SAS 136 and How It Changes Employee Benefit Plan Audits

In an effort to improve the quality of ERISA audits and the relevance of the auditor’s report, the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) 136, “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA” in July 2019. SAS 136, which is specific to employee benefit plans, is part of a full suite of standards (SAS Nos. 134 to 140) that impact audits of all entities and is effective for audits of financial statements for periods ending on or after Dec. 15, 2021.

SAS 136 eliminates the limited scope opinion and replaces it with an ERISA Section 103(a)(3)(C) audit. While the new SAS does not affect the accounting or financial statement reporting for plans, it will affect every other aspect of the audit, including engagement acceptance, the audit opinion, audit procedures, and the required communications to those charged with governance. SAS 136 clarifies the responsibilities of plan management and auditors. These responsibilities are specifically included in the auditor’s report, engagement letters, and required communications. 

New Preconditions of SAS 136 for Engagement Acceptance: 

Key changes include Plan management acknowledging and understanding its responsibility and confirming to the auditors the following:

• Maintaining a current plan instrument, including all plan amendments;
• Administering the plan and determining that the plan’s transactions that are presented and disclosed in the ERISA plan financial statements conform with the plan’s provisions, which includes maintaining sufficient records with respect to each of the participants in order to determine the benefits due to or the benefits that may become due to such participants;
• Providing auditor with a substantially complete Form 5500 draft before issuance of the auditor’s report.
• When management elects to have an ERISA Section 103(a)(3)(C) audit, determining whether it is permissible under the circumstances.

Plan Management Responsibilities under SAS 136

As part of the ERISA Section 103(a)(3)(C) audit, plan sponsors will have the additional responsibilities to:

• Review procedures related to maintaining its governing plan instrument and whether the plan instrument is up to date with the latest required amendments and in compliance with current ERISA provisions.
• Determine whether an ERISA Section 103(a)(3)(C) audit is permissible and if the certifications are sufficient. To make this determination, management should work with its third-party service providers to address the following questions:
• Is an ERISA Section 103(a)(3)(C) audit appropriate given the structure and filing requirements of the plan?
• Is the investment information prepared and certified by a qualified institution or an agent qualified to certify on behalf of a qualified institution, pursuant to 29 Code of Federal Regulations (CFR) 2520.103-8?
• Is the certification in writing and signed by a person authorized to represent the qualified institution, and does it address both the accuracy and completeness of the investment information?
• Is the investment information appropriately measured, presented, and disclosed in accordance with the applicable financial reporting framework?
• Acknowledge, in writing, that all the conditions are met and that an ERISA Section 103(a)(3)(C) audit is permissible.

Procedures for an ERISA Section 103(a)(3)(C) Audit

When management elects to have an ERISA Section 103(a)(3)(C) audit, the auditor is required to:

• Evaluate management’s assessment of whether the entity issuing the certification is a qualified institution under DOL rules and regulations.
• Identify which investment information is certified.
• Perform the following procedures on the certified investment information:
  • Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified institution.
  • Compare the certified investment information with the related information presented and disclosed in the ERISA plan financial statements and ERISA-required supplemental schedules.
  • Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation and disclosure requirements of the applicable financial reporting framework.
• Perform audit procedures on the financial statement information, including the disclosures, not covered by the certification, as well as noninvestment-related information based on the assessed risk of material misstatement. Plans may hold investments in which only a portion are covered by a certification from a qualified institution. In that case, the auditor should perform audit procedures on the investment information that has not been certified.

Audit Report Changes under SAS 136

The audit report will look significantly different under SAS 136 and will no longer be referred to as a “limited scope audit.” One of the objectives of SAS 136 is to provide readers with a better understanding of the scope of the audit and to make clear the responsibilities of the plan sponsor and the auditor.

The audit opinion of an ERISA Section 103(a)(3)(C) audit will include information on the procedures performed on both certified and noncertified information as well as a new basis for opinion section.

Communications under SAS 136

SAS 136 requires the auditor to communicate, in writing, reportable findings, including identified or suspected noncompliance, to plan management and those charged with governance. Reportable findings are defined as matters that are one or more of the following:

• An identified instance of noncompliance or suspected noncompliance with laws or regulations.
• A finding arising from the audit that, in the auditor’s professional judgment, is significant and relevant to those charged with governance, regarding their responsibility to oversee the financial reporting process.
• An indication of deficiencies in internal controls identified during the audit that haven’t been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.

The HoganTaylor Employee Benefit Plans Practice

If you have any questions about the content of this publication, or if you would like more information about HoganTaylor's Employee Benefit Plans practice, please email Gwen Stoute Mazzola, Employee Benefit Plans Practice Lead, at gstoute@hogantaylor.com.

INFORMATIONAL PURPOSE ONLY. This content is for informational purposes only. This content does not constitute professional advice and should not be relied upon by you or any third party, including to operate or promote your business, secure financing or capital in any form, obtain any regulatory or governmental approvals, or otherwise be used in connection with procuring services or other benefits from any entity. Before making any decision or taking any action, you should consult with professional advisors.