As plan sponsors and their auditors implement SAS 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA, one new requirement for management is to acknowledge their responsibility for assessing if a 103(a)(3)(c) audit is permissible. This includes whether the investment information is prepared and certified by a qualified institution and the certification complies with the requirements of 29 CFR 2520.103-5 and 103-8. SAS 136 is effective for audits of the plan’s financial statements for periods ending on or after December 15, 2021. This requirement is viewed by the Department of Labor (DOL) as part of the plan management’s responsibility to file complete and accurate annual reports (i.e. Form 5500).
As a result, plan sponsors must be aware of the components of a valid certification and how to assess those components.
Components of a Valid Certification. To be a complete and valid certification to elect a 103(a)(3)(c) audit, the certification attached to (or included with) the plan investment information being certified must be:
- issued by a qualifying institution to the plan,
- signed by an authorized representative of the qualified institution, and
- certify both the accuracy and completeness of the investment information.
To aid in completing these three requirements, below are a few practical pointers:
Qualified Institution. Management must ensure that the certification is issued by a qualified institution. 29 CFR 2520.103 requires the certification be prepared by a bank or similar institution or by an insurance carrier that is regulated, supervised, and subject to periodic examination by a state or federal agency. In addition, the certification should be specific to the plan being audited and should cover the entire plan year being audited.
Authorized Signer. The DOL has also stated that if there is any question as to the authorization of the certification’s signer, that management must take steps to resolve those questions prior to determining if a 103(a)(3)(c) audit is appropriate. If a certification is not signed by an authorized signer, it would not meet the DOL requirement for proper certification.
Certify Both Accuracy and Completeness. The certification will need to clearly certify both accuracy and completeness. If a certification were to only state that that information is either accurate or complete, but not both, it would not meet the DOL requirement for proper certification. If an institution includes any language, either within the certification or within the reporting package, that is not included in the standard language from the regulations, management must assess if such language would call into question the completeness or accuracy of the certified information.
The standard language cited within 29 CFR 2520.103-5 is: “The XYZ Bank (Insurance Carrier) hereby certifies that the foregoing statement furnished pursuant to 29 CFR 2520.103-5(c) is complete and accurate.”
Plan sponsors should understand what portion of the plan’s investments the certification covers. While a certification often covers all investments held by the plan during the audit period, it is possible the plan may hold investments in which only a portion are covered by a certification from a qualified institution.
SAS 136 has instituted a requirement for plan sponsors to assess if a 103(a)(3)(c) audit is permissible and if the certification received is valid for these purposes. Management should complete this assessment for each reporting period and provide their assessment along with their conclusions if the certification is valid and a 103(a)(3)(c) audit is permissible to their auditors during their annual audit.
It is also important to note that a certification covers only investments and the related investment income and does not extend to other areas of the audit.
For assistance with your annual employee benefit plan audits and implementation of SAS 136, please contact your trusted Sikich advisor.