In their first report on audits of employee benefit plan (EBP) auditors since 2004, the Department of Labor (DOL) came to the incredible conclusion that CPAs are “putting $653 billion dollars and 22.5 million plan participants and beneficiaries at risk” (“Assessing the Quality of Employee Benefit Plan Audits,” U.S. Department of Labor, May, 2015, p.1, https://www.dol.gov/ebsa/pdf/2014AuditReport.pdf).” The DOL further reported that the issue has gotten worse since 1988.
Under the Employee Retirement Security Act of 1974 (ERISA), employee benefit plans are required to file an annual report and include audited financials from a CPA or independent qualified public accountant. The audit report opines on whether financial statements are presented in conformity with GAAP (p. 5).
Today, most EBP audits (83%) are “limited scope audits”—double what it was in 2001—that statutorily exclude plan assets from the audit. However, even full-scope audits under ERISA section 103(a)(3)(c) allow “the auditor not to perform any auditing procedure with respect to investment information … under instructions from the plan administrator” (“Employee Benefit Plans,” Accounting and Auditing Guide, AICPA, Jan. 1, 2011, p. 100). The DOL report's conclusion requires a leap of logic from the types of audits mandated under ERISA to the safety of plan assets.
Still, the DOL raises two issues that we, as a profession, must address: First, the DOL uncovered significant deficiencies in certain limited scope audits that “contributed to declining audit quality” (p.9). In his article on page 54 of this issue, Adam Lilling looks at the top three offenders and offers guidance that may improve audit results. The DOL also reported that local firms who perform one to two limited scope audits have significantly greater deficiencies than firms specializing in EBP audits. This issue will be addressed in future articles as well.
The Risk of Loss of Plan Assets
The DOL's press releases for this report were unkind to CPAs, making it important to clarify our limited responsibility in auditing EBPs and reassure our clients and the public that plan assets are not at risk. In addition, the public needs to understand that there are many EBP safety nets that protect plan assets. In a discussion with the editor, fiduciary advisor Sheldon Geller observed that safety nets are set up in multiple layers. First, there is a named fiduciary who is “legally accountable for the safekeeping of plan assets.” There is the corporate trustee who, at arm's length, “watches over the plan and is legally accountable for the safekeeping of plan assets.”
There are also, according to Geller, “non-fiduciary service providers, record keepers, third party administrators, and limited scope investment advisors who assume no responsibility for safekeeping of plan assets,” but which are audited (e.g., Fidelity and Vanguard) and provide instant online access to employee retirement accounts, including contributions and withdrawals, as well as daily valuation, participant-directed investments, and other services. These feedback mechanisms provide another level of assurance, integrity, accuracy, and safety of plan assets.
A third level of safety is provided by the government agencies that audit plan sponsors and service providers. The IRS and DOL share responsibility for EBP safety under ERISA. In fact, their reviews cover similar areas that EBP audits cover. Fred Reish, a partner at DrinkerBiddle's employee benefits and executive compensation practice group and chair of its financial services ERISA team, recently highlighted DOL investigations in some of these areas, including “late deposits of deferrals, related party transactions, 408(b)(2) fee disclosures from service providers, indirect compensation from investment vehicles [fees paid to any person or entity in connection with services rendered to the plan], 12b-1 distribution fees and others” (“IRS, DOL Audits, and Fiduciary Litigation,” Nov. 6, 2014). Similarly, says Reish, the IRS audits timely deposit of deferrals, inservice distribution, fiduciary responsibilities, and others.
Audit Deficiencies
The DOL did uncover significant deficiencies in their audits of auditors. Douglas Carmichael, professor of accounting at Baruch College and coauthor of PPC's Guide to Audits of Employee Benefit Plans, pointed out to me that the highest audit deficiency area in the DOL report was related to internal controls. On the upper bound, 23.7% of all audit deficiencies included this issue (Appendix II, p. 27). Adam Lilling's article specifically covers these deficiencies.
In his guide, Carmichael highlights two major internal control deficiencies: inadequate documentation and failure to assess and document control risk (Appendix II, p. 30). Unfortunately, the AICPA's Employee Benefits Plan Audit Guide provides little practical guidance for a local firm, and it is not practitioner-friendly. It does not contain any useful forms, checklists, or practice aides. These are included in PPC's audit guide, as Carmichael stated that his objective in writing the four-volume set was to make the required audit work on internal controls achievable by a local firm.
CPAs are the institutional power whose responsibility is to ensure the accuracy of financial statements, the bedrock of investor confidence.
Still, it should be noted that there are many grey areas regarding internal control issues. Even the AICPA guide—effective 2011—acknowledges that auditors may have difficulty obtaining an understanding of and testing the internal controls of a benefit plan—
increasingly using service providers to initiate, execute and perform the accounting processing of transactions on behalf of the plan administrator. Often the plan does not maintain independent accounting records of such transaction … in these situations, the auditor may not be able to obtain a sufficient understanding of internal control relevant to such transactions to assess the risks of material misstatement … without considering those components of internal control maintained by the service organization … [except by] obtaining and reading the entire document prepared in accordance with SAS 70. [AICPA Audit and Accounting Guide, Employee Benefit Plans, “Internal Control,” 6.22]
Can the DOL Get It Right?
While not diminishing their findings, we do need to look closer at the DOL's methodology. The DOL sampled 400 plans out of 81,162 Form 5500 filings using what it called a “statistically valid sample.” Lawrence Tatum, a professor of statistics and computer information at Baruch College, related the following in a message to me: “With respect to the stated intention of looking at the relationship between the number of audits and audit error rate, it may well be that the study has done its job despite the poor design, as it does seem like there is a clear inverse relationship.” Tatum concluded, however, that the overall error rate was unwarranted. Tatum further studied the methodology and concluded that “incorrect weights were used here to get the overall error rate. … So the estimated overall error rate of 38.8%, computed with incorrect weights, resulted in an estimate which was biased high.”
Finally, with regard to the Employee Benefits Security Administration's (EBSA) use of attribute sampling, Tatum concluded that “the allocation method was based on a misunderstanding of stratified sampling and resulted in a disproportionate allocation. … that one-sixteenth of the sample was allocated to 90% of the population,” meaning that the methodology was biased, yielding a biased result.
The Ergo Propter Hoc Logical Fallacy
The DOL discusses at length the AICPA's EBP Audit Quality Center (AQC), and even compares results of EBPAQC members against nonmembers. It concludes that the EBPAQC members perform better audits. There is a well-known “ergo propter hoc fallacy” (necessarily because of): Paying additional fees to become a member of the EBPAQC does not necessarily make you a better auditor. What if instead what makes you a better auditor is simply auditing more plans? All of the firms that audited 100 or more plans were EBPAQC members (DOL p. 14).
The Primary Care CPA
As I wrote in the January 2015 Journal, CPAs are the institutional power whose responsibility is to ensure the accuracy of financial statements, the bedrock of investor confidence. We are the gatekeepers of the capital markets. Once more, our gatekeeping responsibilities are under assault—this time from the DOL.
Let me suggest a response that will “improve results from within and challenge the detractors from outside; provide a positive response, meaningful dialogue and self-reflection” (CPA Journal, “The Voice of the Profession,” January 2015, p. 11). Let me propose that we consider the local CPA firm practitioner to be the primary care CPA (“PCCPA”), a professional who is expertly trained to understand client issues, but not sufficiently expert to perform all of the specialized procedures that complex business enterprises require. Our PCCPA is the most trusted advisor for startups, entrepreneurs, and small to medium-sized businesses.
But, as Sheldon Geller put it to me, “The local firm practitioner should not provide EBP audit engagements, a specialized engagement, unless he or she has specialized expertise and experience in conducting employee benefit plan audits.” It is these practitioners who only audit one or two EBPs that are the primary source of the deficiencies reported by the DOL.
The PCCPA ought to outsource the EBP audit to specialists. The large accounting firms use specialists. Physicians use specialists. Attorneys outsource work to specialists. All retain a special relationship with clients. It may not be the current business model, but in order to retain the trust not only with our clients but with regulators and the public, is now not the right time to embrace it? And if not now, when? I ask our readers to weigh in on this.
The opinions expressed here are my own and do not reflect those of the NYSSCPA, its management, or its staff.
Richard H. Kravitz, MBA, CPA. Editor-in-Chief.