Attack of the Killer Accountants
O.k. so I am a sucker for B science fiction movies. If we are going to continue these postings on accounting issues, I just wanted to get your attention.
This posting is on a slightly different tack than those I posted last year. This falls more into the category of client service. Regular tax season is coming to a close and the season for auditors to turn to benefit plan audit work is nearly upon us. That made me think of some of the problems we encountered last year and the fact that advance knowledge and enlisting the assistance of the legal community might be helpful.
As you know, ERISA Section 103(a)(3)(A) requires certain plans to attach audited financial statements to their annual filing. The statute specifically provides that such statements shall be prepared in accordance with generally accepted accounting principles (GAAP) and the audit must be conducted in accordance with generally accepted auditing standards (GAAS).
In recent years both of those requirements have caused a fair amount of stress in completing these engagements. The EBSA office of the Chief Accountant takes these requirements very seriously. They have conducted two audits of the auditors over the last decade with less than favorable findings. They have reported auditors to the AICPA and their state licensing boards and reprimands have been issued. However, this has not resulted in the increase in the level of (dare I say) accountability, that the government would like to see. Thus, they have announced at various forums that they are going to start holding the sponsor responsible for the quality of the audit and assessing a $50,000 penalty for each report that is filed with a less than acceptable audit.
So - what is an acceptable audit? The AICPA Audit and Accounting Guide - Employee Benefit Plans includes the fundamental GAAP and GAAS standards for benefit plan audits. A few of those requirements are particularly invasive and frequently involve legal counsel, so that is what I wanted to address in this posting.
1. Related party transactions: GAAS requires that the auditor look at all related party transactions with an eye to potential prohibited transactions. This means things like the auditor having to get some kind of comfort that employee salary deferrals or loan payments have been deposited on a timely basis. Some auditor's will take the 15th business day of the following month as if it is a safe harbor, others will not. In any event, it is a required audit step and not just something that comes up as the part of random systems tests. So, plan sponsors are best served if they have already documented their procedures to demonstrate that they current process meets the regulation.
2. Asset values: Whether it is the prohibited transaction rules where the auditor has to test related party sales or purchases for "adequate consideration" or the value of non-traded assets for simple financial statement reporting, GAAS requires that the auditor takes specific steps with respect to any valuation product. Whether it is an internal valuation estimate or an independent outside appraisal, GAAS requires the auditor to look not simply at the credentials of the person performing the valuation, but also at the data provided to them to make the determination and the reasonableness of the assumptions employed. See SAS 101 - Auditing Fair Value Measurements and Disclosures. Recently, legal advisers to ERISA fiduciaries have advised them to refuse to provide a copy of the valuation report to the auditor. That leaves the auditor in a bind. They either have to figure out some way to get the report, see if they can replicate the results of the report or issue an opinion that includes a "scope limitation." Under current EBSA procedures any report that receives such a scope limitation is reviewed by a real person prior to acceptance.
3. HIPAA matters: When auditing a health plan, GAAS requires the auditor to do some claims testing. This means access to confidential health information. Auditors are accustomed to dealing with this kind of confidential information and their access to the information should be considered administratively necessary. Nevertheless it is frequently a hard fought and costly battle to get all of the parties to agree to the terms required to let the auditor access the information. Front end recognition of this requirement and planning for it to happen can speed the completion of these audits.
4. Other confidentiality matters: This arises most frequently on health plan audits. Frequently a claims administrator concludes that they have some kind of proprietary rights to systems, pricing arrangements, etc. They either refuse to provide access to the information or attempt to place limitations on the audit, such as pre-approval of the auditor's report, pre-approval of allowable audit procedures, etc. These actions are not consistent with an audit conducted in accordance with GAAS. Thus, once again, the sponsor is faced with having to intervene to obtain access to the appropriate data or have the auditor issue a scope limitation on the audit report with the resulting extra scrutiny.
I suspect that there are other areas where advance planning is required. These are just a few of the areas to give you an idea of what the audit faces in trying to do a good job for the plan administrator. So, spend a little time with your auditor planning the engagement, anticipating these issues. It really will help in the long run.