As the days get longer, the snow melts and flowers start to bloom, it can only mean one thing – employee benefit plan audit season is almost upon us. The upcoming season of audits of employee benefit plans with Dec. 31, 2021, year ends will be significantly different than in years past, as Statement on Auditing Standard No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA (SAS 136) will now be effective.

Successfully implementing SAS 136 will not only require auditors to revise their procedures from prior years but also will require certain commitments from plan sponsors, as well as heightened coordination among auditors, plan sponsors and plan trustees.

SAS 136 addresses the lingering audit quality issues noted in past U.S. Department of Labor reviews of Forms 5500 and confirmed in recent peer review findings related to audits of employee benefit plans, where the number of deficient audit engagements of employee benefit plans remains unacceptably high.

SAS 136 significantly changes the auditor’s opinion in audits of employee benefit plans performed under ERISA Section 103(A)(3)(c) guidance, whereby the plan sponsor obtains certified financial information from the plan’s trustee that such information is prepared and certified by a qualified institution under 29 CFR 2520.103-8. In such circumstances, the auditor will issue opinions both on the financial statement information covered by the certification and that which is not.

However, there are other areas where SAS 136 significantly changes the approach to employee benefit plan audits. While not a complete list, here are some key considerations when auditors are planning and performing their audits of EBPs for 2021 year-end:

  • Management’s certification process. While generally considered a mere formality, SAS 136 requires the plan sponsor to support its assertion that the plan is eligible for an ERISA Section 103(A)(3)(c) audit. Auditors should assess this assertion as part of their acceptance and continuance procedures and obtain sufficient documentation of the certification process during the audit.
  • Maintenance of an updated plan instrument. The plan sponsor is required to maintain a current plan instrument and administer the plan in accordance with this document. The auditor is to obtain the instrument and plan and perform the audit in accordance with the instrument, noting any instances of transactions which are not in accordance with the plan instrument.
  • Risk assessment procedures. A key finding of both the Department of Labor and peer reviews of employee benefit plan audits is that auditors are not performing sufficient procedures on such audits, even when the investment information is appropriately certified. In essence, this is the same issue which is frequently noted in audits of non- employee benefit plan financial statements. Based on the reading and understanding of the plan instrument, the auditor should perform a risk assessment and sufficient audit procedures on all accounts, transactions and processes not covered by the certification. While not a “new” requirement of SAS 136, this is an area where many employee benefit plan audits have been deficient in the past.
  • As mentioned, SAS 136 replaced the disclaimer of opinion given by the auditor under the previous limited scope audit approach of the pre-SAS 136 guidance with the two opinions provided under an ERISA Section 103(A)(3)(c) audit. This opinion also incorporates other aspects of the recent report changes under SAS 134.
  • Reportable findings. SAS 136 requires that the employee benefit plan auditor communicate, in writing, any reportable findings identified during the audit to the plan sponsor. Reportable findings are any of the following:
    • Identified instance(s) of noncompliance or suspected noncompliance with laws or regulations.
    • A finding noted in the audit that is considered by the auditor to be significant and relevant to those charged with governance as it relates to their responsibility to oversee the financial reporting process.
    • Deficiency in internal control identified during the audit that has not been communicated to management by other parties and that is important enough to warrant management’s attention.
  • Form 5500 procedures. In order for the auditor to perform required audit procedures on the Form 5500 supplemental schedules, the plan sponsor is required to provide the auditor with a draft Form 5500 which is substantially complete prior to the dating of the audit opinion. Accomplishing this task might require greater coordination among the plan sponsor, trustee and auditor than in years past.
  • Updated engagement letter, representation letter and opinion templates. Not surprising, given the above, many of our audit templates, from engagement letters to representation letters and our opinions have been updated to reflect this updated guidance. 2021 is definitely not the year to just change the dates and use the same format as years past.

As we have seen, implementing SAS 136 will significantly change the employee benefit plan audit process. So, what should we be doing now? Here are some key steps which all auditors of employee benefit plans should be doing now:

  • Read SAS 136 and get familiar with it
  • Communicate the changes in the audit process due to SASS 136 with the plan sponsor and perform necessary coordination
  • Update templates, as necessary
  • Adequately scope and perform the audit

It has been said that those who fail to plan, plan to fail. That’s definitely the case with the implementation of SAS 136. So, while you are enjoying the longer days and hopefully a few days of vacation recovering from busy season, make sure to plan to succeed with your 2021 audits of employee benefit plans this year.


Rich Daisley has over 26 years of experience in the accounting and auditing field, having worked in both the client service setting, mainly for PwC’s Capital Markets and Accounting Advisory Services Group and for PECO Energy’s Merger and Acquisition Group. 

Leave a Reply

Your email address will not be published.