401(k)ology – Audit Smart: Things to Know Before Hiring an IQPA for Your Form 5500

Choosing the right Independent Qualified Public Accountant (IQPA) to complete the financial statements for your Form 5500 audit is a fiduciary responsibility. Not all Certified Public Accounting (CPA) firms specialize in employee benefit plans, and not all firms provide the quality of services that are needed to avoid deficiencies in the audit. If you need assistance in choosing the right auditor for your retirement plan, the best practices and helpful tips we suggest can demystify this daunting task.

Retirement plans that are considered “large” plan filers are required to include audited financial statements as an attachment when filing the annual Form 5500. Effective for the 2023 Form 5500 filing years and beyond, the methodology used to determine which plans are considered large plan filers is based on participants with an account balance in the plan. The current counting methodology is discussed in detail in a prior post found here. In addition, certain small plans that do not meet the audit waiver requirements must include audited financial statements as part of the annual Form 5500 filing.

This post focuses on plans that are required to complete the annual audit, including best practices for selecting the right Independent Qualified Public Accountant (IQPA) partner to perform the audit. Similar to shopping around for big ticket items like homes, cars, or even diamonds, it is important to do the homework before making the final decision. In fact, it is a plan fiduciary’s responsibility to ensure that the auditing firm is independent, provides quality service, and has a track record of completing financial statements that the Department of Labor (DOL) does not deem deficient.

Deficient - Wait, what? These audits are expensive! Yes, but not all CPA firms are experienced in retirement plan audits. If the IQPA report fails to meet the requirements set by the DOL and/or generally accepted auditing standards (GAAS) for employee benefit plan audits, they can be deemed deficient. No one wants the audit report to be flagged as deficient, so it is critically important to vet the CPA firm that will prepare the audited financial statements and to understand what they are engaged to perform.

Think of it this way, if you are about to buy a home – you have it inspected, if you are about to buy a car – you kick the tires, and if you are about to buy a diamond – you better check the color, cut and clarity! The same rules apply when selecting an IQPA – employers need to do some research before engaging the CPA firm. Keep reading to find out why and how…

Selecting an IQPA

Retirement plan audit reports (“audits”) are not cheap. May as well state that right out of the gate. However, engaging with the lowest-cost IQPA may not be a wise fiduciary decision. All things considered, fiduciaries should weigh the cost of the service with multiple other factors when selecting an auditor. The relevant factors for prudently selecting and monitoring an appropriate IQPA for the plan include:

• Relevant Experience - Choose an auditor with demonstrated experience auditing employee benefit plans. Ask about the number and types of benefit plans they have audited (e.g., 401(k), health & welfare plans).

• Credentials - The auditor should be a licensed CPA (Certified Public Accountant) in good standing and ideally a member of professional associations such as the AICPA Employee Benefit Plan Audit Quality Center.

• Industry Reputation - Check their reputation by reviewing client references, testimonials, or online ratings. Inquire about their processes and procedures for staying up to date with ERISA, DOL and IRS regulations. Ask for and contact references from other plan sponsors with a plan of similar participant count and asset size.

• Specialization - Firms specializing in employee benefit plan audits are often better equipped to recognize unique compliance and operational risks. Confirm they have specific experience relevant to your type of retirement plan.

• Communication and Responsiveness - Ensure the auditor is accessible and clearly communicates timelines, requirements, and findings. Ask the auditor to explain the audit process so that you know what to expect and what will be required of the plan sponsor. A good auditor will help you understand the process and flag issues early.

• Fee Structure - Obtain detailed fee proposals from several firms to compare costs and services included. Be wary of unusually low fees, as benefit plan audits are complex and quality is important. Interview the auditor and key team members who will work on your account. Make sure to compare scope, timelines, and support—not just price.

• Independence and Objectivity - The auditor must be independent from your organization and service providers. Avoid any CPA firm with potential conflicts of interest. Independence means no relationships or interests that could bias the audit or opinion. The DOL reviews all relevant relationships between the auditor and the plan or plan sponsor to assess independence.

Like any other plan service provider, it may be beneficial to obtain benchmarking of the fees for plans of similar size and investment models to determine if the cost is reasonable for the services provided.

It should also be noted that plan sponsors need to provide relevant requested information to the auditing firm on a timely basis. If the auditor has difficulty obtaining the information from the plan sponsor, costs may increase because of the additional follow-up time involved, and ultimately it could jeopardize filing by the deadline. Be proactive, be responsive and keep good plan records to keep your audit expenses down.

Deficient IQPA Report

It is essential to ask the auditing firm if any of their reports issued have been deemed deficient. If there have been, inquire how many have been deemed deficient in comparison with the number of audits the firm prepares and the reasons for the deficiencies. Common deficiencies may include:

• Noncompliance with Required Standards: The report does not conform to GAAS, applicable AICPA guidance, or regulations specific to ERISA plan audits.

• Missing or Incomplete Information: Required elements, such as the auditor’s opinion, signatures, date, or identification of the financial statements audited, are absent or incomplete.

• Scope Limitations: The auditor was unable to or failed to obtain sufficient audit evidence, leading to a qualified or adverse opinion.

• Lack of Independence: The auditor was not independent, as required by ERISA, and thus the report is not considered valid.

• Improperly Issued Opinions: Issuing an unqualified (“clean”) opinion when significant issues or scope limitations exist.

• Errors in Report Structure: Failing to clearly state the period covered or not stating the appropriate level of assurance.

• Failure to Address Supplemental Schedules: Not auditing or referencing required supplemental schedules in accordance with DOL rules.

A deficient report can result in rejection of the Form 5500 filing and may trigger further DOL investigation or penalties for the plan sponsor. You read that correctly - the civil penalties will be assessed to the plan sponsor (i.e., employer), not the auditor.

Type of Audit Reports (f/k/a Full Scope and Limited Scope Audits)

“Scope” is mentioned several times above and it is highly valuable for plan sponsors to understand the scope of the audit required for their specific retirement plan. Before 2022, the Form 5500 audit types were referred to as either Full Scope or Limited Scope Audits, depending on the plan’s investments. The Statement on Auditing Standards No. 136 (SAS 136) significantly changed the landscape of the audit reports by expanding the auditing firm’s responsibilities and by focusing on the plan’s management. Currently, all audits either must meet the ERISA §103(a)(3)(C) or the “full scope” requirements.

ERISA 103(a)(3)(C) Audits

Limited scope audits are now known as ERISA 103(a)(3)(C) audits. A limited scope audit allows the IQPA to exclude certain information from their audit procedures, specifically with respect to investment information. Plans taking advantage of a limited scope audit must disclose this in the IQPA’s report attached to Form 5500. Things to know about ERISA 103(a)(3)(C) audits:

• If plan investments are held by a bank, a trust company, or an insurance company, and these institutions certify both the accuracy and completeness of the investment information, the auditor is not required to audit the investment information that has already been certified by the financial institution (which is regulated, supervised and subject to periodic examination).

• The auditor’s opinion will state that they did not audit the certified investment information, and thus the opinion is “limited in scope.”

• While less extensive than a full scope audit, the limited scope audit still requires the auditor to examine other aspects of the plan’s financial statements and internal controls. Just not the certified investments.

• Although not common, plans with investments held in pooled investment vehicles (other than Pooled Separate Accounts (PSA), Common Collective Trusts (CCT) or Master Trust Investment Accounts (MTIA)) where the investment vehicle files separate audited Forms 5500 as a 103-12 Investment Entity (103-12 IE), may rely on the separate audit of the 103-12 IE if certain conditions are met.

• Because ERISA 103(a)(3)(C) audits are less extensive, they are typically less expensive than the full scope audit (requires less time involvement to complete the report).

An interesting footnote here is that before SAS 136, the auditing firm would typically determine if the audit could be performed under limited scope. Under SAS 136, the plan sponsor must certify that the audit meets the requirements of ERISA Section 103(a)(3)(C) and demonstrate how they arrived at that conclusion. The IQPA should guide you through this process and the information above should assist in understanding the complicated audit jargon used in making these determinations.

Practice Note: Plans that include a Self-Directed Brokerage Account/Window (SDBA) remain eligible for the limited scope audit, as those assets will be included in the certified financial statements issued by the custodian. The IQPA will typically break the SDBA out into a single reporting item on the financial statements with additional disclosures about the underlying assets in the SDBA.

Full Scope Audits

If the plan assets are not held by a bank, trust company, insurance company or 103-12 Investment Entity, then the IQPA must prepare a full scope audit.

• In a full scope audit, the IQPA audits all aspects of the plan’s financial statements, including all investments, participant data, contributions, benefit payments, and all other financial activities (dividends, interest, valuation of the individual securities held).

• No exclusions are permitted—everything is subject to audit and review by the IQPA.

• Full scope audits are more comprehensive and require complete substantiation of all assets and liabilities within the plan.

• The auditor’s opinion in a full scope audit is not qualified for any scope limitation.

• Due to the more extensive nature of full scope audits, they will be more expensive than the limited scope variety.

The vast majority of 401(k) plans will be eligible for the ERISA 103(a)(3)(C) limited scope audit because the investments are typically custodied by a trust company that issues certified financial statements. If your plan’s service provider does not provide the certification, it may be time to consider a change in providers to accommodate the audit requirements.

Types of Accountants Opinions Issued

The IQPA must form an “Accountants Opinion” on the plan’s financial statements and the type of opinion is reported on the Form 5500. There are four types of Accountants Opinions:

1. Unmodified – An unmodified or “clean” opinion is the most favorable type the IQPA can issue. It means the auditor believes the plan’s financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework. It also means that there are no material misstatements or concerns with completeness and that the auditor has no reservations about the statements.

2. Qualified – If the auditor issues a qualified opinion, it means that some specific issue(s) found are material but not pervasive to the financial statements. Generally, this means there is one (or more) area(s) where the information does not fully comply, or cannot be confirmed as complying, with the relevant accounting standards, though the rest of the statement is fair. The audit report must state the reason for the qualification, but the statements are still “fairly presented” other than for the identified issue.

3. Disclaimer – If there is a lack of sufficient audit evidence, significant uncertainties, or limitations imposed by the client, the auditor may be unable to form or express an opinion on the financial statements. What this communicates on the Form 5500 is that the auditor does not have enough information to provide any assurance regarding the financial statements.

4. Adverse – If the auditor concludes that the financial statements are materially misstated and do not fairly present the financial position of the plan, the IQPA will issue an adverse opinion. Because this indicates serious problems with the financial statements, plan sponsors should work with the IQPA to rectify the issues to avoid an adverse opinion. While adverse opinions are rare, plan sponsors should know this option exists.

When presented with the finalized audit report, plan sponsors should carefully review the type of opinion and the supporting schedules to confirm that everything is correct before submitting it as an attachment to the Form 5500.

Even experienced auditing firms make mistakes. A recent example we encountered involved an IQPA reporting a Missed Deferral Opportunity as Late Employee Contributions on the Form 5500 and in the audit report. Whoa – that is a big mistake and one that a plan sponsor may not have caught (but we did). The distinction here is that a missed deferral opportunity (MDO) is an operational failure corrected under the IRS’ Employee Plans Compliance Resolution Program (EPCRS), and a late employee contribution is a fiduciary breach corrected under the DOL’s Voluntary Fiduciary Correction Program (VFCP). Had the reporting error not been discovered and corrected before filing the Form 5500, the plan sponsor may have been subject to additional risk and exposure for a DOL investigation.

Moral of the story: Partner with the other plan service providers to assist in reviewing the audit before filing the Form 5500.

Conclusion

Responsible plan fiduciaries should carefully select the CPA firm that will perform the audit of their retirement plan. As the saying goes, it takes a village, so make sure you have the right partners in your corner. Newfront Retirement Services’ team of advisors and dedicated service team can assist in finding audit partners and can assist in benchmarking the cost. Make sure to include our team in your village to approach audits smarter, not harder. Feel free to contact me or just connect to keep up to date on all things ERISA 401(k): Joni_LinkedIn and 401(k)ology

Helpful Links:

• 401(k)ology: Form 5500 Updates: Participant Count Win and Large Plan Filer Warning

• 401(k)ology: The Large Plan Form 5500 Filing Dilemma

• AICPA Statement on Auditing Standards No. 136

• FAQ: The Small Pension Plan Audit Waiver Regulation

• Selecting an Auditor for Your Employee Benefit Plan

Newfront Retirement Services, Inc. is an investment adviser registered with the U.S. Securities and Exchange Commission. Registration as an investment adviser does not imply any level of skill or training, and does not constitute an endorsement by the SEC. For a copy of Newfront Retirement Services disclosure brochure, which includes a description of the firm’s services and fees, please access www.investor.gov or click HERE for the disclosures on our website.