Cover Page
Title Page

Notice to Readers

This Audit Risk Alert (alert) replaces Employee Benefit Plans Industry Developments—2016.

This alert is intended to provide auditors of employee benefit plan financial statements with an overview of recent economic, industry, regulatory, and professional developments that may affect the audits and other engagements they perform. It also can be used by plan management and plan sponsors to address areas of audit and accounting concern.

This publication is an other auditing publication, as defined in AU-C section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards (AICPA, Professional Standards). Other auditing publications have no authoritative status; however, they may help the auditor understand and apply generally accepted auditing standards.

In applying the auditing guidance included in an other auditing publication, the auditor should (using professional judgment) assess the relevance and appropriateness of such guidance to the circumstances of the audit. The auditing guidance in this document has been reviewed by the AICPA Audit and Attest Standards staff and published by the AICPA and is presumed to be appropriate. This document has not been approved, disapproved, or otherwise acted on by a senior technical committee of the AICPA.

Recognition

2017 Employee Benefit Plan Audit Risk Alert Task Force

Bertha Minnihan, Task Force Chair
Theresa Kluk Banka
Mark Blackburn
Sandi Carrier
Kriste DeAngelo
Monique Elliott
Judy Goldberg
Josie Hammond
Marilee Lau
David Leising
Dennis Polisner
Mark Ritter
Deborah L. Smith
Wendy Y. Terry
Beth Thompson
David Torrillo
Diane M. Walker
Diane M. Wasser
Michele M. Weldon

The AICPA gratefully acknowledges those members of the Auditing Standards Board, the AICPA Technical Issues Committee, and the AICPA Employee Benefit Plans Audit Risk Alert Task Force who helped identify the interest areas for inclusion in this alert. The AICPA also gratefully acknowledges the contributions of the Office of the Chief Accountant, the Employee Benefits Security Administration, and the U.S. Department of Labor (DOL).

AICPA Staff
Diana G. Krupica
Lead Technical Manager
Member Learning and Competency

Feedback

The Audit Risk Alert Employee Benefit Plans Industry Developments is published annually. As you encounter audit or industry issues that you believe warrant discussion in next year’s alert, please feel free to share them with us. Any other comments you have about the alert also would be appreciated. You may email these comments to A&APublications@aicpa.org.

____________________________

How This Alert Helps You

.01 This Audit Risk Alert (alert) helps you plan and perform your employee benefit plan audits and also can be used by plan management and plan sponsors to address audit and accounting concerns. It provides information to assist you in achieving a more robust understanding of the business, economic, and regulatory environments in which your clients operate. This alert is an important tool to help you identify the significant risks that may result in the material misstatement of financial statements and delivers information about emerging practice issues and current accounting, auditing, reporting, and regulatory developments. For developing issues that may have a significant effect on the employee benefit plan industry in the near future, the "On the Horizon" section provides information on these topics.

.02 It is essential that the auditor understand the meaning of audit risk and the interaction of audit risk with the objective of obtaining sufficient appropriate audit evidence. Auditors obtain audit evidence to draw reasonable conclusions on which to base their opinion by performing the following:

.03 The auditor should develop an audit plan that includes, among other things, the nature and extent of planned risk assessment procedures, as determined under AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (AICPA, Professional Standards). AU-C section 315 defines risk assessment procedures as the audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control; and to identify and assess the risks of material misstatement (whether due to fraud or error) at the financial statement and relevant assertion levels. As part of obtaining the required understanding of the entity and its environment, in accordance with paragraph .12 of AU-C section 315, the auditor should obtain an understanding of the relevant industry, regulatory, and other external factors, including the applicable financial reporting framework. This alert assists the auditor with this aspect of the risk assessment procedures and further expands the auditor’s understanding of other important considerations relevant to the audit.

Economic and Industry Developments

The Current Economy

General Discussion

.04 Recognizing that economic conditions and other external factors relevant to an entity and its environment constantly change, it is important for auditors to evaluate whether changes have occurred since the previous audit that may affect their reliance on information obtained from their previous experience with the entity. These changes may affect the risks and risk assessment procedures applicable to the current year’s audit.

.05 When planning an audit, auditors need to understand the economic conditions facing the industry in which an entity operates, as well as the effects of these conditions on the entity itself. These external factors—such as interest rates, availability of credit, consumer confidence, overall economic expansion or contraction, inflation, and labor market conditions—are likely to have an effect on an entity’s business and, therefore, its financial statements. Considering the effects of external forces on an entity is part of obtaining an understanding of the entity and its environment.

.06 The year 2016 was marked by steadily increasing employment rates, lackluster wage growth, an increase in long-term interest rates, and a continuing suppression of the price of crude oil. After the 2016 national elections in November, the U.S. stock market hit record high levels.

.07 Over the past few years, the Federal Reserve has decreased the target for the federal funds rate more than 5.0 percentage points from its high of 5.25 percent prior to the financial crisis, to less than 0.25 percent, where it remained until December 2015. After a long period of anticipation, at its December 2015 meeting, the Federal Reserve increased the target federal funds rate from 0.25 to 0.5 percent. At its December 2016 meeting, the rate was increased from 0.5 percent to 0.75 percent, and further increases are anticipated. The reasons cited for the decision to take action include the following:

Employee Benefit Plan Considerations

.08 Part of obtaining an understanding of the entity and its environment is considering how external forces affect an employee benefit plan. This consideration allows the auditor to plan and perform the audit to address risks identified. A new perspective with each audit is helpful as economic conditions and trends in the employee benefit plan industry may create additional risks of material misstatement that did not previously exist or did not have a material effect on the audit of the employee benefit plan in prior years.

.09 The following are challenges or trends that have occurred over the past few years that may be important for auditors to consider when gaining an understanding of the industry, in light of the current economic environment:

Hot Topics

Cybersecurity

.10 According to the 2016 Employee Retirement Income Security Act of 1974 (ERISA) Advisory Council report, cyber threats include data breaches whereby sensitive, protected, or confidential data have potentially been viewed, stolen, or used by someone unauthorized to do so. Individuals, organizations, and industries are susceptible to cyber threats, including employee benefit plans and their service providers. Common cyber risks to employee benefit plan participants include identity theft, privacy breaches, and theft of assets. The cost of a breach, which includes detecting the extent of the breach, recovering the data, and restoring technological systems, can be substantial.

.11 Cyber threats cannot be eliminated, but they can be managed. Employee benefit plans often maintain and share sensitive employee data and asset information across multiple unrelated entities as a part of the employee benefit plan administration process. Because employee benefit plans are regulated by ERISA, it is important for anyone who interacts with the plan to be particularly aware of the effect that breaches have on participants and beneficiaries and the associated rights and duties of plan fiduciaries and service providers arising under ERISA.