A lack of "healthy paranoia" can be one of the biggest problems in approaching employee benefit plan (EBP) audits, said Bertha Minnihan, CPA.
An EBP audit at first may seem straightforward and simple, so auditors may let down their guard or attempt to perform an audit without the specialzed training they need to do the job. If practitiolers are not careful, they may find that an EBP audit is like a cute little dog that has a surprisingly nasty bite.
"We may think because they're smaller, and he balance sheet may have three items reported as opposed to 20, that we can relax a little bit and kind of just overlook the risk," said Minnihan, the national practice leader of employee benefit plan services for Moss Adams. "That can get us in trouble."
In addition to a healthy dose of paranoia, EBP auditors need to arm themselves with expertise specific to these engagements. Understanding the areas of EBP audits that can be troublesome also can be helpful. With that in mind, the AICPA Professional Ethics Division has identified common quality issues that have arisen from investigations of EBP audits. The following tips address some of those issues and can help practitioners perform high-quality audits.
At a basic level, an auditor needs to have the competence and appropriate technical qualifications to complete the audit in accordance with professional standards (AICPA Code of Professional Conduct, "Competence," ET [section]1.300.010,[paragraph].01). Establishing competence begins with specialized training in EBP audits, and competence during an EBP engagement begins with gaining a comprehensive understanding of the plan and how it operates. In an EBP audit, this requires thoughtful consideration of the plan document and the adoption agreement. Each of these documents may be more than 100 pages long, but studying them is the only way to understand the terms and operations of the plan, the service requirements for employees, and the vesting rules, according to Scott Dufek, CPA. Along with his wife, Nancy, who's also a CPA, Dufek runs Dufek & Co., a Midwestern firm that is devoted solely to EBP audits.
"Almost any failure, short of documentation failures, you can trace right back to that the auditor didn't understand or take the time to fully read and digest the plan document and adoption agreement," Dufek said. "It takes a long time. They're long, thick documents. But if you don't understand what you're auditing, you don't have much chance to do it right."
As with any engagement, EBP auditors must not let their familiarity with the client lead them to become too comfortable and fail to perform testing that's necessary to arrive at a proper conclusion in the auditor's report.
"We don't go on our feelings," Minnihan said. "It's all evidential. I always say, 'Every day is new, and every piece of evidence has to fit.' You've got to trace the fact pattern before we conclude. And that's very sacred to what we do."
Relationships with clients are not the only areas where familiarity can cause trouble for CPAs. Auditors of defined benefit plans also may work with the same actuary on several accounts or for several years. Each time, though, sufficient procedures need to be performed related to the actuary. Practitioners are required to test the assumptions used by the actuary, as well as the actuary's reputation, conclusions, and qualifications, and their relationship to the plan. EBP auditors should take care not to rely too heavily on the work of actuaries. And testing the information provided to the actuary can provide assurance that the actuary's output is based on proper input.
EBP audits also require an understanding of a "limited-scope" audit (if applicable; not all EBP audits are limited-scope audits). Limiting the scope of an audit eliminates audit procedures over certified investments and related transactions, but other...