session 17 - amazon simple storage service · the employee benefit plan audit quality center and is...

Speakers retain the copyright for all of the following materials. Any replication without written consent is unlawful. Comments and opinions expressed by the speaker do not necessarily reflect the positions, opinions or beliefs of the AICPA and should not be construed or interpreted as such. The materials contained in this presentation should not be considered to be in the public domain. Speeches and presentation materials contained here are proprietary works protected by copyright to AICPA and/or to the individual or entity who presented the materials at the conference. All rights are reserved. The authorized use of materials on this page is limited to download for personal reference by authorized users of the conference materials download area. Reproduction, redistribution, reuse, reposting or resale by any party in any form, format or media without express permission is strictly prohibited. Permissions requests may be directed to [email protected] or to Mary Walter, Senior Manager - Licensing and Rights at 919-402-4835.

Changes in Peer Review Guidance Related to Employee Benefit Plans (continued in session #25)

William Lajoie, Marilee Lau, Thomas Parry

Employee Benefit Plans Conference, Session 17


Post on 23-May-2018


#AICPAebp

Employee Benefit Plans

William G. Lajoie, CPA, CFE, CFF
William G. Lajoie, P.C.

Marilee Lau, CPA
Retired Partner, KPMG

Thomas J. Parry, CPA
Benson & Neff


Introduction and Overview

Enhanced Oversight and MFC Update
EBP Checklist Review
Peer Review Update – EBP Focus
QC Document Overview
Case Study Example Workpaper Overview


William G. Lajoie, CPA, CFE, CFF

Bill is a shareholder of the CPA practice, William G. Lajoie, P.C. in Centennial, Colorado. He serves as a Technical Reviewer for peer reviews conducted in Colorado (and formerly in New Mexico), has performed over 400 peer reviews and has also served as Chairman of the Peer Review Committee of the Colorado Society of CPAs. He is a former member of the Executive Committee of the Employee Benefit Plan Audit Quality Center and is currently a member of the AICPA Peer Review Board. He also serves on the Peer Review Practice Monitoring Task Force for Employee Benefit Plans and the Quality Control Task Force of the Auditing Standards Board. His practice consists of attestation services for privately held companies, employee benefit plans, and not-for-profit organizations; forensic services, primarily related to fraud research and consultation; and alternative dispute resolution, principally as an arbitrator. He is also a Neutral on the Commercial Panel of the American Arbitration Association.


Marilee Lau, CPA

Marilee Lau is a founding member of the AICPA Employee Benefit Plan Audit Quality Center which was established in 2004. She was chair of the Center’s Executive Committee from 2007-2010. This committee works closely with the Department of Labor in order to provide guidance to plan sponsors and their auditors. Marilee was also chair of the Audit Guide Task Force which updates the EBP Guide for Audits of Employee Benefit Plans and the Audit Risk Alert. She is also on the DOL subgroup of the technical standards subcommittee for the AICPA’s Professional Ethics Division and is currently participating as an industry expert in the AICPA Peer Review Program’s enhanced oversight process.

Marilee, a retired Partner with KPMG, was KPMG’s National Partner in Charge of the Employee Benefit Plan Practice until her retirement in 2009. Currently, she is consulting on various employee benefit plan matters.


Thomas J. Parry, CPA

Tom is a shareholder of Benson & Neff, a local firm located in San Francisco, California. He is responsible for the system of quality control applicable to all accounting and audit services provided by the firm and the engagement partner for audits of employee benefit plans performed by the firm. Tom specializes in reviewing quality control policies and procedures for other AICPA member firms and acts as the quality control reviewer for audit and accounting services provided by other firms to both public and privately held clients.

He is a member of the AICPA Peer Review Board and California Peer Review Committee and chairs the AICPA Peer Review Board Standards Task Force and Peer Review Practice Monitoring Task Force for Employee Benefit Plans. He also serves on the Quality Control Task Force of the Auditing Standards Board.


Enhanced Oversight & MFC Update


Enhanced Oversight Process

RAB issues reviewer feedback as necessary.

Report submitted to AE for consideration during the report acceptance process.

Expert & reviewer discuss issues noted, then expert issues report.

Expert reviews workpapers, completes checklist & compares to reviewer's work.

AICPA notifies firm, peer reviewer & AE of enhanced oversight selection.

Reviewer performs peer review & submits documents to AE.


Breakdown of Engagements Selected

[Chart] Values: 48, 32, 9, 1. Legend: EBP, Single Audit, Government Auditing Standards, SOC 1.


Oversight Results by Type

[Chart] Categories: EBP, GAS/Single Audit, SOC 1
Non-Conforming Engagements: 22, 17, 1
Total Engagements Reviewed: 48, 41, 1


Only 7 non-conforming engagements were identified by the peer reviewer.


Enhanced Oversight Findings Employee Benefit Plans

Service Organization Control (SOC) Reports
• Overreliance – omitted testing
• Investment elections
• Allocation of investment income
• Allocation of contributions
• No documentation of evaluation


Enhanced Oversight Findings Employee Benefit Plans

Investments
• Failure to test fair value measurements
• No direct confirmation of existence in a full scope audit
• Failure to test valuation in a full scope audit

Benefit payments
• No audit documentation or no audit work performed
• Failure to sufficiently perform procedures related to benefit and claims payment testing including evaluating participant’s eligibility, examining approvals and recalculation of benefit or claims amounts

Participant data
• Failure to sufficiently perform participant testing related to demographic data and payroll


Findings (continued)

Failure to report significant plan information, such as related party and party in interest transactions, and prohibited transactions between a plan and a party in interest

Failure to obtain an understanding of the actuary’s or appraiser’s objectives, scope of work, methods and assumptions, and consistency of application

Failure to properly document engagement planning, risk assessment and the internal control environment


Enhanced Oversight – What’s Next?

Sample size expanded from 90 to 190
• 166 Random
• 24 Targeted

Two new components
• Determining the systemic reasons firms performed (or failed to perform) engagements in conformity with professional standards in all material respects
• Determining targets for onsite oversight to be performed by the experts


Matters For Consideration (MFCs)

Collecting data on MFC forms
Using data to develop resources
Assisting firms with new tools and resources
Examples of matters in peer reviews: http://www.aicpa.org/InterestAreas/PeerReview/Community/PeerReviewers/Pages/ExamplesofMattersinPeerReviews.aspx


Examples of Matters in Peer Reviews

Failure to sufficiently perform participant testing
Failure to sufficiently perform and document reliance on SOC 1 reports
Failure to sufficiently perform procedures related to benefit and claims payment testing
Failure to report significant plan information
Failure to obtain an understanding of the actuary’s objectives, scope of work, methods and assumptions, and consistency of application on defined benefit plans
Failure to present a complete Schedule of Assets


EBP Checklist Review


Peer Review EBP Checklist Review

Revised Checklist 20,700
Added questions on risk assessment
Identified and/or revised certain bolded questions


EBP Engagement Profile Changes

List EBP specific training for all engagement personnel for previous 3 years

Risk assessment contains additional section for DOL limited scope audits
• If a limited scope audit, what is the name of the entity certifying the investments?
• Was there a change in entity during the year?
• Were all investments certified? If not, describe assets not certified and the procedures performed.


EBP Engagement Profile Changes

Additional questions related to Risk Assessment of SOC 1 Reports
• Where is the testing of complementary user entity controls documented?
• Were there any changes in service providers?
• What is the name of the firm issuing the report?
• What is the time period covered by the report(s)?


EBP Engagement Profile Changes

Initial Audits - identify where communication with predecessor auditor is documented
Reviewer Conclusion on Engagement Profile added


Engagement Profile Red Flags

Personnel Continuity
• Number of years assigned to this engagement: Owner or Partner 8; Manager (or equivalent) 12
• Number of years in current position on this engagement: Owner or Partner 8; Manager (or equivalent) 10

Describe the engagement team’s experience relevant to this engagement. Partner and manager have audited this plan for the last 12 years.

List EBP specific training for all engagement personnel for the last three years. All staff attended annual A&A update CPE course.


Engagement Profile Red Flags

Audit hours on this engagement (Total / Planning (Risk Assessment) / Test Work (Substantive Procedures) / Engagement Wrap-up)
• Owner or Partner: 16 / - / 1 / 15
• EQCR: - / - / - / -
• Manager (or equivalent): 162 / 24 / 64 / 74
• Senior or other prof.: - / - / - / -
• Total hours: 178 / 24 / 65 / 89
• Total budgeted: 100


Engagement Profile Red Flags

Audit Engagement Risk Assessment
1. Summarize key risk factors the engagement team considered. DOL Regulations
2. What other procedures were performed? Limited scope audit


Engagement Profile Red Flags

Engagement involves reporting on a defined contribution plan
Type of report issued: DOL limited scope disclaimer

SOC 1 Report(s)
1. Which audit areas did you rely on a type 2 SOC 1 report(s) to reduce substantive testing? Investments.
2. What other procedures were performed? Agreed to trustee statements.


Peer Review EBP Checklist and Bolded Questions

Service Auditor Reports
• Consider controls that may affect plan’s transactions and internal control
• Obtain an understanding
• Obtain audit evidence about operating effectiveness
  - Obtain and read type 2 report
  - Perform appropriate tests of controls
  - Use another auditor to perform tests of controls
  - Determine whether report provides sufficient appropriate audit evidence about the effectiveness of controls to support user auditor’s risk assessment


Peer Review EBP Checklist and Bolded Questions

Participant Accounts and Allocations
• For defined benefit and health and welfare plans, compare participant data with information given to the actuary to compute the benefit obligation
• For defined contribution plans, test company and individual contributions and demographic data to determine eligibility and vesting to individual participant accounts


Peer Review EBP Checklist and Bolded Questions

Investments and Investment Income (including interest bearing cash)
• Fair value measurements (including appropriate leveling) and disclosures in conformity with GAAP

Full scope audits
• Evidence regarding existence and ownership of investments through direct confirmation and review for liens or other security interest
• Test investment transactions, including accrued income
• Test fair value of investments at the end of the plan year, including the net change in appreciation or depreciation


Peer Review EBP Checklist and Bolded Questions

Benefit and Claims Payments
• Examine participant’s file for type and amount of claim and propriety of required approvals
• For health and welfare benefit plans, examine service provider statements or other evidence of service rendered and application of stop loss reimbursements
• Evaluate participant’s or beneficiary’s eligibility, re-computing benefits based on the plan instrument and related documents, option elected, vesting provisions, and pertinent service or salary history


Peer Review EBP Checklist and Bolded Questions

Employee Stock Ownership Plans (ESOP)
• Participant allocations, contributions, investments, distributions, and notes payable appropriately recorded and disclosed
  - Employer contributions and forfeitures allocated to participants according to the plan document
  - Independent appraisal obtained and reviewed for privately held employer stock and appropriate procedures applied to the appraisal and appraiser
  - Procedures performed over distributions in shares of stock and cash including repurchase agreements, and reallocation of shares


Peer Review EBP Checklist and Bolded Questions

Auditor’s Report
• Limited scope audit states permitted by DOL rules and regulations with respect to investment information and a disclaimer issued
• Appropriate opinion on supplemental schedules required by ERISA and DOL regulations
• Appropriately modified for a GAAP departure, GAAS departure, or nondisclosure of prohibited transactions
• Appropriately modified for financial statements presented on a basis other than GAAP that is acceptable under ERISA or DOL regulations
• Considered implications of decision to terminate a plan for the auditor’s report


Peer Review Update – EBP Focus


Improving Transparency & Effectiveness of Peer Review

PRB approved proposed changes to guidance
• Effective January 1, 2017
• Clarifies and enhances existing guidance
• Gives firms ultimate responsibility


Improving Transparency & Effectiveness of Peer Review

Enhancing procedures to identify systemic causes and assess remediation plans
Expecting considerations of firm and reviewer assessments with respect to systemic causes and nonconforming engagements
Providing public with more transparent reporting


Nonconforming Engagements (Key Changes)

Firm Responsibilities
• Add a representation to the firm representation letter that addresses remediation of nonconforming engagements
• Provide details of remediation of nonconforming engagements on MFC form, Finding for Further Consideration (FFC) form or letter of response, as applicable

Review Team Responsibilities
• Assess appropriateness of firm’s remediation efforts
• Consider expanding scope to determine pervasiveness of the nonconforming engagements
• Include reference to must-select industry in a report deficiency when nonconforming engagement is in that must-select industry.
  - However, do not include explanation of how firm remediated the nonconforming engagement (“closing the loop”).


Systemic Causes

Revised definition
• “A weakness in the firm’s system of quality control that allowed a matter to occur or remain undetected”

Firm Responsibilities
• Develop and document a System of Quality Control
• Describe the firm’s actions taken or planned to remediate findings, deficiencies and significant deficiencies


Systemic Causes

Review Team Responsibilities
• Identify the systemic cause of matters, findings, deficiencies and significant deficiencies, in collaboration with the firm.
  - Conversely, the review team will no longer be required to provide a recommendation to remediate the systemic cause
• Identify deficiencies in the firm’s QC system even when nonconforming engagements were not identified
• Inquire about and review evidence prior to the peer review year to support assessment of the design and compliance with system controls, when necessary
• Include a link to the requirements of SQCS No. 8 in the descriptions of findings, deficiencies and significant deficiencies
• Assess the firm’s response to findings, deficiencies and significant deficiencies to determine the impact on the peer review, if any


Reporting and Other

Clarify peer review report
• Restructuring the placement of information under appropriate headings, similar to the clarified audit report
• Clarifying the purpose of the report with a descriptive report title
• Clarifying the required selections paragraph of the report by appropriately indicating when singular selections were made

Other changes
• The introduction of a closing meeting as the suggested timing for discussion of peer review preliminary results.
• Create a separate letter of representation for Engagement Reviews.
• The introduction of an interpretation that addresses reasons why a peer review committee may not approve a peer review report within 120 days.


New Reviewer Remediation Process

Effective December 31, 2015
• More than one significant performance deficiency noted, RAB
  - Issues deficiency letter OR
  - Issues removal letter
• Pattern of performance deficiencies noted, RAB
  - Issues deficiency letter, AND
  - If performance does not improve, issues removal letter
• Removal letter issued
  - Reviewer is restricted from scheduling future reviews
  - PRB hearing panel (within 60 days) determines whether to ratify
• Reviewer may appeal removal to Ad Hoc committee of PRB


Reviewer Performance Changes

Revisions to Peer Review guidance designed to:
• Expedite remediation or removal of poor performing reviewers
• Improve consistency in handling of reviewer performance matters
• Enhance reviewer qualifications and training requirements of reviewers, including reviewers of certain must-select engagements


Reviewer Performance Changes

Reviewer Performance Guidance Changes - Disagreements
• AEs will form hearing panels, consisting of committee members, to resolve disagreements
• Appeals of any decisions reached should be made to the PRB
• PRB will then appoint hearing panel members to review and consider the request


Reviewer Performance Changes

Reviewer Performance Guidance Changes – Performance and Cooperation
• PRB approved revisions that significantly reduce the amount of time a poorly performing reviewer:
  - Could be removed from the program
  - Could be required to complete remediation

Improved consistency
• All reviewer performance issues will be classified as:
  - Reviewer performance deficiencies
  - Significant reviewer performance deficiencies
• A revised reviewer feedback form will provide examples of each type


Independence Requirements

Independence – non-attest services
• Preparing financial statements is a non-attest service effective 12/15/2014
• Assess client skills, knowledge and experience (SKE) to:
  - Assume management’s responsibilities;
  - Oversee the non-attest service;
  - Evaluate and accept responsibility for the results;
• Enhanced engagement checklists address independence and non-attest services

Prepare for this area
• Review ET sec. 1.295 requirements for non-attest services


EBPAQC Tool

Independence Requirements


Independence Requirements – Engagement Profile Questions

What types of non-attest services will be performed for this client?
• Activities such as financial statement preparation, cash-to-accrual conversions, and reconciliations
• Bookkeeping, payroll, and other disbursements
• Tax preparation services
• Other, which may include advisory services, appraisal, valuation, and actuarial services, benefit plan administration, business risk consulting, corporate finance consulting, executive or employee recruiting, forensic accounting, information systems design, implementation, or integration, internal audit, investment advisory or management


Independence Requirements – Engagement Profile Questions

For each non-attest service type previously identified, identify the following:
• Specific non-attest service
• Individual in your firm responsible
• Name(s) and title of client personnel overseeing this service
• Please describe your assessment and factors leading to your satisfaction that the client personnel overseeing the service had sufficient skills, knowledge and experience to do so


Independence Requirements – Engagement Profile Questions

Did any of the non-attest service(s) involve leading and directing the entity, including making significant decisions or assuming management responsibilities?

Examples of such services include, but are not limited to the following:
• Accepting responsibility for the preparation and fair presentation of the client’s financial statements
• Having check signing authority or power of attorney, whether used or not
• Preparing invoices, receipts, or other documents that evidence the occurrence of a transaction (including data entry)
• Authorizing or executing transactions, or making decisions on behalf of the client


Independence Requirements – Engagement Profile Questions

Examples of such services include, but are not limited to the following (continued):
• Supervising, hiring, or terminating client employees
• Serving on the client’s board of directors
• Serving as a client’s stock transfer or escrow agent, registrar, general counsel, or equivalent
• Accepting responsibility for the management of a client’s project
• Performing ongoing evaluations of the client’s internal control as part of its monitoring activities

If any of the preceding boxes are checked, please provide a description.


QC Document Overview


Quality Control and Your Firm’s EBP Practice

A fundamental step in creating a quality EBP audit practice is establishing an effective system of quality control specific to your firm’s EBP audit practice.

An effective QC system will provide reasonable assurance that the firm and its personnel comply with professional standards and ERISA and DOL regulatory requirements, and that reports issued by the firm are appropriate in the circumstances.

Quality control policies and procedures likely will differ based on firm size and the nature of the EBP audit practice. Documentation and communication of policies and procedures for smaller firms may be less formal and extensive than for larger firms.


Elements of Quality Control

Leadership responsibilities for quality within the firm (the “tone at the top”)
Relevant ethical requirements
Acceptance and continuance of clients and engagements
Human Resources
Engagement performance
Monitoring


Tone at the Top

The firm should promote an internal culture based on the recognition that quality is essential in performing engagements and should establish policies and procedures to support that culture.

Such policies and procedures should require the firm’s leadership (managing partner or board of managing partners, chief executive officer, or equivalent) to assume ultimate responsibility for the firm’s system of quality control.

Firms should designate a partner to be responsible for the quality of the firm’s EBP audit practice. The Designated Partner (DP) in charge of EBP audit quality sets the tone for the firm’s EBP audit practice.


Relevant Ethical Requirements

The firm should establish policies and procedures designed to provide it with reasonable assurance that the firm and its personnel comply with relevant ethical requirements. The AICPA Code of Professional Conduct establishes the fundamental principles of professional ethics, which include:

• Responsibilities
• Public Interest
• Integrity
• Objectivity and Independence
• Due Care
• Scope and nature of services

Conduct a firm-wide self-review to determine that independence is maintained for all EBP audits in accordance with applicable independence rules.

Particular care should be exercised in situations where the firm is considering preparing plan client financial statements, and performing other nonattest services.


Acceptance and Continuance

The firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm with reasonable assurance that it will undertake or continue relationships and engagements only where the firm:

• Has considered the integrity of the client, including the identity and business reputation of the client’s principal owners, key management, related parties, and those charged with its governance, and the risks associated with providing professional services in the particular circumstances
• Is competent to perform the engagement and has the capabilities and resources to do so; and
• Can comply with legal and ethical requirements.

Professional standards require that the firm obtain information considered necessary in the circumstances before accepting an engagement with a new client, when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client.


Acceptance and Continuance

When considering the appropriate competence and capabilities expected of EBP audit engagement teams, matters to be considered include, among other things:

• An understanding of, and practical experience with, EBP audit engagements through appropriate training and participation;
• An understanding of professional standards and ERISA and DOL requirements;
• Technical expertise with relevant specialized areas of accounting or auditing; and
• Knowledge of the EBP industry


Human Resources

The firm should establish policies and procedures designed to provide it with reasonable assurance that it has sufficient personnel with the capabilities, competence, and commitment to ethical principles necessary to:

• Perform its engagements in accordance with professional standards and regulatory and legal requirements, and

• Enable the firm to issue reports that are appropriate in the circumstances

Such policies and procedures should include recruitment and hiring, if applicable; determining capabilities and competencies; assigning personnel to engagements, if applicable; professional development; and performance evaluation, compensation and advancement.


Engagement Performance

The firm should establish policies and procedures designed to provide it with reasonable assurance that engagements are consistently performed in accordance with professional standards and regulatory and legal requirements, and that the firm or the engagement partner issues reports that are appropriate in the circumstances. Required policies and procedures should address:

• Engagement performance
• Supervision responsibilities and
• Review responsibilities

Establish firm policies and procedures that address EBP-specific engagement matters, such as considering the effect of non-compliance findings during the audit, using practice aids not only from the provider normally used, but those from DOL and AICPA EBPAQC, and considering the need to require engagement quality control reviews (EQCR).


Monitoring

The firm should establish policies and procedures designed to provide the firm and its engagement partners with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate, operating effectively, and complied with in practice. Such policies and procedures should:

• Include an ongoing consideration and evaluation of the firm’s system of quality control

• Assign responsibility for the monitoring process to a partner or partners or other persons with sufficient and appropriate experience and authority

• Assign performance of monitoring of the firm’s system of quality control to qualified individuals


Monitoring

The purpose of monitoring compliance with quality control policies and procedures is to provide an evaluation of:

• Adherence to professional standards and regulatory and legal requirements;

• Whether the quality control system has been appropriately designed and effectively implemented; and

• Whether the firm’s quality control policies and procedures have been operating effectively, so that reports that are issued by the firm are appropriate in the circumstances.

Monitor the firm’s compliance with established policies and procedures relating to its EBP audit practice to verify they are working as planned.


Quality Control – A Reviewer’s Perspective

• Team Captains should focus on the reviewed firm’s system of quality control and, as a result, avoid focusing on the engagements reviewed
• Reviewers should consider key elements (Tone at the top, Acceptance and Continuance, etc.) of the firm’s system of quality control in relation to their risk assessment
• Previous findings (if any) should be considered to determine whether repeat findings exist with the same systemic cause
• Conclusion and overall findings should be documented within the Summary Review Memorandum (SRM)


Initiatives and Resources to Improve Audit Quality

EBPAQC Tool – Performing Quality ERISA Employee Benefit Plan Audits: Firm Best Practices

• Quality Control Specific to Your Firm’s EBP Audit Practice
• Preparing Your Firm for the EBP Audit Season
• Training
• Educating Your Clients
• Engagement Planning
• Fieldwork
• Engagement Wrap Up and Report Preparation
• Post-Wrap Up and Issuance


EBP Case Study


EBP Case Study

In October 2015, you agreed to serve as the Team Captain for the June 30, 2015, system review of Newton, Manning & Co. (NMC). You were provided the following engagement information as part of planning the current peer review. The firm’s A&A summary is as follows:

Engagement Type          Hours   No. of Engagements
DC Plans                 240     4
Other SAS                490     4
Reviews                  530     8
Comps with Disclosures   50      2
Comps omit Disclosures   40      4

As part of your engagement selections, you select two of the four 401(k) audits. Both were performed by the same personnel and had similar procedures.


EBP Case Study Facts

During your review, you noted the following items (consider the bolded questions in the EBP Checklist in your assessments):

• SOC 1 reports were obtained for the Custodian/Recordkeeper. The firm had placed these reports in the respective audit files and initialed each to indicate they had been reviewed by the audit team. There is no other documentation in the workpapers regarding the impact of the SOC 1 report.

• Contribution testing consisted of agreeing deferrals per W-2’s to participant accounts on a sample basis, and the total deferrals per Form 5500 to the W-3, and a deposit per the schedule of contributions prepared by the Custodian to the payroll register.


EBP Case Study Facts (cont’d)

• Certain census data (dates of birth and dates of hire) were traced from the census summary to personnel records. The compliance testing summary (performed by the Custodian) was obtained, and a liability recorded for corrective ADP refunds. There were no other adverse results (e.g. top heavy status, etc.), and no further review noted.

• There was no evidence that income allocations to participants were considered

• Benefit payments, all of which were lump-sum distributions, were reviewed by examining check copies and participant requests on a sample basis


EBP Case Study Facts (cont’d)

• A risk assessment by assertion was not completed

• The firm states that the other two ERISA audits were performed in the same manner


EBP Case Study Questions

• Would any of the items noted result in an engagement not performed and/or reported on in conformity with applicable professional standards in all material respects?

• What further documentation would you expect to see with respect to the SOC1 reports of the Custodian and Recordkeeper?

• Should you issue any matters, findings, or deficiencies as a result of the items noted?


EBP Case Study Questions

In response to the non-conforming engagements, the firm stated that they would fix the issues noted in the subsequent year’s engagement.

• Is this response appropriate?
• If not, how should the review team respond?
• What are some example actions that would be appropriate for the firm to take?

What are some example quality control policies and procedures that the firm could implement to improve its performance on future ERISA engagements?


EBP Case Study Questions

Assume that no issues on EBP audits were found in the firm’s annual inspection and that in the past three years, the firm’s CPE included a total of 2 hours by Mr. Newton in the annual partner update webinar sponsored by the EBP Audit Quality Center in the years prior to the peer review. Also assume that you reviewed two other SAS engagements, 2 reviews, and 1 compilation which omitted disclosures, and only minor matters were observed. How might this impact the peer review findings and conclusions?


Example Workpaper Overview


Example Workpapers

• Planning and Risk Assessment
• Documentation of Review of AICPA Independence Requirements Where non-attest Services are Performed for an EBP Audit Client
• Documentation of Use of a Type 2 Service Auditor’s Report in an Audit of an Employee Benefit Plan’s Financial Statements
• Participant Account Testing


Debrief and Wrap-Up


AICPA Peer Review Conference Employee Benefit Plans

Conference Case

In October 2015, you agreed to serve as the Team Captain for the June 30, 2015, system review of Newton, Manning & Co. (NMC). You were provided the following engagement information as part of planning the current peer review. The firm’s A&A summary is as follows:

                                Hours   No. of Engagements
Defined Contribution Plans      240     4
Other SAS Engagements           490     4
Reviews                         530     8
Compilations with Disclosures   50      2
Compilations Omit Disclosures   40      4
Totals                          1,350   22

As part of your engagement selections, you select two of the four 401(k) audits. Both were performed by the same personnel and had similar procedures. During your review, you noted the following items (consider the bolded questions in the EBP Checklist in your assessments):

• SOC 1 reports were obtained for the Custodian/Recordkeeper. The firm had placed these reports in the respective audit files and initialed each to indicate they had been reviewed by the audit team. There is no other documentation in the workpapers regarding the impact of the SOC 1 report.

• Contribution testing consisted of agreeing deferrals per W-2’s to participant accounts on a sample basis, and the total deferrals per Form 5500 to the W-3, and a deposit per the schedule of contributions prepared by the Custodian to the payroll register.

• Certain census data (dates of birth and dates of hire) were traced from the census summary to personnel records. The compliance testing summary (performed by the Custodian) was obtained, and a liability recorded for corrective ADP refunds. There were no other adverse results (e.g. top heavy status, etc.), and no further review noted.

• There was no evidence that income allocations to participants were considered.

• Benefit payments, all of which were lump-sum distributions, were reviewed by examining check copies and participant requests on a sample basis.

• The firm did not complete a risk assessment by assertion for either engagement.

• The firm states that the items noted above would also be found on the other two 401(k) audits that were performed.


1. Would any of the items noted result in an engagement not performed and/or reported on in conformity with applicable professional standards in all material respects?

2. What further documentation would you expect to see with respect to the SOC1 reports of the Custodian and Recordkeeper?

3. Should you issue any matters, findings, or deficiencies as a result of the items noted?

4. In response to the non-conforming engagements, the firm stated that they would fix the issues noted in the subsequent year’s engagements. Is this response appropriate? If not, how should the review team respond? What are some example actions that would be appropriate for the firm to take?


5. What are some example quality control policies and procedures that the firm could implement to improve its performance on future ERISA engagements?


About the Employee Benefit Plan Working Paper Examples

This document provides example working papers for audits of employee benefit plans. It has been issued by the Practice Monitoring Task Force for Employee Benefit Plans (PMTF-EBP) of the AICPA and is intended to provide practitioners and peer reviewers with nonauthoritative practical guidance. The examples contained herein have been taken from (a) actual working papers of audits of employee benefit plans that have been edited to protect confidentiality; (b) examples developed by the PMTF-EBP; (c) examples developed by the Employee Benefit Plan Audit Quality Center and (d) the AICPA Audit & Accounting Guide - Employee Benefit Plans (January 1, 2015 edition).

The names used in the examples are fictitious. Any resemblance or similarities to real companies or individuals are entirely coincidental and beyond the intent of AICPA staff or the PMTF-EBP.

These working paper examples are intended as guidance only and should be tailored to the specific circumstances of each engagement. Additionally, these examples are one way of performing and documenting work performed and are not intended to be all inclusive or used verbatim. This is not a substitute for the authoritative pronouncements. Users of these example working papers are urged to refer directly to applicable authoritative pronouncements.


Illustrative Document

Agenda for Employee Benefit Plan Audit Planning Meeting

To be held on month YY, 20XX, address for meeting location

Participants
• list client participants (e.g., HR/Benefits, Payroll, Finance, Member representing those charged with governance)
• list ABC participants (e.g., engagement manager, in-charge)

ABC Objective (name of plan) audit planning

1 Introductions

2 ABC’s audit approach for employee benefit plans

• Financial statement audit (plan level) vs. compliance audit (participant level).
• Risk-based approach, which complies with U.S. generally accepted auditing standards.
• Utilizes purchased audit programs and forms from ___________.
• Emphasis on documentation of controls through discussion, observation and review.
• Reliance on SSAE 16 Reports from service providers and documentation of sponsor “user controls” listed in the SSAE 16 reports.
• Substantive audit procedures in key risk areas (e.g. contributions, distributions, loans, investments - full scope only).
• Perform walkthroughs of the contribution, distribution, loan and investment cycles and test of operating effectiveness of key user controls identified in the SSAE 16 Reports.

3 Events in the Environment

• DOL regulations regarding timeliness of contributions
• Credit crisis
• Going concern and liquidity
• Fraudulent transactions
• Downsizing and layoffs
• Changes in personnel

4 Current Year Plan Events

• AU-C 260 and 265
• Adoption of ASU 820
• Other new pronouncements
• Review results of current year plan events on audit (i.e., changes in service providers, changes in internal systems, changes in management of the Plan, Plan mergers (in/out), Plan termination, partial Plan termination, material Plan amendments, prohibited transactions, litigation, claims, and assessments, material subsequent events)

5 Administrative Matters

• Fee clearance (who approves fees).
• Timing of billings and payment.
• Engagement letter signers (who for sponsor and who for plan).
• Representation letter signers (who for sponsor and who for plan).
• Timely filing of Form 5558 extension, if indicated

6 Typical Audit Work Flow

Preliminary Fieldwork
• Evaluation of SSAE 16 Reports
• Evaluation of management’s response to “user controls” and SSAE 16 exceptions
• Process and control interviews, tests of design and implementation.
• Test of operating effectiveness of key user controls identified in the SSAE 16 Reports.
• Sample selection for substantive procedures (test of details).

Client preparation
• Prepared by client (PBC) schedules and financial statement/footnote/supplemental schedule preparation.
• Gathering audit support.

Final Fieldwork
• Complete controls testing and substantive testing.
• Issue resolution.
• ABC internal reviews (senior, manager, Washington National Tax, partner, concurring partner).
• Comments on financial statements.
• Execute management representation letter.
• AU-C 260 communications.
• AU-C 265 communications, as applicable
• ABC review of Form 5500.
• Issue the report with DOL language for limited scope.
• Client files the Form 5500.

7 Client expectations and concerns


ABC 401(k) Plan
Fraud/Error Risk Memo
December 31, 2014

An engagement planning meeting was held by the engagement team on 6/28/2015, and was attended by Joe Smith, Frank Jones and Betty Adams.

Required Discussion Topics:

• Critical issues and areas of significant audit risk.

• Areas susceptible to plan management override of controls.

• Unusual accounting practices used by the client.

• Application of GAAP to the plan’s facts and circumstances in light of its accounting policies.

• Important control systems.

• Significant IT applications and how the use of IT may affect the audit.

• Materiality levels and how materiality will be used to determine the extent of testing.

• The need to exercise professional skepticism throughout the engagement, be alert for information or other conditions that indicate that a material misstatement due to fraud or error may have occurred, and to be rigorous in following up on such indications.

• How and where the plan’s financial statements (for example, which accounts or transaction classes) might be susceptible to material misstatement due to fraud.

• For areas susceptible to material misstatement due to fraud, the methods management might use to conceal the fraud.

• Circumstances that might indicate managing or manipulating financial measures.

• Practices that plan management might use to manage financial measures that could lead to fraudulent financial reporting.

• How the plan’s assets could be misappropriated.

• External and internal factors that might create incentives/pressures, provide opportunities, or enable rationalization of fraud.

• How the engagement team might respond to the susceptibility of the plan’s financial statements to material misstatement due to fraud.

• Known related-party and party-in-interest relationships and transactions, the possibility of unidentified related parties and parties in interest and how those might be identified, and the susceptibility of the plan to prohibited transactions and of the financial statements to material misstatement due to fraud or error that could result from such relationships and transactions, including how those parties could be used to perpetrate fraud.

This meeting was a supplement to the initial fraud discussions held by the pension group and summarized below.

See the Risk Assessment Summary Form for overall financial statement risks identified as well as significant risks and fraud risks identified specific to the Plan and our planned audit response.

We discussed possible pension plan fraud and error risks as a group during the annual pension group meeting held on June 6, 2015. In attendance was the Pension Group (those that work on pension engagements). During the team meeting no additional significant risks or fraud risks were noted.

Fraud/Error Risks Noted:

1. Risk: Misappropriation of assets. Employee contributions are not being properly or timely remitted to trust.

Control/procedure: Reconcile employee contributions per payroll register with employee contributions per trust report. Test timeliness of remittances.

2. Risk: Fictitious employees or inclusion of ineligible employees in the Plan.

Control/procedure: Review internal controls surrounding the enrollment process. Select a sample from the Census of participating and non-participating employees and agree to employment records.

3. Risk: Inaccurate calculation of employee or employer contributions.

Control/procedure: Review internal controls surrounding the contribution process. Select a sample of participants and determine that contributions were calculated in accordance with the participant’s election and the Plan document.

4. Risk: Hardship withdrawals are not made in accordance with the Plan document.

Control/procedure: Review internal controls surrounding the hardship withdrawal process. Select a sample of hardship withdrawals and review documentation that supports the hardship. Also determine that the participant has taken the maximum allowable loan(s) prior to requesting the hardship withdrawal and that salary deferral contributions have ceased, if applicable.

5. Risk: Improper or incorrect allocation of contributions to participant accounts.

Control/procedure: Review internal controls surrounding the contribution process. Select a sample of participants and determine that contributions were properly allocated to the proper participant’s account.

6. Risk: Inaccurate or improper distribution payment.

Control/procedure: Review internal controls surrounding the distribution process. Select a sample of distributions and determine that distributions were properly calculated in accordance with the participant’s request and the Plan document and that the distribution was made to an eligible participant.

7. Risk: Non-allowable administrative expenses are being charged to the Plan.

Control/procedure: Review administrative expenses, agree to contract and determine that expenses are allowable under the Plan document.

8. Risk: Forfeitures are not being properly calculated or used.

Control/procedure: Recalculate forfeitures in conjunction with distribution testing. Determine that forfeitures are being used in accordance with the Plan document.

9. Risk: Participant loans are not in accordance with the Plan document.

Control/procedure: Review internal controls surrounding the loan process. Select a sample of loans and determine that loans were made in accordance with Plan document. Determine that interest rates are reasonable, loan payments are properly made in accordance with the amortization schedule and loans in default are properly deemed.

10. Risk: Improper valuation of Level 3, or hard to value, assets in the Plan.

Control/procedure: Obtain and review Plan management’s method of valuation for reasonableness.

11. Risk: Uncashed distribution checks are not properly reported.

Control/procedure: Obtain a listing of uncashed checks, review Plan management’s process surrounding uncashed checks and determine that amounts, if any, are properly included in Plan assets.

12. Risk: Certification is not issued by a qualified financial institution and/or investment valuation is not as of the plan’s year end.

Control/procedure: Obtain and review Plan management’s method of determining that the financial institution is qualified to issue a certification and that valuation is as of the plan’s year end.

ABC 401(k) Plan Internal Control Memo‐Key Controls and Walkthrough December 31, 2014   Eligibility/Enrollment  

Eligibility is defined in the Plan document. 

Employees are eligible  to participate  in  the plan upon hire as  the plan has automatic enrollment.  If an employee elects not to contribute to the Plan, the employee must log in to the website and change the defaulted contribution amount of 3% to 0%.  

Thereafter, each January, participants with a deferral rate of less than 10% will have their deferral rate automatically increased by 1% each year until they reach 10%. In addition, employees currently not participating (i.e., 0% deferral rate) are automatically enrolled in the Plan at a 3% pre‐tax deferral rate).  Employees are sent an e‐mail by HR with this information which includes instruction of how to opt out. 

Newly eligible employees are given the information on the retirement plan upon hire by Sally Jones of HR.  (1) 

New hire data  is uploaded  into the Best Retirement Plan Services PSW system (address, date of birth, date of hire, Social Security Number).  Best Retirement Plan Services then sends the eligible employees an Enrollment letter.  The new  hire’s  initial  enrollment  is  accomplished with  Best  Retirement  Plan  Services  by  being  entered  online  or  via phone.(2) 

Once  the  initial  enrollment  is made,  any  change  in deferral percentage or  investment  allocation  is made directly through Best Retirement Plan  Services by  the participant  via Best Retirement Plan  Services website or  via phone (800#). Participants receive a confirmation of any changes made electronically or directly with third‐party.  (3) 

Employees are encourage to review transactions initiated electronically. 

Payroll enters the information into the payroll system when a report is received from Best Retirement Plan Services indicating the deferral percentage elected by the participant.   

The employee designates a beneficiary online.  Walkthrough XYZ CPA performed the following: (1)  Observed  that  new  hire  package  was  provided  by  Sally  Jones  and  reviewed  new  hire  package  noting  that 

information on the retirement plan was included. (2) & (3) Reviewed SSAE 16 report noting controls over enrollment were tested and operating effectively. 

 Contributions Employee  contributions  are based on  the  employee’s  election.    See  Enrollment  above. Maximum  limits  for  Employer matching contributions are made based on the formula specified in Plan document. (1)  

Walkthrough XYZ CPA performed the following: (1) Reviewed Plan document noting that matching formula is specified. 

  Payroll  

Payroll is biweekly. 

The Company uses the Payroll Company system to processes the payroll.  

Access to the payroll terminal is restricted and password protected.  (1) 

Once Payroll Company has processed payroll, a 401k report is uploaded by Payroll Company; funding totals are reconciled by the Company to the payroll register, and then electronically sent to Best Retirement Plan Services. (2)

Best Retirement Plan Services confirms the file upload to their files and emails accounting (whether the file transfer is ready for funding or whether there are any errors to resolve). Once resolved, accounting is notified that it is ready for funding and they approve the funding, at which point an ACH Pull request is initiated by Best Retirement Plan Services. This request initiates a wire transfer from the Company’s main checking account directly into the Invest in You Future Bank trust account. (3)

  Walkthrough XYZ CPA performed the following: 

(1)  Inquired of payroll manager and payroll assistant who both indicated that only they have access to payroll.  We also observed the payroll manager logging in to payroll terminal with her password. 

(2) For the pay period ended 6/15/2014, reviewed reconciliation of funding totals noting no exceptions.

(3) For the pay period of 6/15/14, reviewed confirmation and e‐mail of funding totals to Company and approval of funding noting no exceptions.

Distributions

A participant must be coded as “terminated” or “retired” for him/her to request a distribution, unless it is a hardship or in‐service withdrawal.  A termination date must be entered into the H.R. system.  

Once Best Retirement Plan Services has termination information, the participant (former employee) submits her/his distribution request either via phone or the participant website. (1)

The participant will receive a “live” check along with a Distribution Statement.   In January of the year following the distribution, Best Retirement Plan Services issues a Form 1099R, which provides tax information on the distribution. (1) & (2) 

Hardship documentation  is sent to and reviewed by Best Retirement Plan Services based on Plan guidelines.   Note that  the Plan document does  stipulate  that deferrals must be  suspended  for 6 months  subsequent  to a hardship withdrawal.(1) & (2) 

All distribution checks are forwarded to the participant directly. Alternatively, funds may be distributed via Electronic Fund Transfer if so directed by the participant.

Walkthrough XYZ CPA performed the following:

(1) Reviewed SSAE 16 report noting controls over distributions were tested and operating effectively.

(2) Walkthrough done in conjunction with substantive procedures at W/P 54‐02. We reviewed check copies, wire transfers, 1099Rs and hardship requests and supporting documentation, noting no exceptions.

  Loans  

A participant can request a loan on‐line or via phone. 

Best Retirement Plan Services approves the loan based on plan provisions, ERISA and tax requirements (1).  

Best Retirement Plan Services sends the check and a copy of the  loan documents  including a copy of amortization schedule directly to the participant (2). 

Once the check is cashed, it is considered the consent to the agreement. (3) 

Best Retirement Plan Services sends Payroll a report with loan details, which are then entered into the payroll system for payroll deductions to begin the next pay period.   

Best Retirement Plan Services sends plan management a delinquent loan report monthly which is reviewed by plan management. Deemed loans must be requested and approved by plan management. (4)

Walkthrough XYZ CPA performed the following:

(1) We also reviewed the loan policy and the plan sponsor’s agreement with Best Retirement Plan Services noting that the plan sponsor authorized Best Retirement Plan Services to approve loans in accordance with the Plan’s loan policy.

(2) Reviewed SSAE 16 report noting controls over loans were tested and operating effectively.

(3) Walkthrough done in conjunction with substantive procedures at W/P 55‐02. We reviewed check copies, noting no exceptions.

(4) Per inquiry of the HR manager, delinquent loans are reviewed monthly. For terminated employees, attempts are made to have the participant pay off the loan. If loan is not paid off, the HR manager authorizes the loan to be deemed distributed after 90 days delinquent. We reviewed the 12/31/14 delinquent loan and deemed loan reports and noted that it appears loans were deemed after a 90 day delinquency.

  Rollovers  

A terminated participant can request a rollover contribution by completing a form and sending it to Best Retirement Services.(1) & (2) 

The terminated participant sends the form and check to Best Retirement Services, who then processes the rollover. (1) & (2)   

Walkthrough XYZ CPA performed the following:

(1) Reviewed SSAE 16 report noting controls over rollovers were tested and operating effectively.

(2) Walkthrough done in conjunction with substantive procedures at W/P 93‐03. We reviewed check copies, wire transfers and rollover forms, noting no exceptions.

  Investments   

Investment options are selected by the Administrative Committee in accordance with the investment policy (1). 

Investments are valued by the trustee and contributions are allocated by the recordkeeper  in accordance with the participant elections made on‐line or via phone. (2) 

Walkthrough XYZ CPA performed the following:

(1) Reviewed minutes for March 31, 2014 and noted that investment performance was reviewed. We also reviewed investment policy. See PF

(2) Reviewed SSAE 16 report noting controls over investment allocations, participant accounts and financial reporting were tested and operating effectively.

  Operating Expenses 

 

Operating Expenses are paid by the Company.

Financial Reporting

Financial statements are prepared based on the plan document, certified trustee reports and payroll information. The only adjustment to the certified statements is the accrual for employee and employer contributions receivable. (1)

Total of participant account balances are reconciled to trust report. (2)

HR manager and CFO review Form 5500 and the financial statements.

Walkthrough XYZ CPA performed the following:

(1) Reviewed the certified statements and the payroll reconciliation provided by client noting the EE and ER receivable amounts.

(2) Reviewed SSAE 16 report noting controls operating effectively over reconciliation of trust assets and participant accounts.

(3) Based on prior years’ experience, financial statement drafts are reviewed and approved by HR manager and CFO.

Documentation of Review of AICPA Independence Requirements Where Non-attest Services Are Performed for an Employee Benefit Plan Audit Client

PLAN NAME: CLIENT NUMBER:

PLAN YEAR END:

Note:

This non-authoritative tool was developed jointly by the Employee Benefit Plan Audit Quality Center and AICPA Professional Ethics. It is intended to assist CPAs performing nonattest services for employee benefit plan audit clients in documenting their assessment of whether the nonattest services impair their independence, whether they have performed any “prohibited” nonattest services, and whether their understanding with the client has been established and documented in writing. It is designed to help the member determine that the requirements of the interpretations of the “Nonattest Services” subtopic [1.295] have been met during the period of the professional engagement or the period covered by the financial statements to ensure their independence has not been impaired. For purposes of this document, the terms “client” and “plan” refer to the plan audit client.

IMPORTANT NOTICE This tool only addresses the auditor’s considerations with respect to the AICPA’s ethics rules regarding nonattest services; it does not contemplate the DOL’s independence rules and does not apply to audits of 11-K filers subject to the PCAOB’s and SEC’s independence rules or governmental (non-ERISA) plans subject to GAO independence rules, but may be modified by the firm to address those requirements. See the AICPA’s DOL and AICPA Independence Rule Comparison and AICPA and SEC Independence Rule Comparison, which compare the more common AICPA and DOL and AICPA and SEC independence rules, respectively, that affect auditors of employee benefit plans, and provide a discussion of the differences. 

Background The AICPA recently revised its Ethics rules to state that financial statement preparation and cash-to-accrual conversions performed by the member for a client should be considered nonattest services and subject to the requirements of the interpretations of the “Nonattest Services” subtopic [1.295]. Prior to this revision, the Professional Ethics Division took the nonauthoritative position in its Frequently Asked Questions Performance of Nonattest Services document that if such services were performed as part of an audit, the services would be considered part of the normal audit process and not subject to the interpretations' requirements, provided the records given the member were substantially complete and current. However, if a member had to perform a service to bring those books and records current or complete (such as compiling the subsidiary information), the service would be considered outside the scope of the attest engagement and, therefore, a nonattest service subject to the interpretations’ requirements. Such services now should be considered nonattest services, regardless of whether the services are performed as part of an audit. Members still are permitted to assist plan clients with financial statement preparation, but must make certain the requirements outlined in the interpretations of the “Nonattest Services” subtopic [1.295], are followed. These requirements include such items as:

1. “General Requirements for Performing Nonattest Services” interpretation [1.295.040] which calls for the following safeguards to be met:

a. Before performing nonattest services, the member should determine that the client has agreed to:

i. assume all management responsibilities as described in the “Management Responsibilities” interpretation [1.295.030]

ii. oversee the service, by designating an individual, preferably within senior management, who possesses suitable skill, knowledge, and/or experience. The member should assess and be satisfied that such individual understands the services to be performed sufficiently to oversee them. However, the individual is not required to possess the expertise to perform or re-perform the services.

iii. evaluate the adequacy and results of the services performed.

iv. accept responsibility for the results of the services.

b. The member does not assume management responsibilities (See the “Management Responsibilities” interpretation [1.295.030] of the “Independence Rule”) when providing nonattest services and the member is satisfied that the client and its management will

i. be able to meet all of the criteria delineated in item a;

ii. make an informed judgment on the results of the member’s nonattest services; and

iii. accept responsibility for making the significant judgments and decisions that are the proper responsibility of management

If the client is unable or unwilling to assume these responsibilities (for example, the client cannot oversee the nonattest services provided or is unwilling to carry out such responsibilities due to lack of time or desire), the member’s performance of nonattest services would impair independence.

c. Before performing nonattest services the member establishes and documents in writing his or her understanding with the client (board of directors, audit committee, or management, as appropriate in the circumstances) regarding

i. objectives of the engagement,

ii. services to be performed,

iii. client’s acceptance of its responsibilities,

iv. member’s responsibilities, and

v. any limitations of the engagement

2. “Cumulative Effect on Independence When Providing Nonattest Services” [1.295.020]

The above safeguards and the “Documentation Requirements When Providing Nonattest Services” interpretation [1.295.050] of the “Independence Rule” [1.200.001] do not apply to communications that are a normal part of the audit and certain routine activities performed by the member, such as providing advice and responding to the client’s questions as part of the client-member relationship. However, in providing such services, the member must not assume management responsibilities, as described in the “Management Responsibilities” interpretation [1.295.030] of the “Independence Rule.” Plan auditors also must take into consideration affiliates of the employee benefit plan when determining whether they are independent with respect to the plan. The “Client Affiliates” interpretation [1.224.010] under the “Independence Rule” provides guidance on which entities should be considered affiliates of the plan and, therefore, subject to the same independence provisions of the AICPA Code of Professional Conduct applicable to the plan. The AICPA’s Frequently Asked Questions: Application of the Independence Rules to Affiliates of Employee Benefit Plans, was prepared to help members better understand how the definitions and guidance provided in the “Client Affiliates” interpretation apply to affiliates of employee benefit plans. This tool is not intended to be used as an audit program or to provide authoritative guidance and should be tailored to the firm’s employee benefit plan audit practice and the circumstances of the individual nonattest services.

Section I – Nonattest Services Performed

What types of nonattest services will be performed for this employee benefit plan audit client? (Check all that apply):

Preparation of plan financial statements

Proposing journal entries affecting the financial statements

Preparation of cash-to-accrual entries

Preparation of reconciliations (e.g., trust statements to payroll and/or recordkeeper statements)

Preparation of Form 5500 or other tax returns, such as IRS Form 990

Valuation and disclosure of investments, including methodology and leveling

Preparation of actuarial valuations

Other: ___________________________________________________________________________________________

What types of nonattest services will be performed for affiliates of the employee benefit plan audit client (e.g., plan sponsor):

Executive or employee search services

IT systems services

Internal audit services

Expert witness services

Other: ___________________________________________________________________________________________

Certain nonattest services are considered “prohibited” because they impair a member’s independence with respect to the plan. In general, prohibited nonattest services are any services where threats (e.g., management participation, self-review or advocacy) are so significant that no safeguards can reduce the threats to an acceptable level. One such example is when an auditor assumes management responsibilities (refer to the “Management Responsibilities” interpretation [1.295.030] of the “Independence Rule” for more information). Examples of activities that would be considered management responsibilities and, as such, impair independence if performed for a plan include:

setting policy or strategic direction for the client.

directing or accepting responsibility for actions of the client’s employees except to the extent permitted when using internal auditors to provide assistance for services performed under auditing or attestation standards.

authorizing, executing, or consummating transactions or otherwise exercising authority on behalf of a client or having the authority to do so.

preparing source documents, in electronic or other form, that evidence the occurrence of a transaction.

having custody of a client’s assets.

deciding which recommendations of the member or other third parties to implement or prioritize.

reporting to those charged with governance on behalf of management.

serving as a client’s stock transfer or escrow agent, registrar, general counsel or equivalent.

accepting responsibility for the management of a client’s project.

accepting responsibility for the preparation and fair presentation of the client’s financial statements in accordance with the applicable financial reporting framework.

accepting responsibility for designing, implementing, or maintaining internal control.

performing ongoing evaluations of the client’s internal control as part of its monitoring activities.

In addition to the examples of management responsibilities identified above, the interpretations under the Nonattest Services Subtopic include examples of nonattest services that impair independence as well as examples of nonattest services that do not impair independence when the “General Requirements for Performing Nonattest Services” interpretation [1.295.040] are met. These examples can be found in the following interpretations:

Advisory Services [1.295.105]

Appraisal, Valuation and Actuarial Services [1.295.110]

Benefit Plan Administration [1.295.115]

Bookkeeping, Payroll, and Other Disbursements [1.295.120]

Business Risk Consulting [1.295.125]

Corporate Finance Consulting [1.295.130]

Executive or Employee Recruiting [1.295.135]

Forensic Accounting [1.295.140]

Information Systems Design, Implementation, or Integration [1.295.145]

Internal Audit [1.295.150]

Investment Advisory or Management [1.295.155]

Tax Services [1.295.160]

Will any nonattest services performed result in the firm performing nonattest services that impair independence?

Yes STOP - independence is impaired. We cannot perform the audit.

No

Section II – General Requirements for Performing Nonattest Services

The “General Requirements for Performing Nonattest Services” interpretation [1.295.040] outlines certain safeguards to be implemented for independence to be maintained. To avoid assuming management responsibilities when providing nonattest services to the client, the member should be satisfied that management will be able to meet all the criteria outlined in the general requirements, make an informed judgment on the results of the member's nonattest services, and be responsible for making the significant judgments and decisions that are the proper responsibility of management.

Before performing the nonattest service, has the client agreed to:

Assume all management responsibilities?

Yes

No STOP - independence is impaired. We cannot perform the audit.

Oversee the service by designating an individual who possesses suitable skill, knowledge, and/or experience?

Yes

No STOP - independence is impaired. We cannot perform the audit.

Evaluate the adequacy and results of the services performed?

Yes

No STOP - independence is impaired. We cannot perform the audit.

Accept responsibility for the results of the services?

Yes

No STOP - independence is impaired. We cannot perform the audit.

(Name of client individual(s) accepting responsibility):__________________________________________________________________________________________

The auditor should assess and be satisfied that the client individual(s) designated to oversee the nonattest service(s) possesses suitable skill, knowledge, and/or experience and that such individual understands the services to be performed sufficiently to oversee them. For example, the auditor may consider credentials/degrees, years in his or her position, CPE, prior experience observing the individual's ability to review and approve services, etc. The AICPA’s Frequently Asked Questions: Performance of Nonattest Services, provides information to assist members in assessing whether the client has suitable skills, knowledge, and/or experience to oversee a nonattest service. (NOTE: The individual is not required to possess the expertise to perform or reperform the services, but only to oversee them. If a client needs assistance in understanding the nature of the entries and their effect on the financial statements, the auditor may explain the accounting principles giving rise to the adjustments, as well as the effect of the adjustments on the financial statements.) Based on my assessment, will the individual(s) be able to meet all the criteria, make an informed judgment on the results of the member's nonattest services, and be responsible for making the significant judgments and decisions that are the proper responsibility of management so that they can accept responsibility for the nonattest services performed?

Yes

No STOP - independence is impaired. We cannot perform the audit.

Section III – Establishing and Documenting Understanding with the Client

Failure to prepare the required documentation does not impair independence provided that the member did establish the understanding with the client. However, it would be a violation of the Compliance With Standards Rule [1.310.001]. Before performing nonattest services, have we established and documented in writing our understanding with the client regarding the following:

Check if Completed | Understanding to be Established/Documented | Work paper reference

Objectives of the engagement?

Services to be performed?

Client's acceptance of his or her responsibilities?

Our responsibilities?

Any limitations of the engagement?

Section IV - Cumulative Effect on Independence When Providing Nonattest Services

The “Cumulative Effect on Independence When Providing Nonattest Services” interpretation [1.295.020]** explains that although certain nonattest services individually would not impair independence because the safeguards contained in the “General Requirements for Performing Nonattest Services” interpretation [1.295.040] reduce the self-review and management participation threats to an acceptable level, performing multiple nonattest services can increase the significance of these threats as well as other threats to independence. The interpretation goes on to explain that before agreeing to perform nonattest services, the member should evaluate whether the performance of multiple nonattest services in the aggregate creates a significant threat to the member’s independence that cannot be reduced to an acceptable level by the application of the safeguards in the “General Requirements for Performing Nonattest Services” interpretation [1.295.040]. In situations in which a member determines that threats are not at an acceptable level, safeguards in addition to those in the “General Requirements for Performing Nonattest Services” interpretation [1.295.040] should be applied to eliminate the threats or reduce them to an acceptable level. If no safeguards exist that will eliminate or reduce the threats to an acceptable level, independence would be impaired. Based on the nature and number of nonattest services performed (refer to “Section I – Nonattest Services Performed”), does a significant threat to independence exist that cannot be reduced to an acceptable level by applying the safeguards from the “General Requirements for Performing Nonattest Services” interpretation?

Yes - Complete Section V below

No – Skip to Section VI

**The member is not required to consider the possible threats to independence created due to the provision of nonattest services by other network firms within the firm’s network.

Section V - Evaluation of Safeguards That Reduce Self-Review and Management Participation Threats to an Acceptable Level

AICPA's ethics rules discuss safeguards that reduce the self-review and management participation threats to an acceptable level. Before agreeing to perform nonattest services, the member should evaluate whether the performance of nonattest services (individually or in the aggregate) creates a significant threat to the member’s independence that cannot be reduced to an acceptable level by the application of safeguards.

There are three broad categories of safeguards. The relative importance of a safeguard depends on its appropriateness in light of the facts and circumstances. The AICPA has identified example safeguards in each of the three broad categories, which can be accessed by clicking on the following links:

1. Safeguards created by the profession, legislation, or regulation

2. Safeguards implemented by the attest client

3. Safeguards implemented by the firm, including policies and procedures to implement professional and regulatory requirements

Use the box below to document the safeguards that will be applied to eliminate or reduce the identified threats to an acceptable level:

Do the safeguards documented above adequately eliminate or reduce the identified threats to an acceptable level?

Yes

No STOP - independence is impaired. We cannot perform the audit.

Section VI – Conclusion

We have evaluated the nonattest services to be provided to the plan, both individually and in the aggregate. We have determined that none of the nonattest services impair our independence, as described in the interpretations under the Nonattest Services subtopic [1.295] of the “Independence Rule” [1.200.001]. We evaluated and documented all significant threats and applied safeguards to eliminate or reduce any significant threats to an acceptable level. We have also evaluated the skills, knowledge and experience of the individual(s) designated by the plan to oversee the nonattest service(s) and determined that they are suitable in the circumstances. These evaluations are documented herein. Based on the foregoing, we have determined that threats to independence are at an acceptable level or safeguards are in place to eliminate threats or reduce them to an acceptable level and, as such, we can provide the nonattest services described herein and remain independent with respect to the employee benefit plan.

Include any additional comments.

Prepared by: Date:

Reviewed by: Date:

Section VII – Other

Auditors may use this section to document independence considerations related to nonattest services other than those related to the requirements of the interpretations of the AICPA’s “Nonattest Services” subtopic [1.295], such as considerations related to the DOL’s independence rules or the SEC’s independence rules as they relate to nonattest services:

Documentation of Use of a Type 2 Service Auditor’s Report in an Audit of an Employee Benefit Plan’s Financial Statements

PLAN NAME: CLIENT NUMBER:

PLAN YEAR END: SCOPE OF PLAN AUDIT: LIMITED FULL

Note:

This non-authoritative tool is intended to assist CPAs auditing the financial statements of employee benefit plans that use one or more service organizations (user auditors). It is designed to assist user auditors in documenting their procedures and findings related to controls at a service organization that are likely to be relevant to the employee benefit plan’s internal control over financial reporting. It focuses on the user auditor’s use of a “report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls” (a type 2 report). Both a type 1 report and a type 2 report provide a user auditor with information about the design and implementation of controls at a service organization that are likely to be relevant to user entities’ internal control over financial reporting. Such information is intended to provide the user auditor with a basis for identifying and assessing the risks of material misstatement in the employee benefit plan’s financial statements related to the services provided by the service organization. A type 2 report also includes a description of the service auditor’s tests of the operating effectiveness of controls and the results of those tests. That information should enable the user auditor to determine whether he or she can rely on the operating effectiveness of the controls that were tested for the purpose of determining the nature, timing and extent of substantive procedures on related account balances, classes of transactions, and disclosures in the employee benefit plan’s financial statements.

The AICPA has introduced a series of three Service Organization Control (SOC) reports. Service auditors’ reports that address controls at a service organization relevant to user entities’ internal control over financial reporting are referred to as SOC 1 reports; for example, a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls is referred to as a type 2 SOC 1 report. SOC 1 engagements are performed under SSAE No. 16, Reporting on Controls at a Service Organization, and the related reports are referred to as SOC 1 reports.

This tool is not intended to be used as an audit program or to provide authoritative guidance and should be tailored to the user auditor firm’s employee benefit plan audit practice and the circumstances of the individual plan audit. Certain sections of this tool may be completed by the user auditor firm’s reviewer (if applicable) to document the use of a type 2 SOC 1 report in an audit of an employee benefit plan’s financial statements while other sections may be prepared by the engagement team to document procedures performed to evaluate controls at a service organization. For purposes of this tool, the plan auditor is the user auditor.

Section I – Type 2 SOC 1 Report General Information

NAME OF SERVICE ORGANIZATION

NAME OF SERVICE AUDITOR

SERVICES PROVIDED BY THE SERVICE ORGANIZATION

LOCATIONS COVERED (IF APPLICABLE)

PERIOD COVERED BY THE TYPE 2 SOC 1 REPORT

Section II – Service Auditor’s Opinion

What type of opinion did the service auditor express in the type 2 SOC 1 report?

Unqualified

Qualified

If qualified, document the nature of the qualification(s), and any potential effect it may have on the risk of a material misstatement in the employee benefit plan’s financial statements in the box provided below. Note: A qualification may affect a single control objective (e.g., controls related to enrollment) or may affect several control objectives (e.g., IT general controls over logical access.)

Section III – Period Covered by the Type 2 SOC 1 Report

Does the type 2 SOC 1 report cover the period covered by the plan’s financial statements that are being audited?

Yes (skip to Section IV)

No

If the type 2 SOC 1 report does not cover a significant portion of the period covered by the plan’s financial statements, was evidence about the operating effectiveness of controls obtained for the period that is not covered by the type 2 SOC 1 report by performing additional procedures?

Examples of procedures that may be performed include:

• Making inquiries of the service organization about any major changes in the controls or processes, any noted issues, or any changes in programs or software at the service organization since the period covered by the service type 2 SOC 1 report.


(Note: Some service organizations provide a “bridge letter” that addresses the period from the date of the service auditor’s report through the most recent calendar year end.)

Name of service organization representative contacted:

Telephone number:

Date contacted:

Contacted by:

Results:

• Reviewing documentation and correspondence issued by the service organization to management regarding changes to the programs, software, or controls or any noted issues.

• Obtaining additional audit evidence regarding the operating effectiveness of controls at the service organization for the portion of the period that is not covered by the type 2 SOC 1 report. If the plan auditor believes it is necessary, he or she may request that the user organization (plan) contact the service organization to request that the service auditor perform agreed-upon procedures at the service organization or the plan auditor may perform such procedures.

Conclusion:

Document the plan auditor’s conclusion and any procedures performed, as applicable and include any supporting documentation.

Section IV – Service Auditor’s Professional Reputation

If the plan auditor is unfamiliar with or has no experience with the service auditor that issued the type 2 SOC 1 report, the plan auditor should perform procedures concerning the service auditor’s professional reputation. Examples of procedures could include reviewing on-line sources of such information such as the Public Company Accounting Oversight Board’s (PCAOB) website, which includes registration listings and inspection reports; the AICPA’s website from which peer review reports and peer review acceptance letters can be accessed; and the website of the applicable state accountancy board. If no information can be found, document that fact, and determine the effect on the audit.

Was the service auditor’s report prepared by a CPA firm with whom the plan auditor is familiar?

Yes (skip to Section V)

No

Document procedures performed and include any supporting documentation.


Section V – Use of Subservice Organizations / Carve-Outs

Did the service organization outsource any functions relevant to the plan’s internal control over financial reporting to another service organization (a subservice organization), and was the subservice organization carved out of the type 2 SOC 1 report?

Yes

No (skip to Section VI)

If yes, in the table below, list the names of the subservice organizations and the functions performed by the subservice organizations identified in the service auditor’s type 2 SOC 1 report (and also in the description of the service organization’s systems). (If the service auditor’s report uses the carve-out method, the functions performed by the service organizations will be provided but the names of the subservice organizations may not be provided.) If the functions performed by the subservice organization are significant and relevant to the plan’s internal control over financial reporting, the plan auditor may consider obtaining additional information about the subservice organization’s controls. Such information may be available from user manuals, system overviews, technical manuals, the contract between the plan and the service organization, and reports on the subservice organization’s controls, prepared by other service auditors, internal auditors, or a regulatory authority.

Complete column 3 to document or reference work performed to address the carved-out subservice organization(s). If the controls and functions performed by the subservice organization are not deemed relevant or significant to the plan’s internal control over financial reporting, indicate N/A.

Name of Subservice Organization | Functions Performed | Work performed to address Carved-out Subservice Organization


Section VI – Identification of Control Objectives and Deviations Noted

In this section, the plan auditor will begin to note the control objectives to determine what is present and what is not, and any noted deviations identified in the results of tests of controls that may affect the nature, timing and extent of audit procedures in an employee benefit plan audit. List below the control objectives included in the description of the service organization’s system.

Control objectives included in the service organization’s description of its system (Controls provide reasonable assurance that:) | Were deviations noted in the service auditor’s description of tests of controls and results? (Yes* / No) | Page(s) #(s) in service organization’s description or service auditor’s description of tests of controls where control objective is located

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

* For any yes answers, complete the table below.

In the table below, summarize the service organization’s and plan auditor’s response (if any) to any deviations identified by the service auditor in the description of tests of controls and results. Note: Deviations in the results of tests of controls should be considered individually and in the aggregate to determine their effect, if any, on audit procedures to be performed.

Control Objective # (from table above) | Deviation(s) noted | Service Organization’s Response included in the description of the Service Organization’s System (Such responses are not covered by the service auditor’s opinion) | Plan Auditor’s Response (see note below)


Note: Consider any mitigating controls in place at the plan sponsor, or consider designing procedures to address the risks related to the deviations identified in the table above.

Conclusion:

Deviations were noted as documented above; however, we have concluded that they would not significantly affect the nature, timing and extent of our procedures in the audit of the employee benefit plan.

Although the deviations did not result in a qualification of the service auditor’s opinion on the operating effectiveness of the controls to achieve the control objective, the following procedures were completed by the plan auditor to address and evaluate the effect of the deviations on the audit.

Document procedures performed and include any supporting documentation.

Section VII – Complementary User Entity Controls

Summarize any complementary user entity control considerations identified in the service organization’s description of its system.

No. | Complementary user entity control considerations identified in the service organization’s description | Are the complementary user entity control considerations identified in the service organization’s description relevant to the plan? If No, document below. If Yes, document or reference work performed to ensure complementary user entity controls are in place | Work paper reference (see note below)

1.

2.

3.

4.

5.

6.

7.

8.

9.

10.

Note: Consider completing the evaluation of the plan sponsor/plan’s controls first. For controls already reviewed and evaluated by the plan auditor, insert the work paper reference where that work is documented. If the plan or plan sponsor has not implemented complementary user entity controls, then that should be documented, as well as the effect on the nature, timing and extent of audit procedures.


Section VIII – Documentation of Evaluation of the Control Objectives

If the type 2 SOC 1 report covers only the payroll process, skip Section VIII and go to Section IX.

In the following section, the reviewer or plan auditor can begin to evaluate whether the service organization’s description of its system contains controls and control objectives relevant to the assertions included in the employee benefit plan’s financial statements. (These are documented in columns #1 and #2 in the table below). In addition, the plan auditor will need to evaluate whether the tests of controls performed by the service auditor and the results of those tests provide sufficient appropriate evidence of the operating effectiveness of the controls to support the auditor’s risk assessment.

The plan auditor should consider the following factors in making that evaluation:

• The nature, timing, and extent of the testing. For example, when testing controls, the service auditor should perform procedures in addition to inquiry, as required by related risk assessment standards

• Results of the tests of controls (e.g., any noted deviations)

Evaluation of the Control Objectives

Page # in the service organization’s description of its system or service auditor’s tests of controls where control objective is listed (from Section VI) | Control objective as listed in the description (from Section VI) | Does the description of the controls and the control objectives enable the plan auditor to evaluate the design and confirm the implementation of relevant controls and assess risk? (Yes/No) | Do the tests of operating effectiveness and results of those tests support the achievement of the stated control objective? (Yes/No) Note: Consider the effect of any deviations identified in the table above in Section VI | Reference from Section VII to complementary user entity controls identified in the description that are in place to support the plan auditor’s risk assessment

IT General Controls/Control Objectives – Logical Access and Program Change Management

Controls/Control Objectives Related to New Plan Set-up – Plan Provisions

Controls/Control Objectives Related to New Plan Set-up – Participant Level Data/Accounts and Investments

Controls/Control Objectives Related to Eligibility, Enrollment and Participant Data

Controls/Control Objectives Related to Contributions – Plan Level

Controls/Control Objectives Related to Contributions – Participant Level

Controls/Control Objectives Related to Participant Account Income/Expense Allocations

Controls/Control Objectives Related to Distributions to Participants/Beneficiaries

Controls/Control Objectives Related to Distributions - Plan Expenses

Controls/Control Objectives Related to Marketable Securities Held – Safekeeping & Valuation

Controls/Control Objectives Related to Non-readily Marketable Securities Held – Safekeeping & Valuation


Evaluation of the Control Objectives Continued

Page # in the service organization’s description of its system or service auditor’s tests of controls where control objective is listed (from Section VI) | Control objective as listed in the description (from Section VI) | Does the description of the controls and the control objectives enable the plan auditor to evaluate the design and confirm the implementation of relevant controls and assess risk? (Yes/No) | Do the tests of operating effectiveness and results of those tests support the achievement of the stated control objective? (Yes/No) Note: Consider the effect of any deviations identified in the table above in Section VI | Reference from Section VII to complementary user entity controls identified in the description that are in place to support the plan auditor’s risk assessment

Controls/Control Objectives Related to Investment Transactions – Purchases/Sales (Including realized gain/loss)

Controls/Control Objectives Related to Investment Income – Plan Level

Controls/Control Objectives Related to Report Processing – Plan Level

Controls/Control Objectives Related to Report Processing – Participant Level

DEFINED CONTRIBUTION PLANS ONLY

Controls/Control Objectives Related to Participant Loans (Authorization, Calculation and Recording)

Controls/Control Objectives Related to Participant Loan Repayments – Plan Level

Controls/Control Objectives Related to Participant Loan Repayments – Participant Level

Controls/Control Objectives Related to Investment Election Changes and Transfers

DEFINED BENEFIT AND HEALTH & WELFARE PLANS

Controls/Control Objectives Related to Participant Census Data

Controls/Control Objectives Related to Plan Obligations

HEALTH & WELFARE PLANS ONLY

Controls/Control Objectives Related to Claims Processing


Section IX – Payroll Processing Service Organizations

Most large payroll processors provide a type 1 or type 2 report but such reports vary widely as to what services are covered. In addition, some payroll processors issue several reports that cover different locations, services or markets. Plan sponsors may contract with different payroll processors to provide different services. Plan sponsors are expected by the payroll processors to have controls in place to ensure accurate input and submission of data to the payroll processors (complementary user entity controls). Once the plan auditor has obtained the proper type 2 reports, the plan auditor can complete the following sections.

Documentation of the Evaluation of Payroll Reports

In the following section, the reviewer or plan auditor can begin to evaluate whether the report contains controls and control objectives relevant to the assertions included in the employee benefit plan’s financial statements. (These are documented in columns #1 and #2 in the table below). In addition, the plan auditor will need to evaluate whether the tests of controls performed by the service auditor and the results of those tests provide sufficient appropriate evidence of the operating effectiveness of the controls to support the auditor’s risk assessment. The auditor should consider the following factors in making that evaluation:

• The nature, timing and extent of the testing. For example, when testing controls, the service auditor should perform procedures in addition to inquiry, as required by related risk assessment standards

• Results of the tests of controls (e.g., any noted deviations?)

Evaluation of the Control Objectives Continued

Page # in the service organization’s description or service auditor’s description of tests of controls where control objective is listed (from Section VI) | Control objective as listed in the description (from Section VI) | Does the description of the controls and the control objectives enable the plan auditor to evaluate the design and confirm the implementation of relevant controls and assess risk? (Yes/No) | Do the tests of operating effectiveness and results of those tests support the achievement of the stated control objective? (Yes/No) Note: Consider the effect of any deviations identified in the table above in Section VI | Reference from Section VII to complementary user entity controls identified in the description that are in place to support the plan auditor’s risk assessment.

Controls/Control Objectives Related to Set-up of New Employees (demographic data, pay rates, withholding amounts)

Controls/Control Objectives Related to Computation of Payroll Amounts Based on Rates (Salary, Hourly)

Controls/Control Objectives Related to Computation of withholdings (401(k), H&W, etc.)

Controls/Control Objectives Related to Reporting of Payroll Amounts Paid and Remitted

Controls/Control Objectives Related to Termination of employees and removal from payroll records


Section X – Conclusion

Has the user auditor obtained a sufficient understanding of the control objectives and related controls at the service organization that is relevant to the plan’s internal control over financial reporting in order to assess the risks of material misstatements and to design the nature, timing and extent of further audit procedures?

Yes

No

Note: If the plan auditor concludes that information is not available to obtain a sufficient understanding to assess the risks of material misstatement, he or she may consider contacting the service organization to obtain specific information or request that a service auditor be engaged to perform procedures that will provide the necessary information, or the plan auditor may visit the service organization and perform such procedures.

Include any additional comments.

Prepared by: Date:

Reviewed by: Date:


To Benefit Plan Name workpapers

Date

From Ref

Review of SSAE 16 Report

Name of service organization

Description of entity reviewed by service organization’s independent auditor

Period covered by SSAE 16 review

Illustrative Document – provided as a template which may be used by engagement teams to evaluate SSAE 16 reports. Depending on which service provider (e.g., recordkeeper or custodian).

Objective: The objective of ABC’s review of the report on controls placed in operation and tests of operating effectiveness, prepared pursuant to SSAE 16 of the recordkeeping services of entity reviewed of name of service organization (define service organization, e.g. SO) is such that we wish to reduce control risk associated with:

List processes reviewed in SSAE 16 and relevant to the audit

• Disbursements process

• Contributions process

• Investment process

to such a level such that we may minimize substantive testing in the aforementioned processes.

ABC obtained and reviewed a signed copy of the contract between the user organization and the service organization and determined that the services are covered by the SSAE 16 report. To the extent the client uses the service organization for any special purpose, procedures, or activity not included in the scope of the SSAE 16 report, the audit team should perform additional review procedures to the extent considered necessary.


In limited scope audits, the auditors are not required to take into consideration any matters related to the investment process which is covered by the limited scope exception.

Procedures Performed and Scope of ABC Review: ABC read the SSAE 16 report of SO reported upon by name of accounting firm (define accounting firm, e.g. AF).

Comments on Independent Service Auditor (“ISA”) Report: Note, this section describes information obtained from the ISA’s Report. The Independent Service Auditor’s Reports (“ISA’s”) did not contain any exceptions relative to the control objectives and procedures as described in the SSAE 16 Reports. Describe any exclusions named in the auditors’ report, if any, e.g., SO uses subservice organizations for certain process related functions: list any entities, processes, etc. excluded from ISA’s report. e.g. The ISA’s report includes a scope limitation regarding describe scope limitation from the auditors’ report.

Other Scope Limitations described in the SSAE 16 Report: Note this section describes information noted in the rest of the SSAE 16 report. Describe any other limitations of the SSAE 16 Report, e.g., the period reported does not cover the entire audit period, outsourcing, etc. not covered or--indicate None noted.

Effect of ISA Opinion and Scope Limitations on Audit: Describe the effect of any limitations described above and address how the engagement team will reduce audit risk related to the limitations.


Significant User Control Considerations Highlighted by Servicers: List all user controls noted in the SSAE 16 report and engagement team discussion here. Key user controls should be linked to the workpaper where they are tested for operating effectiveness.

Control or processes not fully discussed or addressed in the SSAE 16 Report:

Evaluate the omission of key controls at the service organization and how the engagement team will reduce audit risk resulting from these omissions.

ABC noted that the following controls were not fully discussed or adequately tested in the report in order to reduce control risk: List omitted controls

Effect of user control considerations and controls not reported on Audits: The engagement team should ensure that, to the extent the client control considerations noted above are material to the plan, documentation exists in the workpapers or here to support the control risk assessments made.

Exceptions and Management’s Response with Respect to Control Objectives:

List all exceptions to controls testing and engagement team discussion here. If the exceptions are significant, additional documentation and testing may be indicated and best documented in a separate memo.

Effect of Exceptions noted on Audits:

Modify the following paragraph and include the procedures and results of the audit team’s inquiries and/or procedures here:

While the exceptions noted did not result in a qualification of the respective control objective by the ISA, the following procedures were performed by the engagement team:

e.g. Inquiries of Plan management as to how they are satisfied that the exceptions noted did not have an impact on the Plan financial statements (i.e. user control – review by Plan sponsor of SO statements). Auditors may rely on the effectiveness of the user controls noted as mitigating controls to the extent they are being performed.

Other Information disclosed in the SSAE 16 Report and effect on Audits

Describe any other information discussed in the SSAE 16 Report that would be important to the audit, or--None noted

Conclusions with respect to ABC’s Audits

With the exception of those matters relating to:

• Auditor scope;

• Scope limitations;

• User control considerations;

• Controls or processes not addressed in the SSAE 16 report;

• Relevant exceptions noted,

internal controls as documented in the SSAE 16 report, results of testwork therein and independent reporting by name of independent service auditor, support control risk assessments of moderate for the processes listed in the objectives section of this memorandum. As necessary, discuss consideration of the degree to which control risk is reduced below maximum with respect to those matters discussed above where exceptions and scope limitations have been identified.


Not necessary (nationally recognized firm)

Documentation attached

Unmodified Modified

TYPE I: Report only includes policies and procedures placed in operation. (Do not complete remainder of Section 1 - No Reliance)

TYPE II

Yes No

1. 38-39 For 1 of 51 changes selected for testing, evidence of change ticket approval to the front-end system of the implementation was not obtained.

No, as the overall system implementation was appropriately tested, approved, and signed off by key stakeholders.

2. 40-41 For 1 of 51 changes selected for testing, evidence of change ticket approval to the front-end system of the implementation was not obtained.

No, as the overall system implementation was appropriately tested, approved, and signed off by key stakeholders.

3. 42-44 For 2 of 14 terminated users selected, the termination event was not communicated to IT in a timely manner to facilitate timely removal of systems access.

No, as users did not gain external access to Fidelity's network or physical facilities following their termination.

4. 45-46 For 2 of the population of 225 new plan setups with XTRAC work items opened by SIG, the system setup did not have all of the required phases of QC completed.

No. Impacted plans were reviewed and found to have no issues.

5. 47-50

6. 51-59

For 1 of 46 items selected for testing, the in good order review was not performed accurately by the associate. For 1 of 45 QC items selected for testing, the QC review was not performed accurately.

No. In both cases, work items were not documented according to procedures to aid in retrieval of beneficiary information, but the information was accessible within the Fidelity applications.

7. 60-72 For 1 of 75 monetary transactions selected for testing, the in good order review was not performed accurately by the associate.

No. Despite the review not being performed, the compensating QC control was executed properly, thus any errors were discovered before impacting the participant's account.

8. 73-74

9. 75-76

10. 77-79

11. 80

12. 81-82

13.

14.

Conclusion - Type I Report - No Reliance

Conclusion - Type II Report

The above summary was prepared by:

Date prepared:

The above summary was reviewed by:

Date reviewed:

tax withholdings are remitted, filed and reported completely, timely and accurately.

Report includes policies and procedures placed in operation and tests of operating effectiveness. Per my review of the SOC 1 report, the following control objectives and associated control policies and procedures were tested for operating effectiveness.

Objectives: | Exceptions Noted? | Page(s) # in SOC 1 Report

The results of testing the controls of the service organization were satisfactory to conclude that the controls were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the specific control objectives were achieved during the period tested. Further, based on our knowledge of and/or experience with the audit firm that issued the SOC 1 report, we believe that firm is professionally qualified to prepare a Type II SOC 1 report on the service organization.

SOC 1 Summary

Section to be completed by staff reviewing the SOC 1 report

(Name of TPA/organization)

11/1/12 - 10/31/13

(period covered in SOC 1 report)

(name of audit firm preparing report)

If we do not have knowledge of and/or experience with the auditing firm that issued the SOC 1 report, we must obtain an understanding of its qualifications and possibly test its supporting workpapers before we may rely on its SOC 1 report. Attach documentation of your procedures and results, if necessary.

Type of Report:

Details on exceptions noted. Will this affect the Plan under audit? Please explain.

Controls provide reasonable assurance that:

• trial balance reports made available on PSW are accurate and complete

• new systems and changes to existing systems are authorized, tested, approved, documented and properly implemented.

• production processing is appropriately authorized, scheduled and executed, and processing problems are identified and resolved in a complete, accurate and timely manner.

• logical access to production applications and databases is restricted to properly authorized users.

• the setup or modification of plan specific guidelines and fund investments on FPRS are authorized and accurately updated in accordance with plan and fund direction.

• participant records received from prior recordkeepers are completely and accurately entered into FPRS.

• new participant accounts and modifications to existing participant data are authorized and processed accurately and completely on FPRS in a timely manner in accordance with instructions received from the participant or plan sponsor.

• monetary transactions are authorized and processed accurately, completely, and timely in accordance with instructions received.

• investment purchases and sales are processed accurately and timely

• participant account balances are valued based on market prices obtained from authorized pricing sources and investment income is accurately and timely allocated and recorded.

• identified adjustments are processed in a complete, accurate and timely manner


1.

Yes

No

2.

Yes No N/A Reference to document, if applicable

Person contacted:

Telephone number:

Date contacted:

Contacted by:

1.

Yes

No

2.

Additional information necessary? (Yes/No) If yes, what work performed Reference No

Timeliness of SOC 1 Report

We have contacted a representative at the service organization and/or the auditor that prepared the SOC 1 report and received assurance that the current policies and procedures which provide controls have not changed significantly since the SOC 1 report period. (If yes, please document changes and reference where documented at right.)

Section to be completed by staff relying on the SOC 1 report

Is the plan year under audit the same as the period covered by the SOC 1 report?

If question 1 above is answered "No," in order to rely on the SOC 1 report, we must perform one of the following procedures:

We have obtained a bridge letter from the service organization and/or the auditor that prepared the SOC 1 that indicates no significant changes to the controls in place from date of SOC 1 to date of Plan's year-end. X

Subservice Organizations

Section to be completed by staff relying on SOC 1 report

Did the service organization outsource any functions relevant to the Plan's internal control over financial reporting to another service organization (a subservice organization), and was the subservice organization carved out of the type 2 report?

If yes, list the names of the subservice organizations and the applicable functions each subservice organization performs. If the functions performed by the subservice organization are significant and relevant to the Plan's internal control over financial reporting, consider obtaining additional information about the subservice organization's controls (such information may be available from user manuals, system overviews, technical manuals, the contract between the plan and the service organization and reports on the subservice organization's controls, prepared by other service auditors, internal audits, or regulatory authority).

Name of Subservice Organization Functions Performed IC for XYZ Data Center Operations and related infrastructure


Copy of SOC 1 report is retained at the following location: 2400.05

Conclusion:

Signed by:

Date:

Exceptions:

(Plan name)

12/31/2013 (Plan year end)

Control objective(s) that address vesting: 4,7

Control objective(s) that address participant distributions/withdrawals: 7, 10, 12

Applicable Control Objectives

We may not rely on the SOC 1 report for the following audit objectives and will perform additional audit work in these areas:

Control objective(s) that address participant loans: 7

Control objective(s) that address allocation of contributions to participant accounts: 6, 7

Control objective(s) that address allocation of investment earnings to participant accounts: 8, 9

Control objective(s) that address investment allocation: 6

Plan Conclusion

Section to be completed by staff relying on the SOC 1 report

Except as noted below, based on the above evaluation of the internal controls and procedures surrounding the activities at this service organization, we conclude that it is appropriate to assess control risk at below maximum for participant accounts and related transactions (including investment income at the participant level) recorded by this service organization. As such, we will only perform limited testing in these areas. Our reliance on the SOC 1 report will reduce, but will not eliminate, substantive testing in the areas identified.


Yes No N/A Client response on how CCC in place

1.

2.

3.

4. We open a service request with TPA to grant appropriate access.

5.

Applies to new plans only.

6.

Applies to new plans only.

7.

Applies to new plans only.

8.

Applies to new plans only.

9.

10.

11.

12.

Client Complementary User Entity Control Considerations / Interaction with Service Organization

Section to be completed by staff relying on the SOC 1 report

Review the user controls in place at the client office in order to rely on the service organization's controls and testing summarized in the SOC 1 report. If the client has already documented how the user controls are in place on another document, just attach to this memo and do not retype below, but be sure to address any "No" answers here or on the attachment.

CCC in Place at Client?

The Plan sponsor is responsible for reviewing and approving the detailed plan set up document.

The plan sponsor is responsible for administering access to the Plan's PSW portal.

The Plan sponsor is responsible for notifying FWS of any changes to the Plan document.

The Plan sponsor is responsible for reviewing and approving any modifications made to the Plan recordkeeping agreement.

The Plan sponsor is responsible for reviewing and approving the reconciled participant data reports indicating that the participant data has been properly mapped to FPRS.

The Plan sponsor is responsible for establishing controls to ensure that participant information sent to FWS for new participant accounts is accurate and complete.

The Plan sponsor is responsible for reviewing and approving the reconciled test data indicating that the test data has been properly mapped to FPRS.

The plan sponsor is responsible for reviewing and approving the final reconciliation reports generated from FPRS indicating that the plan assets have been properly transferred and reconciled to participant/plan balances.

The plan sponsor is responsible for sending participant data in the agreed upon format.

The plan sponsor is responsible for determining a participant's eligibility to participate in the Plan.

The plan sponsor is responsible for establishing plan guidelines with respect to the level of information and authorization required for FWS to process additions of

The Plan sponsor is responsible for establishing controls to ensure that information sent to FWS for new participant accounts and modifications to participant data processing is accurate, complete and received by FWS in a timely manner.


13.

14.

15.

16.

17.

18.

If there are "No" answers for any question above, indicate if there are mitigating controls. If there are no mitigating controls, indicate how the no answer will affect our audit.

The plan sponsor is responsible for establishing controls to ensure that participant forms are accurate, complete and properly authorized and that the requested transaction is in accordance with the plan provisions.

The Plan sponsor is responsible for updating participant elections based on the feedback file received from Fidelity.

The Plan sponsor is responsible for resolving rejected items and re-submitting them to FWS in a timely manner.

The Plan sponsor is responsible for submitting complete and accurate data in a timely manner.

The Plan sponsor is responsible for notifying Fidelity of discrepancies with its own records in a timely manner.

The Plan sponsor is responsible for timely review of all plan trial balances, valuation summaries and participant records.


Participant Testing

12/31/2013

Purpose: To test eligibility of employees and to further test participation or non‐participation in the Plan.

Sample Size: Firm selected sample from census data based on discussions during planning meeting. The population includes both participants and non‐participants in the Plan. Our sample size is further based on the fact that the Plan has not changed TPAs during the current year and that the SOC 1 covers the same attributes we are testing here and have noted no relevant exceptions. See documentation of sample size at w/p 8000.01

Definitions: Per review of plan document, compensation is defined as: wages as defined in Code Section 3401(a) and all other payments of compensation to an Eligible Employee by the Employer (in the course of the Employer's trade or business) for services to the Employer while employed. Compensation shall include amounts that are not includable in the gross income of the Participant under a salary reduction agreement. Additionally, the value of restricted stock or of a qualified or a non‐qualified stock option granted to an Employee by an Employer to the extent such value is includable in the Employee's taxable income and severance pay received prior to termination of employment are excluded from eligible compensation.

Procedures:

‐ Select the sample

‐ Determine if sample is eligible to participate by reviewing DOB and DOH and eligibility requirements of the Plan

‐ Determine if sample is participating in the Plan through review of plan records (including TPA, payroll and census data)

‐ For participating employees:

‐ send positive participant confirmations to all participants in sample

‐ complete columns B, C, D, G, J and K for all participants

‐ select a sub sample of participants and agree pay rate per census to pay rate per payroll and to payroll authorizations in personnel file.

‐ for the sub sample of participants, complete all columns hereon (recalculation of deferral and ER match).

‐ For non participating EE's:

‐ Determine if employees must submit an enrollment form even for non‐participation. If so, request forms and agree non‐participation to form (if form is supposed to be completed, but not, consider an MLP)

‐ If elections are made electronically, send a negative non‐participant confirmation to all non‐participants.

‐ Reconcile and cross reference any returned confirmations.

Testing

Conclusion: Based on test work performed on subsequent tab, participant contributions and eligibility appear reasonable.


Plan

Participant Data Testing

December 31, 2013

Scope:

Selected 25 participants on a haphazard basis from the census information, see "401k Census" tab as follows:

5 ‐ Non‐participating employees

20 ‐ Participating employees

Procedures:

General 1 We reviewed the plan documents to identify demographic data used in determining eligibility, vesting, etc.

Non‐participants (Program Steps 3b, 10):

1) Reviewed the employee file to verify birth date and hire date. Birth date and hire date were vouched to a signed HR document. All forms used can be found in the Employee personnel file.

2) Obtained enrollment waiver from the employee personnel file obtained from HR.

Participating employees (Program Steps 3b, 5a, 10, 5c, 4, 3a, 5b, 6b, 7):

1) Reviewed the employee file to verify birth date and hire date. Obtained personnel files and employee benefit files from HR. Birth date and hire date were vouched to the employee enrollment form or another signed HR document if the enrollment form was unavailable. All forms used can be found in the Employee personnel file.

2) Traced gross compensation and deferral to reporting on the employee form W‐2 report box 3 (gross wages). The difference between census wages and W‐2 wages is section 125 deductions which is in line with the definition of compensation per the plan document.

3) Reviewed deferral forms in effect for 2013. Reviewed latest deferral form reflecting changes to deferral. Noted Plan administrator signature, and verified the deferral percentage indicated on the form agrees with calculation performed.

4) Traced YTD contribution to participant statement to verify system of participant reporting.

5) Verified participant is eligible. Eligibility requirements are the individual must be at least 21 and have 1000 hours of service completed in 6 consecutive months. No new participants were selected in our sample, however we test hours in conjunction with payroll testing and hire dates are also verified in step 1.

6) Reviewed authorization of pay rate in comparison to payroll report as verification of payroll system. See Payroll Testing at WP 3955.01, 5 participants were selected for this test.

7) Recalculated employee contribution by multiplying the deferral % per the enrollment form by the gross compensation.

8) Recalculated the employer match, which is 100% of the employers deferral up to a maximum of 3% not to exceed $2,460. Additionally the company makes a discretionary match of .50 per service hour up to a max of $1,040.

9) As all relevant controls are tested in the SOC1 and confirmations provide additional comfort that the allocations between funds are in line with participant directives, we will rely on the 3 confirmations received w/o/e as our testing of investment allocation between funds.

Confirms were sent to 5 non participants and first 5 participants, but were not returned prior to fieldwork, as such alternative procedures have been performed on all the selections. Any confirmations received subsequent to fieldwork have been added to the file for additional comfort.


Testing

Non‐participants:

| # | Participant Name | Birth Date | 1) | Hire Date | Term Date | Gross Comp. | 2) | |
|---|---|---|---|---|---|---|---|---|
| 1 | Name | 10/24/1977 | x | 2/1/2013 | 7/19/2013 | 26,083.03 | n/a | |
| 2 | Name | 5/11/1979 | x | 4/8/2013 | 7/31/2013 | 17,576.00 | n/a | 3957 |
| 3 | Name | 7/29/1977 | x | 9/6/2005 | 7/12/2011 | 346.46 | AA | |
| 4 | Name | 2/13/1967 | x | 10/9/2012 | 2/8/2013 | 10,260.41 | x | |
| 5 | Name | 3/6/1977 | x | 8/14/2006 | ‐ | 59,444.48 | AB | 3957 |

Participating employees:

| # | Participant Name | Birth Date | 1) | Hire Date | Term Date | Rehire Date | Gross Comp. | Prevailing Wage Comp | Prevailing Wage Hours | Per Diem | Hours | Wages per W‐2 Box 5 | Difference | Recalc Employer Cont. | Recalc Employer Disc. | Diff EE | Diff ER | Diff Discretionary | 3) | 4) | 5) | 6) | 9) | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Name | 8/13/1958 | x | 6/8/2011 | 8/2/2013 | ‐ | 65,387.86 | ‐ | ‐ | ‐ | 1,281.00 | 65,093.46 | 294.40 | 1,961.64 | 640.50 | 0.03 | 0.03 | ‐ | x | x | x | ** | x | |
| 2 | Name | 10/10/1976 | x | 6/30/2008 | ‐ | 3/8/2012 | 75,908.36 | ‐ | ‐ | ‐ | 2,299.50 | 71,186.24 | 4,722.12 | 2,277.25 | 1,040.00 | (0.03) | (0.15) | ‐ | x | x | x | x | x | AC |
| 3 | Name | 9/5/1967 | x | 8/28/2006 | 6/17/2013 | 10/5/2012 | 26,559.67 | 4,515.58 | 168.58 | ‐ | 1,010.01 | 25,888.89 | 670.78 | 767.03 | 420.72 | 0.05 | 0.15 | (2.20) | x | x | x | ** | x | AC |
| 4 | Name | 11/4/1963 | x | 4/27/2009 | ‐ | ‐ | 98,728.54 | ‐ | ‐ | ‐ | 2,039.50 | 94,841.18 | 3,887.36 | 2,460.00 | 1,019.75 | (0.57) | ‐ | ‐ | x | x | x | x | x | 3957 |
| 5 | Name | 12/3/1984 | x | 10/14/2003 | ‐ | 6/21/2011 | 92,408.12 | ‐ | ‐ | ‐ | 2,666.00 | 91,108.64 | 1,299.48 | 2,460.00 | 1,040.00 | (0.08) | ‐ | ‐ | x | x | x | ** | x | AC |
| 6 | Name | 7/7/1948 | x | 11/30/1987 | ‐ | ‐ | 106,583.32 | ‐ | ‐ | ‐ | 2,093.00 | 103,905.95 | 2,677.37 | 2,460.00 | 1,040.00 | 19,802.50 B | ‐ | ‐ | x | x | x | x | x | |
| 7 | Name | 5/29/1972 | x | 4/9/2012 | 11/15/2013 | ‐ | 56,743.60 | ‐ | ‐ | ‐ | 1,953.15 | 54,757.36 | 1,986.24 | 1,134.87 | 976.58 | (0.00) | (0.00) | 0.00 | x | x | x | x | x | |
| 8 | Name | 2/23/1951 | x | 5/2/1994 | 8/1/2013 | ‐ | 169,437.87 | ‐ | ‐ | ‐ | 1,462.56 | 165,693.61 | 3,744.26 | 2,460.00 | 731.28 | 9,444.97 C | ‐ | ‐ | x | x | x | x | x | |
| 9 | Name | 3/17/1954 | x | 1/4/1999 | ‐ | ‐ | 72,218.11 | ‐ | ‐ | ‐ | 1,993.00 | 68,296.43 | 3,921.68 | 2,166.54 | 996.50 | 0.01 | 0.01 | ‐ | x | x | x | ** | x | |
| 10 | Name | 9/18/1959 | x | 9/10/2012 | 5/31/2013 | ‐ | 29,112.29 | ‐ | ‐ | ‐ | 1,035.34 | 28,512.53 | 599.76 | 387.94 | 244.42 | (0.02) | 0.10 | ‐ | x | x | x | ** | x | |
| 11 | Name | 10/31/1956 | x | 6/21/2014 | ‐ | ‐ | 43,242.68 | ‐ | ‐ | ‐ | 2,017.00 | 41,855.32 | 1,387.36 | 1,297.28 | 1,008.50 | (0.02) | (0.10) | ‐ | x | x | x | ** | x | |
| 12 | Name | 10/23/1974 | x | 2/2/2009 | ‐ | ‐ | 107,474.31 | ‐ | ‐ | ‐ | 2,081.00 | 104,408.03 | 3,066.28 | 2,460.00 | 1,040.00 | (2,382.75) D | ‐ | ‐ | x | x | x | ** | x | |
| 13 | Name | 3/2/1990 | x | 9/5/2012 | ‐ | ‐ | 39,572.96 | 8,059.18 | 312.50 | ‐ | 2,183.00 | 39,006.68 | 566.28 | 657.65 | 662.75 | 4.75 | 0.07 | 1.38 | x | x | x | ** | x | |
| 14 | Name | 6/9/1970 | x | 6/1/1987 | ‐ | 1/2/2012 | 76,946.55 | ‐ | ‐ | ‐ | 2,081.00 | 75,780.71 | 1,165.84 | 2,308.40 | 1,040.00 | (0.11) | (0.11) | ‐ | x | x | x | ** | x | AC |
| 15 | Name | 3/8/1971 | x | 2/3/2003 | ‐ | ‐ | 84,073.52 | ‐ | ‐ | ‐ | 2,254.32 | 78,734.68 | 5,338.84 | 1,681.47 | 1,040.00 | (0.02) | (0.02) | ‐ | x | x | x | ** | x | |
| 16 | Name | 5/27/1971 | x | 12/21/2011 | ‐ | 4/26/2013 | 10,365.54 | ‐ | ‐ | ‐ | 580.42 | 10,365.54 | ‐ | 310.97 | 290.21 | 0.01 | 0.00 | ‐ | x | x | x | ** | x | AC |
| 17 | Name | 4/2/1980 | x | 2/23/2009 | ‐ | 4/12/2013 | 25,397.44 | ‐ | ‐ | ‐ | 712.84 | 25,397.44 | ‐ | 761.92 | 356.42 | 0.08 | 0.08 | ‐ | x | x | x | ** | x | AC |
| 18 | Name | 7/22/1984 | x | 12/20/2011 | ‐ | 8/23/2011 | 37,579.77 | ‐ | ‐ | ‐ | 1,393.84 | 36,737.32 | 842.45 | 1,127.39 | 696.92 | 0.14 | 0.14 | ‐ | x | x | x | ** | x | AC |
| 19 | Name | 3/20/1954 | x | 10/13/2003 | ‐ | 5/3/2013 | 73,511.83 | ‐ | ‐ | ‐ | 843.00 | 72,945.11 | 566.72 | 2,205.35 | 421.50 | 0.00 | 0.04 | ‐ | x | x | x | ** | x | AC |
| 20 | Name | 12/13/1954 | x | 4/4/2001 | ‐ | ‐ | 47,996.00 | ‐ | ‐ | ‐ | 2,080.00 | 46,508.02 | 1,487.98 | 1,439.88 | 1,040.00 | ‐ | ‐ | ‐ | x | x | x | ** | x | |

Findings: ί Immaterial, due to rounding, pfr

x Procedure Performed without exception.

AA

AB

AC

A

B The participant's contribution reached maximum yearly deduction of 17,500 for 2013 plus the catch up contribution of 5,500. This is not an exception, pfr.

C

D

** Attribute not tested as detailed in scope.

Conclusion: Based upon testing performed we agree with management's assertion that the data is accurately reflected.

The indicated participant was auto‐enrolled in the plan per requirements set forth in the plan document. This is not considered an exception, pfr.

8)2)

The Participants were hired, terminated, and rehired. Per SPD, "If a participant is no longer a participant because he has terminated employment, and was rehired, then he will be able to participate in the plan on the date of rehire provided the prior service had not been disregarded under the Break in Service rules (see page 7 of w/p 9301)." In the above cases, the prior service hours were not disregarded and therefore they were eligible to participate in the plan. pfr.

Difference is due to 125 deferrals (COFDental, COFHealth and Vision, FSA Health) which were vouched to the Payroll Check History Special Amount List for pay period dates from 01/01/13 to 12/26/13. This appears reasonable. pfr.

The participant's contribution reached maximum yearly deduction of 17,500 for 2013. This is not an exception, pfr.

No waiver was required for this participant because he was terminated in 2011. US DOL audited the company to ensure that the employers are in compliance with the Fair Labor Standards Act, and required that a few employees were paid the required overtime for all the hours worked in excess of 40 hours in a workweek. The amount of $346.46 was the back pay (overtime) that was paid to that group of employees. This is not an exception. Appears reasonable, pfr.

The waiver form was not signed by the participant. See management comment.

Participant went to a prevailing wage project the week prior to 5/6/2013. He chose to defer 3% on both the gross compensation and the prevailing wage compensation. He started deferring on the prevailing wage compensation from 5/22/2013. Wages are excluded from 5/6/2013‐5/21/2013; the calculations reflect these changes and an immaterial difference is noted.

The participant was eligible to defer on 03/31/2013. Wages and hours were excluded from 9/10/2012‐3/31/2013. The calculation appropriately reflected this change of deferrals and no difference was noted.

Participant chose to defer both on the gross compensation (6%) and the prevailing wage compensation (3%). He was eligible to defer on 3/25/2013. Wages and hours are excluded from 9/5/2012‐5/25/2013. The calculations reflect these changes and an immaterial difference is noted.

Reviewed the deferral form. The participant changed the deferral % from 8% to 42% to maximize the contribution in 2013. The participant's contribution reached maximum yearly deduction of 17,500 for 2013 plus the catch up contribution of 5,500. This is not an exception, pfr.


ABC Plan

Eligibility Testing

12/31/201X

Purpose: To ascertain that employees participating in the plan are eligible to participate as per the Plan document terms, and to ensure that participants who meet eligibility requirements are given the opportunity to participate in the Plan.

Source: XYZ auditor used participant personnel file, TPA website- participant personnel profile, Plan Summary Description and compliance testing participant data as of 12/31/1

Scope: See w/p D-1.A.1 for sample selections

Procedures: Procedures were performed to satisfy the attributes listed in the audit program. Please see attributes for further detail of procedures performed.

| Item # | Name | Social Security Number | Birth Date | Hire Date | Termination Date | FT/PT | 7.a. | 7.b. | 7.c. | 7.d. | Confirm sent | Confirm ref | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Removed | Removed | Removed | 8/4/1999 | N/A | PT | X | N/A | X | X | C | N/R | participating |
| 2 | | | | 06/22/2001 | N/A | PT | X | N/A | X | X | C | N/R | participating |
| 3 | | | | 10/24/2007 | N/A | PT | X | N/A | X | X | C | N/R | participating |
| 4 | | | | 02/06/2006 | N/A | PT | X | N/A | X | X | C | N/R | participating |
| 5 | | | | 11/07/2007 | N/A | PT | X | X | X | X | C | N/R | non participating |
| 6 | | | | 02/18/2003 | N/A | FT | X | N/A | X | X | C | N/R | participating |
| 7 | | | | 11/05/2008 | N/A | PT | X | N/A | X | X | C | N/R | participating |
| 8 | | | | 11/19/200 | N/A | PT | X | N/A | X | X | C | N/R | participating |

Attributes:

7 Perform the following procedures on the eligibility sample selected

7.a. Obtain the participant executed plan enrollment form or, in an electronic environment, the enrollment log or comparable documentation from the recordkeeper (e.g., participant’s confirmation statement of enrollment). If an enrollment log or comparable recordkeeper documentation

7.b. The plan sponsor is not required by law to obtain a response from an eligible participant electing to opt-out of the plan. If this situation occurs the workpapers must clearly indicate as such. Prepare a management letter comment indicating that the plan sponsor should obtain this documentation as evidence that the employee was provided the opportunity to participate in the plan should questions arise at a later time. Consider sending confirmation letters to such participants

7.c. Agree birth date, hire date, and social security number per the payroll register or personnel file to the recordkeeper’s data

7.d. Ascertain that the employee is properly included or excluded from participating in the plan based on the eligibility requirements set forth in the plan document (e.g., birth date, hire date, hours worked, etc.)

NOTE: Be aware that the plan may identify different dates when an employee may enter and make elective deferrals to the plan and when the employee is eligible to receive employer matching, profit sharing or other employer contributions. Audit workpaper documentation must be clear in testing each provision of eligibility

Procedures:

7.a. XYZ received a report from TPA of all the participants in the Plan and their YTD contributions

7.b. Participants opt out through TPA

7.c. XYZ agreed the birth date, hire date, and social security number per the personnel file to TPA's data

7.d. XYZ ascertained that the employee is properly included or excluded from participating in the plan. According to the plan document all regular full-time employees of the Company are eligible to participate in the Plan

X Attribute satisfied without exception.

C confirmation sent to participant

N/A Attribute is not applicable based upon Plan provisions and nature of current year contributions

NR Confirmation was not returned by the participant

Conclusion: Based upon the testing performed, it appears eligibility requirements are met by the plan participants and that contributions are being properly recorded


EBP (2/15)

© 2015 Thomson Reuters/Tax & Accounting. All Rights Reserved. Reprinted with permission from PPC's Guide to Audits of Employee Benefit Plans, Twenty-fifth Edition (February 2015)

EBP-CX-3.1


Index N-03

CX-3.1: Understanding the Plan and Identifying Risks

Plan: ABC 401(k) Plan Financial Statement Date: 12/31/2014

Instructions: This form is designed to assist in (1) gathering information necessary to understand the plan and its environment, (2) identifying potential risks to the financial statements, and (3) accumulating permanent file information. Use Part I of this form to identify and document the key elements of your understanding and the potential risks that could result in misstatements (1) at the financial statement level (that is, overall risks that may affect many accounts or assertions) and (2) at the relevant assertion level for classes of transactions, account balances, and disclosures (that is, specific risks that may affect one or a few accounts or assertions). Document sufficient information about the plan and its environment to enable you to identify risks of material misstatement of the financial statements, assess those risks, and design appropriate responses on EBP-CX-7.1 . It may not be necessary to document a response to each question. You need to be familiar with the matters discussed in Chapter 4 .

Consider the information gathered during other engagements performed for the plan, your client acceptance or continuance procedures (EBP-CX-1.1 ), preliminary analytical procedures, engagement team discussion (EBP-CX-3.2 ), and fraud risk inquiries (EBP-CX-3.3 ), and your preliminary judgment about materiality (EBP-CX-2 ), when completing this form.

Use Part II of this form to document the sources of information used and procedures performed to obtain or update your understanding of the plan and its environment. Procedures that should be performed include inquiries of management, internal audit personnel (if applicable), and others, observation of plan activities and operations, and inspection of documents and reports.

Consider potential financial statement risks both individually and in combination in Part III of this form. If you determine there is a risk of material misstatement of the financial statements, add the risk to EBP-CX-7.1 .

Part I—Understanding the Plan and Its Environment 1. General Information

Plan administrator or key plan official (name and title): Suzy Benefits

Plan administrator’s address: 401 Amendment Way

Plan administrator’s telephone number: (800) 555-5555

Plan administrator’s fax number: N/A

Plan administrator’s email address(es): [email protected]

Client key accounting personnel (name and title): Bob Smith, Accounting Manager

Plan’s Form 5500 preparer/consultant (if not our firm): Best Retirement Plan Services

Address: 211 Main Street, San Francisco, CA 94105

Telephone number: N/A

Contact person: N/A

Email address: www.schwabplan.com

Plan’s attorney (name of firm): The plan did not use an attorney in 2014.

Address: N/A

Telephone number: N/A

Contact person: N/A

Structure, Governance, Related Parties, Parties in Interest, and Service Providers


EBP (2/15) © 2015 Thomson Reuters/Tax & Accounting. All Rights Reserved. Reprinted with permission from PPC's Guide to Audits of Employee Benefit Plans, Twenty-fifth Edition (February 2015)


2. Describe the plan. (Obtain a copy or prepare excerpts of the plan document, plan amendments, summary plan descriptions, etc., for retention in the client’s permanent file. Review new documents or changes in documents for matters affecting the plan’s accounting, the financial statements, or the audit.)

Plan’s legal name: ABC 401(k) Plan

Date plan formed: 01/01/1986

a. Type of plan [check applicable item]:

i Defined benefit retirement plan

1) Cash balance plan

ii Defined contribution retirement plan [check one or more of the following]:

1) Profit sharing plan

2) Money purchase pension plan

3) Stock bonus plan

4) Employee stock ownership plan (ESOP)

5) Target benefit plan

6) Cash or deferred arrangement [401(k)]

7) Other (specify) Single employer contributory Plan

iii Health or welfare benefit plan [complete each of the following]:

1) Type of benefit (specify, for example, medical, dental, life insurance, etc.) [ ]

2) Defined benefit or defined contribution (specify which) [ ]

3) Insured, uninsured, or partially insured (specify which) [ ]

b. Type of plan sponsor (check one):

i Single-employer plan

ii Multiemployer plan (indicate number of participating employers) [ ]

c. Contributory or noncontributory (indicate which): Contributory

d. Employee groups covered (for example, all, salaried, hourly, etc.): All employees who are at least 18 years of age are eligible to contribute to the Plan provided they are not in an excluded class as defined by the Plan document.


e. Number of plan participants at the beginning of the period: 250

f. Social Security integration (indicate if provided and if so provide details): N/A

3. Name and address of plan sponsor:

ABC Company, 401 Amendment Way, San Francisco CA 94132

4. List the members of the administrative committee or board of trustees. Identify changes that would affect the audit.

Name | Title
Fred Profit | Chairman, HR Director
Suzy Benefit | Benefits Manager
Bob Smith | Accounting Manager

There were no changes in personnel from the prior year.

5. If the plan has an audit committee or formally designated group with oversight responsibility for the financial reporting process, list the members and identify the chairman.

Name | Title
N/A | N/A

6. Identify the group or individual(s) charged with governance, if those charged with governance include nonmanagement personnel.

Same as item 4 above

7. List the plan administrator and principal members of management. Identify changes that would affect the audit.

Name | Duties
Same as item 4 above |

8. List all related parties and parties in interest, including the plan sponsor or employers participating in a multiemployer or multiple employer plan and their principal owners and immediate families; members of the plan’s board of trustees or administrative committee; the plan administrator; a fiduciary; persons who have control over plan assets; investment advisors; persons who provide services to the plan, such as actuaries, investment custodians, lawyers, auditors, etc.; and an employee organization whose members are covered by the plan. Also list known transactions with such parties, including administrative services or premises provided or other costs absorbed by the plan sponsor. Obtain copies, or prepare excerpts, of any agreements, contracts, leases, etc., related to such transactions. If the plan engages in transactions with related parties or parties in interest, document whether the entity is unaudited or audited by another firm. Identify changes in related-party and party-in-interest relationships or transactions.

Name | Relationship | Type and Purpose of Transaction | Audit Firm (or Unaudited)
Investment in Your Future Bank | Trustee | Investments; Cash receipts and disbursements | Deloitte-SSAE 16 Report
Best Retirement Plan Services | Record Keeper | Contributions; Distributions; Loan; Participant Accounts | Deloitte-SSAE 16 Report
ABC Company | Plan Sponsor | Contributions | Unaudited
See above | Administrative Committee members | Plan oversight | NA
Payroll Company | Payroll | Contributions | KPMG-SSAE 16 Report
XYZ C.P.A.s | Plan Auditor | NA | Unaudited
Mr. Green | Attorney | NA | Unaudited

9. List the names of custodians or trustees holding or transacting in plan assets and the nature of the arrangement, for example, custodial only, discretionary trust, nondiscretionary trust, common/collective trust, master trust, etc. Describe any effect on the audit.

Name | Nature
Investment in Your Future Bank | Acts as trustee of Plan assets. Holds and executes investment transactions. We are performing a limited scope audit and will obtain a certification from the trustee as to the completeness and accuracy of investments and investment activity.

10. List insurance companies with which the plan has contracts and the nature of the contracts, for example, allocated individual or group annuity contract; unallocated contract (deposit administration, immediate participation guarantee, or guaranteed investment contract, general account, pooled or individual separate account); fully insured or experience-rated health or welfare benefit contract; etc. Describe any effect on the audit.

Name | Nature
N/A |


11. List the name of the plan actuary (if the plan uses one) and other specialists the plan engages, such as appraisers, investment advisors, plan designer, etc. Describe any effect on the audit.

Name | Nature
N/A |

12. List the name and nature of any service organizations that provide services such as a third-party plan administrator, mortgage servicing agent, real estate manager, EDP bureau, health claims processor, etc. Describe any effect on the audit.

Name | Nature
Best Retirement Plan Services | Plan recordkeeper. Maintains participant accounts and executes participant transactions. Recordkeeper has an SSAE 16 report, which we will review as part of our planning and test user controls.
Payroll Company | Processes employee deferrals. Payroll Company has an SSAE 16 report, which we will review as part of our planning and test user controls.

13. Describe potential financial statement risks related to the plan’s structure, governance, related-party or party-in-interest relationships and transactions, and service providers. Consider risks that could result in misstatements of the financial statements.

Potential financial statement risks include improper certification from trustee, inaccurate calculation of employee or employer contributions, late remittance of employee contributions, and inaccurate or improper benefit payments. See RAS-03 for risks considered during planning.

Industry, Regulatory, and Other External Factors

14. Identify and describe (a) the industry in which the plan sponsor operates that affects the plan’s operations; (b) how the industry and the plan are affected by economic, political, or social conditions; and (c) the laws and regulations affecting the plan and the plan sponsor’s industry and any history of noncompliance.

The Company operates in the Life Science industry. There have been no significant changes within the Company or its industry which would affect the Plan. The laws governing employee benefit plans are complex. In addition, the DOL has heightened its scrutiny with respect to compliance with regulatory requirements and has stepped up enforcement activities. The Plan is overseen by the Administrative Committee, which meets regularly with various third parties to stay current and in compliance with applicable laws and regulations. There have been no instances of noncompliance identified in the past.

15. If not listed previously, describe potential financial statement risks related to the employee benefit plan industry, the industry in which the plan sponsor operates, and the external environment, including the regulatory, economic, political, and social environment. Consider risks that could result in misstatements of the financial statements.

See #14 above. Due to the complexity of laws and regulations surrounding employee benefit plans, potential financial statement risks include non-compliance with laws and regulations. See RAS-03 for risks considered during planning.

Nature of the Plan

Plan Operations


16. Describe the major sources of plan income, that is, employer and employee contributions; securities interest, dividends, and gains and losses; mortgage and loan interest; rents; and any other factors important to understanding how the plan is funded. If the plan is a defined contribution plan, also describe the disposition of forfeitures, that is, are they allocated to participant accounts or returned to the plan sponsor.

The Plan's major sources of income consist of the following: 1) Employee contributions, including rollovers; 2) Employer contributions (based on board-approved amounts, up to 5% of eligible participant compensation to a maximum of $5,000); 3) Interest, dividends, and unrealized/realized gains and losses on investments. Forfeitures will first be used to pay administrative expenses and any remaining amounts will be used to reduce future employer contributions.

17. Provide information about the plan’s major assets (for example, government securities, corporate stocks and bonds, mutual funds, real estate, loans and mortgages, insurance contracts, etc.), liabilities (exclusive of benefit obligations), and expenses (not absorbed by the plan sponsor) and how they affect the plan’s accounting, the financial statements, or the audit. Consider whether significant assets, liabilities, and expenses are appropriate for that type of plan. Identify significant amounts subject to estimation, changes in circumstances that could affect estimates, significant concentrations, significant assets subject to impairment, or potential liabilities from litigation, or other significant contingent liabilities.

The Plan investments are held by Investment in Your Future Bank, who acts as the trustee of Plan assets. The Plan’s investments consist of 15 mutual funds. The investments are stated at fair market value as reported by the trustee based on quoted market prices. The Plan Administrator has the prospectuses available to the Plan Participants that explain in detail each of the fund investment objectives and policies. The prospectuses also detail the expenses charged by the fund. Investment fees are netted against investment earnings. The Plan sponsor pays the majority of Plan expenses, except those charged to individual participants when they request a loan or distribution.

18. Describe any “paperless transactions” occurring in the daily operation of the plan (for example, participants enrolling in the plan, making initial investment options, or changing investment options by telephone, internet, or intranet) and how they affect the plan’s accounting, the financial statements, or the audit.

Paperless transactions include enrollment, deferral changes, investment allocation changes, loans and distributions. Participants have on-line access to their account 24 hours a day. Participants receive a confirmation for any changes they make to their account on-line. Plan sponsors also have access to view participant accounts and activity. See review of SSAE 16 reports at W/P J1-01 covering paperless transactions.

19. Describe how frequently transactions are processed and how frequently assets are valued (for example, daily, monthly, etc.).

Transactions are processed daily and assets are valued daily.

20. Describe any significant transactions, or transactions outside the normal course of operations, entered into during the year.

Two investment choices were eliminated by plan management and replaced with two new options, causing participants to elect to change their options or go with the new options.

Financing

21. What are the plan’s major sources of financing, if any, for example, notes payable, leasing, etc., and any significant terms, such as debt covenants, restrictions, or guarantees. Obtain copies, or prepare excerpts, of all loan and lease agreements (both operating and capital leases) for the permanent file. Review new documents or changes in documents for matters affecting the plan’s accounting, the financial statements, or the audit.

Plan has no financing activities as this is a 401(k) plan.

22. Describe the plan’s use of derivatives, including (a) extent, (b) types, (c) purpose, (d) aspects of the plan’s operations that might present risks hedged using derivatives, (e) whether interest-bearing debt has been converted from fixed to variable (or vice-versa) using derivatives, and (f) the potential for embedded derivatives.

Plan has no derivatives

Financial Reporting

23. Indicate the existence and location of the following accounting records, that is, whether they are maintained by the plan administrator, plan sponsor, employers participating in a multiemployer plan, trustees, insurance companies, actuaries, service organizations, or other parties:

Record | Location
a. General ledger | Investment in Your Future Bank
b. Cash receipts records | Investment in Your Future Bank and Plan Sponsor
c. Cash disbursements records | Investment in Your Future Bank
d. Investment asset records | Investment in Your Future Bank
e. Participant records | Best Retirement Plan Services
f. Contribution records | Best Retirement Plan Services; Plan Sponsor
g. Claims records | N/A
h. Distribution records | Best Retirement Plan Services; Investment in Your Future Bank
i. Individual participant account information | Best Retirement Plan Services; Investment in Your Future Bank
j. Administrative expenses records | Plan Sponsor; Best Retirement Plan Services; Investment in Your Future Bank
k. Other (Specify.) N/A | N/A

24. What is the basis of reporting? GAAP Special purpose framework (specify) N/A

25. What are the plan’s significant accounting policies, including actuarial and investment valuations, methods of accounting for significant and unusual transactions, and other areas where there may be accounting alternatives or a lack of authoritative guidance? Determine if the accounting policies are appropriate and if there have been changes in the policies used and the reasons for such changes. Describe any specialized accounting standards, including any new standards applicable to the plan, or any other issues related to the application of GAAP.


Method of Accounting

The accompanying financial statements have been prepared on the accrual basis of accounting in accordance with accounting principles generally accepted in the United States of America.

Use of Estimates

The preparation of financial statements in conformity with accounting principles generally accepted in the United States of America requires management to make estimates and assumptions that affect the reported amounts of assets and liabilities, and changes therein, disclosure of contingent assets and liabilities and changes in net assets available for benefits. Actual results may differ from those estimates.

Investment Valuation and Income Recognition

Investments are reported at fair value. Fair value is the price that would be received to sell an asset or paid to transfer a liability in an orderly transaction between market participants at the measurement date. See Note 3 for discussion of fair value measurements. Purchases and sales of securities are reflected on a trade date basis. Interest is recorded as earned on an accrual basis. Dividends are recorded on the ex-dividend date. Net appreciation in fair value of investments includes the Plan’s gains and losses on investments bought and sold as well as held during the year.

Recognition of Benefit Payments

Benefits are recorded when paid.


26. Describe any special legal, regulatory, or reporting requirements.

The Plan is required to attach audited financial statements to the Form 5500 filing. The filing is due 7 months after year end with an additional extension available for 2.5 months. Final due date is October 15, 2015.

27. If material misstatements have been noted in prior audits, briefly describe the nature and cause of the misstatements and the accounts affected.

None noted.

28. Describe any conditions that may cause doubt about the plan’s ability to continue as a going concern that could affect the risk of material misstatement of the financial statements.

Based on discussions with Plan management and review of Plan sponsor’s financial statements, there appears to be no substantial doubt about the ability of the Plan to continue as a going concern.

Risks

29. If not listed previously, describe potential financial statement risks related to the nature of the plan. Consider risks that could result in misstatements of the financial statements.

No additional significant risks or conditions were identified.

Objectives and Strategies and Related Business Risks

30. Describe the plan’s significant objectives, and its strategies for achieving them, focusing on matters affecting the plan’s accounting, the financial statements, or the audit. Consider objectives and strategies related to industry or regulatory developments, the plan’s investment offerings, plan amendments, the use of third-party service providers, and technology.

The plan sponsor has outsourced most functions related to the Plan to service providers who are highly specialized in employee benefit plan administration. The service providers and the Plan are overseen and monitored by the Administrative Committee.

31. If not listed previously, describe potential business risks that may affect the plan’s ability to achieve its objectives or execute its strategies. Consider risks that could result in misstatements of the financial statements.

No additional significant risks or conditions were identified.

Measurement and Review of the Plan’s Financial Performance

32. What performance measures, both financial and nonfinancial, are most important in managing and measuring the plan’s results (for example, investment returns, cash flow, regulatory compliance, employee satisfaction, etc.), and what reports are used to monitor those indicators?

Compliance with laws and regulations, investment returns, and participant participation and satisfaction are most important. The Administrative Committee meets regularly to review and discuss the investment performance and to discuss any legal or regulatory developments. The Committee reviews reports prepared by Best Retirement Plan Services showing investment returns and benchmarks for similar investments. The Committee also reviews monthly participation reports.

33. If not listed previously, describe potential financial statement risks related to the plan’s measurement and review of its financial performance. Consider risks that could result in misstatements of the financial statements.

The Plan Administrative Committee monitors investments, plan participation and complaints.

No additional significant risks or conditions were identified.

Other Considerations and Risks

34. Describe any other significant aspects of the plan or its environment, including other agreements or contracts, for example, collective bargaining agreements or contract with a third-party plan administrator, that have audit significance. Obtain copies or abstracts of agreements for retention in the plan’s permanent file. Review new documents or changes in documents for matters affecting the plan’s accounting, the financial statements, or the audit. Describe any other potential risks that could result in misstatement of the plan’s financial statements.

None noted. All contracts and service agreements are included in the PF.

35. Consider whether information gathered about the plan and its environment, including the consideration of fraud risk factors, indicates potential risks that could result in misstatements of the plan’s financial statements due to fraud, and describe those potential risks. Describe which types of revenue, revenue transactions, or assertions give rise to the risk of improper revenue recognition due to fraud.

See Risk Assessment Summary Form.

Part II—Procedures Performed

1. Describe the sources of information used and procedures performed to obtain or update your understanding of the plan and its environment.

Information used in updating our understanding of the Plan and its environment was obtained through inquiry with client, inquiry of service organizations, observation, inspection, substantive procedures, review of perm file documents, review of Plan minutes and SSAE 16 reports.

Part III—Conclusion

1. We have documented our understanding of significant matters affecting the plan and its environment and considered potential risks both individually and in combination. We have included matters that represent risks of material misstatement of the financial statements at EBP-CX-7.1.

Completed or Updated by: 2014 2013 2012

Name Date Name Date Name Date


EBP-CX-4.1


Index N-03a

CX-4.1: Understanding the Design and Implementation of Internal Control

Plan: ABC 401(k) Plan

Financial Statement Date: 12/31/2014

Instructions: This form may be used to document the understanding of internal control relevant to the audit and the sources of information used and procedures performed to obtain or update the understanding. Obtain the understanding by making inquiries of management and others, observing plan procedures and controls, inspecting documents and records, and tracing transactions through the system (that is, performing walkthroughs) to evaluate the design of controls relevant to the audit and determine whether they have been implemented. Corroborate inquiries through observation or inspection to determine that controls exist and are being used.

While obtaining an understanding of the design and implementation of internal control, focus on—

• The identified risks to the financial statements.

• The assertions and principles or control objectives related to the identified risks.

• The controls the client has in place to mitigate identified risks.

• Whether or not those controls are properly designed and implemented.

• The possible effect on the audit of your understanding (for example, on the design of substantive procedures or the decision about whether to test controls).

If the plan has multiple locations or employers, consider the need to obtain an understanding of controls for each location or employer, to the extent needed to assess the risk of material misstatement.

The “Activity and Entity-level Control Forms” at EBP-CX-5 are optional source lists of control activities and entity-level controls and may be used to assist you in identifying and describing the plan’s controls. If desired, they may be completed to further document your understanding of controls and to indicate the controls, if any, that you plan to test.

Control Environment

1. Obtain an understanding and describe how the attitudes, awareness, and actions of management, as well as those charged with governance, demonstrate its commitment to accurate accounting and financial reporting. Evaluate whether management has created and maintained a culture of honesty and ethical behavior, the control environment provides an appropriate foundation for the other components of internal control, and those other components are not undermined by deficiencies in the control environment. (Concentrate on the implementation of controls because controls may be established but not acted upon.) (See section 406.)

Consider the following principles:

○ The plan demonstrates a commitment to integrity and ethical values.

○ The board of trustees or other plan oversight committee demonstrates independence from management in exercising oversight of the development and performance of internal control over financial reporting.

○ With board oversight, management establishes structures, reporting lines, and appropriate authorities and responsibilities to achieve financial reporting and regulatory compliance objectives.

○ The plan demonstrates a commitment to attract, develop, and retain competent individuals in alignment with financial reporting objectives.

○ The plan holds individuals accountable for their internal control responsibilities.


Based on past experience and interaction with plan management, plan management appears to have integrity and to operate the Plan in an ethical manner. Plan management has been open and forthright and has demonstrated a commitment to objectivity in its dealings with us and with the Plan participants. The Company’s code of conduct is outlined in the employee handbook. All employees are given the employee handbook when they are hired. In addition, they are required to confirm that they have read it. Plan management has formal job descriptions outlining roles and responsibilities of Plan personnel, who are evaluated at least annually and are provided with written performance reviews. The Administrative Committee is actively involved and oversees the operations of the Plan. The Committee meets regularly. The Committee has outsourced many of the functions related to Plan administration to highly specialized and reputable service organizations. Plan management maintains responsibility for authorizing transactions processed by the service organizations. The Committee meets regularly with the service organizations and monitors their performance. The financial statements are prepared based on the plan document, certified trust statements, information provided by the recordkeeper and payroll reports. Plan management reviews financial information as well as SSAE 16 reports provided by the service organizations.

2. Describe the sources of information used and procedures performed to obtain or update your understanding of the control environment and to evaluate the design of controls and determine whether they have been implemented.

We reviewed the employee handbook noting that it properly outlined the Company’s standards with respect to conduct. We also inspected confirmation from Jack Johnson, new hire, confirming that he had read the handbook.

We also reviewed the Administrative Committee minutes, service provider contracts and SSAE 16 reports obtained from service providers.

3. Considering the size and complexity of the plan, is the control environment properly designed and implemented? (If no, describe the deficiency of design or implementation and the potential risks to the financial statements. Determine if those risks should be included on EBP-CX-7.1. Accumulate and evaluate deficiencies using EBP-CX-15.1.)

Yes

Risk Assessment

4. Obtain an understanding and describe what plan management does to identify and respond to business or operations risks that may affect accounting or financial reporting. Risk assessment involves management identifying potential risks of misstatement in the financial statements, estimating their significance, assessing the likelihood of their occurrence, and implementing control activities or taking other steps to address those risks. (This process may be informal with little or no documentation.) Inquire about and document business risks that management has identified and how they have addressed those risks, and consider whether those risks may result in material misstatement of the financial statements. (See section 406.)

Consider the following principles:

○ The plan specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to financial reporting objectives.

○ The plan identifies risks to achieving its objectives and analyzes risks to determine how the risks should be managed.


EBP (2/15) © 2015 Thomson Reuters/Tax & Accounting. All Rights Reserved. Reprinted with permission from PPC's Guide to Audits of Employee Benefit Plans, Twenty-fifth Edition (February 2015)


○ The plan considers the potential for fraud in assessing risks to the achievement of financial reporting objectives.

○ The plan identifies and assesses changes that could significantly impact the system of internal control.

The Company maintains a fraud prevention policy which is utilized by plan management. However, the risk assessment process is informal. Plan management identifies potential risks in conjunction with the monitoring of plan operations and has adopted accounting policies that are appropriate for the Plan and consistent with GAAP. Plan management keeps abreast of current laws and regulations including those that potentially impact the financial statements. The monthly, quarterly and year-end financial reports and SSAE 16 reports are reviewed by various levels of plan management to avoid misstatement. Monitoring of service providers and plan operations is on-going.

5. Describe the sources of information used and procedures performed to obtain or update your understanding of the plan’s risk assessment process and to evaluate the design of controls and determine whether they have been implemented.

See "control environment" above. We also reviewed the fraud prevention policy.

6. Considering the size and complexity of the plan, is the risk assessment process properly designed and implemented? (If no, describe the deficiency of design or implementation and the potential risks to the financial statements. Determine if those risks should be included on EBP-CX-7.1. Accumulate and evaluate deficiencies using EBP-CX-15.1.)

Yes

Information and Communication

7. Obtain an understanding and describe the overall availability and timeliness of information necessary (both internal and external) for internal controls and the financial reporting system to function properly. This involves determining how the right information is made available to the right people at the right time. Also, describe how management communicates financial reporting roles and responsibilities and significant financial reporting matters to employees, those charged with governance, and appropriate external parties (such as regulatory authorities) and how exceptions are brought to the attention of persons at the appropriate level to take corrective action. (Communication may be written, electronic, oral, or through the direct actions and involvement of management.) (See section 406.)

Consider the following principles:

○ The plan obtains or generates and uses relevant, quality information to support the functioning of internal control over financial reporting.

○ The plan internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control over financial reporting.

○ The plan communicates with external parties regarding matters affecting the functioning of internal control.

Plan management meets and communicates regularly to address plan issues or concerns. Monthly reports are received from service organizations and reviewed by plan management. Quarterly statements are mailed to all participants for their review. Participants can access their account daily on-line and they are encouraged to report any discrepancies. Due to the small size, informal communication occurs routinely to ensure employees have the information needed to do their jobs and understand the types of problems that should be brought to the attention of plan management. Plan management is readily accessible and takes an open and positive approach when errors, omissions, or other matters are brought to her attention. The annual financial statements are prepared based on the Plan document, certified trustee statements, recordkeeper reports and payroll information.

8. Describe the sources of information used and procedures performed to obtain or update your understanding of the plan’s information and communication process and to evaluate the design of controls and determine whether they have been implemented.

See "control environment" above.

9. Considering the size and complexity of the plan, is the information and communication process properly designed and implemented? (If no, describe the deficiency of design or implementation and the potential risks to the financial statements. Determine if those risks should be included on EBP-CX-7.1. Accumulate and evaluate deficiencies using EBP-CX-15.1.)

Yes

Monitoring

10. Obtain an understanding and describe how management monitors the operation of the plan’s five components of internal control to make sure (a) controls are operating as intended and (b) changes to controls are made when necessary. Also, describe what reports or other information (such as investment reports, reconciliations, or monthly financial reports) management uses for that purpose and why management considers the information reliable. Consider controls relevant to the audit. (See section 406.)

Consider the following principles:

○ The plan selects, develops, and performs ongoing and/or separate evaluations to determine whether the components of internal control are present and functioning.

○ The plan evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of trustees or other plan oversight committee, as appropriate.

Monitoring the Plan's compliance with the IRS/DOL regulations is a priority of plan management. Annual compliance testing is completed and the Form 5500 with audited financial statements is filed timely. Experienced personnel are assigned to plan operations. The Administrative Committee oversees Plan operations and periodically analyzes plan results and data. The Administrative Committee actively monitors service organizations and reviews the SSAE 16 reports annually.

11. Describe the sources of information used and procedures performed to obtain or update your understanding of the plan’s monitoring process and to evaluate the design of controls and determine whether they have been implemented.

See "control environment" above. We also reviewed current monthly reports from the trustee and recordkeeper and discussed results with plan management. It appears that plan management understands the statements and reports provided to them.

12. Considering the size and complexity of the plan, is the monitoring process properly designed and implemented? (If no, describe the deficiency of design or implementation and the potential risks to the financial statements. Determine if those risks should be included on EBP-CX-7.1. Accumulate and evaluate deficiencies using EBP-CX-15.1.)

Yes

IT Environment and General Computer Controls

13. Document your understanding of the plan’s IT environment and the design and implementation of the plan’s general computer controls by completing EBP-CX-4.2.2. Consider whether the plan has selected and developed general controls that support the achievement of financial reporting objectives. If desired, provide a cross-reference to that workpaper. A separate memorandum, flowchart, or questionnaire, if used, also may be referenced.

W/P Ref. See RAS-07

Financial Close and Reporting

14. Document your understanding of the plan’s financial close and reporting process and the design and implementation of controls within that process to prevent or detect and correct material misstatements in the financial statements by completing EBP-CX-4.2.1 and, if applicable, EBP-CX-4.3.1 or EBP-CX-4.3.2. If desired, provide a cross-reference to that workpaper. A separate memorandum, flowchart, or questionnaire, if used, also may be referenced.

W/P Ref. See RAS-08

Activity-level Controls

15. Identify and list the significant transaction classes, if any, within each audit area. Significant transaction classes are those classes of transactions in the plan’s operations that are significant to the financial statements, generally because of the volume of transactions processed. (A list of transaction classes that might be significant is provided at EBP-CX-4.2.) Obtain an understanding of the procedures and related key control activities that are relevant to the audit within both manual and IT systems for processing significant transaction classes. Based on your understanding of control activities, you will ordinarily be able to determine whether the plan has (a) selected and developed control activities that contribute to the mitigation of risks to the achievement of financial reporting objectives to acceptable levels, and (b) deployed control activities through policies that establish what is expected and in procedures that put policies into action. Document your understanding by completing EBP-CX-4.2.1 and, if applicable, EBP-CX-4.3.1 or EBP-CX-4.3.2 for each significant transaction class. If desired, provide a cross-reference to those workpapers. A separate memorandum, flowchart, or questionnaire, if used, also may be referenced.

Significant Transaction Classes | Documentation of Significant Transaction Classes | W/P Ref.

Financial Close and Reporting: RAS-06
Defining the Financial Close and Reporting Process [ ]
Performing the Accounting Period Close [ ]
Capturing and Processing Nonroutine Information [ ]
Preparing and Reviewing Financial Statement Disclosures [ ]
Reviewing and Approving Financial Statements [ ]

Employer Contributions Received and Receivable:
Processing Contributions Received RAS-06

Investments and Contracts with Insurance Companies and Similar Institutions (Note a):
N/A-Limited Scope Audit

Participant Data and Employee Contributions: RAS-06
Maintaining Participant Data [ ]
Processing Employee Contributions [ ]

Benefit Payments:
Managing Benefit Payments RAS-06

Benefit Obligations and Participant Accounts:
Maintaining Participant Accounts RAS-06

Cash:
N/A

Notes Receivable from Participants:
Managing Participant Loans RAS-06

Property and Equipment Used in Operations:
N/A

Loans Payable:
N/A

Operating Expenses:
Not a significant transaction class

Other (specify): [ ]

Completed or updated by: (When this form is reviewed and updated instead of being completed anew, carefully reconsider the factors listed and responses documented on the form in light of known changed client conditions and document, for each engagement year, the procedures performed to update your understanding. If the form is updated, refer to the “List of Substantive Changes and Additions” included with each annual supplement of this Guide to determine whether the form has been revised in the current edition. If the form has been revised, complete the revised form instead of updating this form.)

2014 2013 2012 Name Date Name Date Name Date

Note a: Consistent with AEBP, Paragraph 8.169, in a DOL limited-scope audit, it is not necessary to gain an understanding of control activities related to investment assets and related transactions, information about which is prepared and certified by a bank or similar institution or an insurance company holding the assets. However, if any investments are not certified by such an institution, the auditor should consider gaining an understanding of accounting procedures.


EBP-CX-7.1: Risk Assessment Summary Form

Instructions

This form is designed for identifying significant audit areas, documenting the risks of material misstatement affecting each area (including fraud risks or other significant risks), assessing those risks, selecting an audit approach that is appropriately tailored to respond to the assessed level of risk, and documenting the linkage of the assessed risks to the audit procedures that respond to those risks. Your risk assessments should take into account materiality, the results of preliminary analytical procedures, information obtained about the plan and its environment, including its internal control, the consideration of fraud, engagement team discussions, results of engagement acceptance or continuance procedures, other engagements performed for the entity, and any other sources that provide information relevant to identifying and assessing risks.

Document risks of material misstatement at the overall financial statement level and the planned responses in Part I. Indicate whether the overall risks are fraud risks or other significant risks.

Complete the risk assessment summary table in Part II as follows (also considering any overall risks assessed in Part I):

Column Instructions

Significant Audit Area?
Place a check mark in the box for each audit area that is considered significant. An audit area includes the related account balances, transaction classes, and disclosures. An audit area is generally significant if it contains a significant transaction class, material account balance, fraud risk or other significant risk, or requires significant disclosures. See discussion at section 407.

Audit Area
Space is provided at the end of the risk assessment summary table to add audit areas unique to the plan or to describe specific risks related to matters such as related party transactions, subsequent events, significant estimates, or disclosures.

Identified Risks/Assertions Affected
Based on your understanding of the plan obtained when performing risk assessment procedures and the conclusions reached at EBP-CX-3.1, list in the space provided (1) any specifically identified risk that is of a magnitude that could result in material misstatement of the financial statements and (2) the related assertion(s).
There is a presumption that you will identify improper revenue recognition due to fraud as a risk of material misstatement.

Indicate If Significant Risk
Indicate if the identified risk of material misstatement is a fraud risk or other significant risk by placing an “F” in this column if the risk is a fraud risk or an “S” in this column if the risk is a significant risk other than a fraud risk. If the risk is not a fraud risk or other significant risk, leave the column blank. When considering whether an identified risk is a significant risk, determine if it relates to (1) significant economic, accounting, or other developments needing specific attention; (2) complex transactions; (3) significant related-party and party-in-interest transactions; (4) measurements that are subjective or uncertain, especially estimates with a high degree of uncertainty; or (5) significant transactions outside the normal course of business or that otherwise appear unusual. Treat significant related party transactions outside the normal course of business as significant risks. See discussion at section 407.

© 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved. Reprinted with permission from PPC's Guide to Audits of Employee Benefit Plans, Twenty-sixth Edition (February 2016).


Risk Assessment Documentation Approach
Assess the risk of material misstatement at the relevant assertion level. For audit areas that are not significant, or for significant areas where you have not identified any specific risks, it may be appropriate and more efficient to document the risk assessment for the audit area as a whole. If that is done, the risk assessment is assumed to be the same for all assertions and ought to be the highest level of risk for any assertion in the area. (Exercise caution when documenting the assessment at the audit area level. Failure to consider the level of risk related to each assertion could result in an inappropriate response.) However, for significant audit areas where you have identified one or more specific risks, document the risk assessment at the assertion level. When documenting the risk assessment at the assertion level, make an assessment for each relevant assertion regardless of whether you have identified any specific risks related to that assertion. See discussion at section 407. Consider the following assertions when making your risk assessments:

Existence or Occurrence (E/O)
Completeness (C)
Rights or Obligations (R/O)
Accuracy or Classification (A/CL)
Valuation or Allocation (V)
Cutoff (CO)

I/R
Document the assessed level of inherent risk as high, moderate, or low. Completing EBP-CX-3.1 and performing other risk assessment procedures generally provides a basis to assess inherent risk. The comments/linkage column may be used to document additional information to support the basis. The authors believe including a few comments about the nature of the audit area and related assertions will normally be sufficient. EBP-CX-7.2 provides a list of factors to consider that may influence inherent risk for each assertion or audit area.

C/R
Document the assessed level of control risk as high, moderate, or low based on the understanding of internal control and, if applicable, tests of controls documented at EBP-CX-10.1.

Assessed RMM
Document the combined assessed risk of material misstatement (RMM) as high, moderate, or low. See discussion at section 407.

Audit Approach
Select the audit approach that is responsive to the assessed risk of material misstatement, and tailor the audit programs as necessary. Obtain more persuasive audit evidence the higher the risk assessment. Regardless of the risk assessment, you should perform substantive procedures for all relevant assertions for each material class of transactions, account balance, and disclosure. In addition, you should perform substantive procedures specifically responsive to significant risks. When the response to significant risks consists only of substantive procedures, perform some tests of details rather than relying on only analytical procedures. Determining the audit approach is discussed in section 411.

Comments/Linkage
Provide comments as considered necessary about the risk assessment, planned responses, or to clarify the linkage between risks and responses.


Risk Assessment Summary Form

Part I-Overall Risks and Responses

Describe overall risks (that is, risks at the financial statement level that may affect many assertions) and your planned responses. Examples of overall risks include weaknesses in the control environment, changes in plan management, lack of plan expertise necessary to prepare the financial statements, going concern considerations, related-party and party-in-interest transactions, motivation by plan management to fraudulently misstate the financial statements, etc. Responses may include consideration of staffing, increasing the level of supervision, use of a specialist, changing the timing of procedures, incorporating unpredictability, etc.

Identified Risk: Management override of controls. (Significant) (Fraud)

Responses: The risk of management override of controls is addressed by procedures in the general audit programs. Such procedures include:

• Assignment of audit staff based on consideration of audit risk.
• Review and testing of journal entries and adjustments made to Plan financial statements.
• Procedures to incorporate an element of unpredictability in the audit from period to period.
• Consideration of the selection and application of significant accounting principles.
• Review of accounting estimates for bias.
• Evaluation of business rationale for unusual transactions.
• Evaluation of the appropriateness of fraud-related inquiries performed.

In addition we will be performing the following procedures: Reconcile contributions between payroll records and trustee records. For contribution receivables verify subsequent receipts. Verify that distributions are made to eligible participants and accurately calculated by recalculating, vouching to distribution forms and/or cancelled check, reviewing form 1099R, and tracing distributions to participant account statement.

Identified Risk: Improper certification (S)

Responses: We will review certification obtained from trustee and ensure investments and related activity are certified as complete and accurate and that the values are as of plan’s year end.

Plan: ABC 401(k) Plan Financial Statement Date: 12/31/2014 Completed by: Date: Approved by: [ ] Date: [ ]


Identified Risk: Noncompliance with laws and regulations (S)

Responses: We will review and evaluate Plan management’s procedures to ensure compliance with laws and regulations, inquire of those charged with governance, and remain alert during our audit to potential issues which would affect noncompliance.


Part II-Risk Assessment Summary

Document your specific risk assessments and your planned responses by completing the following table:

Risks of Material Misstatement | Risk Assessment | Response

Significant Audit Area? (=Yes) | Audit Area | Identified Risks/Assertions Affected | Indicate If Significant Risk (S=Significant, F=Fraud) | Risk Assessment Documentation Approach | I/R (H,M,L)a | C/R (H,M,L)b | Assessed RMM (H,M,L)cd | Audit Approach (L, B, E)e

Audit Area: Contributions Received and Receivable

Identified Risks/Assertions Affected: Improper revenue recognition due to fraud. Contributions are not timely remitted to the trust or are not remitted to trust. (E/O, C, CO)

Indicate If Significant Risk: S,F

By Audit Area: B

or By Assertion:
E/O L M L
C L M L
R/O L M L
V L M L
A/CL L M L
CO L M L

Commentf

Inherent risk assessment at RAS-05. Control risk was assessed at moderate for all assertions based on testing of controls at the Plan sponsor (reconciliation, review and approval of contributions) and our reliance on the controls tested and operating effectively in the SSAE 16 reports. See SSAE 16 review and our testing of entity user controls at J-series workpapers.

As a response to the fraud risk/significant risk identified, we will reconcile total contributions per payroll to total contributions received by the Plan. We will review the client’s schedule of remittances to the Plan and test the schedule to determine its accuracy. We will also select a sample of participants and test their total contributions per their W-2 and reconcile to total contributions received in their participant account.


Significant Audit Area? N/A Limited Scope Audit

Audit Area: Investments and Related Income—DOL Limited-scope Audit

By Audit Area:

or By Assertion:
E/O
C
R/O
V
A/CL
CO

Comment: N/A Limited Scope Audit.


Audit Area: Participant Data and Employee Contributions

Identified Risks/Assertions Affected: Employee contributions are not calculated accurately in accordance with participant’s request or the Plan document. (V, A/CL)

Indicate If Significant Risk: S

By Audit Area: B

or By Assertion:
E/O L M L
C L M L
R/O L M L
V L M L
A/CL L M L
CO L M L

Comment

Inherent risk assessment at RAS-05. Control risk was assessed at moderate based on our reliance on the controls tested and operating effectively in the SSAE 16 reports. See SSAE 16 review and our testing of entity user controls at J-series workpapers.

As a response to the significant risk identified, we will select a sample of participants and recalculate their contribution amount based on the participant’s election and the Plan document.


Audit Area: Benefit Payments

Identified Risks/Assertions Affected:
Distributions not properly calculated in accordance with participant’s request or the Plan (E/O, C, CO): S,F
Distributions are made to ineligible participants. (E/O): S,F

By Audit Area: B

or By Assertion:
E/O L M L
C L M L
R/O L M L
V L M L
A/CL L M L
CO L M L

Comment

Inherent risk assessment at RAS-05. Control risk was assessed at moderate based on our reliance on the controls tested and operating effectively in the SSAE 16 reports. See SSAE 16 review and our testing of entity user controls at J-series workpapers.

As a response to the fraud/significant risk identified, we will select a sample of participants and recalculate their distribution amount based on the participant’s election and the Plan document.


Audit Area: Participant Accounts (and Benefit Obligations)

Identified Risks/Assertions Affected: Need the identified risk?

By Audit Area: B

or By Assertion:
E/O L M L
C L M L
R/O L M L
V L M L
A/CL L M L
CO L M L

Comment

Inherent risk assessment at RAS-05. Control risk was assessed at moderate based on our reliance on the controls tested and operating effectively in the SSAE 16 reports. See SSAE 16 review and our testing of entity user controls at J-series workpapers.

We will reconcile total account balances per the recordkeeper to assets recorded by the trustee.


Significant Audit Area?: No

Audit Area: Operating Expenses

By Audit Area: L

Do we need to say anything here?

or By Assertion: E/O, C, R/O, V, A/CL, CO

Comment


Audit Area: Notes Receivable from Participants (Participant Loans)

Identified Risks/Assertions Affected: Participant loans not in accordance with participant’s election and/or plan documents or not being repaid properly. (E/O C, C/O)

Significant Risk: S,F

By Audit Area: B

or By Assertion (I/R, C/R, Assessed RMM):

E/O: L, M, L
C: L, M, L
R/O: L, M, L
V: L, M, L
A/CL: M, M, L
CO: L, M, L

Comment

Inherent risk assessment at RAS-05. Control risk was assessed at moderate based on our reliance on the controls tested and operating effectively in the SSAE 16 reports. See SSAE 16 review and our testing of entity user controls at J-series workpapers.

As a response to the fraud/significant risk identified, we will select a sample of participants and test that the loan was made in accordance with the participant’s election and the Plan document.

If you did not identify improper revenue recognition as a fraud risk in the risk assessment summary table, document the reasons supporting your conclusion. [ ]


Notes:

a You may make an overall, or combined, assessment of the risk of material misstatement at the assertion level by completing only the Assessed RMM column, or make separate assessments of inherent risk and control risk and then combine them as discussed in note b.

b Based on the assessed levels of inherent and control risk, the combined assessed RMM may be determined as follows:

Inherent Risk × Control Risk = Risk of Material Misstatement
High × High = High
High × Moderate = High
High × Low = Moderate
Moderate × High = Moderate
Low × High = Low
Moderate or Low × Moderate = Low
Moderate or Low × Low = Low

Use your judgment in determining the combined risk of material misstatement.

c Possible audit approaches are as follows:

L (Limited Procedures) = Preliminary analytical procedures, other risk assessment procedures, and final analytical procedures are considered sufficient. (This approach is not appropriate for significant audit areas.) No additional audit program is needed.

B (Basic Procedures) = The basic procedures in the core audit programs are sufficient. This approach includes primarily analytical procedures (includes some tests of details, many of which are required by the professional standards). If you plan to perform those procedures in the basic program to respond to an identified risk, document that response in the comments column. (This approach is generally not appropriate for fraud risks or other significant risks.)

E (Extended Procedures) = Basic substantive procedures plus selected extended procedures (procedures for additional assurance) or other audit procedures are needed for this audit area or assertion. If this approach is selected, go to the appropriate core audit program and select or develop extended procedures (procedures for additional assurance) or other audit procedures to respond to the risks at the relevant assertion level.

The particular tests selected, whether they are in the Basic or Extended programs, need to be tailored to the nature, cause, and direction of potential misstatements at the relevant assertion level. The auditor should also consider whether it is appropriate (or necessary) to alter the extent or timing of the procedures to adequately respond to the risk assessment.

d Comments might include:

- Information that clarifies how the audit programs/procedures have been tailored to respond to your risk assessment.
- Descriptions of the procedures that will be performed to specifically respond to fraud risks or other significant risks.
- Information about the nature, timing, or extent of further audit procedures in response to other identified risks.
- Whether you plan to perform procedures in the Basic Procedures section of the audit programs to respond to an identified risk.
- A reference to where tests of controls are performed.
- Documentation of the basis for your assessment of inherent risk for an assertion or account. A documentation example for property used in operations might be, “The property area has no complex accounting, auditing, judgmental, or other issues, other than the evaluation and categorization of related repairs and maintenance. Inherent risks for all assertions are considered to be low, other than completeness which is deemed to be moderate.”

© 2016 Thomson Reuters/Tax & Accounting. All Rights Reserved. Reprinted with permission from PPC's Guide to Audits of Employee Benefit Plans, Twenty-sixth Edition (February 2016).


EBP-CX-7.2

[Index RAS-05]

EBP-CX-7.2: Inherent Risk Assessment Form

Plan: ABC 401(k) Plan Financial Statement Date: December 31, 2014 Completed by: [ ] Date: [ ]

Instructions: This form may be used to assist with your assessment of inherent risk. While this form is optional, it can be used as a tool to identify and document the factors that significantly influence inherent risk. For each audit area, indicate whether the inherent risk factors represent a high (H), moderate (M), or low (L) level of risk for the relevant assertions or for the audit area as a whole, depending on your risk assessment approach documented on EBP-CX-7.1. (Alternatively, you may place a check mark for those factors that significantly influence inherent risk for each assertion or audit area.) Based on the significance of the identified inherent risk factors, assess overall inherent risk as high, moderate, or low and document your overall assessment at EBP-CX-7.1. Space is provided for comments, if desired, on the factors or assessments reflected in the table.

Columns: Audit Area a; Risk Assessment Approach b; Inherent Risk Factors (Engagement Risk c, Accounting Issues d, Auditing Issues e, Prior Period Misstatements f, Susceptibility to Fraud g, Accounting Personnel h, Need for Judgment i, Nature of Items j, Complexity k); Comments

Audit Area: Contributions Received and Receivable

By Audit Area:

The contribution process is not complex and the transactions are routine. There is proper segregation of duties at the Plan sponsor as well as the use of qualified service organizations in the process.

or By Assertion:

The susceptibility to misappropriation or misstatement of this account appears low. There have been no prior period misstatements noted in past year audits. See additional information on the process at RAS-05.

E/O: L L L L L L L L L
C: L L L L L L L L L
R/O: L L L L L L L L L
V: L L L L L L L L L
A/CL: L L L L L L L L L
CO: L L L L L L L L L

Audit Area: Investments, Derivatives, and Related Incomes

By Audit Area:

N/A Limited Scope Audit

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Contracts with Insurance Companies and Similar Contracts

By Audit Area:

N/A No such contracts

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Participant Data and Employee Contributions

By Audit Area:

The participant data and employee contribution process is not complex and the transactions are routine. There is proper segregation of duties at the Plan sponsor as well as use of qualified service organizations in the process.

or By Assertion:

The susceptibility to misappropriation or misstatement of this account appears low. There have been no prior period misstatements noted in past year audits. See additional information on the process at RAS-05.

E/O: L L L L L L L L L
C: L L L L L L L L L
R/O: L L L L L L L L L
V: L L L L L L L L L
A/CL: L L L L L L L L L
CO: L L L L L L L L L

Audit Area: Benefit Payments

By Audit Area:

The benefit payment process is not complex and the transactions are routine. There is proper segregation of duties at the Plan sponsor as well as use of qualified service organizations in the process.

or By Assertion:

The susceptibility to misappropriation or misstatement of this account appears low. There have been no prior period misstatements noted in past year audits. See additional information on the process at RAS-05.

E/O: L L L L L L L L L
C: L L L L L L L L L
R/O: L L L L L L L L L
V: L L L L L L L L L
A/CL: L L L L L L L L L
CO: L L L L L L L L L

Audit Area: Benefit Obligations

By Audit Area:

N/A Defined Contribution Plan

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Participant Accounts

By Audit Area:

Participant accounts are maintained and activity recorded by Best Retirement Plan Services. Transactions are routine. There is proper segregation of duties at the Plan sponsor as well as use of qualified service organizations in the process.

or By Assertion:

The susceptibility to misappropriation or misstatement of this account appears low. There have been no prior period misstatements noted in past year audits. See additional information on the process at RAS-05.

E/O, C, R/O, V, A/CL, CO

Audit Area: Cash

By Audit Area: N/A No cash

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Notes Receivable from Participants

By Audit Area:

The notes receivable from participants process is not complex, but transactions are infrequent due to the size of the plan and are therefore less routine. There is proper segregation of duties at the Plan sponsor as well as use of qualified service organizations in the process.

or By Assertion:

The susceptibility to misappropriation or misstatement of this account appears moderate. There have been instances in prior years where the loan repayments were not entered into the payroll system in a timely manner. See additional information on the process at RAS-05.

E/O, C, R/O, V, A/CL, CO

Audit Area: Property and Equipment Used in Operations

By Audit Area:

N/A None

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Accounts Payable and Accrued Expenses

By Audit Area:

N/A Not considered a significant audit area. The majority of Plan expenses are paid by the Plan sponsor.

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Loans Payable

By Audit Area:

N/A None

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Operating Expenses

By Audit Area:

N/A The only expenses are participant loan fees that are paid by the plan.

or By Assertion: E/O, C, R/O, V, A/CL, CO

Audit Area: Other

By Audit Area: N/A

or By Assertion: E/O, C, R/O, V, A/CL, CO

Notes

a Use a risk assessment approach consistent with your documentation on EBP-CX-7.1.

b Use a risk assessment approach consistent with your documentation on EBP-CX-7.1.

c The effect of risk factors that were identified on EBP-CX-3.1.

d The complexity and contentiousness of accounting issues.

e The frequency or significance of difficult-to-audit transactions or disclosures.

f The nature, cause, and materiality of misstatements detected in prior audits.

g The susceptibility to fraud, including both misappropriation of assets and fraudulent financial reporting.

h The competence and experience of personnel assigned to process data or make decisions.

i The extent of judgment or estimates involved.


j The size and volume of items comprising the account balances or transaction classes.

k The complexity of calculations.
