Auditing Overview for Employee Benefit Plans


Auditing Overview for Employee
Benefit Plans
Learning Objectives
Provide an overview of the audit process, including:
Risk assessment
Significant audit areas
Actuarial assumptions
SAS 70 reports
Terminating plans
08/2010
PUGH & COMPANY, P.C.
2
Risk Assessment
• Summary of Risk Assessment Standards
– Objectives of risk assessment standards
• Understanding of the entity
• Assessment of risk
• Improve linkage between assessed risk and work
performed
– Assessment process
• Continuous process - must occur throughout the audit
• Evaluation of audit findings (questions to ask throughout
the process)
– Has audit risk been reduced to acceptably low level?
– Has risk of material misstatement been reduced to an
acceptably low level?
– If the answer is no to either of these, the audit is not
complete.
Risk Assessment Process
Procedures Performed
• Preliminary engagement activities.
• Inquiries of plan management and others.
• Preliminary analytical procedures.
• Observation and inspection.
• Discussion among the engagement team.
Understanding Obtained
• Industry, regulatory, and other external factors.
• Nature of the plan.
• Objectives, strategies, and related business risks.
• Measurement and review of the plan's financial performance.
• Internal control.
• Selection and application of accounting policies.
• Fraud risk factors.
Decisions and Judgments Made
• Decisions at the Financial Statement Level:
– Materiality at the financial statement level.
– Materiality for particular items of lesser amounts.
– Risks of material misstatement at the financial statement level.
– Overall audit strategy.
• Decisions at the Account Balance, Transaction Class, and Relevant Assertion Level:
– Tolerable misstatement.
– Risks of material misstatement at the relevant assertion level, including identification of significant risks.
– Nature, timing, and extent of further audit procedures (including tests of controls and substantive procedures).
Risk Assessment
• Materiality
– Based on economic conditions you might
expect a lower materiality level.
– Lower materiality levels may add additional
time to the job.
• Need to be efficient in selecting audit steps in the
risk assessment process.
Risk Assessment
• Materiality…
– Documentation
• Need to document basis for materiality
• Need to document any changes in materiality that
occur during the audit and how they were
determined
– Contributions (special bonus/special compensation)
• Need to document lower level of planning
materiality for certain items
– Administrative expenses (declining profitability of plan
sponsor)
Risk Assessment
• Understanding the Plan and Its
Environment
– The Plan
• Review plan document
– Consider summarizing significant information
• Document flow of information
– Plan sponsor
– Record keeper
– Custodian
– Trustee
– Actuary
Risk Assessment
• Understanding the Plan
• Records
– Where are they located?
– How do we gain access to the data?
• Specific plan investments
– Are there hard to value assets?
– GICs
• Information technology
– How is information communicated between
» Plan sponsor?
» Service organization?
» Participants?
Risk Assessment
• Understanding the Plan Sponsor’s industry
• Consider factors affecting the industry that could
affect the plan
– Decreased sales
– Increased costs
– Layoffs
– Cash flow problems
– Increase risk of bankruptcy
• Increase incentive to minimize expenses
through
– Misallocation of required employer contributions
– Misuse of forfeitures
– Shifting plan administrative expenses directly to
plan
Risk Assessment
• Understanding Plan Sponsor
• Consider interviewing plan sponsor employees
– Owners
– Key Management
– Participant (especially in ESOP)
» Ask
▪ What do they know about the plan?
▪ How do they conduct transactions?
▪ What are their expectations?
– Should be done during fieldwork on financial statement audit when possible and incorporated into fraud interview process
Risk Assessment
• Understanding Plan Sponsor
• Interview dos and don’ts
– Dos
» Face to face interviews
» Interview personnel involved in all aspects of the plan’s
operations
» Share hypothetical situation to initiate fraud discussion
▪ Treatment of lost participants and the related fraud opportunities
▪ How and how frequently contribution reconciliations are performed
– Don’ts
» Conduct the interview in the presence of other client
employees
» E-mail questions to management
» Interview only the primary audit contact
» Ask only yes and no questions
Risk Assessment
• Understanding the Design and
Implementation of Internal Controls
– Who is ultimately responsible for properly
implementing and operating an employee
benefit plan?
• The plan sponsor
– The responsibility of the plan cannot be passed to
the service providers
– Implementation of appropriate monitoring controls is
critical where plan operations are outsourced
Risk Assessment
• Understanding Internal Controls
– Plan administration controls
• Determining plan provisions
• Establishment of the investment policy
• Authorization of certain transactions
• Monitoring and on-going evaluation of service
providers
Risk Assessment
• Understanding Internal Controls…
– Entity level controls – who is in charge of the
plan
• Monitoring (board of directors)
• Personnel (hiring, training, evaluations)
• Integrity and ethics (ethics policies)
• Segregation of duties (protection of assets)
Risk Assessment
• Understanding Internal Controls…
– Transaction level controls
• Eligibility determination
• Contributions
• Distributions
• Investment transactions
• Allocation to participants' accounts (currently a hot topic in the industry)
• Forfeitures (currently a hot topic in the industry)
• Plan fees (currently a hot topic in the industry)
• Participant investment elections
• Transfers, mergers, new plan setups
Risk Assessment
• Understanding Internal Controls…
– Unique control environment
• Important to understand and document who does
what
• Significant controls may be outsourced to third
parties
• Certain areas may have shared responsibilities
• A control at one entity might mitigate risk in another
area (e.g. vesting)
Risk Assessment
• Understanding Internal Controls…
– Participant Controls
• How many people open their statement, reconcile it
to the payroll deductions, recalculate employer
contributions, recalculate allocations, and review
investment losses?
• Can we rely on the participant to contribute to the
internal control structure?
– They may not understand the internal control process
– They may not open their statement on a regular basis
– They may not know what to look for
– The internal control process is not their responsibility
unless we directly ask them to review a confirmation
– We should not rely on this to reduce control risk
Risk Assessment
• Documentation of Internal Controls
– Identify individual audit areas and related
control objectives
• Consider classes of transactions
– Activity in participant’s account
– Existence and occurrence
• Account balances
– Investments
– Receivables
– Payables
• Disclosures
Risk Assessment
• Documentation of Internal Controls…
– Document controls
• Client memo and flowcharts
• Incorporate reference to SAS 70 controls when
appropriate
– Verification through walkthroughs
– Consider flow of information between plan
sponsor and the service organization for each
individual audit area and control objective
– Consider missing steps in the control process
Risk Assessment
• Documentation of Internal Controls…
– Engagement team discussion
• Fraud
• Error
• Ask “what could go wrong”?
• Consider if you only had 8 hours to perform audit
procedures - what would you want to do before you
personally signed the opinion?
• Must be tailored to each plan – cannot rely on one
discussion for all plans
• Consider the uniqueness of the various plans
Risk Assessment
• Challenges of an Employee Benefit Plan
Audit
– When assessing risk keep the following in
mind
• Many clients see the audit as a “necessary evil”
• Many plan sponsors do not have the policies and
procedures in place or do not have them sufficiently
documented
• Many plan sponsors that rely heavily on service
providers may not be as rigorous in their procedures
and oversight
• Overuse or underuse of the SAS 70
Risk Assessment
• Policies and Procedures of the Plan
Administrator Related to the Service
Organization
– Plan administrator should have an
understanding of what the service
organization does and what controls are in
place
• They should be reviewing the SAS 70 annually
Risk Assessment
• Policies and Procedures …
– Reconciliation of participant accounts to
service organization records should be
performed on a timely basis
• Payroll information should be reconciled to the
contribution records
– In total
– By participant
• Reconciling census data provided to service
organization to appropriate payroll records
• The audit cannot be the control
Risk Assessment
• Policies and Procedures …
– Consider who has access to the data provided
to the service organization and the ability to
make changes to override controls
• CFO/Controller
• Human resources
• Payroll
• IT
Risk Assessment
• Other Procedures of the Plan
Administrator
– Document transactions that are approved
• Contributions
• Use of forfeitures
• Distributions
– Meet with investment manager
• Audit consequences
– Document policies and procedures
– Consider management points related to
significant deficiencies
Significant Audit Areas
• Participant data
• Payroll
• Cash
• Investments
• Contributions received and receivable
• Benefit payments
• Investment income
• Fees and Expenses
• Actuarial Assumptions
• Form 5500
• SAS 70
• Terminating Plans
Participant Data & Payroll
Objectives include determining:
• Whether all covered employees have been
properly included in employee eligibility
records
• Whether accurate participant data for
eligible employees were supplied to the
plan administrator and, if applicable, the
plan actuary
Participant Data & Payroll
Types of data to be tested:
• Demographic – birth date, hire date
• Payroll data – wage rate, hours worked,
earnings, contributions to the plan
Participant Data & Payroll
Examples of substantive procedures
• Recalculate payroll for selected
participants for one or more pay periods
• Trace individual payrolls from the payroll
journal to the participants' earnings
records
• Review personnel files for hiring notice,
pay rate, birth date, termination date
Cash
• Typically small
– If held under a trust agreement or under an
insurance contract, confirmations are usually
adequate
– If held independent of a trust agreement or
insurance contract, customary audit
procedures considered appropriate
Investments
• Limited Scope Audit
– Obtain and read a copy of the certification
– Determine whether the entity issuing the
certification is a qualifying institution under
DOL regs
– Compare the investment information certified
by the trustee or custodian to the information
contained in the plan’s financial statements
and related disclosures
Investments
• If the auditor becomes aware that the certified
information may be incomplete or inaccurate, the
auditor should instruct the plan administrator to:
– Request that the trustee or custodian recertify or
amend the certification for such investments at their
appropriate year-end values or recertify or amend the
certification to exclude such investments from the
limited scope certification or
– Instruct the auditor to perform full scope procedures on
such investments excluded from the certification
• If this is not done, the auditor should consider modifying his
or her report
Investments
• Full Scope Audit
– Determine nature and location of investments
from minutes, agreements with custodians,
advisors, etc.
– Obtain or prepare a schedule of investments
showing beginning balance, purchases, sales,
ending balance
– Typical audit programs have specific
procedures depending upon the type of
investments held, such as mutual funds,
limited partnerships and derivatives.
Investments
• Full Scope Audit (cont.)
– Confirm investments held by third-party
custodians
– Perform analytical procedures on average and
ending balances
– Test investment income
– Test fair value
– Test the calculation of unrealized gains and
losses
Stable Value Funds & GICs
GICs - Audit Considerations
• Obtain, read and evaluate the GIC contract
• Maturity dates, minimum crediting rates, rate resets.
• Is the contract fully benefit responsive?
– Contract is between plan and issuer. The contract cannot be sold or
assigned without consent of the issuer.
– Contract issuer must be obligated to (1) repay principal and interest,
and (2) provide prospective crediting rate adjustments with an
assurance the crediting rate will not be < 0%
– Contract requires all participant-initiated transactions to occur at
contract value
– An event that limits the ability of the plan to transact at contract value
with the issuer and with the participants must be probable of not
occurring
– The plan must allow participants reasonable access to their funds
• Confirm principal and income with Insurance
Company/Counterparty.
• Assess credit quality of the issuer.
• If a plan holds multiple contracts, each contract should be
evaluated individually.
Contributions Received and Receivable
• Typical analytical procedures include:
– Comparison to prior year
– Average per participant
– Other expectation such as % of compensation
• Trace to plan sponsor audited financial
statements
• Vouch subsequent receipt
Contributions Received and Receivable
Timeliness of remitting participant
contributions
Contributions must be remitted ASAP
• Failure to remit may be considered a
Prohibited Transaction
• 15th business day of following month is
not a safe harbor
Benefit Payments
• Determine participant eligibility (request,
approval)
• Recompute amount of benefit
• Vouch payment
• Typical analytical procedures include:
– Comparison to prior year
– Average per participant
– Other expectations
Investment Income
• Objective to test whether net assets and
transactions have been allocated to
accounts properly in accordance with plan
document.
• Allocation of investment income to be
tested even for limited scope audits.
Investment Income
• Consider reasonableness by comparing
current year income and yield to that in
the prior year and to investment reports
from advisors, trustees, mutual fund
companies and to industry indexes or
other expectations.
• SAS 70 may be used to reduce but not
eliminate scope of testing
Fees and Expenses
• Most defined benefit plans and many
defined contribution plans pay
administrative expenses out of plan assets
• Typically plan expenses are below
materiality levels and therefore are not
subject to significant detailed testing
• Auditors should gain an understanding of
what expenses are allowed by the plan
• Many times expenses paid out of plan
assets are prohibited transactions
Commitments and Contingencies
• Discuss with client
• Review minutes of various committees
• Analyze legal expense
• Request audit inquiry from attorneys
• Obtain client representation
Actuarial Assumptions
• Trends and nature of benefit distributions
– Lump sum vs. annuity payments
• Shift in plan population over time—
turnover or retirement age
• Recent mergers or acquisitions could
cause assumptions to be inappropriate
• Plan benefit formula changes or a freezing
of the plan
• Whether consistent gains/losses are
generated each year
Form 5500
• Auditor’s responsibility does not extend
beyond the financial information identified
in the auditor’s report.
• Auditor has no obligation to corroborate
other information contained in the 5500.
• Auditor should read the other information
in the 5500 and consider whether such
information or its presentation is
materially inconsistent with information
appearing in the audited financial
statements
SAS 70
Basic roadmap for auditors
• Read Independent Service Auditor’s
Report and Company Overview to
determine that correct SAS 70 has been
obtained.
• Be mindful that missing control objectives
may require additional procedures.
SAS 70
• The following control objectives should be
included
– Plan setup
– Enrollments
– Contributions
– Distributions, including loans
– Investment election changes and transfers
– Investments, including purchases/sales,
income and valuation
– Reconciliation and reporting
– IT general controls (including access, changes
to programs, back-up)
SAS 70
Note: For missing key control objectives or if
no SAS 70 report is available, procedures
to determine controls in place, the
evaluation of their design and
implementation must still be adequately
addressed by the auditor.
SAS 70
Description of Controls
• Auditors should read through the detail of
the procedures related to a specific
control objective to understand overall
process and identify controls in place.
• Warning: Controls included in this
description may not always be included in
testing so be aware that this may affect
reliance.
SAS 70
Tests of Operating Effectiveness
• Determine which controls were tested as included
in the description of controls – usually listed with
testing procedures performed
• Consider the level of testing performed for
reliance purposes
– Inquiries alone will not be sufficient evidence for
confirming implementation
– Observations may not be considered sufficient for
reliance on controls for purposes of reducing control
risk below maximum to reduce substantive audit
procedures.
SAS 70
Exceptions
• Evaluate each exception, including nature, extent
and mitigating controls
– Nature of exception
• Error in processing?
• Missing evidence?
– Extent of exception
• Isolated error?
• One of many included under control objective?
• Did exception lead to qualification of report?
• Special consideration – IT general controls – exceptions
and qualification could affect more than one area and may
be a significant problem in reliance and use of SAS 70
report.
SAS 70
Exceptions (continued)
• Mitigating controls in place
– Are there other controls in place at the service
provider to mitigate risk of error?
• Other levels of review such as quality control
reviews
• Different access levels that may prevent issues
(physical vs. logical access on systems)
– Does the plan sponsor actually perform that
control? (e.g. calculate vesting)
– Are there mitigating controls in place at the
plan sponsor? (e.g., review and approve
calculation of vesting)
SAS 70
Evaluation of SAS 70 report and conclusions
reached by auditors should be documented
clearly and adequately in audit workpapers as
required by SAS 103.
• Documentation can include:
– Copy of relevant SAS 70 reports obtained and evaluated
– Checklist or form used to evaluate SAS 70 report
– Memo or checklist/form used above to document
conclusions reached regarding each area as to reliance
on SAS 70, and the extent of that reliance (e.g.,
reliance related only to design and implementation or
further reliance to reduce control risk and substantive
audit procedures)
– Note: Reliance may vary from area to area (e.g.,
reliance placed to reduce substantive audit procedures
in contributions, but not in distributions)
Terminating Plans
Overview of Auditing Employee
Benefit Plans
Questions?