Remember when there were nine planets in our solar system? How about when blackberries and apples were only fruit? Ten years ago, the first iPhone was released, the housing bubble burst, and the Chicago Bears lost in the Super Bowl to the Indianapolis Colts. How times have changed! Advancements in technology have enhanced the way we do business, communicate, and even how long we live. As life expectancy increases, and people spend more time in retirement, a new challenge has been created. The ability to rely on a fully funded pension for a happy retirement has faded into the past, and employer-sponsored retirement plans have fallen under increased regulation and compliance requirements. Changes in technology frequently impact filing and audit requirements of benefit plans. Even the results of the most recent Equifax breach, which are still relatively unknown, will have an impact.
Pensions were at one time a cornerstone for American workers. They were relied upon to provide guaranteed and reliable payments during retirement. The responsibility for the success of these plans was placed solely in the hands of employers and their plan fiduciaries. As the availability of pension plans declined, participants increased their enrollment in employer-sponsored contribution plans. These plans allow participants to take a more active role in their retirement, with the guidance and assistance of a plan sponsor and administrators. Plan administrators, or those charged with governance of the plan, hold a fiduciary duty to the active management of all plan types. Primarily, the responsibility of those charged with governance is to run the plan in the best interest of its participants and beneficiaries, including diversifying the investment options, monitoring fees, and protecting personally identifiable information such as Social Security numbers. To address the public’s concern that retirement plans were being mismanaged and abused, provisions of Title I of ERISA were enacted in 1974. Administered by the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA), Title I contained rules for reporting and disclosure, vesting, prohibited transactions, participation, funding, fiduciary responsibility and civil enforcement. As benefit plans were established as regulated entities, special audit requirements under ERISA were also developed to help monitor their compliance.
One of these requirements arose with the development of technologies. Personal information is being stored and sent electronically across the web and on remote servers. There have been recent concerns raised by the Department of Labor about the security and accessibility of this vulnerable personal information. Data like Social Security numbers, addresses, and dates of birth have a significant value to hackers. Generally, standard insurance policies do not include coverage related to cyber risks; therefore, those charged with governance should be assessing their plan’s risks on a regular basis.
In an effort to respond to the concerns of the DOL, the Auditing Standards Board, which is an AICPA committee tasked with creating new auditing standards, has proposed a new Statement on Auditing Standards, AU-C Section 703, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA. The proposed standard includes new required procedures when an ERISA limited-scope audit is performed, an expanded description of management’s responsibilities, new communication on the ERISA supplemental schedules, new required emphasis-of-matter paragraphs, and a new Report on Specific Plan Provisions Relating to the Financial Statements. Expected results of these modifications include harmonizing plan reporting requirements, modernizing financial information and improving compliance. As with most new auditing standards, there will be some compromises made before it becomes effective. Under the proposed guidance, the new report would include additional disclosures of the engagement partner, which could overemphasize the impact of one individual over the entire audit team, and disclosure of the audit firm’s peer review results, which could mislead users who are not familiar with these types of reports. Proposed Group Health Plan information included in Schedule J could result in additional plan sponsors, an estimated 2.1 million, being required to file a Form 5500. The proposed auditing standards will add expense to the audit process for gathering the newly required information, and specialists are concerned that plan administrators could pursue lower-cost, and lower-quality, providers or discontinue sponsorship of plans in their entirety.
As John F. Kennedy said, “Change is the law of life. And those who look only to the past or the present are certain to miss the future.” A new era of challenges lies ahead as technology advances. The possible loss of privacy in a cyberattack, like the most recent Equifax breach, has heightened the awareness of identity theft and security. It reminds us of how little control we have over our own personal information and who has access to it. The Auditing Standards Board continues to keep the audit process current and modernized while allowing CPAs to produce a product that supports compliance with the DOL and while providing useful information for plan sponsors and administrators. The expanded use of technology in retirement plan reporting is still forthcoming, and regulators are committed to creating a balance of rules to protect personal information, alongside feasibility of implementation. While information technology and security are not specifically tested by current auditing requirements, they will most certainly be considered and influenced by the events of tomorrow.
Courtney S. Schenkel is a Director in EFPR Group’s attest department.
She can be reached at CSchenkel@EFPRgroup.com or 585-295-0567.