In April 2017, the AICPA’s Auditing Standards Board (ASB) issued an Exposure Draft Proposed Statement on Auditing Standards (the ED) entitled “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA.” In this author’s opinion, the proposal is objectionable in many ways, most particularly with regard to “limited scope” audits of these plans. Quite frankly, it is too far-reaching, ill advised, ill conceived, illogical, and self-contradictory.
The ED proposes several subtle but highly contentious provisions that, if adopted, would be effective for ERISA plan audits of financial statements for periods ending after December 14, 2018. This article is intended to call these proposed new requirements to the attention of CPA Journal readers who conduct audits of employee benefit plans (EBPs) subject to ERISA requirements and to encourage them to provide comments to the ASB advocating that the proposal be withdrawn or modified substantially to address these issues. The ASB has requested that comments be received by Aug. 21, 2017.
For no apparent justifiable reason, it appears that the ASB is proposing to capitulate to the demands of the Department of Labor (DOL) to satisfy its regulatory objectives (which appear to extend beyond its statutory purpose and authority under ERISA) by mandating procedures and reporting language, most of which have little or nothing to do with the sole purpose of a financial statement audit, which is providing financial statement users with assurance as to the absence of material misstatements therein.
In 2010, the Employee Benefits Security Administration of the DOL authorized and published the results of a study entitled “Advisory Council Report on Employee Benefit Plan Auditing and Financial Reporting Models” (http://bit.ly/2uDBWd7). The report acknowledges that ERISA section 103(a)(3)(A) requires that auditors be engaged “on behalf of all plan participants,” but also that “plan participants generally do not directly use financial statements.” There is much evidence in this report that in many respects, its authors significantly misunderstood the respective roles and responsibilities of auditors and management with regard to financial statements. For example, it incorrectly states that the purpose of an audit report is “to help assure participants that there is a high likelihood that the plan financial statements accurately set forth the financial condition of the plan, and that participant records are appropriately maintained.” This misunderstanding appears to be the root of the DOL’s dissatisfaction with its audit observations to date.
AU-C sections 320.02–.06 tell auditors that what is material is information that “could reasonably be expected to influence the economic decisions of users made on the basis of the financial statements.” But who are the users, if not the plan participants? The regulators? And what economic decisions are made based on the financial statements? If there are no identifiable users who make economic decisions based on the financial statements, how does one determine what is material for risk assessment and audit scope purposes?
Pursuant to the ED, the ASB would, again without any apparent justification, require auditors to issue reports that are significantly inconsistent with sound audit and other reporting standards and principles (and even one ethical standard) cited below that have been in place for decades, are tried and true, and apply without exception to all other audit or other attestation services for all entities other than EBPs subject to ERISA.
Limited Scope Audits
Under the ED, despite a severely limited audit scope imposed by the client, auditors would be required to issue an unmodified opinion based in part on the custodian’s unaudited certification (to which only limited procedures would be applied), rather than a disclaimer.
The text of the ED and Illustration 3 in the Exhibit of the proposed standard are inconsistent with the general provisions of AU-C sections 705.10–.13, which apply to reporting on a management-imposed scope limitation; however, the ED proposes no amendment to sections 705.10–.13 providing an exception in reference to section 703. This oversight would leave a glaring contradiction between the two standards. This author firmly believes AU-C sections 705.10–.13 should stand unmodified, without exception.
Moreover, the proposed reporting model for limited-scope audits appears clearly inconsistent with the long-standing “General Standards Rule” in the AICPA’s Code of Professional Conduct, which requires CPAs to “obtain sufficient relevant data to afford a reasonable basis for conclusions or recommendations in relation to any professional services performed” [ET section 1.300.001.01(d)]. No amendment to this ethical requirement has been proposed, and such a proposal would appear to be beyond the authority of the ASB. This author firmly believes ET section 1.300.001.01(d) should likewise stand unmodified, without exception.
As provided in AU-C sections 705.10–.13, an auditor has three possible ways to deal with an unresolved client imposed scope limitation. The most extreme of these, of course, would be for the auditor to withdraw from the engagement, for example when management’s integrity is in doubt. Normally, however, when the possible effects on the financial statements of any misstatements undetected due to the scope limitation could be both material and pervasive in the auditor’s judgment, a disclaimer of opinion on the financial statements (as has historically been the case for these EBP engagements) would be required. If the effect were only material, but not pervasive, a qualified opinion (AUC sections 705.10–.13), which would necessarily begin with words like “except for the effects of any adjustments,” may be issued.
Unfortunately, the definition of “pervasive” in the Auditing Standards Codification glossary renders pervasiveness irrelevant as a separate reporting consideration from materiality and therefore effectively removes the reporting option of a qualified opinion implied by AU-C sections 705.10–.13. The definition describes effects on the financial statements that are “not confined to specific elements, accounts, or items,” but it also includes, alternatively, those effects that “if so confined, represent or could represent a substantial proportion of the financial statements,” or “with regard to disclosures,” are “fundamental to users’ understanding of the financial statements.” In this author’s opinion, the glossary definition of pervasiveness should be revised, thus making a qualified opinion viable in a manner that should be far more palatable to auditors.
Most likely because of this overly far-reaching definition, however, the ASB bypassed the qualified opinion option and jumped to the self-contradictory “clean” opinion proposed in the ED. Why? What is driving this conclusion? How would this report language contribute to the achievement of the DOL’s regulatory objective? Who is supposed to benefit from such a meaningless, groundless, and outlandish opinion?
To emphasize by way of analogy the palpable absurdity of the proposed clean opinion, one can see the custodian as akin to a material, self-managing subsidiary. The subsidiary’s management controls its assets, keeps its books, and sends unaudited financial statements to the parent for consolidation. How could the parent’s auditor express a clean opinion in reliance on these unaudited financial statements?
The limited scope report form proposed in Illustration 3 of the Exhibit appears to be inappropriately modeled in certain respects after the traditional report form commonly used for dividing responsibility between participating component audit firms that now resides in AU-C 600. The critical distinction, however, is that under AU-C 600, the reporting auditor’s reliance is placed on audited, not unaudited, information, and even when making reference to the work of a component auditor, the reporting auditor must take considerable overall responsibility for the direction, supervision, and performance of the audit engagement.
Pursuant to the ED, the ASB would require auditors to issue reports that are significantly inconsistent with sound audit and other reporting standards and principles.
Alternatively, one might view the custodian’s certificate as a sufficiently reliable piece of evidence, like a third-party confirmation, which paragraph A45 of the ED firmly and correctly states that it is not. Here, the critical distinction is that unlike a confirmation, such a certificate does not independently confirm information that was previously recorded by the audit client; it is the sole source of such information. Moreover, reference would never otherwise be made in an audit report to a confirmation, the work of an auditor’s specialist (AU-C 620.14), or any other single piece of audit evidence, even when it provides significant support for a clean opinion. Why, then, should one do so when, as proposed, it provides no support?
As explained in paragraph A48(b)-(c), the proposed requirement of paragraph 20(d) would require an auditor, based solely on management’s inquiries, to ascertain whether investments subject to an ERISA-authorized scope limitation “are measured, presented, and disclosed in accordance with the applicable financial framework” and “how investments at fair value are leveled in the fair value hierarchy table.” In view of plan management’s probable ignorance of such matters in almost all cases when a qualified custodian institution is employed, as well as the inherent lack of reliability of management inquiries, it is highly doubtful that such inquiries would have any value to the DOL or anyone else. This proposed requirement should be omitted from any final standard.
Admittedly, except as noted in the above paragraph, the proposed mandatory procedures that would be applied to investments subject to limited-scope reporting, which are not mandated by ERISA, would not be burdensome, but these procedures would afford little or no assurance as to the reliability of the content of the plan custodian’s certificate. If the final version of the proposal were, however, to require that auditors obtain a type 2 SOC-1 report on the effectiveness of the relevant internal controls applied by the custodian of the data reported in the certificate (which it does not even suggest), it would strengthen the audit process somewhat and provide some additional measure of reliability. It appears, however, that such additional reliability would likely be insufficient to overcome the need for an overall disclaimer of (or possibly a qualified) opinion as would be prescribed in AU-C sections 705.10–.13.
Except in connection with SEC registrations, it is inherently unreasonable to hold auditors responsible for client actions after the report date.
Reporting on Specific Plan Provisions
The ED contains a newly proposed requirement to report on specific plan provisions relating to the financial statement, either in the primary audit report or presented supplementally, disclosing auditor findings from applying certain mandated procedures.
It is clear that these proposed mandatory procedures would likely add considerable time to many EBP ERISA audits and present other problems discussed below, but would afford little or no assurance 1) as to the reliability of the financial statements (because it would have only a remote potential, if any, for identifying a material misstatement) or 2) of identifying material instances of noncompliance (based on their lack of any prescribed minimum scope). Despite these severe limitations, such a report would be attached to Form 5500 and therefore be available (inappropriately in this author’s view) to the public.
In almost all circumstances, the probability of discovery of a material misstatement that would require adjustment to the plan’s financial statements as a result of noncompliance would be extremely remote, even in the case of the most egregious violation of plan provisions (or even ERISA or DOL requirements). In such regard, it is highly unlikely that the DOL would assess a penalty against plan assets or revoke the tax qualified status of a plan, as suggested in paragraphs A13 and A39 of the ED, as that would adversely affect participants, the very people the plan exists to benefit and the DOL exists to protect. Instead, it is far more likely that any penalty would be assessed against the responsible employer/sponsor or other administrator, or a custodian of plan assets. The same would be true for the IRS. On the other hand, there is some risk that an employer could fail to make a mandated matching contribution or that improper plan distributions represent an unrecorded receivable (unlikely to be material), which risks justify performing eligibility and transaction tests. Nevertheless, these risks do not appear to justify the separate report on specific plan provisions.
The ED would require auditors to perform substantive testing “without regard to the risk of material misstatement,” counter to the basic underlying principles of modern, risk-based financial auditing. But even in audits performed to enable an opinion on compliance, the scope of audit procedures employed is based on the auditor’s assessment of the risk on material noncompliance.
The ED essentially proposes a report on compliance, although because it would not require issuing an opinion on compliance, it would resemble, in some ways, an agreed-upon procedures report. But the ED neither prescribes nor requires the reporting of the scope of such procedures. Therefore, the scope is left to the auditor’s discretion (rather than set or agreed to by the users, as would be required in an agreed-upon procedures engagement), and it is subject to second-guessing by regulators, peer reviewers, or litigants, especially when one’s work is compared to other auditors who tend to overaudit. In fact, a self-defensive desire to preempt such second-guessing likely might cause many auditors to overaudit.
In addition, the ED would require auditors to apply judgment in deciding which findings are “inconsequential” (which is undefined) and therefore not reportable. Since it is the auditor’s report, the auditor must bear sole responsibility for such judgments, even if made in consultation with those charged with governance as suggested in paragraph A136. Such auditor judgments are prohibited under the attestation standards (AT-C sections 215 and 315) that apply to agreed-upon procedures engagements, as is distribution or use of such reports to or by those who have not agreed to the procedures.
The proposed requirement for reporting on specific plan provisions would probably entail significant additional work for many auditors and accordingly add considerable administrative costs to many EBP audits subject to ERISA, whether of limited scope or not. These additional costs, if not to be borne by employer/sponsors, would necessarily reduce plan assets and thus have the unfavorable result of being borne by employee participants. In addition, if the report form for limited-scope audits were adopted as proposed, auditors might decline to accept such engagements, thus causing a reduction in competition and further increases in administrative costs. Another possible consequence might be that some small business employers will discontinue their EBPs rather than absorb such additional unwarranted costs. As a result, working people would be forced to rely on IRAs for tax deferrals, which, due to limitations, would be substantially lower than with defined benefit plans, thus reducing their disposable income currently and in retirement.
Proposed Auditor Responsibilities regarding Form 5500
Proposed procedures regarding Form 5500 are based on AUC section 720, even though the form is not considered a “document containing audited financial statements,” as defined in AU-C section 720.02. For no explainable reason, however, the ED would allow auditors to issue an audit report prior to the availability of an unissued Form 5500 while retaining responsibilities with respect to the 5500 after the audit report date. Except in connection with SEC registrations, it is inherently unreasonable to hold auditors responsible for client actions after the report date. The standard should preclude issuance of an audit report before the unissued Form 5500 is made available to the auditor and require that the terms of the engagement provide so.
The DOL has no statutory authority either to set auditing or reporting standards or to require compliance testing and reporting, which is likely the primary reason it is pressuring the auditing profession for these changes. But why should the profession yield to such pressure by requiring its members to perform procedures and issue reports that are inconsistent with its otherwise applicable standards that are not required by law or regulation? In the opinion of this author, there should be no exceptions made in auditing standards for ERISA-compliant EBP audits. If the DOL wants a compliance audit and report for EBPs, it should ask Congress to amend ERISA.
Auditors are urged to view the NYSSCPA’s comment letter at http://www.nysscpa.org/advocacy/comment-letters#2017, and to submit their comment letters on time.