Working With Your Auditor

Transcription

1 Working With Your Auditor Internal controls are used to ensure that financial statements are accurate and the plan is being operated effectively, efficiently and in compliance with laws and regulations. Ultimately, trustees are responsible for these controls. 46 benefits magazine april 2014 v51 no4

2 by Patrick C. Stines and Ann Kellen A t a recent International Foundation conference session, trustees asked a multitude of questions about internal controls. It seemed as though, through no fault of their own, they didn t clearly understand their role in the plan s internal control process and how that relates to the functions of the external independent auditor. As a trustee, you likely are concerned with accurate financial reporting, protecting plan assets and complying with laws and regulations. A sound system of internal control is an integral part of these functions. This article is intended to be a quickreference tool to familiarize you with or enhance your understanding in the areas of: What is internal control? The role of your external independent auditor Controls at your third-party administrator (TPA) The audit committee Basic plan controls and policies. april 2014 benefits magazine 47

3 takeaways >> Internal controls are the practices and procedures used in running plan operations and reporting to interested parties. Benefit plans with clearly defined employee roles and accountability measures enhance the efficiency of trustee oversight. A plan s control activities should be tailored to its specific needs. Internal control is a management function, not the responsibility of the external independent auditor. Trustees have a fiduciary responsibility to monitor third-party administrators. An auditor can help trustees or management by informing them of expiring or nonexistent plan policies and contracts. What Is Internal Control? As a trustee, you are a member of the plan s governing body and, therefore, ultimately responsible for implementation and oversight of internal controls. Accounting standards define internal control as a process implemented by management to provide assurance regarding: Reliability of financial reporting Effectiveness and efficiency of operations Compliance with laws and regulations Safeguarding of assets. More than just a set of rules, internal controls are the practices and procedures used in running plan operations and reporting to interested parties. The goals of internal controls are to improve organizational performance, enhance oversight and prevent or detect fraud. Accounting standards use an internal control framework developed by the Committee of Sponsoring Organizations (COSO), a group of professionals from public accounting, government, education and related fields. The COSO model breaks down the reporting model into five core components: control environment, risk assessment, control activities, information and communication, and monitoring. Control Environment Tone at the Top This is the foundation of an internal control system and is the demonstrated attitude of those who run the organization. The tone at the top includes: Policies and manuals including an ethics policy, a conflict of interest policy, human resource manuals and accounting manuals Management s response to known internal control weaknesses: Have prior recommendations been corrected or are practices unchanged? Defined organizational structure: Who does what? Is there adequate segregation of duties? External auditors make inquiries of plan personnel. From those inquiries, we usually can determine if a strong system of internal control is in place. An answer such as I don t know can be an indicator of a lax control environment. Benefit plans with clearly defined employee roles and accountability measures enhance the efficiency of trustee oversight function. Risk Assessment What Could Go Wrong? Risk assessment includes: Addressing changes in regulatory and economic environments Management-established objectives (e.g., budgets) An outside review of high-risk areas Assessment of fraud risk. Risk assessment involves establishing objectives at different levels (reporting, operational, compliance-based) and identifying and analyzing what could go wrong. For example, the process of developing a disaster recovery plan is part of the risk-assessment process. Control Activities Policies and Procedures in Response to Risk Analysis Plan sponsors need to establish: What should be done, how and by whom? Policies and procedures regarding: Performance Information processing and reporting Physical controls Segregation of duties. These processes help plan management and employees ensure their directives are carried out and are working to achieve their objectives. A plan s control activities should be tailored to its specific needs. Information and Communication The best policies and procedures will be ineffective unless they are communicated effectively. This includes insuring that: 48 benefits magazine april 2014

4 Financial results are recorded and communicated in a timely manner. Documentation is retained in accordance with plan rules and legal requirements. Employees are kept well-informed. Communication breakdown could be a recipe for disaster. Departments within the fund office should routinely meet and discuss individual roles and processes. Monitoring This includes any activity ensuring controls are operating as planned and designed and entails: Ongoing evaluations Identifying and correcting deficiencies. Examples of monitoring could be a discussion by the fund administrator at a board meeting, communications with the plan s external auditor as a routine part of the audit committee function or a chat with the fund administrator. The objective would be to determine if established procedures are being followed and what areas require corrective enhancement. External Independent Auditor Responsibilities A common misconception is that internal control is the responsibility of the external independent auditor. Internal control is an inside job; a management function. Under current audit rules, the auditor is required to obtain an understanding of internal control relevant to the audit. That means in order to design audit tests, the auditor must first gain an understanding of the key internal processes related to the area he or she is testing. For example, while reviewing cash disbursements, the auditor generally would need to know: Who prepares bank reconciliations? Who reviews bank reconciliations? Who approves invoices prior to writing checks? Who signs the checks and by what means (manual signature or stamp)? How often are accounts payable processed? By obtaining the information related to that area s process, the auditor can develop a plan on how to audit that key area. Generally, the audit approach is broken down to focus on key reporting cycles including but not limited to: Cash disbursements Employer contributions and receipts Benefit payments Investment holdings and valuation Related party transactions. Your auditor is required to inquire of plan personnel in order to understand what controls and processes are in place and to determine if they have been implemented and functioning properly. Control evaluation usually consists of the following: What processes exist? Is the plan using them? Are they effective in preventing errors? After evaluating the control design, the auditor is required to report in writing any control deficiencies he or she has discovered. From the auditor s perspective, a deficiency is any process, or lack thereof, that will not timely prevent a misstatement to the financial statements. This reporting could also include violations of current practices that have not resulted in a financial reporting error but could lead to such an event. Below are a few examples of internal control deficiencies: Trustee expense reports are not reviewed prior to payment. There is no monitoring of outside providers. Money paid to the pharmacy benefits manager is not reconciled to detailed claims registers. No employer payroll audits are performed. learn more >> Education Essentials of Multiemployer Trust Fund Administration June 2-6, Brookfield (Milwaukee), Wisconsin Visit for more information. Accounting and Auditing Institute for Employee Benefit Plans June 23-25, Las Vegas, Nevada Visit for more information. From the Bookstore Payroll Auditing: A Guide for Multiemployer Plans, Second Edition Lawrence R. Beebe and Philip Vivirito. International Foundation Visit for more details. Trustee Handbook: A Guide to Labor- Management Employee Benefit Plans, Seventh Edition Edited by Claude L. Kordus. International Foundation Visit for more details. april 2014 benefits magazine 49

5 << bios Patrick C. Stines, CPA, is a partner at SaxBST, a New York, New Yorkbased multidisciplinary public accounting firm with a specialty in providing accounting and auditing services to multiemployer employee benefit funds. He has nearly 15 years of experience in public accounting, working exclusively with Taft-Hartley employee benefit plans and labor unions. Stines earned a B.S. degree from State University of New York at Old Westbury. He can be contacted at pstines@saxbst.com. Ann Kellen, CPA, is the director of finance for Wilson-McShane Corporation, a third-party administrator based out of Bloomington, Minnesota. She manages the bookkeeping and compliance departments for all Wilson-McShane offices and oversees external audits of funds the firm administers. Kellen previously worked for over 16 years auditing multiemployer pension, welfare and apprentice plans, as well as nonprofit organizations including school districts, labor unions and small foundations. Kellen holds an active license as a certified public accountant. She can be contacted at At the conclusion of the audit, the auditor will remind trustees of the following: Internal management assesses risk and develops policies and procedures. Internal policies should be implemented and monitored. The auditor obtains an understanding of the controls during audit planning. The auditor evaluates controls and reports deficiencies in writing to the trustees. Trustees evaluate recommendations and correct control deficiencies as needed. Controls at the TPA A TPA is a separate organization hired by plan trustees to perform duties and guidelines established by the trustees. The TPA, much like the external auditor, advises on and implements decisions, but does not make them. TPAs are hired to interpret the contractual plan language and can provide full benefit administration of the plan or only specific aspects of the plan, for example to pay dental benefits according to the plan design. The TPA typically dictates the flow of information and internal controls. The external auditors may go to the TPA s office to perform the audit, depending on the services the TPA performs and the location of financial records. The fund has the same governance regulations under ERISA, reporting requirements and deadlines whether it uses a TPA or is self-administered. It is still the fiduciary responsibility of the trustees to monitor the TPA, as with all service providers. The trustees retain the ultimate legal authority of the benefit plan. Audit Committee Trustee board meetings normally have full agendas. The presentation of the latest audited financial statements can be limited, and discussions related to internal controls can be nonexistent. A formal audit committee can be an effective tool for trustees to learn about plan operations. In a multiemployer environment, it is not uncommon for trustees, especially management trustees, to have very limited connection to the daily ongoing operations of the plans for which they can have personal liability. An audit committee can provide some of the following benefits: Documented risk assessment Documented policies Discussions related to fraud Enhanced discussions with the plan auditor Focus on compliance with plan policies Compliance with laws and regulations Oversight of the financial statement process Efficiency of plan operations Direct contact with internal department managers. Basic Plan Controls and Policies Regardless of the size and complexity of the plan, following the five components of the COSO model is a great place to start. Additionally, the following underlying principles are helpful in developing specific procedures for any plan pro- 50 benefits magazine april 2014

6 cess (e.g., benefit payments, contribution collections): Establish objectives: what you want to achieve, prevent or detect. Document processes and steps for approval and documentation. Segregation of duties: Divide employee responsibilities to reduce opportunities for any one person to both commit and conceal errors. Define policies. Hire qualified personnel for each job function. As part of the financial statement audit, the auditors collect plan policies and vendor contracts as part of their permanent file. One way the auditor could be of additional assistance would be to inform the board or management if any plan policies and contracts have expired or are nonexistent. Your plan may have written policies in the following areas: Investment guidelines Cost sharing with related funds and union Delinquent employer collections and payroll audit Lease agreements with related funds and union Trustee travel and expense reimbursement Cash disbursements Personnel manual Conflict-of-interest policy Whistle-blower policy HIPAA and disaster recovery policies Records retention policy. Internal controls are an integral part of every organization. How they are established, used and monitored can be the basis for success or failure for an employee benefit plan. New York Public Sector Scholarship Available Do you know of a recent New York public university system graduate or current graduate student who is interested in exploring a career in the public sector benefits field? The International Foundation is seeking candidates for a scholarship that will allow a recent graduate or current student of a New York state public university to attend the 60th Annual Employee Benefits Conference, October in Boston, Massachusetts. The scholarship, made possible through funding from the former New York State Public Sector Coalition on Health Benefits, covers conference registration, transportation, hotel accommodations and a one-year individual membership with the Foundation. The recipient will be recognized during a keynote session and at the Public Sector Reception held at the Annual Conference. Applications are due September 12 and will be evaluated by a panel of public employee representatives who are Foundation members. Visit for more information and an application form each candidate must complete. Questions can be directed to Connie Wells at (262) or conniew@ifebp.org or Stacy Van Alstyne at (262) or stacyv@ifebp.org. april 2014 benefits magazine 51