We've discussed SAS 136 very briefly in the past, but this audit season we share what this would mean for 401(k) plan sponsors and auditors. In this episode, our host and Summit CPA's Director of Accounting/Virtual CFO, Jamie Nau together with Kim Moore Summit CPA's Director of Auditing and 401(k) Senior Auditor, Karen Hill revisit and dive deeper into the new Statement on Audit Standards 136.
Summit CPA Group has merged with Anders CPAs + Advisors! Visit our website to learn more about our 401(k) process and pricing: https://anderscpa.com/401k-audits/
"As long as you talk to your auditor upfront (and say), make sure they're on board, they know what they're doing. They're handling all this properly. Talk about any of these areas that may have peaked your interest that, oh, that sounds like a problem for. Talk to your auditor and do it now. Don't wait." Kim Moore
The finer details in this episode:
Episode resources
Jamie Nau: Hello, everybody. Welcome to today's 401k audit podcast. Once again, we are joined by Kim Moore and Karen Hill. Prior to the show Kim was telling us if they just signed their first engagement letter under the new SAS 136. So we figured it was time to revisit this topic. We had a brief podcast on this a while ago, but we wanted to make sure we went into a little more details, get a little deeper into it. So welcome to the show Kim, are you ready?
Kim Moore: I don't know if I'm ready yet or not. But I'll tell you in a couple of weeks. The AICPA, which is our professional kind of governing body, is doing a two-part CPE session. So I'll let you know in a couple of weeks whether we're all prepared or not. So, let's start. I mean, for those people that are not accountants and not auditors, they're probably like SAS 136, what are you talking about? I know it sounds kind of legalese. But for those of us that are accountants and auditors, we have a whole series of regulations and rules we have to abide by. The SAS actually stands for Statement on Audit Standards. And there's a whole series of, obviously it's up to 136, so there's 135 other ones that have come before this one that govern those of us that are in audit. The kinds of things we have to do the rules of the road, if you will that we have to abide by. So this is a new standard. It was put into play actually a couple of years ago. It could have been early adopted. So if you are listening to this and you have an auditor and they've already talked to you about this, you may already be doing some of this, that is possible, but most audit firms that we've been in contact with have said they were going to wait until they actually had to enact it just because there were so many other things going on with the pandemic and just other things going on. It actually becomes effective for the years ending on or after December 15th, 2020. So that's obviously the entity and in this case it would be a 401k plan that you're auditing when they're planning your end and on or after December 15th. So you're thinking, well, that's couple of months away, but actually those audits will be beginning here pretty soon. So we thought this was a timely topic because it is going to be coming into effect here pretty soon. And there are some things you need to do ahead of time. So that's why I thought good timing for this to get everybody ready as we're heading into the next, you know, couple of months and getting ready for those audits that we'll be starting here pretty soon. Folks that might want to listen to this. I think there's kind of two entities or two groups that might want to listen to this one. If you're an auditor, obviously, and you haven't heard about this this new audit standard applies to benefit plan audits only. It is the first audit standard specifically for benefit plan audits. Always before we've had to cobble together a whole bunch of pieces and parts from other audit standards really meant for other kinds of audits and apply them to benefit plans. This one's specific for benefits. So obviously you do these. This is a very timely topic for you, but really it is kind of geared more to if you are the plan sponsor. So you're a company that sponsors a 401k plan and either you have an audit you know, that you've been doing for the past few years or, you know, upcoming and you might say, well, that's for auditors. What do I care? Does that impact me? I'm not an auditor, but it does impact you. And so those are the kinds of things I think we're going to talk about here.
Jamie Nau: Great. So Karen, I'm going to throw it over to you. I think first, on the topic is just making sure that our listeners understand the kind of the type of audits that are performed. So if you kind of want to walk down that path a little bit and explain that.
Karen Hill: Well, in the past, what we have called a limited scope audit is now going to be referred to as another audit standard. So we are going to have difficulty ourselves changing because it's been called limited scope for so long. As long as I've been in auditing, which has been a long time. So the full scope of what we used to be called a full scope audit is now called 163. And basically the difference between the two is with, as far as the auditing is concerned, is that we have to do testing on investments and investment gains and losses and income. So that part of it is still the same as far as the testing part, there's other things involved in it that is going to change. They are going to be an emphasis now on management activities surrounding the audits.
Jamie Nau: So that's where the plan sponsor comes in. I'm guessing. And that's really, what we're going to talk about today. Obviously the name changes, which since I'm not audited, there's no way I'll memorize that. I'll have to refer back to my notes over and over. I'll probably still call it a limited scope audit.
Kim Moore: It gets very confusing. And it actually relates to the ERISA provision that allows for this whole difference in the two. So that's where that comes from. And just real quick, a little bit of background, the reason for this change is that they really want the auditors to be able to fully audit the plans. They want to get away from a disclaimer opinion. So from an audit standpoint, and I can talk a lot about this today, but we will be actually issuing full opinions now which we were not allowed to do before. And so, it's really going back to the roots of ERISA. What’s required, that's kind of the background of it and the real rationale for why are we doing this in the first place. But all three FEC is, goes back to ERISA.
Jamie Nau: How do I tell what type of audit I need then? Where do I start?
Karen Hill: In reality, this isn't much of a change. It is a little bit of a name change going from the limited scope to the one on three C. But the real emphasis in the standard is that the type of audit determination should be made by the client. So if you're the plan sponsor, you need an audit. It is really your responsibility to determine which of these two is appropriate. Which I know is a lot because most folks that we deal with, our clients and potential clients, wouldn't even mention a limited scope. They're like, I have no idea what you're talking about. So, it's not really that complicated, but it's not something that people, that our plan sponsors deal with on a regular basis. Just because they're not the auditors, they didn't feel like that was their responsibility.
Kim Moore: So, as Karen mentioned the reason for the difference goes to the assets themselves. So I would, if I was planned sponsor, first thing I would do is look at who is holding the assets. So what entity is actually physically holding the assets for you, that's not going to be you at the company, probably not going to be who you work with on a regular basis. So on a day-to-day basis, things may be happening with your plan, whoever you're dealing with is probably not the asset holder. That's usually a record keeper, something like that. So you really got to dig down a little bit and figure out who's actually physically holding the assets. And a firm or a company that is regulated at the state or the federal level, who is audited on a regular basis, they can qualify to give you an asset certification that can be used. They're kind of a qualifying institution, That gets a little bit complicated, and I want to make this as simple as we can. I am sure most plan sponsors are like, what in the world is she talking about? The easiest way I think of it is to find out who that asset holder is. Are they an insurance company? Is it held by a trust company or is it held by a bank? If the answer to any of those is yes, you probably can go down the limited scope, the 1 0 3 8 3 C route. If it's held by some other entity and especially if it's held through a broker dealer, then you're not going to be able to go down this route. Those are probably the two easiest ways to look at this. We actually have a book that that comes from the AICPA on this topic. So if you're listening to this podcast and you really want to dig into this a little bit more, or, you know, you’re asset owners and you're a little confused on this, you know, just shout out. I know Jamie, you're going to be giving out our email address here in a little bit, but just send an email to that address and we'd be happy to give you a copy of that booklet. It's through our quality center that we're a member of. A whole variety of different kind of training materials, and that booklet goes through them in a lot more depth than I just did on the differences in the institutions. So, that's the first thing is find out who holds the asset. What kind of institution, and then that can kind of steer you at a high level down the path. The other thing that you want to look at, is what kind of assets do you have and are they held by this institution? We see quite a lot of our clients, the vast majority of them, all of the assets are held by the institution. So it's a no brainer, you know, they're one of these banks, insurance companies, et cetera. They can give you the certification. All the assets are with them. Easy. It's a 1 0 3 C audit. And probably that's the route you want to go, but we do find, and I don't want to say occasionally it actually happens more often than occasionally where some of the assets are with someone else. So they may have as part of their assets an insurance policy for some of the participants that's held, of course, by an insurance company, maybe the rest of the assets are with Fidelity as an example. Fidelity is not going to be holding an insurance policy. So then you got to look at it for all of these assets that are outside of this entity, you know, what are they? How big are they dollar wise? What kinds of assets are they. And as you start getting into those kinds of discussions I would talk to your service provider and especially your auditor, because it really gets down into a dollar amount and there's no hard and fast rules. A lot of times we find these outside investments are small, so we can still go down the limited scope when a three FTC route but not always And they may be significant enough, but by definition is going to throw you outside of that. So another thing to consider.
Jamie Nau: So it sounds complicated, but at the end of the day, it really isn't. I think you just need to make sure you ask the right questions and talk to the right people and you're going to get the right answer. I know, it's been a long time since I've been in audit, but very rarely have we started going down the wrong path when it comes to this, like usually going into the audit everybody knows what type of audit it is. And, you know, if you are having trouble finding the certification or getting the certification, then you know that something's wrong there, but usually you don't get to that point.
Kim Moore: I would just caution to be careful. Another way you can start with this exercise is go to whoever you work with and say, hey. I got to figure this out. I need a copy of your assets. And if they can't give you one, then you know, you're done, you've got to do full scope, but also be careful because we have seen people come to us and say, yeah, I got certification here it is. And you get looking at it and say yeah, no, that's not going to work because it doesn't fit those other criteria.
Jamie Nau: They misunderstand the request, right? They'll give you like an asset summary, but it's not certified. So it definitely, it has to be a certified.
Karen Hill: And there's specific verbiage that goes along with the certification to determine whether or not it's a proper service.
Jamie Nau: Definitely. I'm going to throw out our email address. So again if you want a copy of that AICPA document, you can email us at: audit@summitcpa.net. And we love when people reach out to us for topics or you are interested in being a guest on the show as well. I'm always looking for people to come on. So let's turn the corner here a little bit. Karen, I'm going to throw this back over to you, obviously we just talked quite a bit about understanding what type of audit you need, but also there's some client acceptance procedures here that need go on. Do you want to dig into that a little bit?
Karen Hill: Okay. As Kim mentioned before, the client is supposed to do the review and determine which type of audit is the correct audit to do go ahead and consult with your auditor if needed to, but ultimately it is the client's decision and in the engagement letter that the auditor will send to the client. It needs to specify which type of audit is going to be performed. And some of the garbage in the engagement letters has been changed to make sure that the proper procedures are completed. It should say in the letter to ensure that the procedures have been completed. And then the auditor's responsibility is to review the procedures of the view with the client, make sure that they did do the necessary procedures in order to determine the proper audit.
Jamie Nau: Great. So that sounds like what we have been doing, but I know the wording on the letters would be a little bit different. So it's important in ahead of time to make sure both sides are in agreement with what that is going to look like. And then can we also mention auditor review here? You want to go into a little bit of that?
Kim Moore: The auditors also going to review once you get into it. Most engagement letters are signed with agreed type of audit, assuming we're going down the path of needing the certification, and we're also going to go through these steps. So there'll be a secondary check on our part. Of course at that point you might find something, you know, deficient in it that needs to be actually signed. An email is not sufficient. It needs to be an actual formal document sign. There's other criteria. So if we see that any of that's missing, we'll have to do the full scope non 103 FTC procedures. That’s the thing I like to point out here, I think what's actually going to happen is for a lot of the folks that they're just going to go down the same path that we've always been doing, and they're going to rely on the auditor. And, of course, we're going to be able to coach them through this and help them understand what they need to do. But what I suspect is going to be a hang-up for some folks is when they have their legal departments review those engagement letters. And that does happen quite often actually. And that, you know, the legal terms isn’t going to know anything about this. And so they're going to say, well, wait a minute. We're supposed to be doing what? What is this? And so here we go again. So, that's why I point this out. You don't want to have a couple months delay getting your audit started because your legal department doesn't understand this. And really it's not that big of a deal and it's not that big of a change. But it could cause you a headache. If your legal department doesn't understand that and they don't want you to sign it because they don't know all you did as the company and they come back and say, hey. We need to strike all this out. Well, we can't do that. If we strike it out, you've automatically put your audit in terms of a full scope and now you got to pay more. That is going to take longer. So we just don't want to have people go down that road when really it isn't necessary. We're trying to get word out to everybody. I think that's probably the most important part of all of this and they understand this timing wise.
Jamie Nau: Right. Obviously we're in the fourth quarter right now of 2021. So again, this is the quarter where a lot of this goes into effect so this is the time to do it. I know it seems like the 401k audit update is still months away, but if you can start doing these procedures now and not waiting until June you will be better prepared.
Kim Moore: Absolutely. Yeah, and in talking legal, let's jump into our next area, plan documents. This is actually a pretty simple one, but we expect it being a pretty problematic area for a lot of our clients. And we expect it from the other folks, it is always been the case that the auditor needs to get copy of the current plan documents. And there's a whole suite of them. That's such as one thing. It's a whole suite of documents to conduct the audit because we need to know what are the parameters of the audit or what the plan is supposed to be operating under. None of that changed it is the same as before. The standard now is it’s management's responsibility to ensure that they maintain all the documentation for the plan, including plan documents signed, executed versions of the plan documents as well as any and all information and documentation required to support transactions maintained by the plan. So we know most 401k plan providers are using service providers for almost all aspects of their plan. They're in-house doing the hiring and terminating of their employees and they're running payroll. Usually in-house not always the case, usually in house other than that, almost all of this work for 401k plan is being done by a service provider of some sort. And you know, as we talk to our clients, they're like, well, you know, that's so-and-so's responsibility. We, you know, we pay them to do that. They'll have that. Maybe they do. Maybe they don't, but ultimately it is very clear it is the plan sponsors responsibility to have this documentation or to know someone else has it and can provide it. So we bring up the plan documents as kind of the first step, because it is. I would say 90 plus percent of the time. No one has a quick grab of a copy of the signed executed plan documents. I mean, this isn't every once in a while habit, it happens almost all of it. So we've been really making it a point to try to push to get those copies to tell our clients saying hey, you need to have these. You should have many ways. But if you don't have them now go get them. And if you don't, nobody can find them. You need to resign copies because we're going to have to have signed copies. So again, we're a couple months out. It would be a good time to go check your files. If you've only got a paper, copy, scan it. And if nobody has a copy, you better be checking with the providers. So you can get one because that's going to become an issue as a big, huge time delay as we get into audits.
Jamie Nau: Yeah, that definitely makes sense. And like you said, the timing is right now, it's applicable to listen to this and jump right on that. So okay Karen, let's jump into a word that auditors have talked about for a long time and I've always, always thought a lot about, and that's estimates. So you know, estimates obviously from the audit standpoint are a higher risk. You know, anytime there's an estimate, it's something that we're going to have to dig into and make sure that the estimate is reasonable. So it sounds like with this new requirement that we're not going to be the only ones talking about the word estimates.
Karen Hill: Sure, actually for years, they've said that the client is the one that's supposed to determine if the estimates are proper, but a lot of them fall back on the auditor. Luckily in most 401k plans the main estimates are the value of the investments themselves. And most of those are usually mutual funds and stocks, things that are readily traded and the valuation is pretty easy to determine. But there are some plans that have some strange investments, maybe some real estate holdings or other types of bonds or CDs or something that the valuation might not be as easy to determine. And in that case, the plan sponsor is the one who is supposed to determine the estimate of the valuation of those different investments.
Jamie Nau: Again, I'm going to use the old term just because I don't have my notes in front of me, but do estimates ever exist on a limited scope audit or just the non-limited scopes?
Karen Hill: On both types of audits, because both of them are going to have investments. So it's something that we need to look at no matter what type of audit we have. And the auditor's going to review the evaluation of the estimates and determine if that's okay.
Kim Moore: Yeah, and this is an area I think that can get complicated for most plans, probably not, but there are cases where it does. So again, I would talk to your provider, talk to your auditor. If you have an investment advisor, that's another place you can go. Because they all will have good information, especially if there are those kind of non-public ones. They should be able to kind of point you in a direction to help you in this area.
Jamie Nau: Great.
Kim Moore: Karen mentioned earlier, going concern, that applies across the board whenever you're doing an audit. To look at going concern of whatever it is you're auditing. In this case we're running 401k plans. So there's a couple of wrinkles. I mean, obviously we want to know is the plan in the process of being terminated? Are there discussions about terminating a plan? Obviously that would be a going concern issue, plans being terminated. That kind of goes without saying, but we also have to look at the underlying company, because without the company, although the plan could be, as it is a standalone, it does exist on its own and it could go on. Usually they don't. So if the company is in any kind of financial difficulty there needs to be a going concern evaluation related to the plan. Again, that's all supposed to be done by the client, not by the auditor. The auditor will review. It gets a little difficult. So again, I would suggest this is something best to talk to your auditor about. I don't know that your service provider is going to be able to help much here, unless you're in the process of terminating the plan. But you know think about what's going on with your company. Think about how that impacted the plan. Did you have any delays in transmitting contributions? Did you shut off employer contributions? You know, all those kinds of things will leave the auditor to say, hm, I don’t know. That might be an issue. Another thing that that's a wrinkle for 401k plans is something called partial plan termination. So you've not done anything, you know, you're not terminating plan. It's going to go on if the company is going on there, you know, so you'd be like, why are you bringing this up? But if something happens that causes 20% of the participants to be in voluntarily terminated, so they're leaving on their own, not that just a whole bunch of people in your company decided they want to work somewhere else, but something happened. So you are closing a facility, it was contract you just decided to shut down portion of your business. If you know, if that number gets around 20%, then you can trigger this partial plan. If they have employer contributions that have a vesting schedule to them, but it can, it's a very complicated. And it can be very costly if you miss it because you can have people that have left your plan. You took money back because they were not vested according to what you thought was the rules. Now you got to go fund it. So the company would have to make up all of that difference because it could end up being a big costly mistake. So if you've had anything and it, you know, we just went through a pandemic, so this could apply to a lot of plans that it normally wouldn't have. And there are specific rules specifically for the pandemic because people may have been laid off. Then you hired them back. So if you did lose some people, regardless of how, I always suggest go talk to your service provider and you may actually need to get an ERISA attorney involved, because again, it does get very, very complicated. You know, talk to your auditor, but ultimately it's usually going to be an attorney call. But it's worth your while to look into it if you think it might apply because it can get very expensive.
Jamie Nau: Yeah, this definitely sounds like a year where you need to pay attention to that. You know, I know a lot of not only like, like you said, people changing jobs, but also just a lot of companies changing the way they do business. You know, I always think of like the restaurant business. Like the one thing I've noticed lately is it seems like dining out is continuing past the pandemic. Like, you know, you used to go to a restaurant before the pandemic and it'd be 75% full and occasionally you'd see someone walk in would take out. And now it's like, you know, you're sitting in there and you're the only person in the restaurant yet you see 50 people coming in and out. And so I think stuff like that is going to change. Like you said, maybe you're going to close storefronts and have more just delivery options and stuff like that. And so I think businesses are changing the way they do things which might lead to something like this. So it's a really good year to kind of make sure you're ahead of this. because again, as with anything you want to make sure that further ahead you are the easier it gets. So let's talk taxes for 401k. Karen what, what kind of changes, what things do we need to be aware of in that area?
Karen Hill: You always want to review the Form 5500. We need to reconcile the report financials to the Form 5500. That's something that we've always done. That doesn't change. The one thing that might change is that we cannot date the management representative, I'm going to say this wrong management representation letter or the audit opinion until we have a substantially completed Form 5500. Now what's a substantially completed form 5500. That's something that you need to determine with your auditor, what they determined substantially complete. I can tell you from personal experience that it is rare that we get a draft of the Form 5500 and there's no changes. I think some of the issues that we had this year with changing audit opinions and that had to do with the Form 5500 had already changed for this standard. A lot of the audit firms decided to push it off for a year. They didn't want to go ahead and early adopt. So maybe some of those issues will be resolved because you know, everybody's now going to be doing the one of the 3 83 C audits this year. And that's something that you might need to stay on top of. Talk to your service provider and see when they plan on giving you a the Form 5500 and also discuss it with your auditor and make sure that they're going to look at that early enough, that if there is changes that need to be made they can be made timely.
Kim Moore: Yeah. I think timing is the key here because you know, certainly you can revise the Form 5500 as many times as you want. It's not that big of a deal. But it's a timing issue and, you know, it's very common for audits to go right down to the wire. And it's also common for the 5500 changes depending on what they are. So obviously get down to the end. You needed substantial change. The auditor's not going to get you the final report without that. You're going to file late and nobody's going to be sympathetic if that happens. So we're just putting this out here because we know different firms are going to determine what's substantially complete and they're not all going to be the same. So you need to know that ahead of time. You need to make sure your auditor's thought about that. And you also need to be talking to a service provider, you know, what's the last day you can be submitting a change and get it back in time. So it is really a timing thing more than anything.
Jamie Nau: Yeah. I remember again, I always think back to the Form 5500. Like once you have those 401k financial statements done and you have the financials finalized it's pretty easy to jump into the Form 5500, but I remember waiting months to see that first draft for after the financial statements were done. Very common in the past to do that. So I think it's time. Change your mindset. So we are right on time here. I know we have one topic left, so I'm going to throw it over you Kim to wrap up.
Kim Moore: I'll do this really quick. It's coping portable findings. We were always supposed to communicate back to the client, any findings that we had no change there, but there is this definition of reportable findings. So it can change what findings are going to get reported back to you and how they're going to get reported. So my suggestion in this area, just talk to your auditor at the beginning of the year. You know, as you're starting this new kind of cycle of audits say, hey, well, you know, from your opinion, what's the reportable fighting. You know, if you want every finding, even if it's tiny doesn't matter, let your honor know that they can communicate to you verbally anything. They can give you a separate written communication. So there's ways you can handle this, but I just would talk to your auditor and say, I heard about the same reportable findings. Can we talk about that a little bit? And you can get that taken care of right away. I would just bring it up, you know, at the beginning, I think though the whole thing with this is if your auditor was doing a good job before, you're not going to see a whole lot of change, but communication and timing are the keys. So as long as you talk to your auditor upfront and make sure they're on board, they know what they're doing. They're handling all this properly. Talk about any of these areas that may have peaked your interest. Don't wait.
Jamie Nau: Yeah, definitely. If they haven't heard of this yet, I would ask them to listen to this podcast. Give them a call or shoot an email out and be like, hey. What about this new standard out there? Is there anything we need to be doing? You want to make sure you're ahead of it. So hopefully this podcast helps. I definitely appreciate you both coming on and informing me as well as the audience. So thank you very much.