Employee Benefit Plans and Audit Quality

Highlighting deficiencies found in Department of Labor inspections

This article was originally published by The CPA Journal.

Many auditors who conduct employee benefit plan (EBP) audits may be unaware of the responsibilities and the risks that come along with these audits. The Department of Labor (DOL) is actively investigating EBP audits; when an audit is found deficient, the DOL refers the auditor to the AICPA Ethics Division. When it deems necessary, the AICPA Ethics Division has been imposing penalties on auditors, including pre-issuance reviews, practice restrictions, suspension or termination from the AICPA, and notification to the state board of accountancy.

The DOL Study

In May 2015, the DOL released a study “Assessing the Quality of Employee Benefit Plan Audits.” The study concluded that 39% of the audits inspected were deficient, up from 19% in 1997. The study showed a strong correlation between audit quality and the number of EBP audits a firm conducted. Firms that audited only one to two or three to five plans exhibited a 76% and a 68% failure rate, respectively; firms that audited 100 or more plans exhibited a 12% failure rate. The number of audits conducted was inversely related to the failure rate.

According to the study, in 2011 there were 5,203 firms that audited one to five plans. These firms generally focus on accounting and tax services, and only audit EBPs as a courtesy to their clients. EBP audits are unique from financial statement audits, and developing the necessary expertise to conduct a high-quality audit is a time-consuming commitment. If EBP audits are not an audit firm’s primary focus, if it is merely “dabbling” in the practice, the proper resources and necessary audit quality may not be there.

Such firms are often confused by the term “limited-scope audit.” When an inexperienced EBP auditor sees that a trust company is certifying the plan’s assets, the auditor might think that the audit is a compilation, rather than a highly regulated audit. In a limited scope audit, the auditor is not responsible for testing the amounts on the statements of net assets available for benefits(balance sheet) or the statement of changes in net assets available for benefits (income statement); however, the auditor still must perform auditing procedures on the limited-scope certification and test that the plan participants are being treated in accordance with ERISA guidelines and the plan document. Limited-scope audits have increased in popularity, representing 83% of all EBP audits in 2013 (up from 48% in 2001). The misunderstanding over an auditor’s responsibilities in a limited-scope audit may have contributed to the increased audit deficiency rate.

The discussion below focuses on three common deficiencies found in limitedscope EBP audits, namely adequately testing for

• remitting employee contributions on a timely basis,

• demographic data, and

• hardship distributions

Remitting Employee Contributions on a Timely Basis

Plan sponsors have the fiduciary responsibility to transmit employee contributions to the plan “as of the earliest date on which such contributions can reasonably be segregated from the employer’s general assets” (29 CFR 2510.3-102). There is no bright-line rule for large filers (generally over 100 participants), and it is important for auditors to consider multiple factors when determining the proper time frame for the sponsors to remit employee contributions. First, an auditor should consider the employer’s ability to remit employee tax payments. An auditor should also analyze the timeliness of a sponsor’s remittance. If a sponsor has demonstrated the ability to remit on the payroll date, then it has shown that it can reasonably segregate in that time frame. Sponsors often cite 29 CFR 2510.3- 102(b)(1), which states: “In no event shall the date determined … occur later than … the 15th business day of the month following the month in which such amounts would have otherwise have been payable to the participant in cash.” The DOL has noted on several occasions that this “15th business day” rule is not a safe harbor. That section of the rule is only to define an outside limit for remitting employee contributions. If a sponsor is relying on the 15th business day “rule,” then such sponsor likely has several delinquent contribution remittances.

How to test. Auditors should consider all remittances from the sponsor to the plan. At the beginning of the audit, an auditor should ask the client for a schedule of every payroll date, the amounts withheld, and the date the funds were remitted. The number of days it took the sponsor to remit all contributions should be calculated and then tested by tracing a sample of the contributions to the trust report. All late contributions must be disclosed on Form 5500, Schedule H, Line 4a, and the required supplementary schedule, “Schedule of Delinquent Participant Contributions” as supplementary information.

How to advise the client. To avoid future issues, a sponsor should set up an automatic remittance from its payroll company to the plan. Often, sponsors have overly complicated systems that involve sending checks to a third-party administrator before the trust company. Sponsors sometimes depend upon one employee who may have other responsibilities or may be out of the office on the day the contributions need to be remitted. These manual functions put sponsors at risk for remitting participant contributions late. In addition, auditors should remind trustees to review reports from the trust company in order to catch any late contributions early in the year and put corrective actions in place promptly. Late contributions that are identified should be fixed through the DOL’s Self-Correction Program or Voluntary Fiduciary Correction Program.

Demographic Data

Plan sponsors are required to keep an accurate census and appropriate supporting documentation. The censusis used as a basis for plan decisions, such as inclusion and exclusion from the plan, eligibility for employer contributions, vesting, and benefit payments. Sponsors that neglect this responsibility may have an inaccurate census or inadequate supporting documentation. An auditor must read the plan document to determine which demographic criteria (commonly, date of birth, sex, date of hire, and date of termination) are necessary to test.

How to test. Testing demographic data is essential to an EBP audit, but inexperienced auditors often overlook it. While it is not required, the author recommends a two-tiered approach: a confirmation mailing and inspection of the participant’s personnel files to vouch participant data.

• Confirmation mailing. Auditors should attempt to confirm the date of birth, sex, date of hire, and date of termination for every person in their sample. Confirmation letters should be sent at the beginning of the audit, field work scheduled a few weeks later, and all unreturned confirmation letters should then be brought to the client’s location. Participant identification should be observed to ensure that the correct person signs the confirmation letter.

• Vouching participant data. After selecting a sample, the client should be asked to supply documentation supporting their date of birth, sex, date of hire, and date of termination. An auditor should go through the client’s file to vouch for the supporting documentation for the attributes tested.

How to advise the client. In order to improve the quality of their census and documentation of demographic data, the client should be encouraged to conduct internal audits. Human resources managers should test a certain number of employees in the census each month by inspecting personnel files and comparing the demographic data in them against the census, just as an auditor would. If human resources functions are decentralized, a manager should test different locations and compare the recordkeeping policies. The tone at the top is critical, as the staff maintaining these records might turn over frequently.

Hardship Distributions

Hardship distributions from an EBP are intended to be a last resort for participants. The requirements necessary to take a hardship distribution are clearly stated in the plan document and in ERISA guidelines. Hardship distributions also need to be approved by the appropriate level of the plan’s management. Occasionally, a participant might be in need without meeting the specifications of a hardship distribution—perhaps the participant has not claimed one of the qualifying reasons or has not taken the maximum number of allowable loans. Participants can only withdraw employee contributions (not earnings or employer contributions), and is restricted from making contributions for the next six months. Management may not be aware of these rules, and thus permit a hardship distribution in violation of ERISA rules.

How to test. When testing benefit payments, auditors identify any hardship distributions and select them in the benefit payment sample. Testing benefit payments without selecting hardship distributions is not a representative sample. First, ensure that the plan allows for hardship distributions, that the participant took out the maximum number of loans before the hardship distribution was issued, and that the participant only withdrew employee contributions. In addition to requesting the benefit authorization form and cancelled checks, auditors should also request the documentation that demonstrated the participant’s financial need. When inspecting the benefit payment request forms, the reason given for the hardship should be traced to the plan document, to ERISA guidelines, and to the documentation indicating need. Auditors should also vouch that an appropriate level of management approved the distribution.

If the hardship was not for the participant, it must be for a listed beneficiary. After testing the hardship, auditors should perform subsequent tests to ensure that the participant did not make any contributions for the next six months.

Auditors should ask plan trustees if they are aware that the participant took the hardship distribution. It is possible that the trustees would not have approved that distribution, had they known about it. The failure of the trustees to know about the distribution is indicative of the plan’s internal controls and should contribute to auditors’ planning and testing procedures.

How to advise the client. Clients may not be aware that hardship distributions expose them to additional auditing procedures and regulations. Hardship distributions receive scrutiny from both auditors and the DOL, and proper procedures must in place to challenge participants’ assertions that they qualify for a hardship distribution. Plan sponsors should have adequate documentation to support the nature and extent of the hardship, and they should not merely rely upon a service provider’s electronic approval service in the absence of documentation. If a client is concerned that the requirements cannot be met, it should consult a third-party administrator. In addition, the trustees should review the plan’s activity each period to make sure that they are aware of all hardship distributions.