SAS No. 136 and Employee Benefit Plans: What is a Reportable Finding?
Plan management and plan sponsor personnel have likely heard from their auditors about auditing standard changes impacting their ERISA (Employee Retirement Income Security Act of 1974) audits for the Plan year ending December 31, 2021.
These changes primarily result from the implementation of AICPA Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (“SAS 136”), which is effective for periods ending on or after December 15, 2021.
Impacts that SAS No. 136 Has on Written Communication
SAS No. 136 introduces and reiterates certain responsibilities for both plan management and auditors.
One such auditor responsibility relates to the communication of reportable findings.
SAS No. 136 identifies reportable findings as one or more of the following:
- an identified instance of noncompliance or suspected noncompliance with laws or regulations;
- a finding that is significant and relevant to the oversight function of those charged with governance; or
- other deficiencies in internal controls not already communicated that merit management’s attention.
Prior to the implementation of SAS No. 136, auditors were only required to present within written communications to those charged with governance the identification of certain findings representing significant deficiencies and material weaknesses.
Significant deficiencies and material weaknesses represent control deficiencies or combinations of control deficiencies. This determination is based upon auditor judgment and consideration, with a focus on these three key areas: severity, materiality, and potential impact.
Under definitions established by auditing standards, control deficiencies exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
Common examples of control deficiencies in employee benefit plan audits relate to errors in application of plan provisions (i.e., eligibility, eligible compensation, contribution limits). Written communication of control deficiencies that do not rise to the level of a significant deficiency or material weakness has not been required under auditing standards.
Under SAS No. 136, the auditor’s written communications continue to include communication of any significant deficiencies or material weaknesses but now also include communication of reportable findings.
The identification and determination of reportable findings is based on auditor judgment and may include findings related to compliance with laws and regulations, plan provisions, oversight, or financial reporting.
While control deficiencies are not required to be included in written communication unless they rise to the level of a significant deficiency or material weakness, reportable findings do not have a significance threshold. Therefore, communications given by the auditor under SAS No. 136 may include reportable findings related to control deficiencies that previously may not have required written communication.
It is important to note that reportable findings are internal plan communications, and they do not typically appear within an auditor’s report. However, this does not diminish the importance of the reportable findings.
What Does All of This Mean for My Business?
Plan management and those charged with governance have important ERISA fiduciary roles in their plan oversight capacity, including responsibility for proper plan administration. As such, fiduciaries have responsibilities to consider and address any reportable findings or control matters, to ensure continued compliance with plan provisions and proper oversight.
If you would like to discuss any of the changes to your employee benefit plans as a result of the issuance of SAS No. 136 in more detail, feel free to contact Debora Herbert, Senior Manager at email@example.com or Abby McDonough, Manager at firstname.lastname@example.org.