401(k) plan administrators should take note of four changes that could affect their 2023 plan audit. The Department of Labor altered how Form 5500 counts participants, potentially impacting an organization’s need for an audit in 2024. New auditing standards and a renewed focus on securing the IT environment call for a frank discussion with your auditor about what new steps or documentation processes you need to begin to keep your organization’s plan in compliance. Kim Moore, director and 401(k) audit practice leader, and Karen Hill, audit and assurance manager, discussed the changes and strategies plan administrators can use to ensure their organization’s readiness.
Narrator: Welcome to the 401k audit CPA success show, where we're 100 percent focused on helping companies across the United States prepare for their 401k audit. If you have 100 eligible participants in your 401k plan, then this podcast is for you.
Kim Moore: Welcome everyone to the 401k plan audit success show, our monthly podcast that we do.
I'm Kim Moore, the audit director here at Anders on the 401k remote audit team and I have Karen Hill audit manager here with me as well. We want to welcome you back to our podcast for this month. We have a little bit of a kind of change of gears on our topic this month. We're going to talk about a couple of new audit standards that could affect your plan for 2023, the 2023 plan audits.
I know we're in 2024, but we are always a year behind in our audits. So this is, we're gonna be talking about 2023 plan years and 2023 plan year audits. I wanted to kind of first preface this that this is a podcast. It's not a training session.
So if you are an auditor listening to this or someone else who's really looking for advanced guidance on these new audit standards, we're just going to briefly touch on them. We're not going to get in all the details. We're not going to talk about from an audit standpoint, how you implement them. So if that's what you need or you have, you know, you're listening to this and you're, you're just realizing I, I would encourage you to go get some additional training.
I know the AICPA has training on one of the big topics we're going to talk about, but they have general training. You can check out your accounting state societies. They usually have training as well. And there's other, other forms that you can get training on these topics.
But anyways, I would encourage you to get out and get that training because these standards we're going to talk about are pretty important and we're not going to cover them in depth. We're going to really look at them more from a plan perspective. So if you are a plan administrator or you're an investment advisor providing advice to the plan or just talking to the plan, you might want to mention these things because it could impact how their audit functions and make some changes to the audit process.
So with that, Karen, I put on the agenda here today, something that is not actually an audit standard change. And I talked about this before, but it's the time of the year when people are figuring out, do I need an audit or not? Or if I've had an audit, do I need to continue to have an audit?
There is a change in this space. And I just wanted to bring it up because I thought it's a good time to mention that. And that has to do with how we count participants from the Form 5500 to determine whether we need an audit or not. You want to kind of talk a little bit about that?
Karen Hill: Okay, yeah, in the past to determine whether or not you needed an audit, you would need to count all eligible participants at the beginning of the plan year.
And the count, the date is still the beginning of the plan year, but they have now changed that to active balances in your plan as of the 1st day of the plan year. So that means anybody, any current employees that are deferring plus any terminated, retired employees that still have account balances in your plan.
So this might mean that if you've had an audit- needed an audit in the past, you might not need one now. That's, that is a possibility.
So this change was made by the Department of Labor. It was, you know, I'm not sure the reason.
Kim Moore: Somewhat, somewhat controversial, I think the change because from an auditor's perspective, a lot of the smaller plans, which would be the ones that have, they, they needed an audit before, not because they had a lot of dollars in the plan or a lot of people participating in the plan, but people that could have. They were eligible.
Those a lot of people were making the argument that those plans tend to have a lot more findings and the audits are good because it helps point out deficiencies. And so now you're, you know, you're focusing on larger plans, which tend to be, they have more staff that can, you know, pay attention to things and know what they're doing in theory.
I think the rationale was that audits are expensive. And so for people to have to pay for an audit when a lot of their employees are not taking advantage of that particular benefit was a, you know, kind of a detriment to companies. I think that was the rationale behind it. But you know, it's DOL's prerogative to, to make changes, their area of purview.
So they have made the change. We, we've seen a few of our clients that, you know, did need audits and have had audits for the past several years and no longer need them for this exact reason that they had a lot of eligibles, but for whatever reason that particular employee base elected not to participate in the plan.
And so they won't need an audit anymore. One thing I, I kind of caution people on though, is that the rule around if you have more than 100 active balances on the first day of the plan year, it's going to drive the audit. That's not going to change. So if you're real close to the 100... so, you know, after you, you look at this and you're taking out the people that are eligible but not participating in, you know, you're maybe in the nineties or something, you know, your company is growing.
I would caution you to say, "oh goody, I don't need an audit," because maybe next year you will need an audit. You might go over that hundred limit and then you will need an audit and then the auditor is required to do what's called beginning balance testing, which means they're going to have to go back and in essence audit this year anyways.
And it, it could cause you a lot of problems implementing that, and so, you know, I, I'm not, I'm not saying that you should go ahead and have the audit anyways. That's up to you how you want to handle it, but if you are a growing company, there's a likelihood that your auditor is going to have to cover the years between when you stopped having the audit and then when you needed it again.
So, you know, it's just an area that to, to kind of think about and I, I think it'd be a good idea to talk to your auditor and say, "what are my options here? I, I know I don't need an audit for 2023, but I might need one for 2024, probably would definitely need one for 2025, you know, we liked," I'm assuming you probably liked your auditor.
"So we liked your services. We'd like you to come back and do that. But what are you recommending in this particular case? Cause different audit firms would handle that situation differently. So. Talk to your auditor if, if you fall into that. Now, if you're a small company and, you know, you don't think you'll ever get over the hundred, probably you know, this is good.
It means you won't need an audit. You probably won't for the near future. So. Just wanted to point that out because it could impact you if you fall into this. We had a lot of eligible people. So with that, then we're going to move on into there's two new audit standards that we wanted to point out.
Audit standards change all the time. And there are audit standards kind of on the, you know, in the discussion phase that, that, aren't quite implemented yet as well, so we may be returning to this topic you know, in, in later dates as well, because as I say, they change all the time. But two we wanted to highlight that our team has been talking about a lot, and there's kind of a lot of back and forth, and we don't... we don't have all the answers here either.
So you know, like I say, we may be back having this discussion again in another year or so, but we wanted to bring to your attention these two new standards that could impact your plan audits. They would definitely impact your auditor. The first one is called SAS 145. SAS is an abbreviation for Statements on Audit Standards.
It's the governing bodies over the audit profession. As I say, they get together and they look at all the rules around how auditors are supposed to conduct audits. And they'll make changes periodically for things that are changing in just the environment. So things like cryptocurrency or the new lot of stuff coming out with AI, there's probably gonna be audit standards coming out regarding those things.
So it could be things that are changing just in the general business environment, or it could be in the, and what is true in this case, is kind of updates, revisions, clarifications to existing audit standards. So SAS 145 covers risk assessment. Risk assessment is an important component of an audit and it is just what it sounds like.
The auditor is assessing the risk to the financial statements from all of the activities that are going on in this case in a benefit plan that could cause the financial statements to be incorrect. So, so they're doing an assessment and there, there were already rules in place around that. I mean, risk assessment is not new.
It's been around. This is really a clarification on some things more than anything. It does put in some definite requirements that were not specified before. I think a lot of firms were doing them, but they weren't required and detailed in the standards, which they are now. But this one, it becomes effective for plan years after 12/15/2023, which would be most of your 2023 plan audits because they're going to have a year end of 12/31/23.
So for most of this it's going to be for those 2023 plan year audits of your calendar year. Again, if you're not sure if you've got a fiscal year, you're not sure is your auditor going to adopt this or not, you know, just ask them and they'd be able to clarify that.
So Karen, one of the things I wanted to point out, there's, there's several things here that we want to talk about with this particular standard, but one is about the testing that we're going to do is going to come out of the risk assessment and specifically inquiry. So, yeah, talk about that a little bit.
Karen Hill: Yes. In the past you were able to use inquiry, which is basically the auditor asks you, how does this process work? What we've seen mostly it used for in the audit of plans is surrounding the review of payroll. And inquiry could be used in the past
if you had 2 separate people that you made the inquiry and what they said, agreed, and then you could use that as audit evidence. Well, you can't do that anymore. We can't use inquiry anymore. So specifically taught coming- over surrounding payroll and the review of payroll, your auditor may ask to actually see something that shows that the payroll has been reviewed.
Instead of just asking you and maybe you and the payroll manager or, you know, somebody else about that process.
Kim Moore: Right. Right. We, we anticipate that this is going to cause some problems in, in the audits because a lot of folks.... and rightly so. I mean, there's nothing wrong with it. They're running their payroll.
They're doing checks. You know, they're, they have maybe a checklist and they're working the checklist or maybe they hand it off to someone and say, "hey, can you just double check all this stuff?" But there's no evidence of that anywhere. They're not writing something down. They're not filling out a checklist.
They're not signing. They're not... you know, in some cases we see people might send an email saying, "yep, I reviewed it. It's good to go." We could use that. That would be evidence. So we could use those kinds of things. We've also seen examples where the system may send something out saying this has been approved and payroll is processing now or something.
So, you know, that could be an element of evidence you might be able to use if you understand how, how that process works and how that's generated. But simply you're going through all of these manual activities and there's no, you know, there's nothing I can see of that that's, that's going to be a problem.
And so any, any part of your audit where you know in the past the auditor has asked you a series of questions and then, you know, you, you know that they go to your colleague and ask a series of questions, those are probably going to be areas that are going to be problematic going forward. So something to consider, something to think about ahead of time you know, it may be something that you need to put in place.
In, you know, in addition to what you're already doing for future years, obviously 2023 has already happened. It's in the books, so we can't go back and change 2023, unfortunately, but for, for your 2024 audits and then going forward. You know, it's something to keep in mind. And this is going to be true for any audit.
So it's not, we're going to talk specifically about benefit plan audits, but this would be true for any audit. So if you have a regular financial statement audit that, you know, same thing would apply there too. So. Just kind of be careful with that. Another area that was really clarified, now, this is not a, a change so much, but it clarified that IT is an important component of almost any business in today's environment.
And, and obviously there need to be controls in your IT environment, just like there are in your manual processes. Again, that's not new that's been around, but in a lot of cases on the- in the benefit plan world, we've kind of tried to skirt around it and not talk about it too much because a lot of the work that's done for benefit plans is done by your service providers.
So it's done inside a payroll system and it's done by your record keeper in their record keeping administrative system. A lot of the investment work is done by the custodians and their systems. And so we get things and we've talked in other podcasts about SOC reports and reviewing the SOC reports to look at the controls at those providers.
However this standard is clarifying that you really do need to take a look at the IT environment, regardless of where it is. So if there's processing, it's going to be a two part to this. So if there is processing done at the client, which of course payroll would be run by the client in most cases, even though it's done maybe in an ADP or a Paychex or a Paylocity system, it's still being run by people in the company.
You are going to have to take a look at the IT environment around, you know, that system and, you know, is there risk involved in that? And then of course you're going to flip over to the administrative end of the benefit plan, which is probably run in a Vanguard or a Fidelity type system. And you're going to have to consider the IT environment there because there are still ways to get into that system and, and access it and do things.
And so you're going to have to look at those IT controls there. Exactly how your auditor is going to do that is, is obviously going to be dependent on that particular auditor. Everybody's going to look at it a little bit differently. But I do expect that there's going to be some additional work done in this area which might involve just they're needing to gain more information, so it might be questionnaires that weren't there before or questions that they're going to ask.
It might be asking for some additional things like an access listing. So, I need to see a listing of who has access to your Vanguard platform at an administrative level or something like that. That's saying they're going to do that, but that might be an example of something that they might do.
You know, you may have an auditor that takes the approach that the IT is a huge risk and they may need to come in and do IT audit testing and maybe they've never done that before. Not saying that will happen, but, but that could happen. So again, I think if you are getting ready to, you know, start your audit or you're talking to your auditor about when, when the audit is going to This is something I would, I would raise with them because you may need to get your IT staff on board.
If you use an external IT provider, you know, you might need some additional kind of setup time to, to get them on board and ready to, to provide the information. So just something that we you know, we, we want to make you aware of. There's also a, a whole series of things. There's something called SCOTABD, which I want is an abbreviation.
I won't go through and define all of that. That's where we had a lot of the discussion on our team is there's a whole series of steps you have to go through for each, if you think about your financial statements, kind of each line that makes up your financial statements to determine the level of work that you need to do assessing risk in each of those areas, and it'll vary.
I mean, not every line is going to be treated the same, and not every audit firm is going to do this work the same way either. So, again, I don't want to get into a whole lot of detail here because we could be spending a two or three hour podcast just talking about what's a SCOTABD.
Karen Hill: Yes, because we've spent more time than that discussing it among our team.
Kim Moore: We really have. It's, it's been a it's, it's the new audit standards are not prescriptive, so they're not telling you, "you need to do... here's your list... go down and do all these things." They're more general guidance. And they're trying to give you principles and then you have to determine how to apply those principles.
And so it does involve a lot of discussion on the part of the auditors and trying to figure out, you know, "okay, so what does this mean for this particular client, for this particular benefit plan? What do I need to do here? What do I not need to do?" The bottom line, I think, from all of this is, number one, talk to your auditor.
Find out how are they addressing this? What is that looking like? Because it may involve additional work on your part or additional discussion. They may want to sit down with you and have kind of a, "let me, let me figure this out with you." So, but I, you know, it depends. It's going to depend on the audit firm and how, how they approach it.
So I would, I would talk to them, first of all. The other thing, though, is that, as we've already mentioned, from the IT area and from the change on the inquiry side. But just in general, the work that the auditors are going to do after they complete their risk assessment may change because of all of this that we're not going to go into depth on.
So they may do less work or they might have to do more work or it could end up being the same kind of work. It could be any of those. And in each one of those line items on your financial statement, it could be any of those three. So it could be more, less, or the same.
And so I think it's a good idea up front as you're doing your planning with your auditor to just kind of say, "Hey, I'm aware of this. I don't know a lot about it, but I want to know what does that mean to me as the auditee? What kinds of additional information am I going to have to provide? Or do we need to book more time for the audit? Do we need to start it earlier," which we always preach! "What, what does this really mean to me?"
It might not mean a lot. Maybe it won't be a big change or it could be a huge change. So, we don't know. It depends on your particular plan. It depends on your auditor. Depends on how they're going to approach this. So my, my, best advice here if you are the plan sponsor of a plan, you're the plan administrator, you know you have audits, or maybe you're someone who's advising those folks, is just have that discussion.
Find out what does it mean to you so you're not surprised. That's kind of my, my best, my best thing on that. So, the next one is, it's again, another SAS, it's called SAS 143, and it has to do with estimates. I, it is a new standard so it, you know, it's something as auditors, we got to pay attention to, but Karen, I don't, I don't see this being a big impact to us, at least with our clients.
Karen Hill: Yeah, not for your typical 401k plan that has investments in mutual funds or maybe pooled accounts or something like that because that's... those really aren't estimates, they're based on known data.
You know, maybe if you have receivables and payables, they might involve estimates, but generally, even in that case, if it's contributions that go in after the year end date, you know, those amounts, if you have to refund excess contributions, those have to be made, well, they should have been made by March 15th.
So those amounts should be known as well. The biggest issue will be if there's corrections and they involved estimates and maybe it's material so you have, you have to book something for that. That's probably where we're going to see, have, see some work done around that, that, that type of thing.
Kim Moore: Right. And we don't, we, for our clients, we don't see that a lot. Most of it's the, the first part of what Karen said. They're pretty standard things. We've got support for them. We, you know, they're clearly not, you think of an estimate is like an unknown, right?
There's an unknown element to it. And, and they're, there aren't unknowns with most of what you're going to see in your standard benefit plan. So, yeah, I think it's going to be where you're running into some kind of thing that didn't go right and you've got to make a correction and, but you, you know, you don't want to hold up the audit to do all the work to make it a fully known number.
You want to go ahead and put in a little bit of an unknown element just so you can get the audit done and have it be on time, which is fine. That, that's not a problem. But it, it does mean the auditor will have to do some work in this area because it will involve some estimates. There, there also could be situations if you have non standardized things.
So you're doing... you know, the plan invest in assets that are not your standard. You know, like a mutual fund that you can go look online and see what the value is every day. So if you're, you're investing in things that are not-
Karen Hill: Real estate.
Kim Moore: -hopefully Yeah. Or, or you're making loans to outside parties. It's not participant loans, but you're making loans to outside parties outside of the plan.
You know, we've seen plans that they're, they're buying artwork or, you know, something like that. You don't, don't see it very often, but occasionally you can see, you know, some, some more, I don't want to call them strange, but they're not your typical kind of, of assets that you see, and obviously if you had purchased artwork, there's going to be a huge estimate there.
What is the value? Because it has to be marked to fair, the fair value of that piece, not what you paid for it, necessarily, and not how much you think it's worth, but how much could you, could you get if you sold it. Which those could be very different numbers.
Karen Hill: Right.
Kim Moore: So, you know, if you're, and again, this standard applies not just to benefit plan audits, but applies to all audits.
So if you happen to be listening to this and you have a financial statement audit, this would be, this would come up more often in a regular traditional financial statement audit. So those are all things that, that you should think about a little bit more broadly if you, if you have financial statement auditors- audits.
Your auditor will probably if this applies to you, they're going to bring it up because they're going to want to talk to you about the estimates and what that means. And you know, generally it's not going to apply really at all. If it does, it's, you're going to be able to, it's a corrective type action and you're going to be talking about the correction and how you're going to get the data to come up with the estimate.
Anyway, so it's probably not that big of a deal. I think the areas where it could become a problem are things like the artwork. Where you're going to say it's worth a lot of money and the auditor is going to say, well, I don't, I don't know that I see it that way, you know, that, that I could see that being a problem.
But for most plans, those, those kinds of things are never going to happen.
Karen Hill: Yeah, even with corrections, usually the corrections are due to late contributions and the contributions have already been made. So you're only, it's only the earnings and usually it's a matter of days and it's not material. So usually that's not even an issue for us, but it could be.
Kim Moore: Right, right. So we just wanted to kind of bring that up and let you know that that's out there. It's on the radar. If, you know, that sparked your interest and you're thinking, "Uh-oh, that might apply to my plan," then, again, the topic to, to go over with your auditor. Those are our new audit standards that we wanted to kind of talk about today.
I don't know, Karen, any last thoughts before we wrap up here?
Karen Hill: Just that you. As always, communication with the auditor is the best way to meet these head on. There's chances, I know there with our audits, there has been a slight change. I don't know that it's been so far that significant. Might find that later on in the year.
But if you just communicate with your auditor and find out what they're expecting and plan accordingly, it should help get through these.
Kim Moore: Right. I, you know, I always, we, we stress starting your audit as early as possible. It's a good idea. It's always a good idea, even if there's no changes, but I think given that there are some changes here, what we're finding in conversation with other audit firms is that everybody's a little bit confused by some of these.
And if you use an audit firm that, they do their benefit plan audits only in the summer, they probably haven't even looked at any of this. So, at the time when your audit is going to get started, they're going to be saying, "Uh-oh, what is all this? I, I knew I needed to do something, but I, I didn't realize it was going to be this confusing."
And so, you know, it could end up delaying your audit. So, my, my best advice is talk to your auditor, as Karen said, and then start your audit as early as possible. And again, if you are an auditor and you're hearing this podcast I would strongly encourage you to reach out within your firm, reach out to other audit firms, get some additional training, especially the one on the risk assessment.
You know, that is an area you don't want to make a mistake in because that could make your entire audit have a problem and, and, and be incorrect and, and cause you problems with the Department of Labor and, and other entities. So, just want to make sure that you, you get the training that you need. With that, we're going to wrap up.
I always like to throw out my email address. It's the letter K, then M O O R E at Anders with an S, A N D E R S C P A dot com. Again, the letter K M O O R E at Anders with an S C P A dot com. If you have any questions about today's podcast, or you'd like to give us some ideas for future podcasts, or just want to reach out if maybe this topic piqued your interest, you'd like to talk a little bit more about it, or you think you might need an audit in the future, we'd be happy to help you out and talk about what audits are all about.
So don't hesitate to reach out and I'd be happy to, to chat with you about any of those topics. Again, thank you for listening, and we'll catch you next month on the next 401k podcast Audit Success Show. Thank you.
Narrator: Enjoy this podcast? Visit our website at anderscpa.com slash 401k to get more tips and strategies for achieving 401k audit success. We are here to be a resource with ever-changing rules and regulations.