Large Plan Audits

[pmacduff]

I need assistance from all you CPAs out there!

A client has a large plan 5500 for 2007 where the auditors are requesting information from the client with regard to SAS 112. The Accountant has mentioned that this is a new standard for the current year audits.

I work with a number of Accountants and Accounting firms on the large plan audits for our clients. We have already completed many for 2007. This is the first request I have heard of referencing this standard.

The entity is in the health care field and not for profit. They also have a DB Plan.

Any assistance greatly appreciated!

[JanetM]

From the AICPA. There are lots of articles if you google "sas 112".

Understanding SAS No. 112

By Charles E. Landes, CPA

In an effort to help practitioners better understand and implement the requirements of Statement on Auditing Standards (SAS) No. 112, Communicating Internal Control Related Matters Identified in an Audit, the AICPA staff has developed an Audit Risk Alert entitled Understanding SAS No. 112 and Evaluating Control Deficiencies: A Companion to SAS No. 112, Communicating Internal Control Related Matters Identified in an Audit. This Audit Risk Alert summarizes the important aspects of the new standard and presents a number of short case studies designed to guide the auditor though the process of evaluating identified control deficiencies. To obtain this new risk alert go to: https://www.cpa2biz.com/stores/sas112.

During this summer and fall, the Audit & Attest Team has become aware that some practitioners may be misunderstanding certain concepts that are important to SAS No. 112. The most common misunderstanding is the belief that the auditor’s drafting of the client’s financial statements automatically results in a material weakness. Asking the auditor to draft the financial statements does not cause a control deficiency; however, it may be the result of a control deficiency. A control deficiency exists if the client does not have controls over the preparation of the financial statements, including the footnote disclosures, which would prevent or detect a misstatement in the financial statements. This misunderstanding and others are debunked in the Audit Risk Alert.

The following are some key underlying concepts that will help in successfully implementing SAS No. 112:

· The auditor cannot be part of a client’s internal control. Becoming part of a client’s internal control impairs the auditor’s independence.

· What the auditor does is independent of the client’s internal control over financial reporting. Therefore, the auditor cannot be a compensating control for the client.

· The client’s designation of an individual who possesses suitable skill, knowledge, and/or experience to oversee a service performed by the CPA (Ethics Interpretation 101-3 Performance of Nonattest Services) is not a control. Therefore, having such a designated person does not mean that the client does not have a control deficiency.

· SAS No. 112 does not require the auditor to search for control deficiencies, but rather to evaluate them if they have been identified.

· A system of internal control over financial reporting does not stop at the general ledger; rather it includes controls over the preparation of the financial statements.

· To properly apply SAS No. 112 the auditor has to have a working knowledge of the COSO framework. COSO’s Internal Control-Integrated Framework describes the elements of internal control over financial reporting. SAS No. 112 directs the auditor to evaluate control deficiencies when identified, and communicate certain deficiencies to management and those charged with governance.

Keeping these simple but important underlying concepts in mind will help auditors successfully implement the new Standard.

[pmacduff]

Thanks Janet, I have read through some of those articles this morning. I guess my question is...does this standard apply to the Qualified Plan 5500 audits?

Reading through I got the impression that the standard applies to the Company's regular financial statements. These are statements that the Company would prepare and the Accountant would audit. In the Qualified Plan arena the Investment vendor (not the client) prepares the financial statements and the Independent auditor reviews them.

Am I missing the boat on this?

[JanetM]

Yes it does. We actually started doing SAS112 last year on all out plans.

[Bill Presson]

Yes it does. We actually started doing SAS112 last year on all out plans.

Our audit division started them last year as well.

[pmacduff]

Then as TPA there isn't really anything that I can provide?

The 401(k) plan that we TPA was new in '07 but the client has an existing DB Plan that has always needed an audit. The Accountant is requesting information from the client with regard to the SAS 112. The client is looking to me for guidance and I didn't want to tell them they need to deal directly with the CPA on this if there is a roll I should be filling for them.

Thanks for the responses!

[Guest Dell]

I think there might be a little mix-up in what is behind the need for additional info. SAS 112 requires more documentation of issues encountered during the audit, and new communication with the trustees about deficiencies; but it doesn't require any new inquiries.

It is the new risk assessment standards (104 - 111) that require much more inquiry and understanding of the internal control procedures in place at the plan and at the service provider level. I think they are simply referencing the wrong statement. These are effective for plan years beginning after 12/15/2006, so could be new depending on the plan year-end.