This session will outline the changes and updates that affect employee benefit plan audits, including management’s assessments that a Section 103(a)(3)(c) audit is appropriate for, how the new audit report will look like, and the required representations from management to the auditor.

1. AU-C Section 703 (SAS 136)
Changes to Your Annual EBP Audits; An
Overview for Plan Management
Presented By:
Donna Nevolo, CPA, Partner
Sheri Wronko, CPA, Partner
Ana Romeo, CPA, Manager

2. withum.com
• Understand the history of SAS 136
• Identify key changes contained in SAS 136
• Understand the new performance requirements for an audit of financial
statements of employee benefit plans subject to ERISA
Learning Objectives

3. withum.com
In 2015, the DOL’s Employee Benefits Security Administration (EBSA) published
a study that examined the quality of audit work performed on employee benefit
plans by independent qualified public accountants. The study found that 39% of
employee benefit plan audits had one or more major deficiencies with respect
to one or more relevant GAAS requirements which would lead to rejection of a
Form 5500 filing. Close to 60% of the limited scope audits studied were found
to contain audit deficiencies.
There was a need to strengthen the quality of employee benefit plan audits
and enhance auditor reporting. The AICPA’s response was a new auditing
standard, SAS 136.
History

4. withum.com
In July 2019, the AICPA Auditing Standards Board (ASB) issued as a final standard,
Statement on Auditing Standards (SAS) No. 136, Forming an Opinion and Reporting on
Financial Statements of Employee Benefit Plans Subject to ERISA. It:
• prescribes certain new performance requirements and
• changes the form and content of the related auditor’s report.
SAS 136 is effective for plan audits for periods ending on or after December 15, 2021.
• It applies to audits of single employer, multiple employer, and multiemployer plans
subject to ERISA.
• It should not be adapted for plans that are not subject to ERISA.
Overview

5. withum.com
SAS 136 has been codified in new AU-C section 703 of the AICPA Professional
Standards. This standard is the foundational section that addresses the
auditor’s responsibility to form an opinion on the ERISA plan financial
statements and prescribes the form and content of the auditor’s report for
ERISA plan audits.
Overview (cont.)

6. withum.com
POLLING QUESTION #1

7. withum.com
• Terminology
• Requirements for plan auditors
• Engagement acceptance and management acknowledgements
• Substantially complete Form 5500 required
• Auditor’s report
• Management representation letter
• Auditor’s communications, including reportable findings
Key Changes

8. withum.com
“Limited scope” audit is now referred to as:
 ERISA Section 103(a)(3)(C) audit
“Full scope” audit is now referred to as:
 ERISA Non-Section 103(a)(3)(C) audit
Terminology

9. withum.com
Where does this reference come from?
It is referring to the specific section in the ERISA regulations:
ERISA section 103(a)(3)(C) permits plan management to
elect to exclude from the audit certain investment
information that a qualified institution holds and certifies as
complete and accurate.
Terminology

10. withum.com
Requirements for auditors have been expanded in all phases of an audit, including:
• Engagement acceptance
• Obtaining additional management representations
• Performing risk assessment procedures related to the plan instrument, plan tax
status and prohibited transactions, and responding to identified risks
• Issuing a new form of the auditor’s report
• Communicating additional matters (reportable findings) to those charged with
plan governance
Requirements for Plan Auditors

11. withum.com
Before an auditor can accept performing an audit under the new standard, the auditor is required to obtain
management’s agreement as part of the engagement letter that it acknowledges its responsibility with
regards to the following:
• Maintaining a current plan instrument, including all plan amendments
• Administering the plan and determining that the plan’s transactions that are presented and
disclosed in the ERISA plan financial statements are in conformity with the plan’s provisions,
including maintaining sufficient records with respect to each of the participants to determine the
benefits due or which may become due to such participants
• Providing a substantially complete draft Form 5500 prior to dating of the audit report
• When management elects to have an ERISA Section 103(a)(3)(C) audit, determining whether:
• an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances
• the investment information is prepared and certified by a qualified institution as described in 29
CFR 2520.103-8
• the certification meets the requirements in 29 CFR 2520.103-5, and
• the certified investment information is appropriately measured, presented, and disclosed in
accordance with the applicable financial reporting framework
Engagement Acceptance;
Management Acknowledgements

12. withum.com
If management elects an ERISA Section 103(a)(3)(C) audit,
management must provide the auditor with their
assessment and determination that the entity preparing and
certifying the investment information is a qualified
institution, and that the certification satisfies the ERISA
requirements for an ERISA Section 103(a)(3)(C) audit.
This acknowledgement is required during client acceptance.
Engagement Acceptance;
Management Acknowledgements (Cont)

13. withum.com
How do you make that determination?
Things to consider:
1. Is the investment information prepared and certified by a qualified
institution? A qualified institution can be a
• Bank
• Insurance Company
• Trust Company
• Sometimes an agent is certifying on behalf of a bank, insurance or trust company
2. Is the certification signed by an authorized representative?
• Look for an explicit statement of authority to represent the certifying institution
Management’s Assessment

14. withum.com
Did the qualified institution certify to both the accuracy and completeness of
the investment information?
4. Does the certification or the related reporting package include language that
qualifies or calls into question whether the investment information is accurate
and complete?
• Sometimes certain investments are not covered by the certifications
5. Are the investments certified by the qualified institution properly valued as of
the date of the plan's financial statements?
• Certification date = plan financial statement date
• Are the investments properly valued?
Management’s Assessment

15. withum.com
Management’s Assessment

16. withum.com
Management’s Assessment

17. withum.com
• Evaluate management’s assessment of whether the entity issuing the certification is a qualified institution under DOL
rules and regulations, and ERISA Section 103(a)(3)(C) audit is permissible.
• Identify which investment information is certified.
• Perform the following procedures on the certified investment information:
• Obtain from management and read the certification as it relates to investment information prepared and certified by a qualified
institution.
• Compare the certified investment information with the related information presented and disclosed in the ERISA plan financial
statements and ERISA-required supplemental schedules.
• Read the disclosures relating to the certified investment information to assess whether they are in accordance with the presentation
and disclosure requirements of the applicable financial reporting framework.
• Perform audit procedures on the financial statement information, including the disclosures, not covered by the
certification as well as noninvestment-related information based on the assessed risk of material misstatement. Plans
may hold investments in which only a portion are covered by a certification from a qualified institution. In that case,
the auditor should perform audit procedures on the investment information that has not been certified.
Requirements for Plan Auditors (Cont)

18. withum.com
The plan document and effective amendments (referred to as the plan
instrument) is essential to understanding the plan and identifying and
performing audit procedures that are responsive to assessed risks.
Risk Assessment – Plan Instrument

19. withum.com
The auditor should consider whether management has performed the relevant IRC
compliance tests, including but not limited to, discrimination testing, and has corrected or
intends to correct failures, as applicable.
When plans are granted special tax status for the contributions and earnings on plan
investments to be exempt from taxation (tax-exempt status), such plans are required to be
designed and operated in accordance with IRC requirements in order to maintain their tax-
exempt status. Accordingly, the plan’s tax status is fundamental to the plan.
To determine if a plan is operating within the specific guidelines established by the plan
instrument in accordance with the IRC, management is responsible for conducting certain
nondiscrimination and other compliance tests, which are required to be performed at least
annually, unless otherwise provided by the IRC.
The auditor’s consideration of whether the plan has performed and passed, corrected, or
intends to correct failures of relevant IRC compliance tests may include inquiry and
inspection.
Risk Assessment – Plan Tax Status

20. withum.com
The auditor should evaluate whether prohibited transactions identified by
management or as part of the audit have been appropriately reported in the
applicable ERISA-required supplemental schedules.
Certain plan transactions with parties in interest are prohibited under Sections
406 and 407 of ERISA (referred to as prohibited transactions) and are required,
without regard to their materiality, to be disclosed to the DOL in the plan’s Form
5500 if they occur. For example, information on all delinquent participant
contributions are required to be reported on Schedule H of Form 5500. Large
plans with delinquent participant contributions are required to attach a
Schedule of Delinquent Participant Contributions. All other prohibited
transactions are reported on the Schedule of Nonexempt Transactions.
Risk Assessment – Prohibited Transactions

21. withum.com
POLLING QUESTION #2

22. withum.com
SAS 136 requires management to provide to the auditor, prior to the dating of the
auditor’s report, a draft of Form 5500 that is substantially complete.
A draft Form 5500 that is substantially complete includes the forms and schedules
that could have a material affect, involving both qualitative and quantitative
considerations, on the information in the financial statements and ERISA-required
supplemental schedules.
The auditor will compare the information within the draft 5500 to the information in
the financial statements and communicate material inconsistencies or misstatements
to management.
Substantially Complete
Draft Form 5500

23. withum.com
Key terms
• Material inconsistencies
Information contained in the Form 5500 that conflicts with
information contained in the audited ERISA plan financial statements is
considered an inconsistency.
• Material misstatements of fact
A misstatement of fact is information contained in the Form 5500
unrelated to matters appearing in the audited ERISA plan
financial statements that is incorrectly stated or presented.
Substantially Complete
Draft Form 5500 (Cont)

24. withum.com
Form 5500, Schedule H - Updates
With SAS 136, ERISA Section 103(a)(3)(C) are no longer disclaimer opinions in
form under GAAS and in the Form 5500 Accountant’s Opinion section

25. withum.com
Form 5500, Schedule H - Updates
Section III: Accountants Opinion section has been updated for SAS 136
Use this box for ERISA
Section 103(a)(3)(C)
audits
Use this box for Non-
Section 103(a)(3)(C)
audits
Related to certification
from 103-12 investment
entities (this is very rare)

26. withum.com
POLLING QUESTION #3

27. withum.com
Plan sponsors will notice that the audit report will look significantly different once the
EBP SAS has been implemented. One of the objectives of SAS 136 is to provide
readers with a better understanding of the scope of the audit and to make clear the
responsibilities of the plan sponsor and the auditor.
The audit opinion of an ERISA section 103(a)(3)(C) audit will include information on
the procedures performed on both certified and noncertified information as well as a
new basis for opinion section.
The audit report is intended to be more transparent as to plan sponsor and auditor
responsibilities, regardless of whether an ERISA section 103(a)(3)(C) audit or a non-
ERISA section 103(a)(3)(C), formerly referred to as “full scope,” audit is performed.
Auditor’s Report

28. withum.com
The Section 103 (a)(3)(C) audit is not considered a scope limitation under AU-C
Section 705, Modifications to the Opinion in the Independent Auditor’s Report
(resulting in a disclaimer of opinion). Therefore, instead of issuing a disclaimer
of opinion, an auditor will issue an opinion that will consist of two parts:
(1) an opinion on the fair presentation of information in the financial
statements not covered by the certification and
(2) an opinion on whether the investment information in the financial
statements reconciles with information in the certification.
Auditor’s Report (Cont)
See external attachment – “SAS 136 - Auditor's Report - Section 103(a)(3)(c)”

29. withum.com
Limited Scope Audit – Auditor’s Opinion
1. Report on the Financial Statements
2. Management’s Responsibility for the
Financial Statements
3. Auditor’s Responsibility
4. Basis for Disclaimer of Opinion
5. Disclaimer of Opinion
6. Other Matter
7. Report on Form and Content in
Compliance with DOL Rules and
Regulations
Audit Report – Updates
Limited Scope (PY) -> ERISA Section 103(a)(3)(C) (CY)
Section 103(a)(3)(C) – Auditor’s Opinion
1. Scope and Nature of the ERISA Section
103(a)(3)(C) Audit for the 2021 Financial
Statements
2. Opinion on the 2021 Financial
Statements
3. Basis for Opinion on the 2021 Financial
Statements
4. Responsibilities of Management for the
2021 Financial Statements
5. Auditor’s Responsibilities for the Audit of
the 2021 Financial Statements
6. Other Matters

30. withum.com
Since the prior year audit opinion wording is different than the current year
wording, the auditor has the following options for reporting:
1. Include 2 separate audit opinions (the current year opinion in the new
format and the prior year opinion) as illustrated in exhibit B of AU-C section
703
2. Issue one report and refer to the prior year (2020) report in an other-matter
paragraph in the current year (2021) report.
Audit Report – Updates
Limited Scope (PY) -> ERISA Section 103(a)(3)(C) (CY)

31. withum.com
Scope and Nature of ERISA Section 103(a)(3)(C) Audit for the 2021 Financial Statements
• The “Scope and Nature of the ERISA Section 103(a)(3)(C) Audit” section of the auditor’s report
should also do the following:
• Identify the plan whose financial statements have been audited
• State that the auditor performed an audit of the financial statements of an employee benefit plan subject to the
Employee Retirement Income Security Act of 1974 (ERISA), as permitted by ERISA Section 103(a)(3)(C) (ERISA
Section 103(a)(3)(C) audit)
• Identify the title of each statement that the financial statements comprise
• Refer to the notes
• Specify the dates of or periods covered by each financial statement that the financial statements comprise
• State that management, having determined it is permissible in the circumstances, has elected to have the audit
of the plan’s financial statements performed in accordance with ERISA Section 103(a)(3)(C) pursuant to 29 CFR
2520.103-8 of the Department of Labor’s Rules and Regulations for Reporting and Disclosure under ERISA
• State that as permitted by ERISA Section 103(a)(3)(C), the audit need not extend to any statements or
information related to assets held for investment of the plan (investment information) by a bank or similar
institution
• State that management has obtained a certification from a qualified institution as of, and for the year ended
date, stating that the certified investment information, as described in [insert note reference] to the financial
statements is complete and accurate
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(C)

32. withum.com
Opinion on the 2021 Financial Statements
• The auditor’s report should include the “Opinion” section, directly following the “Scope and
Nature of the ERISA Section 103(a)(3)(C) Audit” section, with the heading “Opinion.”
• When the auditor has not identified any material misstatements of the financial statements
and no scope limitations exist, the auditor’s report should include a statement that, in the
auditor’s opinion, based on the audit and on the procedures performed as described in the
“Auditor’s Responsibilities for the Audit of the Financial Statements” section
• the amounts and disclosures in the accompanying financial statements, other than those agreed to
or derived from the certified investment information, are presented fairly, in all material respects,
in accordance with the applicable financial reporting framework.
• the information in the accompanying financial statements related to assets held by and certified to
by a qualified institution agrees to, or is derived from, in all material respects, the information
prepared and certified by an institution that management determined meets the requirements of
ERISA Section 103(a)(3)(C).
• The auditor’s opinion should identify the applicable financial reporting framework and its
origin.
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(c)

33. withum.com
The auditor should express an unmodified opinion when the auditor concludes that the
ERISA plan financial statements are presented fairly, in all material respects, in accordance
with the applicable financial reporting framework.
When auditing ERISA plan financial statements, the auditor is required to report on whether
the ERISA-required supplemental schedules are fairly stated, in all material respects, in
relation to the financial statements as a whole, in accordance with AU-C section 725,
Supplementary Information in Relation to the Financial Statements as a Whole.
If the auditor addresses other reporting responsibilities in the auditor’s report on the ERISA
plan financial statements that are in addition to the auditor’s responsibility under GAAS,
these other reporting responsibilities should be addressed in a separate section in the
auditor’s report with the heading “Report on Other Legal and Regulatory Requirements” or
another heading that is appropriate to the content of the section.
Auditor’s Opinion

34. withum.com
Apply the requirements in AU-C section 705 when a modification to the
auditor’s opinion on the ERISA plan financial statements is necessary.
• Qualified opinion
• Adverse opinion
• Disclaims an opinion
Modifications to the opinion

35. withum.com
Basis for Opinion on the 2021 Financial Statements
• The auditor’s report should include a section, directly following the “Opinion”
section, with the heading “Basis for Opinion” that does the following:
• States that the audit was conducted in accordance with generally accepted auditing
standards (GAAS) and identifies the United States of America as the country of origin of
those standards
• Refers to the section of the auditor’s report that describes the auditor’s responsibilities for
GAAS
• Includes a statement that the auditor is required to be independent of the plan and to meet
the auditor’s other ethical responsibilities, in accordance with the relevant ethical
requirements relating to the audit
• States whether the auditor believes that the audit evidence the auditor has obtained is
sufficient and appropriate to provide a basis for the ERISA Section 103(a)(3)(C) audit
opinion
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(c)

36. withum.com
Responsibilities of Management for the 2021 Financial Statement
• This section of the auditor’s report should describe management’s responsibility for the
following:
• The preparation and fair presentation of the financial statements in accordance with the applicable
financial reporting framework, and for the design, implementation, and maintenance of internal control
relevant to the preparation and fair presentation of financial statements that are free from material
misstatement, whether due to fraud or error
• The election of the ERISA Section 103(a)(3)(C) audit and that the election does not affect management’s
responsibility for the financial statements.
• When required by the applicable financial reporting framework, the evaluation of whether there are
conditions or events, considered in the aggregate, that raise substantial doubt about the plan’s ability to
continue as a going concern [for the time period set by the applicable financial reporting framework, as
applicable.]
• Maintaining a current plan instrument, including all plan amendments Administering the plan and
determining that the plan’s transactions that are presented and disclosed in the financial statements are
in conformity with the plan’s provisions, including maintaining sufficient records with respect to each of
the participants, to determine the benefits due or which may become due to such participants.
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(c)

37. withum.com
Auditor’s Responsibilities for the Audit of the 2021 Financial Statements
• There is an expanded description of the auditor’s responsibilities, including
the auditor’s responsibilities relating to professional judgment and
professional skepticism, and the auditor’s communications with those
charged with governance, In addition, this section explains that the ERISA
section 103(a)(3)(C) audit did not extend to the certified investment
information, except certain procedures that are outlined in this section of
the auditor’s report
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(c)

38. withum.com
Other Matters
• The two main matters reported in the “Other Matters” paragraph will be:
1. 2021 Supplemental Schedules Required by ERISA
1. Expanded information about the nature of the schedules, management’s responsibility, how the
information (other than certified investment information) was subject to audit procedures and
the auditor’s opinion.
2. Auditor’s Report on the 2020 Financial Statements
1. Included since Withum is taking the one report approach (this would be omitted if a two
statement approach is taken – one report for ERISA Section 103(a)(3)(c) (2021) and one for the
limited scope audit (2020).
2. Includes an expanded description of the disclaimer of opinion for 2020.
Audit Report – Updates
Limited Scope -> ERISA Section 103(a)(3)(c)

39. withum.com
Audit Report – Updates
Full Scope -> Non-Section 103(a)(3)(c)
Non-Section 103(a)(3)(c) – Auditor’s Opinion
1. Opinion
2. Basis for Opinion
3. Responsibilities of Management for
the Financial Statements
4. Auditor’s Responsibilities for the
Audit of the Financial Statements
5. Supplemental Schedules Required
by ERISA
Full Scope – Auditor’s Opinion
1. Report on the Financial Statements
2. Management’s Responsibility for
the Financial Statements
3. Auditor’s Responsibility
4. Opinion
5. Report on Supplementary
Information

40. withum.com
Audit Report – Updates
Full Scope -> Non-Section 103(a)(3)(c)
When a continuing auditor performed a full-scope audit of comparative ERISA
plan financial statements in the prior year and a non-Section 103(a)(3)(C) audit
in the current year (the initial year of implementation of the EBP SAS, as
amended), the continuing auditor updates their prior year report in accordance
with paragraph .86 of AU-C section 703. This would result in issuing one report
that refers to each period for which the financial statements are presented and
on which the auditor is expressing an opinion (for example, for the years ended
December 31, 2021 and 2020)
See external attachment – “SAS 136 - Auditor's Report - Non-Section 103(a)(3)(c)”

41. withum.com
In addition to the requirements in AU-C section 580 Written Representations, the auditor
should request the following written representations from management in an audit of ERISA
plan financial statements:
• That management has provided the auditor with the most current plan instrument for the audit
period, including all plan amendments
• Acknowledgement of its responsibility for administering the plan and determining that the plan’s
transactions that are presented and disclosed in the ERISA plan financial statements are in
conformity with the plan’s provisions, including maintaining sufficient records with respect to each
of the participants to determine the benefits due or which may become due to such participants
• When management elects to have an ERISA Section 103(a)(3)(C) audit, acknowledgement that
management’s election of the ERISA Section 103(a)(3)(C) audit does not affect its responsibility for
the financial statements and for determining whether:
 an ERISA Section 103(a)(3)(C) audit is permissible under the circumstances,
 the investment information is prepared and certified by a qualified institution as described in 29 CFR 2520.103-8
 the certification meets the requirements in 29 CFR 2520.103-5, and
 the certified investment information is appropriately measured, presented, and disclosed in accordance with the
applicable financial reporting framework
Written Representations at the end of the engagement

42. withum.com
POLLING QUESTION #4

43. withum.com
SAS 136 requires auditors, when designing and performing audit procedures for employee
benefit plans subject to ERISA, to consider relevant plan provisions that affect the risk of
material misstatement (i.e., whether eligibility and contribution provisions are administered
in accordance with the plan document). Auditors will be required to communicate in writing
to those charged with plan governance on a timely basis “reportable findings” resulting from
these procedures.
Reportable findings are matters that are one or more of the following:
• An identified instance of noncompliance or suspected noncompliance with laws or regulations in
accordance with AU-C section 250
• A finding arising from the audit that is, in the auditor’s professional judgment, significant and
relevant to those charged with governance regarding their responsibility to oversee the financial
reporting process in accordance with AU-C section 260
• An indication of deficiencies in internal control identified during the audit that have not been
communicated to management by other parties and that, in the auditor’s professional judgment, are
of sufficient importance to merit management’s attention in accordance with AU-C section 265,
Communicating Internal Control Related Matters Identified in an Audit
Reportable Findings

44. withum.com
Management should expect to receive a written communication of reportable
findings that should include the following:
• A description of the reportable finding
• Sufficient information to enable those charged with governance and management
to understand the context of the communication
• An explanation of the potential effects of the reportable findings on the financial
statements or to the plan
The auditor is not permitted to issue a written communication stating no
reportable findings were identified during the audit.
Reportable Findings (cont.)

45. withum.com
AICPA.org-
https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/sas-136.pdf
https://www.aicpa.org/resources/download/ebpaqc-tool-for-discussing-sas-136-with-plan-clients
https://us.aicpa.org/content/dam/aicpa/interestareas/frc/auditattest/downloadabledocuments/sas-136-illustrations.pdf
https://us.aicpa.org/content/dam/aicpa/interestareas/frc/auditattest/downloadabledocuments/attest-clarity/ebp-auditing-
standard-at-a-glance.pdf
https://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00703.pdf
Withum articles-
https://www.withum.com/resources/preparing-for-new-ebp-audit-standard/
https://www.withum.com/resources/changes-to-your-annual-employee-benefit-plan-audits-are-here-what-you-need-to-know/
More resources:

46. withum.com
Questions?

47. withum.com
Thank you!
Ana Romeo, CPA
Manager
aromeo@withum.com
Sheri Wronko, CPA
Partner
swronko@withum.com