< Back to Thought Leadership

SAS No. 136 and Employee Benefit Plans: What is a Reportable Finding?

SAS No. 136 and Employee Benefit Plans: What is a Reportable Finding?

Plan management and plan sponsor personnel have likely heard from their auditors about auditing standard changes impacting their ERISA (Employee Retirement Income Security Act of 1974) audits for the Plan year ending December 31, 2021.

These changes primarily result from the implementation of AICPA Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (“SAS 136”), which is effective for periods ending on or after December 15, 2021.

Impacts that SAS No. 136 Has on Written Communication

SAS No. 136 introduces and reiterates certain responsibilities for both plan management and auditors.

One such auditor responsibility relates to the communication of reportable findings.

SAS No. 136 indicates reportable findings as one or more of the following:

  • an identified instance of noncompliance or suspected noncompliance with laws or regulations;
  • a finding that is significant and relevant to the oversight function of those charged with governance;
  • or other deficiencies in internal controls not already communicated that merit management’s attention.

Prior to the implementation of SAS No. 136, auditors were only required to present within written communications to those charged with governance the identification of certain findings representing significant deficiencies and material weaknesses.

Significant deficiencies and material weaknesses represent control deficiencies or combinations of control deficiencies. This determination is based upon the auditor judgment and consideration with a focus on these three key areas: severity, materiality, and potential impact.

Under definitions established by auditing standards, control deficiencies exist when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

Common examples of control deficiencies in employee benefit plan audits relate to errors in application of plan provisions (i.e., eligibility, eligible compensation, contribution limits). Written communication of control deficiencies that do not rise to the level of a significant deficiency or material weakness has not been required under auditing standards.

Under SAS No.136, the auditor’s written communications continue to include communication of any significant deficiencies or material weaknesses but now also includes communication of reportable findings.

The identification and determination of reportable findings is based on auditor judgment and may include findings related to compliance with laws and regulations, plan provisions, oversight, or financial reporting.

While control deficiencies are not required to be included in written communication, unless elevating to a significant deficiency or material weakness, reportable findings do not have a significance threshold. Therefore, communications given by the auditor under SAS No. 136 may include reportable findings related to control deficiencies that previously may not have required written communication.

It is important to note that reportable findings are internal plan communications, and they do not typically appear within an auditor’s report. However, this does not diminish the importance of the reportable findings.

What Does All of This Mean for My Business?

Plan management and those charged with governance have important ERISA fiduciary roles in their plan oversight capacity, including responsibility for proper plan administration. As such, fiduciaries have responsibilities to consider and address any reportable findings or control matters, to ensure continued compliance with plan provisions and proper oversight.

If you would like to discuss any of the changes to your employee benefit plans as a result of the issuance of SAS No. 136 in more detail, feel free to contact Debora Herbert, Senior Manager at dherbert@blueandco.com or Abby McDonough, Manager at amcdonough@blueandco.com.

How not-for-profits can make use of artificial intelligence

Empowering Change: How Not-For-Profits Can Make Use of Artificial Intelligence

By Chad Nieter, Senior Manager at Blue & Co. Artificial intelligence (AI) is technology that enables computers and digital devices to learn, read, write, talk, see, create, play, analyze, make […]

Learn More
Beneficial ownership information report

Beneficial Ownership Information Report –New 2024 Requirement

By Amy Sandlin, CPA, Tax Quality Control at Blue & Co. Tens of millions of businesses are estimated to be now required to file a Beneficial Ownership Information Report (“BOIR”) […]

Learn More

CMS 2024 Physician Fee Schedule Update

Every year the Centers for Medicare and Medicaid Services (CMS) publishes their annual Final Rule, which contains updates to the Physician Fee Schedule that impact what healthcare organizations are reimbursed […]

Learn More