The quality of your audit depends on the quality of your auditor. One of the most important jobs of those charged with governance of an employee benefit plan is to choose an auditor the organization can trust. A high-quality audit will help protect the financial integrity of the assets of a plan and ensure the plan is being operated in accordance with plan documents and in the best interest of its participants. In contrast, an incomplete, inadequate, or untimely audit report can potentially result in errors and financial penalties being assessed against the plan sponsor.
To carefully select your audit partner, SC&H Group’s Employee Benefit Plan (EBP) Audits team has compiled important questions plan sponsors should ask and what to listen for when selecting a high-quality auditor.
Firm Experience That Aligns with Your Plan
If a firm is performing many plan audits, it is indicative that they have invested resources and developed a core group of auditors to specialize in benefit plan audits. Firms that have considerable experience in this area are more likely to understand the significant risks for benefits plans, and the issues that regulators find important. Such a firm can add value to the plan sponsor and its plan by not merely checking the compliance box but also recommending ways to improve processes and procedures for effectiveness and efficiency going forward.
1. How many employee benefit plan audits does your firm currently perform?
Audits by regulators have shown that firms that do not perform a lot of benefit plan audits and do not specialize in such audits are more at risk of audit failures and deficient audits. Benefit plan audits are very specialized in nature and are quite different from traditional corporate audits. A firm should be able to speak fluently about how many plans they serve and how long they have been performing such work.
2. What type of employee plan audits does your firm perform (ex. 401k, 401a, 403b, pension, ESOP (employee stock ownership plans), health and welfare)? Is this in line with our plan’s design?
Benefit plans are not all designed in the same way, there are different nuances and rules surrounding diverse types of plans. For example, a 403b Plan must consider the universal availability rules that other plans do not. It is imperative to ensure the auditor has experience servicing plans that are like the one in question—your plan—so that testing is designed based on specific risks and potential issues.
Team Expertise that Meets Your Needs
The plan sponsor should ensure the firm is committed to staffing engagements with auditors that specialize in benefit plans and is committed to staffing continuity.
3. Have any of your firm’s audits been the subject of DOL (Department of Labor) findings or referrals, or been referred to a state board of accountancy or the AICPA for investigation?
Regulators periodically review accounting firms to ensure that adequate, quality-compliant audits are being performed. These reviews/audits are often random in nature and do not indicate that the firm has done anything wrong or is deficient. However, there are times when a firm can be selected by regulators for review based upon certain attributes or client populations. If this has been the case, be sure to ask additional questions to better understand the issues that were uncovered and the processes/controls the audit firm has put in place to mitigate future risks.
4. Who will be on the engagement team and how many plan audits are the team members currently performing?
It is important to understand the levels of experience dedicated to your plan audit. In accounting firms with a dedicated benefit plan practice, the engagement team will often include a senior and staff completing the fieldwork on an engagement with a manager and partner overseeing the engagement and addressing more technical issues. Auditors should serve more than just one benefit plan in a year given the specialized and technical nature of the audits.
5. What is the status of your team’s CPA (Certified Public Accountant) license with the state board of accountancy?
At a minimum, the partner signing the audit report should be an actively licensed CPA.
Security and Efficiencies to Protect Important Information
To address the recent guidance from the DOL, employee benefit plans, like all other organizations and individuals, are vulnerable to cyberattacks—risks relating to privacy, security, and fraud. Ensuring your auditor is versed in cybersecurity best practices is important provided much of the documentation that is utilized in a plan audit is confidential in nature and often contains personally identifiable information. It is imperative that an auditor has a secure way of transmitting such data between themselves, the client, and their vendors. Just as important is ensuring the firm performs periodic outside reviews (or “peer reviews”) performed by another accounting firm. These reviews help to examine the firm’s quality control system in accounting and auditing to maintain and improve the quality of the accounting and auditing services performed by firms.
6. Does your audit firm work in a paperless environment?
How the auditing firm facilitates the audit in a paperless/virtual environment to accommodate client and vendor requirements. You may hear them mention things like cloud-based software, secure and encrypted client portal, virtual meeting tools, on-site testing versus virtual/hybrid, etc.
7. What safeguards are in place to ensure data and information are safeguarded and securely stored and transmitted?
The specific controls they have in place to monitor the security of their outside vendors, especially software vendors, and protect client data. This might also include an explanation of internal processes (often provided by the firm’s IT department).
8. Has the firm’s employee benefit plan audit work been recently reviewed by another CPA (“Peer Review”)? If yes, what type of report did the firm receive, and did this review have any negative findings?
Accounting firms that issue audit reports are required to maintain a system of quality control which includes being subject to monitoring every three years by an outside accounting firm. Peer review reports and results can be located in the public files on the AICPA website.
Training and Education for Continued Success
Training is key to understanding policies and procedures that lead to a successful plan audit. It is important to engage practitioners who are committed to proper training in these highly complex, high-risk audits to avoid misunderstanding important concepts including but not limited to the definition of compensation, limitations of the exemption in 103(A)(3)(C) audits and the extent to which Service Organization Control 1 (SOC 1) reports can be relied on in these audits.
9. How does the firm educate staff about new regulations and make sure that the auditors are up to date with regulatory changes? How often does this training take place?
Firms with dedicated EBP practices should be hosting training for all employees on an annual basis, at a minimum, with specialists in the area attending conferences annually with thought leaders and regulators to keep abreast of changes, risks, and issues in the area.
10. Does the firm offer training to their clients on new regulations and thought leadership?
Firms with dedicated EBP practices tend to be well connected in the industry with investment advisors, ERISA attorneys, etc., and may be able to periodically offer their clients educational input and share opportunities offered by industry experts that can benefit your organization.
Certifications Based on Your Locale
State boards of accountancy require that an accounting firm be well versed with the licensing regulations for the state in which the client operates and follows any licensing requirements as applicable to issue an audit for a client residing in a particular location. In addition, the American Institute of Certified Public Accountants (AICPA) has established the Employee Benefit Plan Audit Quality Center (EBPAQC), which maintains a directory of EBP auditors who have agreed to meet specific experience, training, and practice monitoring requirements.
11. Does the firm hold an active CPA license or qualify for reciprocity in the state in which the plan sponsor resides?
The auditor’s firm should be licensed in the state where you, the client, are headquartered (this is typically based upon the plan sponsor address used on Form 5500). All states are not created equal. Each state has different rules relating to licensing and certifications that they require of accounting firms, so be sure to confirm the firm’s licensure status based on your locale.
12. Is the audit firm a member of the Employee Benefit Plan Audit Quality Center (EBPAQC)?
The EBPAQC is a voluntary membership organization for firms that perform or are interested in performing ERISA employee benefit plan audits. It is committed to helping firms keep up to date on DOL/IRS and other important EBP audit developments. Members of the Center receive periodic e-mail alert updates on new developments in employee benefit plan auditing that they can share with their clients. Firms that specialize in benefit plan audits are typically a member of this quality center.
13. Does the firm have ERISA quality control policies and procedures?
As mentioned above, audit firms are required to have their quality control systems audited every three years. Given that benefit plan audits are different and unique, the firm should have a system of quality control that specifically addresses quality control surrounding employee benefit plan compliance audits.
14. How does the firm ensure its internal policies are followed and that a quality audit is performed?
The firm’s defined system of quality is integrated into every audit performed, in addition to monitoring its system of quality control every three years.
A Decision That Delivers High Quality
Choosing an auditor is an important fiduciary responsibility. If you are in the process of selecting an audit firm or trying to determine if there were any red flags on your last audit, be sure to ask your auditor (or prospective auditor) these questions to ensure you are receiving a quality audit.