Plan
- Records
  - Where are they located?
  - How do we gain access to the data?
- Specific plan investments
  - Are there hard to value assets?
  - GICs
- Information technology
  - How is information communicated between
    - Plan sponsor?
    - Service organization?
    - Participants?
9 Risk Assessment: Understanding the Plan Sponsor’s industry
Consider factors affecting the industry that could affect the plan
- Decreased sales
- Increased costs
- Layoffs
- Cash flow problems
- Increase risk of bankruptcy
- Increase incentive to minimize expenses through
  - Misallocation of required employer contributions
  - Misuse of forfeitures
  - Shifting plan administrative expenses directly to plan
10 Risk Assessment: Understanding Plan Sponsor
- Consider interviewing plan sponsor employees
  - Owners
  - Key Management
  - Participant (especially in ESOP)
- Ask
  - What do they know about the plan?
  - How do they conduct transactions?
  - What are their expectations?
- Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process
11 Risk Assessment: Understanding Plan Sponsor
Interview dos and don’ts
- Dos
  - Face to face interviews
  - Interview personnel involved in all aspects of the plan’s operations
  - Share hypothetical situation to initiate fraud discussion
    - Treatment of lost participants and the related fraud opportunities
    - How and frequency of contribution reconciliations
- Don’ts
  - Conduct the interview in the presence of other client employees
  - questions to management
  - Interview only the primary audit contact
  - Ask only yes and no questions
12 Risk Assessment: Understanding the Design and Implementation of Internal Controls
- Who is ultimately responsible for properly implementing and operating an employee benefit plan?
  - The plan sponsor
- The responsibility of the plan cannot be passed to the service providers
- Implementation of appropriate monitoring controls is critical where plan operations are outsourced
13 Risk Assessment: Understanding Internal Controls
Plan administration controls
- Determining plan provisions
- Establishment of the investment policy
- Authorization of certain transactions
- Monitoring and on-going evaluation of service providers
14 Risk Assessment: Understanding Internal Controls…
Entity level controls – who is in charge of the plan
- Monitoring (board of directors)
- Personnel (hiring, training, evaluations)
- Integrity and ethics (ethics policies)
- Segregation of duties (protection of assets)
15 Risk Assessment: Understanding Internal Controls…
Transaction level controls
- Eligibility determination
- Contributions
- Distributions
- Investment transactions
- Allocation to participants accounts (currently a hot topic in the industry)
- Forfeitures (currently a hot topic in the industry)
- Plan fees (currently a hot topic in the industry)
- Participant investment elections
- Transfers, mergers, new plan setups
16 Risk Assessment: Understanding Internal Controls…
Unique control environment
- Important to understand and document who does what
- Significant controls may be outsourced to third parties
- Certain areas may have shared responsibilities
- A control at one entity might mitigate risk in another area (e.g. vesting)
17 Risk Assessment: Understanding Internal Controls…
Participant Controls
- How many people open their statement, reconcile it to the payroll deductions, recalculate employer contributions, recalculate allocations, and review investment losses?
- Can we rely on the participant to contribute to the internal control structure?
  - They may not understand the internal control process
  - They may not open their statement on a regular basis
  - They may not know what to look for
  - The internal control process is not their responsibility unless we directly ask them to review a confirmation
- We should not rely on this to reduce control risk
18 Risk Assessment: Documentation of Internal Controls
Identify individual audit areas and related control objectives
- Consider classes of transactions
  - Activity in participant’s account
  - Existence and occurrence
- Account balances
  - Investments
  - Receivables
  - Payables
- Disclosures
19 Risk Assessment: Documentation of Internal Controls…
Document controls
- Client memo and flowcharts
- Incorporate reference to SAS 70 controls when appropriate
- Verification through walkthroughs
- Consider flow of information between plan sponsor and the service organization for each individual audit area and control objective
- Consider missing steps in the control process
20 Risk Assessment: Documentation of Internal Controls…
Engagement team discussion
- Fraud
- Error
- Ask “what could go wrong?”
- Consider if you only had 8 hours to perform audit procedures - what would you want to do before you personally signed the opinion?
- Must be tailored to each plan – cannot rely on one discussion for all plans
- Consider the uniqueness of the various plans
21 Risk Assessment: Challenges of an Employee Benefit Plan Audit
When assessing risk keep the following in mind
- Many clients see the audit as a “necessary evil”
- Many plan sponsors do not have the policies and procedures in place or do not have them sufficiently documented
- Many plan sponsors that rely heavily on service providers may not be as rigorous in their procedures and oversight
- Overuse or underuse of the SAS 70
22 Risk Assessment: Policies and Procedures of the Plan Administrator Related to the Service Organization
- Plan administrator should have an understanding of what the service organization does and what controls are in place
- They should be reviewing the SAS 70 annually
23 Risk Assessment: Policies and Procedures …
- Reconciliation of participant accounts to service organization records should be performed on a timely basis
- Payroll information should be reconciled to the contribution records
  - In total
  - By participant
- Reconciling census data provided to service organization to appropriate payroll records
- The audit cannot be the control
24 Risk Assessment: Policies and Procedures …
Consider who has access to the data provided to the service organization and the ability to make changes to override controls
- CFO/Controller
- Human resources
- Payroll
- IT
25 Risk Assessment: Other Procedures of the Plan Administrator
- Document transactions that are approved
  - Contributions
  - Use of forfeitures
  - Distributions
- Meet with investment manager
- Audit consequences
- Document policies and procedures
- Consider management points related to significant deficiencies
26 Significant Audit Areas
- Participant data
- Payroll
- Cash
- Investments
- Contributions received and receivable
- Benefit payments
- Investment income
- Fees and Expenses
- Actuarial Assumptions
- Form 5500
- SAS 70
- Terminating Plans
27 Participant Data & Payroll
Objectives include determining:
- Whether all covered employees have been properly included in employee eligibility records
- Whether accurate participant data for eligible employees were supplied to the plan administrator and, if applicable, the plan actuary
28 Participant Data & Payroll
Types of data to be tested:
- Demographic – birth date, hire date
- Payroll data – wage rate, hours worked, earnings, contributions to the plan
29 Participant Data & Payroll
Examples of substantive procedures
- Recalculate payroll for selected participants for one or more pay periods
- Trace individual payrolls from the payroll journal to the participants earnings records
- Review personnel files for hiring notice, pay rate, birth date, termination date
30 Cash
- Typically small
- If held under a trust agreement or under an insurance contract, confirmations are usually adequate
- If held independent of a trust agreement or insurance contract, customary audit procedures considered appropriate
31 Investments: Limited Scope Audit
- Obtain and read a copy of the certification
- Determine whether the entity issuing the certification is a qualifying institution under DOL regs
- Compare the investment information certified by the trustee or custodian to the information contained in the plan’s financial statements and related disclosures
32 Investments
- If the auditor becomes aware that the certified information may be incomplete or inaccurate, the auditor should instruct the plan administrator to:
  - Request that the trustee or custodian recertify or amend the certification for such investments at their appropriate year-end values or recertify or amend the certification to exclude such investments from the limited scope certification, or
  - Instruct the auditor to perform full scope procedures on such investments excluded from the certification
- If not done, auditor should consider modifying his or her report
33 Investments: Full Scope Audit
- Determine nature and location of investments from minutes, agreements with custodians, advisors, etc.
- Obtain or prepare a schedule of investments showing beginning balance, purchases, sales, ending balance
- Typical audit programs have specific procedures depending upon the type of investments held, such as mutual funds, limited partnerships and derivatives.
34 Investments: Full Scope Audit (cont.)
- Confirm investments held by third-party custodians
- Perform analytical procedures on average and ending balances
- Test investment income
- Test fair value
- Test the calculation of unrealized gains and losses
35 Stable Value Funds & GIC’s
GIC’s - Audit Considerations
- Obtain, read and evaluate the GIC contract
  - Maturity dates, minimum crediting rates, rate resets.
  - Is the contract fully benefit responsive?
    - Contract is between plan and issuer. The contract cannot be sold or assigned without consent of the issuer.
    - Contract issuer must be obligated to (1) repay principal and interest, and (2) provide prospective crediting rate adjustments with an assurance the crediting rate will not be < 0%
    - Contract requires all participant-initiated transactions to occur at contract value
    - An event that limits the ability of the plan to transact at contract value with the issuer and with the participants must be probable of not occurring
    - The plan must allow participants reasonable access to their funds
- Confirm principal and income with Insurance Company/Counterparty.
- Assess credit quality of the issuer.
- If a plan holds multiple contracts, each contract should be evaluated individually.
36 Contributions Received and Receivable
- Typical analytical procedures include:
  - Comparison to prior year
  - Average per participant
  - Other expectation such as % of compensation
- Trace to plan sponsor audited financial statements
- Vouch subsequent receipt
37 Contributions Received and Receivable
Timeliness of remitting participant contributions
- Contributions must be remitted ASAP
- Failure to remit may be considered a Prohibited Transaction
- 15th business day of following month is not a safe harbor
38 Benefit Payments
- Determine participant eligibility (request, approval)
- Recompute amount of benefit
- Vouch payment
- Typical analytical procedures include:
  - Comparison to prior year
  - Average per participant
  - Other expectations
39 Investment Income
- Objective: to test whether net assets and transactions have been allocated to accounts properly in accordance with plan document.
- Allocation of investment income to be tested even for limited scope audits.
40 Investment Income
- Consider reasonableness by comparing current year income and yield to that in the prior year and to investment reports from advisors, trustees, mutual fund companies and to industry indexes or other expectations.
- SAS 70 may be used to reduce but not eliminate scope of testing
41 Fees and Expenses
- Most defined benefit plans and many defined contribution plans pay administrative expenses out of plan assets
- Typically plan expenses are below materiality levels and therefore are not subject to significant detailed testing
- Auditors should gain an understanding of what expenses are allowed by the plan
- Many times expenses paid out of plan assets are prohibited transactions
42 Commitments and Contingencies
- Discuss with client
- Review minutes of various committees
- Analyze legal expense
- Request audit inquiry from attorneys
- Obtain client representation
43 Actuarial Assumptions
- Trends and nature of benefit distributions
  - Lump sum vs. annuity payments
- Shift in plan population over time—turnover or retirement age
- Recent mergers or acquisitions could cause assumptions to be inappropriate
- Plan benefit formula changes or a freezing of the plan
- Whether consistent gains/losses are generated each year
44 Form 5500
- Auditor’s responsibility does not extend beyond the financial information identified in the auditor’s report.
- Auditor has no obligation to corroborate other information contained in the 5500.
- Auditor should read the other information in the 5500 and consider whether such information or its presentation is materially inconsistent with information appearing in the audited financial statements
45 SAS 70: Basic roadmap for auditors
- Read Independent Service Auditor’s Report and Company Overview to determine that correct SAS 70 has been obtained.
- Be mindful that missing control objectives may require additional procedures.
46 SAS 70
The following control objectives should be included
- Plan setup
- Enrollments
- Contributions
- Distributions, including loans
- Investment election changes and transfers
- Investments, including purchases/sales, income and valuation
- Reconciliation and reporting
- IT general controls (including access, changes to programs, back-up)
47 SAS 70
Note: For missing key control objectives or if no SAS 70 report is available, procedures to determine controls in place, the evaluation of their design and implementation must still be adequately addressed by the auditor.
48 SAS 70: Description of Controls
- Auditors should read through the detail of the procedures related to a specific control objective to understand overall process and identify controls in place.
- Warning: Controls included in this description may not always be included in testing so be aware that this may affect reliance.
49 SAS 70: Tests of Operating Effectiveness
- Determine which controls were tested as included in the description of controls – usually listed with testing procedures performed
- Consider the level of testing performed for reliance purposes
  - Inquiries alone will not be sufficient evidence for confirming implementation
  - Observations may not be considered sufficient for reliance on controls for purposes of reducing control risk below maximum to reduce substantive audit procedures.
50 SAS 70: Exceptions
- Evaluate each exception, including nature, extent and mitigating controls
- Nature of exception
  - Error in processing?
  - Missing evidence?
- Extent of exception
  - Isolated error?
  - One of many included under control objective?
  - Did exception lead to qualification of report?
- Special consideration – IT general controls – exceptions and qualification could affect more than one area and may be a significant problem in reliance and use of SAS 70 report.
51 SAS 70: Exceptions (continued)
Mitigating controls in place
- Are there other controls in place at the service provider to mitigate risk of error?
  - Other levels of review such as quality control reviews
  - Different access levels that may prevent issues (physical vs. logical access on systems)
- Does the plan sponsor actually perform that control? (e.g. calculate vesting)
- Are there mitigating controls in place at the plan sponsor? (e.g., review and approve calculation of vesting)
52 SAS 70
- Evaluation of SAS 70 report and conclusions reached by auditors should be documented clearly and adequately in audit workpapers as required by SAS 103.
- Documentation can include:
  - Copy of relevant SAS 70 reports obtained and evaluated
  - Checklist or form used to evaluate SAS 70 report
  - Memo or checklist/form used above to document conclusions reached regarding each area as to reliance on SAS 70, and the extent of that reliance (e.g., reliance related only to design and implementation or further reliance to reduce control risk and substantive audit procedures)
- Note: Reliance may vary from area to area (e.g., reliance placed to reduce substantive audit procedures in contributions, but not in distributions)