Original air date: June 9, 2017
Rebroadcast and recording info at http://www.mhmcpa.com
Join our Employee Benefit Plan experts for a concise review of audit and accounting issues and the latest tax updates and tax strategies for compliant plan design. Other topics include changes to the IRS Determination Letter Program, substantiation guidelines for hardship distributions and cybersecurity basics for employee benefit plans.
Webinar Slides: Employee Benefit Plan Hot Topics
1. #cbizmhmwebinar 1
CBIZ & MHM
Executive Education Series™
Employee Benefit Plan Hot Topics
Linda Lauer, Hal Hunt, Patrick McKie and Kyle Konopasek
June 9 & June 16, 2017
2. #cbizmhmwebinar 2
About Us
• Together, CBIZ & MHM are a Top Ten accounting provider
• Offices in most major markets
• Tax, audit and attest and advisory services
• Over 2,900 professionals nationwide
A member of Kreston International
A global network of independent
accounting firms
MHM (Mayer Hoffman McCann P.C.) is an independent CPA firm that provides audit, review and attest services, and works closely with CBIZ, a business consulting,
tax and financial services provider. CBIZ and MHM are members of Kreston International Limited, a global network of independent accounting firms.
3. #cbizmhmwebinar 3
Before We Get Started…
• To view this webinar in full screen mode, click on view options
in the upper right hand corner.
• Click the Support tab for technical assistance.
• If you have a question during the presentation, please use the
Q&A feature at the bottom of your screen.
4. #cbizmhmwebinar 4
CPE Credit
This webinar is eligible for CPE
credit. To receive credit, you will
need to answer periodic
participation markers
throughout the webinar.
External participants will receive
their CPE certificate via email
immediately following the
webinar.
5. #cbizmhmwebinar 5
Disclaimer
The information in this Executive Education Series
course is a brief summary and may not include all
the details relevant to your situation.
Please contact your service provider to further
discuss the impact on your business.
6. #cbizmhmwebinar 6
Presenters
Linda is the Co-Attest Practice Leader and a Lead Managing Director in
Memphis, Tennessee. She also manages the Employee Benefit Plan Audit
segment for the Memphis office. She serves as the main contact for benefit
plan audit engagements and is responsible for overall coordination and
efficient utilization of firm resources. She also serves on the National
Employee Benefit Plan Audit task force, which is responsible for developing
audit methodology for the national practice.
Linda’s experience includes more than 25 years with local and international
accounting firms as well as employee benefit administration for Fortune
500 companies, including Manager of Retirement Administration for
FedEx.
901.842.2872 • llauer@cbiz.com
Linda Lauer, CPA
MHM Shareholder
7. #cbizmhmwebinar 7
Presenters
Hal leads the Employee Benefit Plan Audit Practice. With over 30 years of
diverse experience with EBP accounting, auditing and compliance issues, he is
also a member of the firm’s Professional Standards Group as a subject matter
expert on EBP plan audits, as well as business combinations and lease
accounting.
As the National Practice Leader for EBP Audits, Hal is responsible for providing
internal training on the subject, along with providing technical support to
engagement teams, serving as engagement quality reviewer and developing
resource tools for our EBP audit professionals.
In addition, Hal has served on the AICPA's Employee Benefit Plan Audit Quality
Center (EBPAQC) Executive Committee and is also a member of the AICPA's
EBPAQC ESOP Task Force and Practice Monitoring Task Force.
816.945.5610 • hhunt@cbiz.com
HAL HUNT, CPA
Shareholder
8. #cbizmhmwebinar 8
Presenters
Based in our Philadelphia office, Patrick is a member of the accounting
& attestation group, with significant experience in employee benefit
plan audits. Patrick has several years of experience in the attest and accounting
profession, including a wide variety of clients ranging from public
companies to start-up companies in industries such as construction, real
estate, not-for-profit, manufacturing and several others. He is
responsible for the completion of many attest engagements throughout
the year, and provides management and development of our dedicated
attest personnel.
610.862.2329 • pmckie@cbiz.com
Patrick McKie
Manager
9. #cbizmhmwebinar 9
Presenters
Kyle is a Manager in our Kansas City office who works closely with the
Business and Technology Risk Services group at CBIZ MHM, LLC and has
been with the organization since 2001. He is experienced in planning,
conducting, supervising, reviewing and reporting on internal audit
engagements, SOC engagements, and financial statement audits. He
assists client management in preparing risk assessments, audit plans
and product deliverables and maintains client relationships. Kyle serves
a variety of clients within multiple industries including financial
institutions, payroll processing and manufacturing.
816-945-5512 • kkonopassek@cbiz.com
Kyle Konopasek, CIA
Manager
10. #cbizmhmwebinar 10
Additional Authorship Note
Some of this presentation’s content was
authored by others who presented at the
2017 AICPA Employee Benefits Conference.
11. #cbizmhmwebinar 11
Agenda
01 Industry Developments
02 Accounting Issues for 2016 EBP Audits
03 DOL’s Concerns About Audit Quality
04 Proposed Changes to Auditors’ Reporting Standards
05 Proposed Changes to Form 5500
06 Changes to IRS Determination Letter Program
07 Cybersecurity Risks to Benefit Plans
08 Questions
13. #cbizmhmwebinar 13
Industry Developments
• Uncertainty in the regulatory environment as a result of
the new administration
• Increases in mergers, spin-offs, and acquisitions causing
challenges when planning audits
• Continued downsizing of companies leading to a full or
partial plan termination
• Lost participants
• Increases in the number of employers withdrawing from
multiemployer plans
• Increase in litigation over excessive fees
• Limited scope certifications may not be acceptable
• Lack of proper plan oversight
15. #cbizmhmwebinar 15
Accounting Issues for 2016 EBP Audits
• ASU 2014-15, Disclosures of Uncertainties about an Entity’s
Ability to Continue as a Going Concern
• ASU 2015-07, Disclosures for Investments in Certain Entities
That Calculate Net Asset Value per Share (or Its Equivalent)
• ASU 2015-10, Readily Determinable Fair Value
• ASU 2015-12, Plan Accounting
• ASU 2016-01, Financial Instruments-Overall (Subtopic 825-10):
Recognition and Measurement of Financial Assets and
Financial Liabilities
• ASU 2016-19, Technical Corrections and Improvements
• ASU 2017-06, Employee Benefit Plan Master Trust Reporting
• Mortality improvement scales
16. #cbizmhmwebinar 16
ASU 2014-15, Disclosures of Uncertainties about an Entity’s
Ability to Continue as a Going Concern
• Effective for periods ending on or after December 15, 2016 (early
application was permitted)
• Entity’s management should evaluate whether there are conditions or events, considered
in the aggregate, that raise substantial doubt about the entity’s ability to continue as a
going concern within one year after the date that the financial statements are issued
• Disclosures when substantial doubt is raised but is alleviated by management’s plans
(substantial doubt does not exist)
• Disclosures when substantial doubt is raised and is not alleviated (substantial doubt exists)
• SAS 132, The Auditor’s Consideration of an Entity’s Ability to Continue as a
Going Concern
• Statement on Auditing Standards (SAS) 132 supersedes SAS 126
• Issued February 2017
• Primary objective was to consider the accounting provisions of ASU 2014-15
• Effective for audits of financial statements for periods ending on or after December 15,
2017
17. #cbizmhmwebinar 17
ASU 2015-07, Disclosures for Investments in Certain Entities
That Calculate Net Asset Value per Share (or Its Equivalent)
• Effective for fiscal years beginning after December 15, 2016 (early
application is permitted)
• Eliminates the requirement to categorize investments for which fair values
are measured using the net asset value per share practical expedient
• Also limits disclosures to investments for which the entity has elected to
measure the fair value using the practical expedient
18. #cbizmhmwebinar 18
Readily Determinable Fair Value (ASU 2015-10, Technical
Corrections and Improvements)
Definition of Readily Determinable Fair Value:
• An equity security has a readily determinable fair value if it meets any of
the following conditions:
• a. The fair value of an equity security……..currently available on a securities
exchange registered with the US Securities and Exchange Commission…….
• b. The fair value of an equity security ……..traded in a foreign market……if
that foreign market is of a breadth and scope comparable to the US
markets referred to above.
• c. The fair value of an equity security that is an investment in a mutual fund
or in a structure similar to a mutual fund (that is, a limited partnership or
a venture capital entity) is readily determinable if the fair value per share
(unit) is determined and published and is the basis for current transactions.
19. #cbizmhmwebinar 19
ASU 2015-12, Plan Accounting
• FASB issued a three-part ASU to simplify financial reporting for benefit
plans
• Part I: Fully Benefit-Responsive Investment Contracts (FBRICs)
• Part II: Plan Investment Disclosures
• Part III: Measurement Date Practical Expedient
• Developed by the Emerging Issues Task Force (EITF)
• Responded to advocacy efforts by the AICPA’s Employee Benefit Plans Expert Panel
• Identified the issues affecting a large number of plans with the goal of completing a
project within a short period of time
• Effective for fiscal years beginning after December 15, 2015
• Early application was permitted
• Plans could early adopt any of the ASU’s three parts without early adopting the other
parts
20. #cbizmhmwebinar 20
Part I: Fully Benefit-Responsive Investment Contracts
• Clarifies that contract value is the relevant measure for
FBRICs because that is the amount participants would
receive in a transaction
• Eliminates requirements to measure fair value and
present related fair value measurement disclosures
• Synthetic investment contracts are presented as single
amount at contract value with other FBRICs (no longer
break out underlying securities)
• Indirect investments in FBRICs through investment
companies (e.g., stable value CCTs) are not in the scope of
this guidance
• FBRICs held in a master trust are subject to the same
presentation and disclosure requirements.
21. #cbizmhmwebinar 21
Part II: Plan Investment Disclosures
• Simplifies the level of disaggregation for investments
measured using fair value by general type of investment
• Self-directed brokerage accounts are one general type of
investment
• Eliminates the following disclosures
• Net appreciation or depreciation in fair value of investments by
general type
• Individual investments with a value equal to or greater than 5% of
net assets available for benefits
• The significant investment strategies for an investment in a fund
that files an annual report on Form 5500 as a direct filing entity
when the plan measures that investment using the NAV practical
expedient
• Applies to master trust disclosures
22. #cbizmhmwebinar 22
ASU 2016-01, Financial Instruments: Recognition and
Measurement of Financial Assets and Liabilities
• Employee benefit plans are no longer required to include
disclosures for financial instruments not recorded at fair
value.
• Prior to adoption, FASB ASC 825-10-50 generally required
public entities or nonpublic entities with over $100 million
in assets to make certain disclosures related to the fair
value of financial instruments not recorded at fair value.
• For employee benefit plans, disclosures typically related to
the fair value of notes payable for leveraged ESOPs
• Effective for fiscal years beginning after December 15,
2018
• Early application is permitted.
23. #cbizmhmwebinar 23
ASU No. 2016-19, Technical Corrections and Improvements
• Issued December 2016
• Amendment to Master Glossary
• Definitions of benefits and plan assets were modified to
clarify applicability to health and welfare plans.
• Amendment to FASB ASC 965-30, Plan Accounting –
Health and Welfare Benefit Plans
• Clarifies that the events to be addressed in the roll
forward of the benefits obligation valuation are those
occurring between the most recent valuation date and
the plan’s year-end
24. #cbizmhmwebinar 24
ASU 2017-06, Employee Benefit Plan Master Trust Reporting
• Issued February 2017
• Effective date and transition
• Effective for fiscal years beginning after December 15, 2018
(early adoption permitted)
• Retrospective application
• Must adopt the master trust amendments and the 401(h)
amendments at the same time, if both are applicable
• Limits ASC 250-10 required disclosures (BC25.)
• Disclose only the nature of and reason for the change in
accounting principle (that is, the requirement of paragraph
250-10-50-1(a))
• Amendments do not affect sponsor accounting
25. #cbizmhmwebinar 25
ASU 2017-06: What’s New or Clarified?
• Reporting a plan’s interest in a master trust and the change in the value
of that interest as separate line items on the plan’s financial statements
• Disclosing the master trust’s investments by general type of investment
• Disclosing the master trust’s other assets/liabilities
• Disclosing the dollar amount of the plan’s interest in the master trust’s
investments (for each general type) and other assets/liabilities
26. #cbizmhmwebinar 26
ASU 2017-06: Other Assets and Liabilities
• Not prescriptive on how other assets and liabilities
should be disaggregated
• Examples, not an all-inclusive list
a. Amounts due from brokers for securities sold
b. Amounts due to brokers for securities purchased
c. Receivables relating to derivatives
d. Payables relating to derivatives
e. Accrued interest and dividends
f. Accrued expenses
29. #cbizmhmwebinar 29
ASU 2017-06: What’s the Same?
• Disclosing the net appreciation or depreciation in the fair value of master
trust (Note: ASU 2015-12 eliminated the requirement to disclose this amount
by type of investment.)
• Disclosing the investment income of the master trust
• Disclosing the description of the basis used to allocate net assets and total
investment income to the plan
• Disclosing the percentage interest in the master trust for plans with
undivided interests (that is, when the plan has a proportionate, rather than
specific, interest in the master trust)
30. #cbizmhmwebinar 30
ASU 2017-06: What’s Eliminated?
• Disclosing the percentage interest in the master trust
for plans with divided interests
• Providing investment disclosures in the health and
welfare benefit plan relating to the 401(h) account
assets (The health and welfare plan will be required
to disclose the name of the defined benefit pension
plan in which those disclosures are provided.)
31. #cbizmhmwebinar 31
ASU 2017-06: Disclosures for Underlying Investments of the
Master Trust
• GAAP does not address disclosures for the underlying
investments of a master trust (e.g., fair value disclosures,
derivative disclosures)
• ASU 2017-06 Background Information and Basis for
Conclusions (BC20.) states that this issue was not addressed
because it does not appear to be a significant current
practice issue for which standard setting is warranted and
there is no intent to change current practice
• Majority of plans provide these disclosures based on the
following
• AICPA Technical Questions and Answers Section 6931.11 Fair
Value Measurement Disclosures for Master Trusts
• AICPA Audit and Accounting Guide, Employee Benefit Plans
32. #cbizmhmwebinar 32
Mortality Improvement Scales…What’s New?
• Society of Actuaries (SOA) issued MP-2016 improvement scale on October 20, 2016
• Reflects a decrease in the rate of improvements in life expectancies in the United States
compared with the data in the 2015 mortality improvement scale (MP-2015)
• Incorporates mortality data from the Social Security Administration, which indicates that
deaths are occurring at rates slightly higher than assumed in MP-2015
• SOA did not update the RP-2014 base mortality tables
• This updated information should be considered for 2016 audits and any 2015 audits issued
after October 20, 2016
• AICPA Technical Q&A (TIS 3700.01) Effect of New Mortality Tables on
Nongovernmental Employee Benefit Plans (EBPs) and Nongovernmental Entities
That Sponsor EBPs (February 2015)
• IRS issued Notice 2016-50 providing updated static mortality tables
• RP-2000 mortality table, adjusted for mortality improvements using Projection Scale AA
required for funding purposes
• Treasury Department and IRS have issued proposed regulations prescribing
mortality tables to be used by most defined benefit pension plans for plan years
beginning on or after January 1, 2018
34. #cbizmhmwebinar 34
DOL’s Most Recent Audit Quality Study
• Final Report released in May 2015
• Study recommended by the DOL OIG
• 4th such audit quality assessment since 1988
• Based on a statistical sample of 400 plan audits
• 6 strata based on size of EBP practice
• DOL’s Full Report found at:
• http://www.dol.gov/ebsa/pdf/2014AuditReport.pdf
35. #cbizmhmwebinar 35
DOL’s Most Recent Audit Quality Study: Findings
Nearly 4 in 10 audits fail to
meet professional standards
$653 billion in plan assets and
22.5 million participants at risk
36. #cbizmhmwebinar 36
DOL’s Most Recent Audit Quality Study: Findings
Audit Deficiency Rate by Stratum
(Audit Quality Study - 2013 Form 5500 Database)
Strata | Audit Reviews | Audits With Deficiencies
1-2 | 95 | 75.8%
3-5 | 95 | 68.4%
6-24 | 95 | 67.4%
25-99 | 65 | 41.5%
100-749 | 25 | 12.0%
750+ | 25 | 12.0%
Total Reviewed | 400 | 38.8%
37. #cbizmhmwebinar 37
DOL’s Most Recent Audit Quality Study: Findings
A Disturbing Trend
Audit Quality Assessment | 1988 | 1997 | 2004 | 2014
Audits With GAAS Deficiencies | 23% | 19% | 33% | 39%
38. #cbizmhmwebinar 38
DOL’s Most Recent Audit Quality Study: Findings
• Correlation between size of a firm’s EBP practice and audit
quality
• Nearly 75% of plan audits were deficient in firms who audit
1-2 plans annually
• Peer Review is not a useful identifier of quality work
• In 4 of 6 strata, audits with 5+ GAAS deficiencies were
performed by firms with clean peer review reports
• CPAs not always properly licensed
• While benefit plan audits are unique, the problem is
broader – a lack of understanding of audits
39. #cbizmhmwebinar 39
DOL’s Most Recent Audit Quality Study: Recommendations
• Enforcement
• Case targeting
• Work with NASBA/AICPA’s Ethics Division to improve
sanctioning process
• Regulatory/Legislative
• Repeal the limited-scope audit exception
• Authorize the Secretary to establish accounting
standards and auditing principles for benefit plans
• Amend the definition of an IQPA
• Outreach
40. #cbizmhmwebinar 40
Audit Firm Risk From Poor Audit Quality
•Rejection of client’s filing
•Referral of deficient work to AICPA and state
board
•Damage to professional reputation
•Threat to professional license and livelihood
41. #cbizmhmwebinar 41
Plan Administrator/Plan Sponsor Risk From Poor Audit Quality
•Fiduciary risk for lack of prudence in selecting a
qualified CPA firm
•Potential rejection of Form 5500 filing due to
deficient audit work
•Potential assessment of civil monetary
penalties
42. #cbizmhmwebinar 42
DOL’s Ongoing Audit Quality Review Process
• Audits will be selected from Form 5500 filings
• Firms performing < 100 plan audits
• Will review 200-300 plans done by firms with <100 EBP audits
• Selection will be done on a statistical basis, using the same tiers
as the most recent study
• Firms performing between 100 - 200 plan audits
• Will look at many of these firms
• May review one or two audits of each firm
• Firms performing > 200 plan audits
• Will continue to use “firm inspection” approach
• Likely review 4 to 6 of these firms
• DOL will continue to make only one request for documents.
43. #cbizmhmwebinar 43
DOL’s Conclusions/Recommendations on Audit Quality
• Improvement in the process is necessary
• More communication between the Department and
the State Boards of Accountancy and the AICPA
• More education for auditors and plan administrators
• More enforcement actions taken with auditors
performing deficient audits
• Enhanced licensing procedures and enforcement
• Improved peer reviews
44. #cbizmhmwebinar 44
AICPA Enhance Audit Quality (EAQ)
6-Point Plan to Improve Audits
Enhancing Audit Quality
• Enforcement: Aggressive investigation of all referrals of deficiencies;
enhanced coordination with state boards; reinforced rules on due care
• Peer Review: Focus on greater risk industries or areas; more significant
remediation; root cause analysis; termination from peer review after repeat
quality issues
• Practice Monitoring of the Future: Near real-time, ongoing monitoring of
firm quality checks using robust technological platform
• Standards and Ethics: Quality control standards implementation; evaluation
of clarified standards implementation; auditor’s report revisions; ethics
codification
• Pre-licensure: Next version CPA Exam; AP course; changes to accounting
education; additional doctoral-level audit professors with practical experience
• CPA Learning and Support: Competency models for audits, competency
assessment tools, targeted resources; certificate programs; Audit Quality
Center resources, tools and training; CPEA; audit guides, risk alerts and
practice aids
46. #cbizmhmwebinar 46
Proposed AU-C 703, Forming an Opinion and Reporting on
Financial Statements of Employee Benefit Plans Subject to ERISA
• Exposure draft issued on April 20, 2017 with 120-day
comment period (August 21, 2017)
• Applies to financial statement audits of employee
benefit plans subject to ERISA
• Intended to improve the communicative value and
relevance of the auditor’s report and the quality of
ERISA employee benefit plan audits
• Proposed standard would be effective for audits of
financial statements for periods ending on or after
December 15, 2018
47. #cbizmhmwebinar 47
Proposed Auditor’s Reporting Standard for ERISA Plans
• Background
• AICPA Auditing Standards Board (ASB) developed the
EBP Reporting Task Force in January 2015
• DOL audit quality study report issued May 2015
• Improve quality of EBP audits by strengthening the EBP
auditor’s report
• Address forming an opinion and reporting on ERISA
plan financial statements
• DOL provided specific suggestions
• ASB discussions – July 2015-February 2017
48. #cbizmhmwebinar 48
Reporting on Specific Plan Provisions
• Specific plan provisions relating to the financial
statements
• Required auditing procedures
• Report findings from procedures
• Included to address diversity in practice and the work
performed in an ERISA audit
• Can be part of the auditor’s report on the financial
statements or in a separate report
49. #cbizmhmwebinar 49
Procedures to Inform Reporting on Specific Plan Provisions
• Procedures performed as part of the financial
statement audit
• Procedures should be performed, irrespective of risk
of material misstatement
• Required topics recommended by DOL and task force
based on areas often overlooked in ERISA
engagements
50. #cbizmhmwebinar 50
Procedures to Inform Reporting on Plan Provisions
• Procedures relate to:
• participant eligibility
• benefit payments
• claim payments
• participant vesting provisions
• employer and employee contributions
• disclosure of prohibited transactions
• Internal Revenue Code compliance tests
• participant asset allocations
• use of forfeitures
• recording of account activity
51. #cbizmhmwebinar 51
Report on Specific Plan Provisions Relating to the Financial
Statements
As part of obtaining reasonable assurance about whether ABC 401(k)
Plan’s financial statements are free from material misstatement, we are
required to perform certain procedures to test whether the plan and plan
transactions are in accordance with specific plan provisions. We
performed procedures relating to participant eligibility, benefit
payments, participant vesting provisions, employer and employee
contributions, disclosure of prohibited transactions, Internal Revenue
Code compliance tests, participant asset allocations, use of forfeitures,
and recording of account activity for the year ended December 31, 20X2
as required by generally accepted auditing standards for audits of
employee benefit plans subject to the Employee Retirement Income
Security Act of 1974 as set forth in AU-C section 703, Forming an Opinion
and Reporting on Financial Statements of Employee Benefit Plans Subject
to ERISA. However, these procedures were not performed for the
purpose of providing an opinion on compliance with those provisions
and, accordingly, we do not express such an opinion.
52. #cbizmhmwebinar 52
Report on Specific Plan Provisions Relating to the Financial
Statements
No findings
• During our audit, we did not have any findings relating to whether the plan and
plan transactions are in accordance with specific plan provisions. However, the
audit was not designed to identify all instances when the plan and plan
transactions are not in accordance with those specific plan provisions.
or
Findings have been noted
• During our audit, we noted the following findings relating to whether the plan
and plan transactions are in accordance with specific plan provisions. However,
the audit was not designed to identify all instances when the plan and plan
transactions are not in accordance with those specific plan provisions. Our
opinion on the financial statements is not modified with respect to these
findings.
[Describe findings]
53. #cbizmhmwebinar 53
Report on Specific Plan Provisions
• Illustrative Finding
• We noted instances when vesting was not calculated in
accordance with the plan instrument, which resulted in
the plan not paying appropriate benefits.
54. #cbizmhmwebinar 54
Limited Scope – Introductory Paragraph
We have performed an audit of the accompanying
financial statements of ABC 401(k) Plan, subject to the
limitation on the scope of the audit imposed by
management, as permitted by Employee Retirement
Income Security Act of 1974. The financial statements
comprise the statements of net assets available for
benefits as of December 31, 20X2 and 20X1, and the
related statement of changes in net assets available for
benefits for the year ended December 31, 20X2, and
the related notes to the financial statements.
55. #cbizmhmwebinar 55
Basis for Limitation on the Scope of the Audit
As permitted by 29 CFR 2520.103-8 of the Department of Labor’s Rules
and Regulations for Reporting and Disclosure under the Employee
Retirement Income Security Act of 1974, management imposed a
limitation on the scope of the audit. Under the authority of section
103(a)(3)(C) of the Employee Retirement Income Security Act of 1974, the
audit need not extend to information related to assets held for
investment of the plan (investment information) prepared and certified
by a bank or similar institution or insurance carrier which is regulated and
supervised and subject to periodic examination by a State or Federal
agency, provided that the statements or information regarding assets so
held are prepared and certified to by the bank or insurance carrier in
accordance with 29 CFR 2520.103-5 and 29 CFR 2520.103-8.
We have been informed by management that a qualified institution holds
the investments and executes investment transactions. Management has
obtained certifications from the qualified institution as of December 31,
20X2 and 20X1, and for the year ended December 31, 20X2, stating that
the investment information, described in Note X to the financial
statements, is complete and accurate.
56. #cbizmhmwebinar 56
Limited scope: Management’s Responsibility
• Same as full scope, plus:
Management is also responsible for determining whether a
limitation on the scope of the audit is permissible in the
circumstances, in accordance with the Employee Retirement
Income Security Act of 1974, including evaluating whether
• the certification is prepared by a qualified institution, and
• the certified investment information is complete and
accurate.
The limitation on the scope of the audit does not affect
management’s responsibility for the financial statements.
Management is responsible for determining whether the
certified investment information is appropriately measured,
presented and disclosed in accordance with accounting
principles generally accepted in the United States of America.
57. #cbizmhmwebinar 57
Limited Scope: Auditor’s Responsibility
• Same as full scope, plus:
With respect to the certified investment information that management
instructed us not to audit, we did not assess the risks of material
misstatement nor did we consider internal control over the certified
investment information. Our procedures were limited to the following:
(a) obtaining and reading the certification
(b) evaluating management’s assessment of whether the entity issuing
the certification is a qualified institution under the Employee
Retirement Income Security Act of 1974
(c) comparing the certified investment information with the related
information presented and disclosed in the financial statements
(d) evaluating whether the form and content of the certified investment
information presented and disclosed in the financial statements are in
accordance with accounting principles generally accepted in the United
States of America
Required
Procedures
58. #cbizmhmwebinar 58
Limited Scope: Auditor’s Responsibility
Other than with respect to the certified investment
information, our audit procedures were not limited for
other amounts and disclosures in the financial
statements.
We believe that the audit evidence we have obtained is
sufficient and appropriate to provide a basis for our
audit opinion with the ERISA-permitted audit scope
limitation on the financial statements.
59. #cbizmhmwebinar 59
New Limited Scope Opinion Paragraph
Auditor’s Opinion With the ERISA-Permitted Audit Scope
Limitation on the Financial Statements
In our opinion, based on our audit and based on our use
of the certification of the investment information that
we were instructed not to audit, the financial
statements referred to above present fairly, in all
material respects, the net assets available for benefits of
ABC 401(k) plan as of December 31, 20X2 and 20X1, and
the changes in net assets available for benefits for the
year ended December 31, 20X2, in accordance with
accounting principles generally accepted in the United
States of America.
60. #cbizmhmwebinar 60
Document Requests Feedback on 9 Issues for consideration
1. Required procedures when an ERISA-permitted audit scope
limitation is imposed
2. The form and content of the auditor’s report on ERISA plan
financial statements with an ERISA-permitted audit scope
limitation
3. Modification to the opinion in the independent auditor’s report
4. Required emphasis-of-matter paragraphs
5. Reporting internal control deficiencies
6. Certain requirements for audits of ERISA financial statements and
related required report on specific plan provisions relating to the
financial statements
7. Required procedures relating to the Form 5500
8. Proposed new reporting standard and amendments to other AU-
C sections
9. Proposed effective date
61. #cbizmhmwebinar 61
Comments
• Respondents are asked to provide comments on
Issues 1-9 as well as on the content of the proposed
SAS
• Comments are most helpful
• When they refer to specific paragraphs
• Include reasons for the comments
• Make specific suggestions for any proposed changes
• When in agreement with proposals in the exposure
draft it is helpful for the ASB to be made aware of this
view
62. #cbizmhmwebinar 62
ASB Process
• ASB will consider all comments received at future ASB
meetings
• Comment letters and ASB discussions are public and
materials can be found on AICPA website
• Your comments count!
64. #cbizmhmwebinar 64
Form 5500 Modernization Initiative - Five Major Goals
• Goal #1: Modernize financial statements and investment
information
• Goal #2: Update reporting requirements for service
provider fee and expense information
• Goal #3: Enhance accessibility and usability of data filed
on the forms
• Goal #4: Require reporting by all group health plans
covered by Title I of ERISA
• Goal #5: Improve compliance through new questions on
plan operations and financial management of
the plan
66. #cbizmhmwebinar 66
Changes to the Determination Letter Program
• IRS Notice 2016-37
• Effective 1/1/17, the IRS will eliminate the staggered five-year remedial
amendment cycle (Cycle A filers have until 1/31/17 to file a final submission) for
individually designed plans (IDP)
• IRS will no longer accept determination letter applications other than for:
• Initial plan qualification
• Plan termination (Form 5310)
• IRS makes a special exception
• IRS will publish a Required Amendment List annually (1 October of each year)
• An IDP must be amended to retain its qualified plan status for each item on the list by the end of
the second calendar year following the year the list is published
• Discretionary amendments are required by the end of the plan year in which
the amendment is operationally put into effect
• Eliminating the expiration dates on determination letters
• Extended the adoption period for certain pre-approved defined contribution
plans (April 30, 2017, instead of April 30, 2016)
68. #cbizmhmwebinar 68
Key Cybersecurity Issues
• Cybersecurity Risks To Employee Information
• Benefit Plans and Data Security—Duty to Protect Data
• Duties to Employees After Data Security Breaches
• What Can Employers and Plans Do Proactively?
70. #cbizmhmwebinar 70
High-Risk Cybersecurity Points of Control
• Third-party vendor vulnerabilities
• Phishing emails, malware, ransomware
• Transfer of sensitive data to third parties
• Deliberate
• Accidental
• Browser and internet vulnerabilities (infected sites)
• Advanced Persistent Threats (APT)
• Change control
71. #cbizmhmwebinar 71
Top Cybersecurity Threats
In 2016, the top cyber threats to healthcare organizations
include:
• Denial-of-Service (DoS)
An assault on a service from a single source that floods it with so many requests that it
becomes overwhelmed and is either stopped completely or operates at a significantly
reduced rate.
• Ransomware
A class of extortive malware that locks or encrypts data or functions and demands a
payment to unlock them.
• Malware
Also called malicious code, malware is software designed to gain access to targeted
computer systems, steal information or disrupt computer operations.
• Phishing
Email attack that attempts to convince a user that the originator is genuine, but with
the intention of obtaining information for use in social engineering.
72. #cbizmhmwebinar 72
Trends in Cybersecurity
• Increasingly sophisticated phishing attacks
• Less reliance on passwords alone
• Increased use of multi-factor authentication, biometrics
and applications to verify transactions
• Increased investment in security and training
• Board involvement in security matters
73. #cbizmhmwebinar 73
What the Attackers Want
• Protected Health Information (PHI)
• Medical files
• Billing records
• Insurance records
• Sensitive Personally Identifiable Information (PII)
• Social Security numbers
• Payment Card Industry (PCI)
• Credit card numbers and information
• Access credentials
• System usernames and passwords
• Physical access badges
• High-value assets
• Laptops, phones, personal devices
74. #cbizmhmwebinar 74
What’s at Stake?
• BRAND
Data breaches diminish trust and confidence among customers and
business partners.
• REPUTATION
Those who rely on you to protect their health also trust you to protect
their personal information. When sensitive data is exposed, your
reputation is on the line.
• REGULATORY SCRUTINY
Loss or theft of sensitive and confidential information may require
that regulators be notified.
• FINANCIAL IMPACT
A data breach may have negative financial consequences through fines
and/or lawsuits.
• OFFICER/DIRECTOR LIABILITY
A data breach may open officers and/or directors to being held
personally liable.
75. #cbizmhmwebinar 75
Breach of Employee Data
Headlines are laden with stories about breaches of
consumer or customer data, but employee data is also
a target.
Common Risks:
• Employee data can be especially sensitive in nature
(SSNs, DOBs, financial and medical information, bank account
details, beneficiary information, confidential emails)
• Breach could also affect former employees’ data
(weak off-boarding resulting in data left undeleted or stored
off-network)
76. #cbizmhmwebinar 76
Data Security Laws
As state laws evolve in the area of security of sensitive PII,
benefit plan administrators should be aware of the laws and
adjust administrative practices accordingly.
• Focus on the state of residence of the individual to whom the data
relates, not only the state in which the company resides or the plan
is administered
• For a pension plan, could be any state in which a retiree lives
• May also include states of residence of beneficiaries
• Data disposal laws (e.g. sensitive PII)
• SSN protection laws (e.g. using SSN as ID number or mailing SSN)
• Protection of medical information
• Broad general cybersecurity requirements vary by state
77. #cbizmhmwebinar 77
ERISA Preemption
• Under § 514(a), ERISA broadly preempts any and all state
laws as they may relate to any covered employee benefit
plan.
• There are two aspects of ERISA preemption: (1) express
preemption under ERISA § 514(a); and (2) preemption
due to a conflict with ERISA’s exclusive remedial scheme
set forth in ERISA § 502(a).
• A state law which duplicates, supplements, or supplants
the ERISA civil enforcement remedy to recover benefits
under the terms of a plan, enforce rights under a plan or
clarify rights to future benefits under a plan is preempted
when it "conflicts with the clear congressional intent to
make the ERISA remedy exclusive."
78. #cbizmhmwebinar 78
ERISA and Data Security
• ERISA indirectly addresses data security and how
employee benefit plans should protect sensitive PII of
participants and beneficiaries of benefit plans through
Duty of Care or the Prudent Expert Rule.
• Under Duty of Care, a fiduciary must act with the care,
skill, prudence, and diligence that a prudent person acting
in a like capacity and familiar with such matters would use
in similar circumstances.
• ERISA holds a fiduciary who breaches any of these duties
personally liable for any losses to the plan that result from
its breach of duty.
79. #cbizmhmwebinar 79
ERISA and Data Security
• Lack of Department of Labor (DOL) guidance
• ERISA Advisory Council advised the DOL to issue guidance
on obligation of fiduciaries to protect PII in 2011 . . . the DOL
has yet to act.
• ERISA Advisory Council issued a report in November 2016
to the Secretary of Labor, “Cybersecurity Considerations
for Benefit Plans”.
• Provides best practices and considerations for plan
sponsors, fiduciaries and service providers when designing a
cybersecurity program.
• Focused on vulnerabilities due to number of users and
service providers and lack of regulatory framework.
80. #cbizmhmwebinar 80
Mitigating Personal Liability
• Personal liability may be mitigated if a fiduciary can demonstrate
that it had security policies in place and had taken reasonable steps
to safeguard the data according to industry standards or had undertaken
proper diligence in selecting a plan service provider.
• Target Special Litigation Committee Example
• Target shareholders filed derivative actions in
Minnesota against Target directors and certain
executive officers.
• Under Minnesota law, a court deferred to the Special
Litigation Committee’s (SLC) recommendation to
dismiss the derivative action.
81. #cbizmhmwebinar 81
Information Security Program
Reducing Risks – Develop Strong Internal Programs
Information Security Program
Written plan created and implemented by the organization to
identify and control risks to information and information systems
and to properly dispose of information.
• Data inventory and classification
• Policies and procedures
• Incident response plan
Security Awareness Program
Security awareness reflects the organization’s attitude toward
protecting the physical and intellectual assets of an organization.
• Employee training
• Controlled testing of InfoSec program components
82. #cbizmhmwebinar 82
Key Take-Aways
• Organizational culture and control environment must be
baselined to leading industry standards (i.e. NIST).
• Policies, procedures, and programs must be enforced to be
effective.
• Controls need to be validated against established policies,
procedures, and programs.
• Most security threats can only be mitigated.
• The human element is always the weakest link when dealing
with security.
• Good habits drive security culture and there are no
technologies that will ever make up for poor security culture.
• Awareness programs, when properly executed, provide
knowledge that instills behavior.
84. #cbizmhmwebinar 84
If You Enjoyed This Webinar…
Upcoming Courses:
• 6/22: Hedging of Foreign Exchange Exposures
• 6/26 & 7/17: Second Quarter Accounting and Financial Reporting Issues Update
• 6/28: Financial Instruments - Preparing for the New FASB Requirements
Recent Publications:
• Share-Based Payments Receive Some Accounting Clarity
• How to Navigate Complex Debt and Equity Transactions
• FASB Revisits Accounting for Premiums on Callable Debt Securities
• FASB’s Definition of a Business Project and Other Accounting Highlights from Q1
2017
85. #cbizmhmwebinar 85
Connect with Us
MHM
• linkedin.com/company/mayer-hoffman-mccann-p.c.
• @mhm_pc
• youtube.com/mayerhoffmanmccann
• slideshare.net/mhmpc
CBIZ
• linkedin.com/company/cbiz-mhm-llc
• @cbizmhm
• youtube.com/BizTipsVideos
• slideshare.net/CBIZInc