Understanding SAS 136


Statement on Auditing Standards No. 136 (SAS 136), Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (Employee Retirement Income Security Act of 1974), addresses issues related to the quality of the independent audit work done on employee benefit plan audits. These issues were brought to the attention of the AICPA by the Department of Labor’s Employee Benefits Security Administration (EBSA), which examined the work being performed by independent auditors. The goals of SAS 136 include improving the quality of the audit by adding specific procedures for testing and increasing the transparency of information included in the nature and scope of the auditor’s report presented as part of the benefit plan audit.

SAS 136 was originally effective for years ending after December 15, 2020. The effective date was delayed by one year due to the pandemic, but auditing firms can choose to adopt the standard on the original effective date.

Responsibilities of Plan Management and Auditors

SAS 136 clarifies the responsibilities of plan management and of the independent auditors. Portions of these responsibilities are detailed in the auditor’s report, engagement letters and required communications. The goal is to reduce the amount of auditor’s judgment required by defining each party’s role in the audit process. The following four auditor responsibilities must be disclosed in the auditor’s report:

  • Professional judgments

  • Professional skepticism

  • Auditor’s communication with those charged with governance

  • Review of management’s assessment of going concern (if applicable)

Management’s responsibilities are not included in the auditor’s report; they are included in the engagement letter with the plan auditor. Management’s responsibilities are:

  • Maintain the plan instrument

  • Administer the plan

  • Maintain sufficient records for plan transactions and benefits

  • Financial statements

  • Assessment of going concern (if applicable and included in the auditor’s report, not the engagement letter)

It is expected that the new standard will produce a more thorough audit report as SAS 136 changes how auditors report their findings to those charged with governance.  Additionally, auditors will have to communicate in writing all reportable findings, along with the deficiencies in internal control, to those charged with governance.

Audit Procedures and Documentation Changes

SAS 136 implemented changes in multiple areas of an ERISA plan audit including:

  • Engagement acceptance

  • Risk assessment and response

  • Performance procedures and reporting

Some of the more specific changes required by SAS 136 include requiring management to provide the auditor a substantially complete Form 5500 draft before the auditor’s report is issued. Auditors are also required to report all reportable findings. For those clients requesting a limited scope audit (an audit which excludes certain audit procedures over investments and investment income), management must first affirm that this type of audit is permissible and that the investment information can be certified by a qualified institution as both complete and accurate. The phrase ‘limited scope audit’ has been replaced with ‘ERISA Section 103(a)(3)(C) audit’ and the reporting requirements for an ERISA Section 103(a)(3)(C) audit are heightened.