Employee Benefit Plan Auditing and Financial Reporting Models
This report was produced by the Advisory Council on Employee Welfare and Pension Benefit Plans, usually referred to as the ERISA Advisory Council (the "Council"). This report examines Employee Benefit Plan Auditing and Financial Reporting Models. The ERISA Advisory Council was created by ERISA to provide advice to the Secretary of Labor. The contents of this report do not represent the position of the Department of Labor (DOL).
The 2010 ERISA Advisory Council studied Employee Benefit Plan Auditing and Financial Reporting Models. Because a great deal has changed in the retirement plan industry since the enactment of ERISA's audit requirements in 1974, the Council focused on retirement plans, although certain types of health and welfare plans also fall under the scope of Employee Benefit Plan Auditing and Financial Reporting Models. An examination of current audit requirements and reporting models, and concerns about how they are implemented and applied, led to a focus on three topics and recommendations on each.
Quality of Plan Audits and Auditors The Office of the Chief Accountant ("OCA") for the Employee Benefits Security Administration ("EBSA") of the Department of Labor ("Department" or "DOL") found in 2004 that approximately 30% of plan audits did not comply with professional audit standards or reporting requirements. In spite of extensive guidance issued by both the Department and the American Institute of Certified Public Accountants ("AICPA") as to how plan audits should be conducted, a significant number of plan audits are nonetheless found defective. It appears that a substantial number of those substandard audits can be traced to auditors with limited employee benefit plan audit experience. The reasons for the failures include (1) the auditor's inadequate technical training and knowledge, (2) the auditor's inadequate familiarity with employee benefit plans, (3) a lack of quality control in the audit process, and (4) a failure by the auditor to understand the requirements for limited scope audits. The Council recommends that the DOL encourage better quality, building on some of the existing mechanisms to train auditors and improve quality.
Limited Scope Audits The statutory and regulatory requirements for auditing an ERISA-covered plan are unique from other company and entity audits. With ERISA's authorization of the limited scope audit, a plan administrator may choose to have the plan audited in a manner that would not otherwise be consistent with GAAS. After consideration of a range of views regarding the limited scope audit, the Council has made several recommendations that are designed to limit misunderstandings and the inappropriate application of the limited scope audit.
403(b) Plans These defined contribution arrangements were historically funded with individual annuity contracts selected by individual participants, often with limited employer oversight. They have traditionally been predominant for employees of governments (typically ERISA exempt), educational and other nonprofit entities. Due largely to the way 403(b) plans have historically developed, the new audit requirements effective in 2009 have created significant difficulties for 403(b) plan administrators and 403(b) plan auditors. The challenges in meeting the new reporting and auditing requirements appear in many cases to have resulted in limited reporting of plan assets and auditors disclaiming opinions (offering no opinion) on incomplete financial statements. This has raised fears of dire consequences, since these plans may not be able to file a proper Form 5500 with the Department. The Council has made recommendations that, if implemented, would provide relief to 403(b) plan administrators.
The Council recognizes the following individuals and organizations who contributed greatly to the Councils' deliberations and final report. Notwithstanding their contributions, any errors in the report rest with the Council alone.
Ian Dingwall, U.S. Department of Labor
The 2010 ERISA Advisory Council (the "Council") studied whether the audit requirement and financial reporting model contained in ERISA §§ 103 and 104 provide the protections to plan participants and beneficiaries that Congress originally intended when it enacted ERISA in 1974. The Council studied the efficacy of ERISA's reporting and disclosure schemes as well as problems and costs related to such disclosures. Testimony to the Council was provided on June 29, 2010 and August 31, 2010 by thirteen witnesses, and the Council considered all written statements that it received. In addition, Council members engaged in independent research; their relevant findings are included in this report.
The Council elected to narrow its consideration to three issues: audit and auditor quality, limited scope audits, and the audit and financial reporting requirements for 403(b) plans. After receiving initial testimony and other evidence, and after careful deliberations, the Council concluded that these three areas raise the most immediate concerns. Based on its discussions and debate concerning these issues, the Council submits ten recommendations to the Secretary of Labor for consideration.
A. Recommendations on Audit Quality
B. Recommendations on Limited Scope Audits
C. Recommendations on 403(b) Audit Requirements
The Department should provide administrators of 403(b) plans with an additional year to file their 2009 Form 5500 or other annual report.
D. General Recommendations
The Department should form a task force with the AICPA and other stakeholders it deems appropriate to study ERISA's auditing and financial reporting models and requirements as they currently exist and to revisit them from time to time.
Audits are an important part of ERISA's financial reporting structure, yet their requirements, purpose, and benefits are often misunderstood. Audits offer comfort that a plan's financial statements have been subject to an annual independent examination, and that the plan's processes and financial controls supporting the financial statements have been examined.
One requirement in ERISA that appears to be widely misunderstood is the requirement to engage auditors on behalf of plan participants. ERISA § 103(a)(3)(A) provides that administrators must engage an independent qualified public accountant "on behalf of all plan participants." Despite this express requirement, one witness who generally represents employers testified that he believes the audit is obtained for the benefit of employers, not plan participants.
ERISA requirements for plan audits should further the interests of plan participants and administrators. While plan participants generally do not directly use financial statements, the plan audit and reporting requirements help assure participants that there is a high likelihood that the plan financial statements accurately set forth the financial condition of the plan, and that participant records are appropriately maintained.
Another aspect of audits that seems widely misunderstood, or even widely unknown, is the importance of the auditor's evaluation of a plan's internal controls over financial reporting. Auditors do not merely reconcile financial statements. In addition to their many other audit tasks, auditors review internal controls to determine whether they provide adequate safeguards for plan participants. A simple example of one possible internal control that can be easily understood by lay persons would be a requirement to have two disinterested individuals approve all checks issued by the plan.
Effective internal controls can form the foundation of a safe and sound financial administration. A properly designed and consistently enforced system of operational and financial internal control would help a plan's fiduciaries safeguard the plan's resources, produce reliable financial reports, and comply with laws and regulations. Effective internal control also reduces the possibility of significant errors and irregularities and assists in their timely detection when they do occur. "Well-planned, properly structured auditing programs are essential to effective risk management and adequate internal control systems. Effective audit programs are also a critical defense against fraud and provide vital information about the effectiveness of internal control systems." Thus, to secure a plan's financial condition, it is important for a plan to have adequate internal controls and to have qualified auditors monitor those internal controls. In other laws, such as Sarbanes-Oxley Act of 2002, Congress has emphasized the importance of internal controls for any system of financial accounting and auditing.
B. Statutory Background
ERISA §§ 103(a)(1)(A) and 104(a)(1) require the administrator of an employee benefit plan subject to Part 1 of Title I of ERISA to file an annual report with the Secretary of Labor. Under 29 C.F.R. § 2520.103-1, the annual report is generally required to include a Form 5500, Annual Return/Report of Employee Benefit Plan (hereafter, "Form 5500") and any statements and schedules required to be attached to the Form 5500.
ERISA § 103(a)(3)(A) requires a plan administrator to engage, on behalf of all plan participants, an independent qualified public accountant ("IQPA") to conduct an examination of the plan's financial statements. Under ERISA § 103(a)(3)(D), any person who under state law is a licensed or certified public accountant is eligible to be a "qualified public accountant" for this purpose. The examination is to be conducted in accordance with Generally Accepted Accounting Standards ("GAAS"). The IQPA is to form an opinion on whether the financial statements are presented in accordance with Generally Accepted Accounting Principles ("GAAP"). Under the authority of ERISA §§ 103(a)(3)(A) and 104(a)(2)(A), the Department of Labor has generally waived the audit requirement for qualifying plans that have fewer than 100 participants at the beginning of the plan year. See 29 C.F.R. § 2520.104-46. ERISA § 109 prohibits the Department from requiring that the financial statement and opinion prepared by the IQPA be submitted on a prescribed form. The opinion prepared by the IQPA is to be made a part of the annual report.
In addition, for qualifying plans, ERISA § 103(a)(3)(C) provides an option for a limited-scope audit under which the auditor, generally, need not audit investment information certified by certain banks or insurance carriers. The regulations at 29 C.F.R. § 2520.103-8 implement the limited-scope audit requirements.
ERISA § 103(b) requires the annual report to include certain financial statements of the plan. Generally, much of the plan's financial information is included with the Form 5500. In addition, plans generally must file audited financial statements with the Form 5500. Qualifying plans with fewer than 100 participants generally are exempt from the requirement to attach audited financial statements to the Form 5500. Under ERISA § 103(c)(5), the Secretary of Labor may require the administrator to include as part of the annual report such financial and actuarial information as the Secretary may find necessary or appropriate.
Title III of ERISA, at ERISA § 3004, requires the Secretary of Treasury and the Secretary of Labor to consult when they are required to carry out provisions related to the same subject matter. Internal Revenue Code ("I.R.C.") § 6058 requires administrators of I.R.C. § 401(a) qualified plans to file an annual return stating such information as the Secretary of Treasury may prescribe by regulations with respect to the qualification, financial condition, and operations of the plan. The Form 5500 is the appropriate form for filing such return. See Treas. Reg. § 301.6058-1(a)(1). I.R.C. § 6652(e) imposes a penalty equal to $25 per day, up to $15,000, for a failure to file an annual report under I.R.C. § 6058 on the date and in the manner prescribed therefor, unless it is shown that such failure is due to reasonable cause. I.R.C. § 6058(f) cross-references ERISA § 3004.
The Secretary of Labor may, under ERISA § 505 but subject to Title III and § 109 of ERISA, prescribe such regulations as the Secretary finds necessary or appropriate to carry out the provisions of Title I of ERISA. ERISA § 505 expressly provides that such regulations may define accounting, technical and trade terms used in such provisions; may prescribe forms (subject to ERISA § 109); may provide for the keeping of books and records; and may provide for the inspection of such books and records (subject to ERISA § 504(a) and (b)).
If the Department of Labor finds that the annual report is incomplete or if there is a material qualification by the IQPA in the audit opinion, then it may reject the annual report pursuant to ERISA § 104(a)(4). As relevant here, under ERISA § 104(a)(5), if the plan administrator fails to file a satisfactory report within 45 days after such rejection, the Secretary may, if she deems it in the best interest of participants, (1) retain an IQPA on behalf of the participants to perform the audit, (2) bring a civil action for such legal or equitable relief as may be appropriate to enforce the provisions of Part 1 of Title I of ERISA, or (3) take any other action authorized by Title I of ERISA. The plan is liable to the Secretary for the expenses of such audit, and the Secretary may bring an action to recover such expenses.
C. Legislative History
ERISA's legislative history provides little insight into what Congress may have intended with ERISA's audit requirements. Some of the legislative history merely recites the requirement that plan administrators file annual reports together with an audited opinion. See H.R. Rep. 93-533, 1974 U.S.C.C.A.N. 4,639, 4,657 (Oct. 2, 1973). Other reports explain how the audit requirement changed prior law.
Before Congress passed ERISA, it had adopted the Welfare and Pension Plans Disclosure Act of 1959 ("WPPDA"). The purpose of the WPPDA was to provide employees with the opportunity to obtain information regarding plans so that they could monitor their plans to prevent mismanagement and abuse of plan funds. ERISA's goals were much broader than the WPPDA and focused on protecting the interests of participants and their beneficiaries in employee benefit plans as well as providing financial information about plans to participants and beneficiaries, the Department of Labor, and other agencies. Throughout their consideration of ERISA, the House and the Senate each recognized the shortcomings of the WPPDA and the importance of providing information to plan participants:
The Senate Labor and Public Welfare Committee considered the addition of the audit requirement to be one of the "most significant changes" to the reporting and disclosure requirements of the WPPDA. In explaining the audit requirement further, that Committee stated:
H.R. Conf. Rep. 93-1280 provides the following explanation for ERISA's audit requirements:
The statutory language and the legislative history reinforce the conclusion that a primary purpose of the audit requirement is to protect plan participants. But such protection presupposes an auditor and audit of adequate quality. Yet, the DOL's authority over employee benefit plans audits is very circumscribed. Moreover, the DOL has almost no authority, if any, over employee benefit plan auditors. Nonetheless, the DOL remains the primary overseer of audits and auditor quality in ERISA's reticulated regulatory regime. Based on the foregoing, the Council believes that audit and auditor quality raise the most significant issues in this area of study. Thus, the Council turns first to the issue of quality.
A. Audit and Auditor Quality
1. Background. The Council heard that there are significant problems with audit quality, auditor quality, or both. It appears that the problems are not lack of adequate codification of practices, but rather a failure by auditors to understand or follow established practices and requirements. Retirement benefit plan financial statements and records are very different from those of public companies. Auditing them requires knowledge of how plans operate and their applicable, particularized rules. The DOL's narrow ability to regulate or police quality issues contrasts sharply with regulatory authority given other agencies over audit practices, such as that vested in the Securities and Exchange Commission ("SEC"), as discussed below.
In 2004, the DOL's sample of audits found 30% of them to be defective. Ian Dingwall, Chief Accountant for the OCA, testified that four problem areas lead to most audit failures. Significantly, the DOL found that smaller firms that perform only a few audits are more likely to do poorly. The reasons they do poorly are due mostly to:
2. Guidance Issued by AICPA; Employee Benefit Plan Audit Quality Center. For professional practices that entail a variety of underlying technical issues, it is possible for there to be different causes of quality problems. In some situations, quality problems arise if there is not adequate professional guidance. This does not appear to be the case with ERISA plan audits. The AICPA's Auditing and Accounting Guide, Employee Benefit Plans, March, 2010 provides guidance on how audits for employee benefit plans are to be conducted. The guide was originally issued in 1991 and is periodically updated. In addition, the AICPA maintains an Employee Benefit Plan Audit Quality Center ("EBPAQC"), a voluntary membership division of auditors and firms dedicated to improving and maintaining the overall quality of employee benefit plan audits. Because a lack of guidance does not appear to be an issue, the Council believes that auditor training and a failure to allocated adequate auditor/firm resources are leading causes. It was alleged that in some firms, benefit plan audits are viewed as less significant engagements (i.e., often assigned to the most junior, least experienced staff).
Peer review programs enhance the oversight of quality in professional practices, but no State Board of Accountancy requires employee benefit plan peer reviews as a condition to obtaining or maintaining a license to practice accounting. The AICPA - a voluntary membership organization - requires auditors to undergo peer review every three years, but those reviews are not specific to employee benefit plans. Rather, the accounting peer review systems of the states and the AICPA generally only require a review of a representative cross section of an auditor's practice. Thus, if an auditing firm performs employee benefit plan audits and other types of audits, there is generally no requirement for that firm's employee benefit plan audits to be subjected to a peer review. Despite this lack of quality control for employee benefit plan audits by the states, any person who is a licensed or certified public accountant under state law is authorized to conduct plan audits.
The EBPAQC has many membership requirements that are designed to improve the quality of plan audits, including peer reviews and workpaper inspection programs that focus on employee benefit plan audits. Specifically, to be a member of the EBPAQC, an auditing firm must:
Membership in the EBPAQC, however, is only voluntary. Notwithstanding the importance of audits, nothing in ERISA establishes standards similar to those required by the Audit Quality Center. Although auditors from firms who are members of EBPAQC are more likely to perform proper audits, only about 20% of the firms auditing benefit plans are members of the EBPAQC.
The Council recommendations seek to capitalize on the existing structure of the EBPAQC, and to encourage auditors to take advantage of the EBPAQC resources. Recommendations seek to discourage the selection of auditors who do not have adequate experience or knowledge. Specifically, the Council recommends that plan administrators identify on the Form 5500 whether or not the plan auditor/IQPA is a member of the EBPAQC, to encourage administrators to focus on the special requirements that apply to employee benefit plan audits. Such a requirement may also encourage plan administrators to be aware of the structure that exists for educating auditors on employee benefit plans and provide some protection to the administrator or trustee who chooses an auditor who participates in the AICPA's quality program (the EBPAQC).
To further encourage the resort to audit quality mechanisms by both plan sponsors and auditors, the DOL should establish a safe harbor for initial plan auditor selection, if the auditor is a member of the AICPA EBPAQC.
3. Testimony by the SEC and PCAOB on Auditor Quality. Paul Beswick, Deputy Chief Accountant for Office of the Chief Accountant of the SEC, and Michael Stevenson, Public Company Accounting Oversight Board ("PCAOB"), testified before the Council. The SEC and PCAOB provide federal government oversight on matters related to audits for publicly-traded corporations. In addition, generally, an employee benefit plan that allows employees to invest their salary reduction contributions in company stock must register under the Securities Act of 1933 and file an annual report under the Securities Exchange Act of 1934 with the SEC. For the twelve-month period preceding Mr. Beswick's testimony, approximately 2,000 plans filed an annual report with the SEC.
Mr. Beswick testified that "[c]onfidence in the reliability of audited financial statements depends upon the public perception of the outside auditor as a competent and independent professional." Mr. Beswick stated that for this reason the SEC "imposes strict standards of conduct on auditors who practice before the [SEC]." Mr. Beswick elaborated on those standards in his testimony. Mr. Beswick mentioned further that auditors are subject to oversight by the PCAOB, and then asked Michael Stevenson to testify on the role of the PCAOB.
Mr. Stevenson noted that prior to the Sarbanes-Oxley Act of 2002 ("SOX"), auditing standards for publicly-traded companies were established by the accounting profession and audit quality was monitored through peer reviews. This regime appears to have been less than adequate, and arguably led to auditing failures at Enron, WorldCom, and other companies. In response to those audit failures, Congress passed SOX. In doing so, Congress replaced the accounting profession's self-regulation with an independent accounting oversight board: the PCAOB. In contrast, with respect to employee benefit plans, auditor quality remains subject to self-regulation in a manner that is comparable to the pre-SOX self-regulation of public company auditors.
Under SOX, an accounting firm generally cannot audit a publicly-traded company, a broker, or a dealer without first registering with the PCAOB. Once registered, the firm is generally subject to auditing and related professional practice standards established by the PCAOB. Such firms are also subject to PCAOB inspection, and may be sanctioned by the PCAOB for failing to adhere to required standards. Registration is not automatic; before approving an applicant's request for registration, the PCAOB takes into account (1) whether the applicant has the appropriate professional license, (2) the applicant's disciplinary history, and (3) any indications of possible, pre-registration violations of the registration requirements of SOX. Mr. Stevens testified that generally the PCAOB does not test the applicant's substantive knowledge as a condition to registration, and does not require an applicant to have prior experience auditing publicly-traded corporations, brokers, or dealers. Once an auditor is registered, it is subject to the PCAOB's continuing education requirements, standards, inspections, and potential sanctions, which may include permanently revoking the firm's registration and permanently restraining principals of the firm from being associated with a registered firm.
4. DOL Enforcement of Auditor Quality. The DOL also discussed problems it faces when attempting to enforce auditor quality. Auditors are licensed by the states. The AICPA provides guidance on approved practice for audits, but it is a voluntary membership organization. Not all auditors licensed by the states are members of the AICPA. The DOL has no authority to discipline or sanction auditors. The DOL works cooperatively with the AICPA and state authorities to report problem audits, but there is no assurance that this will prevent or obviate further issues with the auditor or remedy a defective audit. Moreover, states are not compelled to take action when the DOL reports problems with an auditor. The DOL can, generally, impose a penalty on the plan administrator for the auditor's failure to comply with GAAS. One of the Council's general recommendations is that the DOL establish a Task Force to work with the AICPA and other stakeholders on audit matters, and a second general recommendation urges the DOL to engage in a study of quality and promotion of quality.
Although measures to improve the quality of audits and employee benefit plan auditors should enhance participant protections, an audit completed by a qualified auditor in accordance with professional guidelines will not address all of the issues that may be critical to participants. As discussed in the next section, limited scope audits raise issues beyond quality, or that compound quality issues, and go to the nature of the audit itself.
B. Limited Scope Audits
1. Background. ERISA generally requires every plan with more than 100 participants to obtain an audit of the plan's financial statements each year. ERISA § 103(a)(3)(C) permits the plan administrator to exclude from the audit any plan assets held by a bank or similar institution or insurance carrier regulated by a state or federal agency. Based on the statute's legislative history, the Council understands that ERISA contains this exclusion because Congress presumed that assets held by such institutions were already subject to a governmental audit and regulation and therefore at less risk. It also appears that at the time of ERISA's enactment in 1974, retirement plan assets were often held under insurance contracts or in trusts. Custodian banks or trust companies held assets and provided an independent valuation of asset values. Most investments had readily ascertainable market values. Witnesses recounted that since 1974, the investment landscape has changed dramatically. Alternative asset classes and hard to value assets have exploded and hold a significant allocation in many plan portfolios. In short, the context in which the limited scope exemption was adopted no longer exists.
The limited scope audit allows plan administrators to instruct the auditor not to perform any auditing procedures with respect to investment information prepared and certified by a bank or similar institution or by an insurance carrier that is regulated, supervised, and subject to periodic examination by a state or federal agency and that holds plan assets. Proper certifications must address both the accuracy and the completeness of the information submitted. This audit exemption does not apply to information about investments held by a broker or dealer. It does not extend to participant data, contributions, benefit payments, or other information, whether or not such information is certified by the trustee or custodian. Thus, other than on the certified investment information, the auditor must perform GAAS audit procedures on the remainder of the plan's assets and financial statements. The auditor, however, does not perform the normal procedures designed to provide certain basic assurances about the existence, ownership, and value of a plan's assets held by the certifying entity. The resulting lack of audit work can result in an auditor disclaiming an opinion on the financial statements.
2. Differences Between Limited Scope and Full Scope Audits. Concerns were raised that limited scope audits were not well understood by some users, and maybe by some auditors, and that they might be employed in inappropriate situations. These concerns and others, prompted this study and its recommendations. Potential misunderstandings relate to:
The differences between a full scope audit and a limited scope audit may not be readily apparent to a layperson. To illustrate certain, but by no means all, aspects of those differences, the Council developed the following table:
3. The Limited Scope Audit Should Not Be Repealed. The Council concluded that the limited scope audit should not be repealed, but the quality of the limited scope audits and the required certifications should be reinforced and strengthened. Some witnesses and some Council members noted that, in theory, participants could be harmed by incorrect values reported in limited scope certifications for hard to value assets. For example, a participant who receives a distribution from an individual account plan would have that distribution valued based on the valuation reported in the limited scope certification. If that valuation is too high because fair value was not properly reflected in accordance with GAAP, then the participant would receive an amount that exceeds the actual fair value of the participant's account. And assuming that the hard to value asset is not liquidated in order to make the distribution, the actual distribution of cash would come from the plan's other, liquid investments. If that valuation is later corrected, either upon liquidation of the hard to value asset or pursuant to a correction done in order to comply with GAAP, then the remaining plan participants could be harmed (absent some sort of remedy, such as a fiduciary's corrective contribution). Similarly, if the valuation is too low, then the participant who receives the distribution could be harmed, thus improperly benefitting the remaining participants. However, the consensus of the Council that the limited scope audit should not be repealed is supported by the Council's conclusion that the certification process and the performance of the limited scope audit are not proximate causes of incorrect or improper valuations of hard to value assets.
The primary rationale for the Council's conclusion that the limited scope audit should not be repealed was a deficiency of specific material evidence of participant harm caused by limited scope audits and the concern for possible increased costs that could result from a full scope audit. Although the AICPA witnesses testified that plans with little or no hard to value assets might see only minimal increased costs, most Council members expressed concern over any cost increase, however minor. Witnesses testified that often plan assets are used to pay for the expense of an audit. In such a case, at least in an individual account plan, the increased cost of a full scope audit would reduce participant benefits. Moreover, if the plan sponsor pays for the cost of the audit, any increase to audit costs could prompt the sponsor to consider shifting those costs to the participants. The Council concluded therefore that the advantages of a full scope audit over a limited scope audit, if any, would not outweigh the added cost.
The limited scope exception has been called into question several times since ERISA's enactment. The Council heard testimony both supporting and opposing repeal of limited scope audits and acknowledged in the record that many entities have recommended repeal. Organizations or agencies that have advocated the repeal include, but are not necessarily limited to, the AICPA, the Office of the Inspector General for the Department of Labor, and the General Accounting Office. The Office of the Chief Accountant has found problems with limited scope audits, including misuse of limited scope audits and misunderstanding of limited scope requirements. Legislative attempts at repeal have failed in Congress. In addition to recommendations and repeal efforts, the SEC does not accept limited scope audits for plans required to file an annual report with the SEC. Mr. Beswick agreed that a "limited scope audit provides less assurance than a full scope audit," but he admitted that "no audit provides absolute assurance." He noted, however, that in "a full scope audit, the independent auditor obtains an understanding of the processes and internal controls related to investments, performs tests and other procedures, and thereby forms a sound basis for a professional opinion."
In contrast to the proponents of the repeal of limited scope audits, the Profit Sharing Council of America -- representing the employer plan sponsor community -- and trust company and insurance company witnesses -- representing certifying entities -- strongly opposed repeal. Moreover, a group of eight industry and trade organizations wrote to the Council opposing repeal. Comments from that letter include the following:
"As you are aware, the limited scope audit allows an auditor to forego the audit of investment information certified by certain banks or insurance companies. Because banks and insurance companies are heavily regulated, the auditing of certified information is not only redundant but also adds unnecessary costs for plan sponsors with no added protection for plan participants.
Reconsideration of the limited scope audit rules seems to be addressing a problem that does not exist. To our knowledge, the use of limited scope audits has not led to fiduciary breaches or created situations that have left participants vulnerable."
The Council in its questions of witnesses, research, and search for witnesses sought examples of the problems created by limited scope audits. Testimony from Stephen R. Sutten identified situations where entities that were not qualified might be certifying inappropriately, and situations where certifications may be applied to inappropriate assets. Peggy A. Bradley of the Northern Trust Company offered that valuation issues might hold up plan distributions, but she did not believe the limited scope audit was the principle cause of the valuation problem. Despite problems with auditors and administrators misunderstanding the requirements of limited scope audits and their possible misapplication, the Council was unable to identify material evidence or even specific allegations that any participants had been harmed by the limited scope audit provisions, other than possibly in rare and unusual circumstances. Evidence on the scope of misunderstanding and the misuse of limited scope audits was also limited.
Proponents of the limited scope audit stress that repeal would increase audit costs and, in the case of DC plans, this cost may often be passed on to participants. Participant accounts would be reduced without adding value to the participants. It should be noted, however, that in testimony on behalf of the AICPA, Marilee Lau indicated that in most plans the difference in cost between a full scope audit and a limited scope audit would be minimal, unless the Plan invests in "hard to value" assets.
4. Only Properly Qualified Entities Should be Permitted to Certify Witnesses expressed concern about entities such as plan record keepers that issue limited scope certifications, but who in reality might not be the kinds of entities that should issue certifications. It is the obligation of an employee benefit plan administrator to determine whether the conditions for limiting the scope of an accountant's examination, as set forth in ERISA and DOL regulations, are satisfied. See 29 CFR 2520.103-5. In an information letter dated May 17, 2002, DOL guidance was sought in connection with fact patterns in which recordkeepers purported to issue certifications on behalf of custodians or other qualified issuers . The DOL cautioned administrators as follows:
The Council heard testimony that some entities, such as plan record keepers, certify investments even though they are not subject to a governmental audit, do not maintain a trust-based system of accounting, do not have personal knowledge of the investment information being certified, and are not subject to the enforcement or regulatory regime of the governmental audit requirements (and may not be explicitly authorized as contemplated in the above-referenced information letter). Thus, the internal controls of such entities are not necessarily subject to any audit. They may voluntarily submit their internal controls to audit, but such an audit is not mandatory, not performed under the oversight of a governmental regulatory body as envisioned in the limited scope regulations and legislative history, and not subject to any disclosure requirements. Council members raised concerns about such issues and therefore voted to recommend that the DOL clarify the kinds of entities that are qualified to issue certifications under existing regulations and guidance and reiterate that only qualified entities may issue certifications. Under ERISA's legislative history, it would appear that only those entities that are subject to a robust regulatory audit regime should be permitted to certify investments, but not their agents unless the agent itself is also subject to similar strictures that require an audit of the agent's internal controls and related disclosures.
To illustrate, the Office of the Comptroller of the Currency ("OCC"), an agency of the Department of the Treasury, regulates federally-chartered banks and trust companies. Many state laws enacted to regulate state-chartered banks have adopted the OCC rules. The OCC regulations require trust departments of banks and trust companies to perform an internal audit of the trust department. The OCC itself reviews such banks' internal controls and their internal and external audits. Such banks properly hold assets that would be subject to the limited scope audit exemption. But the OCC's authority generally does not extend to a plan's recordkeeper and such a recordkeeper, if is not itself subject to appropriate regulatory oversight should not act as a certifying entity.
5. The Certification Should Include a Disclaimer on Investment Values. Among the matters discussed with regard to limited scope audits were the challenges raised by hard to value assets. Witnesses repeatedly testified that the duty to value assets is not obviated by a limited scope audit. As noted above, when the limited scope exception was adopted in 1974, hard to value assets were relatively rare. As Kerry White of BNY Mellon and Peggy A. Bradley of Northern Trust testified, there has been an extraordinary proliferation of hard to value assets and alternative asset classes, which some commentators and Council members note play an important role in diversifying investment portfolios and risk.
Ms. White and Ms. Bradley stressed, however, that the same challenges with regard to hard to value assets are raised regardless of whether there is a limited or full scope audit. The Council addressed hard to value asset valuation issues in its 2008 Report on Hard to Value Assets, and chose not to revisit those issues. The Council also recommends the consideration of that report to the Secretary and the interested public on the limited scope issues regarding these types of assets.
The Council concluded that in order to reinforce the special circumstances related to hard to value assets, the DOL should require that the certification be attached to the Form 5500. In addition, the Department should enhance the text of the certification to include a disclaimer that investment values may not have been subject to independent verification of fair value. Changes in the certification will remind plan sponsors and administrators of their obligation under existing law to ensure that all assets are properly valued at fair value pursuant to ERISA, and will serve to remind auditors performing a limited scope audit to ensure that plan management has fulfilled that responsibility. Attaching the certification to the Form 5500 will make it accessible to the DOL and participants, and reinforce to plan sponsors and administrators how important it is for them to understand the certification and the certification process.
6. The DOL Should Engage in Outreach Efforts. DOL could implement this recommendation in some relatively simple ways. For example, the Department's Employee Benefits Security Administration ("EBSA") presents seminars and webinars to assist employers, pension plan administrators and other benefit professionals in complying with federal employee benefits law. One example is its "Getting it Right" seminars. A special program on limited scope could be created. The Department could publicize its existing formal and informal guidance on the topic. It could revise the publication Selecting An Auditor for Your Employee Benefit Plan to include a discussion of limited scope audit engagements (this publication has a section titled, "What you Should Know about the Audit").
C. 403(b) Plans
1. Background. A 403(b) plan is, generally, a tax-deferred annuity program established under I.R.C. § 403(b). It is a common form of retirement plan for employees of public schools, employees of certain tax-exempt organizations, and certain ministers. Under a 403(b) plan, employers may purchase annuity contracts, or establish custodial accounts invested only in mutual funds, for the purpose of providing retirement income for eligible employees. Annuity contracts must be purchased from a state licensed insurance company, and the custodial accounts must be held by a custodian bank or Internal Revenue Service approved non-bank trustee or custodian. The annuity contracts and custodial accounts may be funded by employee salary deferrals, employer contributions, or both. Although not subject to the qualification requirements of I.R.C. § 401, many requirements that apply to qualified plans also apply to 403(b) plans. Subject to certain exceptions for church plans that were in existence on September 3, 1982, a 403(b) plan must be a defined contribution plan.
Historically, most employers treated their 403(b) plans as a collection of individual contracts between the employees and the tax-deferred annuity providers. The employer's involvement was minimal, and often limited to allowing annuity providers to promote their products at the worksite and coordinating salary deferrals. In certain circumstances, employees could transfer money between 403(b) vendors without employer knowledge or consent.
For tax purposes, before 2007, 403(b) plans were governed by various guidance issued by the IRS as far back as 1964. Under ERISA, because historically most 403(b) plans looked less like an employer-provided plan and more like a collection of individual contracts, and because 403(b) plan investments were generally limited to state-regulated insurance contracts and registered mutual funds, the DOL required administrators of 403(b) plans to comply with only limited reporting requirements. For example, 403(b) plans were only required to complete Part I, and lines 1-5 and 8 of Part II, of the 2008 Form 5500. Moreover, 403(b) plan administrators were not required to engage an IQPA to audit the plan, include an audit with the Form 5500, or attach any schedules to the Form 5500.
2. New Form 5500 and Audit Requirements Cause Substantial Hardships to 403(b) Plan Sponsors. In 2007, both the IRS and the DOL issued final regulations governing 403(b) plans. As relevant here, the DOL's final regulations required, for the first time and generally effective for plan years beginning on or after January 1, 2009, that administrators of large 403(b) plans (e.g., more than 100 participants) hire an IQPA to audit the plan and include the audit with the plan's annual report.
Administrators for small 403(b) plans are not required to obtain an audit, and may generally use the Form 5500-SF (Short Form 5500). Small plans must, however, report aggregate financial information regarding the plan.
Witnesses testified that the new audit requirements could result in a significant hardship for 403(b) plan sponsors. For example, if only a few employees actually participate in the 403(b) plan, under current guidance, the administrator may still be required to obtain an audit. The instructions to the Form 5500 state that the administrator must use the number of participants required to be entered on line 5 of the Form 5500 to determine whether the plan is subject to the audit requirement. The instructions to line 5 of the Form 5500 define participant to include "any individuals who are currently in employment covered by the plan and who are earning or retaining credited service under the plan."
Due to the "universal availability" rule in the Internal Revenue Code, the Form 5500 instructions generally require most 403(b) sponsors who have over 100 employees to obtain an audit, even if only one employee voluntarily elects to participate. Under the universal availability rule, if one employee is allowed to make a salary reduction contribution to a 403(b), then all employees of the employer must be permitted to make such a contribution. The universal availability rule, when combined with the Form 5500 instructions, requires many 403(b) plan sponsors to obtain a costly audit even if only a few employees actually participate in the plan.
Moreover, in many cases only a few employees voluntarily elect to participate in the 403(b) plan. Thus, even employers that have over 100 employees may have as few as 15 or 20 employees that have an accrued benefit under the 403(b) plan. The Council heard that the audit of such plans could nevertheless cost up to $15,000 or more. Obviously, it is difficult for an employer to justify to employees that almost $1,000 worth of audit expenses must be allocated to each employee's account. But at the same time, a charitable 403(b) plan sponsor may not have the funds needed to pay for the audit. One witness testified that there is a very real possibility that her company may terminate its 403(b) plan solely due to the increased costs resulting from the audit.
One possible solution to this problem would be for the DOL to modify the Form 5500 instructions to provide that 403(b) plans, for purposes of determining whether the plan is a large plan subject to the audit requirement, need not count employees who are eligible to participate in the plan under the universal availability rule but who do not have any benefits under the plan (i.e., no account balance). The regulations that define "participant" for purposes of determining whether a plan is a large plan subject to the audit requirement at 29 C.F.R. § 2510.3-3(d)-1 are susceptible to this interpretation. Moreover, the universal availability rule differs from the non-discrimination and employee communication rules that apply to 401(k) plans because the universal availability rule increases the likelihood of participation by requiring that employees have an "effective opportunity" to participate. To satisfy this requirement, it is not enough for the plan merely to provide that all employees are eligible. Instead, generally, the employer must communicate the availability to all employees without waiting for the employees to ask, and must allow employees to change their elections at least once a year. The effective opportunity requirement makes it more likely that employees who will make an informed decision not to participate, and make it less likely that 403(b) plan sponsors will conceal the plan's availability given a sponsor's desire to avoid the audit requirement. The Council did not, however, decide to recommend that the Secretary modify the Form 5500 instructions in this fashion.
3. Only Group Annuities Should be Audited. The new 5500 (and related audit) requirements effective in 2009 impose very difficult obligations on employers and auditors, do not fit the historical management and structure of 403(b) plans, and will lead to substantial costs for employers without giving value to participants. The Council has made recommendations to lengthen and ease the transition and to modify the requirements going forward to better recognize the diversity and nature of these plans.
For calendar year plans, these filings were due in the Fall of 2010. Some 403(b) plans and related parties expressed serious concerns about the difficulty and cost of identifying and obtaining financial information on contracts and custodial accounts to which contributions have not been made since 2008 (pre-2009 contracts).
The DOL, the AICPA and 403(b) plan specialists all confirmed that there are problems with 403(b) plans and audits, and they relate to the nature of the sponsors, plan structure and records. In some plans with older individual contracts, it is very costly to try to compile plan records and, in some cases, it may be impossible. Similarly, audits of such plans can be extremely costly due to the absence of unified plan records. Testimony was offered that many of the nonprofit and educational employers lack the resources to engage auditors and meet reporting requirements. Other witnesses asserted that audits serve no purpose in protecting plan participants where they hold individual contracts and where the employer has played no role in supporting the arrangement, other than payroll deduction. Employers add value to 401(k) plans by establishing a plan design, selecting and monitoring providers and investment options prudently, maintaining appropriate records, and providing plan oversight. Where individual contracts are used and the participant selects them as in 403(b) arrangements, there is no such value and imposing an audit requirement is expensive. Some witnesses assert that the cost of audits and the audit requirement itself will lead to the termination of many smaller 403(b) plans. The DOL and the IRS had previously granted some relief to help deal with these issues. Witnesses testified that the relief was inadequate and that there was not adequate time to transition to ERISA requirements. This is characterized as an immediate "crisis" for some plan sponsors because many filings are already due. Plans that cannot meet the requirements are subject to civil penalties and other consequences.
The Department issued DOL Field Assistance Bulletin (FAB) 2009-02, Annual Reporting Requirements for 403(b) Plans, and FAB 2010-01, Annual Reporting and ERISA Coverage for 403(b) Plans, to provide enforcement relief for plan administrators "that make good faith efforts to transition for the 2009 plan year to ERISA's generally applicable annual reporting requirements." DOL FAB 2009-02 allows the plan administrator to exclude certain pre-January 1, 2009 annuity contracts and custodial accounts for ERISA reporting purposes.
The AICPA testified that auditors cannot legally disregard incomplete financial statements because ERISA requires the audit reports to identify whether the financial statements are prepared in accordance with GAAP. Therefore if the plan administrator elects to exclude some or all of those contracts or accounts meeting the conditions of DOL FAB 2009-02 from the plan's financial statements or instructs the auditor not to perform procedures on certain or all pre-2009 contracts, or both, the auditor will need to consider the effect of the exclusions on the completeness of the GAAP financial statements of the plan, and consider the issuance of either a qualified opinion or a disclaimer of opinion, both subjecting the Form 5500 to rejection for failing to include an unqualified accountant's report. The auditor/IQPA issues a disclaimer of opinion when the auditor concludes that there is a significant limitation on the scope of the audit. In this case, the auditor is not expressing an opinion on the overall fairness of the financial statement. A disclaimer of opinion lacks independent assurance as whether the 403(b) plan's financial statements are fairly presented.
Interested parties had asked the DOL for an extension of filing requirements, and relief from penalties for late or incomplete filing. Given, the looming mid-October deadline for filing the 5500's and because the Council had resolved to make a recommendation directly relevant to the requests, the Council Chair and Vice Chair sent a letter on September 24 to Assistant Secretary Borzi. The letter advised that the Council has resolved to recommend that the DOL should provide administrators of 403(b) plans with an additional year to file their 2009 Form 5500 or other annual report.
Deputy Assistant Secretary Alan D. Lebowitz responded to the Council in a letter dated October 22, 2010 stating that EBSA did not believe that a general one year delay of the annual reporting and auditing requirements would be appropriate, and providing reasons for its beliefs, including among other things that approximately 15,900 filers out of about 16,100 had filed. Notwithstanding this action, the Council has left its recommendations and discussion in this report to inform the Department's future consideration. Another Council recommendation in this report that the DOL form a task force with the AICPA and other stakeholders to study ERISA's auditing and financial reporting models and requirements could include evaulating new models for auditing 403(b) plans.
The Council's two recommendations echo those made by others. First, the DOL should extend short term relief to provide additional time for 403(b) plans to comply with audit and reporting requirement. For the long term, there should be generalized relief for plans in which individual employees elect custodial accounts or individual annuity contracts. These plans should be exempt from audit requirements. Further, the Council noted that some 403(b) plans contain both group annuity contracts and individual contracts. For plans containing individual custodial contracts and/or individual annuity contracts and group annuity contracts, only the group annuity contracts would be subject to the audit requirements.
One additional closing note on this topic bears mentioning. At the presentation of the draft report to the Secretary on November 4, 2010, the Council was asked whether or not 403(b) plan participants had adequate protections under the law. This excellent question, which goes to the heart of the purpose of audits, participant protection, is not addressed in this portion of the report. This section focused only on the burdens imposed on plans and plans sponsors. Should the Department give further consideration to the 403(b) recommendations, it should consider what potential harms, if any, are addressed by audit and reporting requirements in relation to 403(b) participants. A future Council might also specifically explore the extent of protections afforded 403(b) participants under current law.
The Council's modest efforts herein in no way minimize the critical importance of audits and financial reporting to protecting participants and beneficiaries. No isolated study or single report can address the myriad of issues that audits and financial reporting present in a rapidly evolving world. In the thirty-six years since ERISA's passage, the nature of plans has changed dramatically, notably the shift from defined benefit to defined contribution plans. Different kinds of welfare plans have proliferated. The investment world has offered and will continue to offer different types of assets. For all of these reasons and more, the Council recommends that the DOL establish an ongoing task force with the AICPA and other stakeholders its deems appropriate to continuously explore ERISA's audit and financial reporting requirements, including but not limited to issues related to limited scope audits and 403(b) plans. The task force should also explore ways to strengthen the auditor community. Finally, the Department should engage in ongoing efforts to promote audit and auditor quality.
The Council again expresses its appreciation to the Department and all of the persons and entities whose time and effort contributed to this report. The Council respectfully commends its recommendations to the Secretary which will bolster her efforts to promote and protect benefit plan security for participants and beneficiaries. Beyond the utility of the recommendations, the Council hopes that its exploration of the some of the myriad issues related to plan audits and financial reporting will be of interest to practitioners and stakeholders.
Council members prepared the following summaries. If a witness submitted a written statement, it can be found at www.dol.gov/ebsa/aboutebsa/erisa_advisory_council.html.
Ian Dingwall, EBSA, Office of the Chief Accountant (OCA)
OCA is concerned with annual reporting and auditing of employee benefit plans, including enforcement activities related to plans whose audits are deficient. The OCA can also conduct investigations and coordinates with the IRS and PBGC. OCA is involved in ongoing assessments of plan audit quality, and the most recent review of quality indicated that 30% of audits had some sort of a deficiency, although the seriousness of deficiencies was not identified.
Financial reporting and auditing are believed to enhance participant security. EBSA has worked with the AICPA over the years promoting audit quality and auditor standards. But neither organized can regulate the audit community or practice. Accountants are licensed by states. State requirements vary. Any licensed auditor may perform a plan audit, regardless of training or experience. Higher standards would be desirable but DOL has no authority to set them. AICPA, a voluntary membership organization, issues audit quality guidance and provides continuing education, but many auditors do not use these resources. AICPA has also established an employee benefit quality center it requires ERISA designated partner, quality control procedures, peer review, peer review report must be public. Fewer than 20% of firms belong to the quality center. From time to time, the DOL and AICPA refer deficient auditors to state licensing authorities.
Four characteristics of deficient auditors have been identified:
Certain problems are likely to cause audit failures. Smaller firms who do few audits are most likely to do poorly. In some firms, benefit plan audits are viewed as less important and performed by less experienced staff.
Plan administrators are held responsible for failure of complete and accurate financial reporting deficient filings are subject to rejection. Fines may be imposed. ERISA does not prescribe penalties against auditors who perform deficient audits.
Concerning 403(b) plans, many plan sponsor do not have all of the data for a complete audit. DOL has issued technical advice offering possible solutions to the problem of missing data. Because of data issue, many auditor refuse to issue an unqualified opinion.
EBSA has issued guidance about whether a limited scope audit is appropriate as it is the plan that must resolve whether a limited scope audit is permissible. In addition, plans always have an obligation to substantiate the fair value of investments. This obligation becomes more challenging as regards "alternative investments." Use of the limited scope does not obviate fair value requirements.
John "Joe" Canary, EBSA
Mr. Canary testified that EBSA is responsible for administering and interpreting reporting and fiduciary standards for defined benefit plans, individual account plans, and health and welfare plans. DOL works with IRS and PBGC to establish unified reporting on Form 5500, which is regularly updated. This is part of the overall reporting and disclosure framework, with the underlying goal of protecting rights and benefits. The Form 5500 is important for a variety of stakeholders. A key part of the Form 5500 is the requirement that it include an audit report by an IQPA. The IQPA must give an opinion that the financial statements presented are free from material misstatements and are represented fairly in accordance with GAAP. The DOL plays no role in setting the standards for an audit. The Department has no authority to set qualifications for IQPAs.
Mr. Canary noted the history of ERISA's audit requirements. ERISA covers a range of plan types, but the financial reporting model was enacted at a time when defined benefit plans and other funded plans predominated. Plan types has expanded greatly since 1974, including the 401(k) plan.
ERISA gives the DOL authority to exempt and allow simplified reporting for some plans; it also allows alternative methods of reporting if participants are protected. The DOL has exercised this authority from time to time. It has allowed conditional exceptions for example for "top-hat" plans and certain welfare plans, which are codified in the regulations. I.R.C. § 403(b) plans are now required to file a Form 5500 (since 2009). The DOL has issued transition relief via Field Assistant Bulletins. The accounting profession finds this relief problematic. Plan accountants may refuse to give a clean opinion because a compliant GAAS audit is not possible for organizations that are using these transition rules. Smaller not for profits are concerned about the cost of 403(b) audits. For 403(b) plans only, the accounting profession has requested an alternative to GAAS and GAAP.
Marilee Lau, AICPA, and Michele Weldon, Price Waterhouse Coopers, for AICPA
On behalf of AICPA, Ms. Lau and Ms. Weldon offered recommendation related to limited scope audits, 403(b) plans and audit quality.
Ms. Weldon and Ms. Lau noted that AICPA has supported the repeal of limited scope audits since 1978. They indicated that limited scope audits are estimated to account for 60 to 70% of audits performed each year. They offered several recommendations with supporting rationales in support repeal or modification of limited scope audits.
On 403(b) plans, their testimony supports modification of 403(b) requirements, in part because the information is not available to meet traditional audit requirements. The recommendations for 403(b) plans are:
The testimony noted 403(b) plans first became subject to audit requirements in November, 2007 for the 2009 plan year. Plans have been given transition relief. They are permitted to exclude certain pre-January 1, 2009 annuity contracts and custodial accounts. However auditors by law cannot disregard incomplete financial statements so there is a conflict between pension law and auditing statements. The recommendations provide a way to address this conflict.
On audit quality, the AICPA recommends:
AICPA recommends that the DOL should work collaboratively with EBPAQC to enhance the quality of financial statement audits of ERISA plans, and to develop strategies for improving audit quality. The Department should also continue to use the enforcement program of the AICPA's professional ethics division which has dedicated resources and the expertise necessary to evaluate and address performance issues. The ethics division will share its findings with the EBSA Office of Chief Accountant.
Paul Beswick, SEC Office of the Chief Accountant
Mr. Beswick is the Deputy Chief Accountant in the Office of the Chief Accountant for the SEC. He noted that some employee benefit plans are subject to reporting obligations with both the Department of Labor and the SEC. A plan that is required to file annual reports with the SEC generally does so by using Form 11K. Over the past 12 months, approximately 2,000 employee benefit plans have filed annual reports with the SEC.
Mr. Beswick stated that if a plan allows employees to invest their plan contributions in employer securities, the SEC requires the plan to register the offer and sale under the Securities Act and comply with the Exchange Act reporting obligations.
Mr. Beswick presented his views on a proposed split model audit whereby the bank certification for limited scope audits would be restricted to "easy to value" assets and hard to value assets would be subject to full scope audits. He said the costs of a split model audit, when compared to a full scope audit for all investments, would not be significant because the level of audit effort expended on testing investments that are actively traded in the marketplace is significantly less than the effort for those hard to value assets. He also said defining hard to value assets on a consistent basis may pose significant challenges. Finally, depending on the mix of investments, an auditor may conclude that it has to issue a qualified.
The SEC does not permit a plan administrator to avoid a full scope audit regardless of whether the plan administrator has obtained a certification of the completeness and accuracy of plan investments. The full scope audit provides additional assurance on the accuracy and fairness of the plan's investments and a level of assurance which investors rightly expect from financial statements filed with the Commission. Mr. Beswick believes this approach is consistent with the SEC's mandate for investor protection, particularly when credibility of financial information is so critical to investor confidence.
Mr. Beswick also discussed the SEC's regulatory environment with respect to auditors. The SEC imposes strict standards of conduct on auditors who practice before the Commission. Failure to comply with professional standards and the Commission's rules and other guidance can result in severe sanctions.
Michael Stevenson, Public Company Accounting Oversight Board (PCAOB)
Mr. Stevenson is the PCAOB Deputy General Counsel. He described the scope and nature of the PCAOB's statutory authority and how it exercises its authority to evaluate the competence and qualifications of auditors, and when necessary, to discipline those auditors. Under the Sarbanes-Oxley Act of 2002 ("SOX"), an accounting firm cannot engage in certain audit work without first being registered with the PCAOB. Once registered, any such work performed by the firm and its associated persons is governed by auditing and related professional practice standards set by the PCAOB subject to review and PCAOB inspection and could be the basis for sanctions imposed by the PCAOB.
Registration with the PCAOB is not automatic and the Board takes into account, among other things, whether an applicant is appropriately licensed, an applicant's disciplinary history and indications of possible pre-registration violations of SOX provisions.
The principal way in which the Board evaluates the competence of registered firms and their associated persons is through inspections. Since 2003, the PCAOB has conducted more than 1,300 inspections of registered firms. Those inspections are designed to identify and address weaknesses and deficiencies in how a firm conducts audits. Since 2003, PCAOB inspectors have reviewed aspects of more than 6,000 audits.
In addition to reviewing audit performance, SOX also provides that an inspection should include an evaluation of the sufficiency of a firm's quality control system. The quality control portion of an inspection includes review of such things as a firm's management structure and processes, a firm's practices for partner management, including allocation of partner resources and partner evaluation compensation, a firm's policies and procedures for considering and addressing the risks involved and accepting and retaining clients, a firm's processes related to using audit work of a firm's foreign affiliates on foreign operations audit clients, a firm's processes for monitoring its own audit quality, a firm's independence policies and procedures and a firm's policies and procedures on consultations. As required by SOX, the PCAOB prepares a written report of each inspection and transmits that report to the SEC and relevant state regulatory authorities.
SOX authorizes the PCAOB to investigate auditor conduct and where appropriate, to impose disciplinary or remedial sanctions on registered firms or associated persons for violations. The Board may impose sanctions, among other reasons, for failing to reasonably supervise another person who has committed a violation and for failing to cooperate with a PCAOB investigation. Disciplinary proceedings have resulted in sanctions ranging from censure to permanent revocation of a firm's registration. The PCAOB does not, however, convert every auditing failure identified by PCAOB inspectors in an inspection into a matter for investigation and possible discipline.
Mr. Sutten, an ERISA expert with more than 40 years of experience, prefaced his noted the changes in plan designs and administration since the passage of ERISA. Plan administration changes include but not limited to, new technology, bundled arrangements, and omnibus and real time accounting. While these developments have revolutionized the design, administration, and delivery of employee benefits, there has been little change in ERISA's reporting and disclosure rules which were developed for a different universe of plan designs. Sutten stressed that ERISA's limited scope exemption only applies to the investment information certified by the trustee or custodian. It does not extend to participant data, contributions, benefit payments, or other information whether or not it is certified by the trustee or custodian.
Sutten recalled that bankers and insurance companies originally lobbied for limited scope because their internal accounting systems were already subject to close periodic examination and regulation by federal and state regulators As a consequence, under the limited scope audit provision, auditors have no responsibility to understand or test the controls in place for the investment of plan assets in the internal trust and accounting systems maintained by banks and insurance companies since the systems that hold and account for the investment activity and generate transaction reporting are subject to thorough periodic examinations by federal and state agencies.
Sutten testified that in today's employee benefit universe, the controls on banks, trusts and insurance companies that were initially envisioned as protecting plans in a limited scope audit are not in place for many plans. Specifically, he testified that developments in the financial industry undercut the original purpose of the "limited scope audit" rules, and could potentially undermine the protections that ERISA intended to afford participants and beneficiaries in a plan audit by a qualified independent certified public accountant.
Sutten testified that financial and administrative service providers now provide bundled qualified plan services to defined contribution plans are also most likely to provide plan financial statements to the auditor prepared through the "omnibus accounting" methodology. Under this methodology, the preparation of the plan financial statements often no longer resides on systems maintained by a bank or insurance company. Instead, a participant allocation system residing in a non-bank third party administrator is utilized, along with an omnibus investment account also residing in a non-bank subsidiary, to prepare a plan's annual trust accounting.
According to Sutten, this new procedure draws on data contained in transaction journals as opposed to being "trust based" and subject to the internal reviews of each journal transaction through bank or insurance systems. Consequently, financial reports are based on the plan participants' representative share of the investment activity for all plans participating in the omnibus account, as determined by the recordkeeping system residing in the non-bank third party administrator. Because these reports are not subject to the type of regulatory reviews or certifications that auditors can necessarily rely upon , compliance with the DOL regulations permitting limited scope audits is difficult, as there is no basis for the plan administrator to direct the independent qualified public accountant to perform a "limited scope" report for the plan.
Under the trust system, the product generated was a trust transaction journal, depicting all of the asset activity within the plan or trust during the plan year. In contrast, the omnibus accounting system allocates investment experience in all plans within the omnibus asset account among all of the participants in all plans participating within the omnibus account. The investment data compiled in the omnibus account is directly sent and processed by a non-bank TPA participant accounting system and is then made "plan specific," based on the participant data received by the employers. Finally, the financial statements that are provided are in the form of beginning and end of the year summaries and their underlying data is often based on participant allocation summaries generated by the TPA and depicting allocation of investment history to each participant rather than a trust based transaction journal data which would normally be generated by the bank or insurance company systems. Additionally, the information that appears in the participant allocation summaries is only as good as the information received by the third party administrator.
Sutten made the following recommendations:
Peggy Bradley, Northern Trust Company
Ms. Bradley has served as relationship manager overseeing the compliance and delivery of fiduciary trust services for Fortune 500 ERISA plan sponsors, She discussed the expansion in the "hard to value" asset pool. She noted that financial statement preparers now enjoy the benefit of FASB guidance, greater transparency on pricing inputs, improved methodologies and myriad other resources to guide their fair valuation determinations. She also indicates that sponsors, financial statement preparers and auditors have a greater understanding of limited scope issues and the role of custodial information. She did not identify any specific harm linked to limited scope audits.
Valuation issues are not unique to employee benefit plans except to the extent that valuation issues may hold up distributions. Ms. Bradley said that even in these circumstances, the audit scope is not at issue. In general, she said the issues with limited scope versus full scope audits do not obviate hard-to-value asset concerns. The limited scope exemption controls only the extent of asset valuation and ownership testing by the auditor over such assets. It does not, however, limit or exempt the financial statement preparer from complying with GAAP requirements.
Ms. Bradley finds little purpose in carving out certain assets from the trustee certification process. Instead, she suggests greater use of valuation tools and clear comprehension of the nature of asset values for certain assets.
Ms. Bradley opposes elimination of limited scope audits. Repeal, she said, would burden plans that hold a large portion of marketable and liquid securities whose values are provided by independent sources. Revoking the limited scope exemption, without bolstering the plan sponsor's process for validating fair value, would not lead to improvements in the valuation of plan assets.
She concluded that all stakeholders in the audit process can benefit from additional information, education and outreach on limited scope audits. Specifically, DOL might facilitate providing plan sponsors with examples of best compliance practices, due diligence check lists, and valuation policies.
Michael Monahan, American Council of Life Insurers
The American Council of Life Insurers (ACLI) represents life insurer and fraternal benefit society member companies with over 90 percent of the assets and premiums of the U.S. life insurance and annuity industry.
Mr. Monahan said ACLI fully supports the current limited scope exemption, because it recognizes that the rules governing insurance carriers and the manner in which they are examined protect the interests of policy holders, including employee benefit plan participants and beneficiaries. He stressed a thorough risk-based examination of insurance companies is conducted by state insurance departments, usually on a three-year cycle. Further, insurance companies are audited by independent public accountants every year. State-based examiners also frequently visit carriers as a result of examinations or for other reasons.
Given the extensive regulatory regime, Mr. Monahan asserts that full scope audits would yield no new useful information, but would cost more. ACLI is not aware of any harm suffered as a result of limited scope audits. ACLI believes sponsors should be well-informed about the nature of limited scope audits. Mr. Monahan concluded that the current GAAP accounting provides the most objective valuation measures and any additional regulatory guidance is unnecessary.
Kerry White, BNY Mellon Asset Servicing
Ms. White is a Managing Director for BNY Mellon Asset Servicing. She has extensive experience overseeing the delivery of fiduciary trust services for large corporate ERISA plans. Ms. White's testimony focused on the involvement of major trust banks with limited scope audits in the context of alternative investments and hard-to-value assets, including valuation and reporting issues under FAS 157. She submits that this topic is increasingly important, as the benefit plan environment has changed significantly since ERISA's enactment. Many plans have shifted assets away from traditional investments toward what are characterized as riskier, "hard to value" asset classes.
She indicated that most large trust banks have enhanced reporting and valuation tools to assist plan sponsors in determining the fair value of such assets. In addition to the trust bank services, there are many providers of specialized pricing, valuation, and due diligence services for alternative assets, including independent valuation services. She noted that while these services are expensive, they can give sponsors more insight into the risks involved in various investments. She reiterated that regardless of the audit scope, the proper values are needed for the sponsoring entity's financial reports. Performance measurement and oversight services also help sponsors understand the value of such investments versus more traditional investments.
Ms. White noted that many plans do not have hard to value assets. For those that do (most often larger defined benefit plans), there is continued value in the limited scope exception. She noted that small plans should be spared the additional expense of a full scope audit, particularly if they do not hold "hard to value" assets. This being said, the plan sponsor and auditing firm must set clear terms of engagement. Both the plan sponsor and auditor should understand the assets held by the plan, the processes offered by the trust company, including the source of pricing information and the due diligence undertaken to verify the assets.
M. Kristi Cook, National Tax Sheltered Accounts Association and Susan Diehl, PenServ Plan Services
This panel consisted of Ms. Kristi Cook, attorney, speaking on behalf of the American Society of Pension Professionals and Actuaries ("ASPPA") and the National Tax Sheltered Accounts Association ("NTSAA"), and Susan Diehl, President, PenServ Plan Service, Inc.
Ms. Cook gave a brief background and overview regarding the history and operations of 403(b) plans as compared to 401(k) plans. A typical 401(k) plan offers a limited universe of investments, a record keeper and substantial employer involvement. In contrast,, 403(b) plans historically were deliberately designed for limited employer involvement (given limited resources of sponsors), multiple vendors and investments and the ability for participants to transfer accounts from one vendor to another without employer consent.
Ms. Cook recommended:
Ms. Diehl opened her testimony with an anecdote regarding a small employer who cannot afford to continue a 403(b) plan because of the increased cost in administration but cannot terminate the plan to avoid this cost because it can't force distributions. She believes thousands of nonprofits who have sponsored 403(b) plans over the past 40 years share this dilemma. The "lucky" ones can terminate their plans. She urged the DOL to extend transitional relief because despite best efforts, plans are not prepared to file audit results. She also recommended a small plan exemption so that small employers who cannot afford audits are not forced to terminate their plans. She further recommended educational efforts continue for employers, vendors and TPAs.
David L. Wray, Profit Sharing and 401(k) Council of America
David Wray, President of the Profit Sharing and 401(K) Council of America (PSCA), presented the views of the organization. The PSCA is a 60-year old nonprofit association of approximately 1200 companies employing about 5 million employees who participate in either a profit sharing or 401(K) pension plan.
Mr. Wray testified strongly against the repeal of the limited scope audit exemption. He stressed that the limited scope audit was a vital tool for employers to keep down the costs associated with sponsoring a retirement plan. His testimony noted that a limited scope audit not only costs less, but also the time and additional expense the plan sponsor would otherwise incur to support the audit are lower. This, he stated, was very important because approximately 33 percent of plan sponsors pay plan audit fees from plan assets.
Mr. Wray testified that PSCA was not aware of a single case where a plan participant was harmed because the plan had a limited scope audit rather than a full audit. He stated that because support for repeal of the limited scope audit is linked to the issue of valuing "hard to value" or alternative investments, that this issue should be addressed outside the limited scope audit debate. He stated that it is important to note that neither a limited or full scope audit is designed to determine the fair market value of the investments held by the plan. He further stated that in a full scope audit, the auditor tests the valuation methodologies for determining asset values but does not test the actual value of the investments.
Mr. Wray concluded that PSCA did not believe the valuation of "hard to value" assets was an audit issue, but rather an issue that should be addressed by the Department of Labor in guidance issued after coordinating recent accounting pronouncements issued by the Securities and Exchange Commission (SEC), the Government Accounting Office (GAO), the American Institute of Certified Public Accountants (AICPA), the Department of the Treasury, and the 2006 ERISA Advisory Council.
During the Question and Answer session, Mr. Wray conceded that a full scope audit was not a bad standard to have but he stressed that a cost/benefit analysis would weigh heavily against instituting a full scope audit as the standard to be applied. He stated that the limited scope audit exemption works well and what may be needed is more education for auditors to help them conform to existing standards.
Disclaimer: This document was prepared by individual members of the 2010 Advisory Council on Employee Welfare and Pension Benefit Plans and informally reviewed by staff at the AICPA. It is not issued by the Department of Labor nor has it been reviewed by the Department or any of its regular staff. This document may not be relied upon as authoritative guidance. Its limited purpose is to assist Council Members in understanding testimony concerning plan audits.