This article covers what SAS 136 actually changed, how the ERISA Section 103(a)(3)(C) election works, who qualifies, and what plan sponsors must do to stay compliant. SAS 136 has been fully in force for plan years ending on or after December 15, 2021, so this isn't theoretical — it governs how audits are conducted right now.
Key Takeaways
- The 103(a)(3)(C) election replaces what was previously called a "limited scope audit" under the same statutory basis, with a new name and stricter requirements.
- Banks, trust companies, and regulated insurance carriers qualify to issue the required certification; broker/dealers do not.
- Plan sponsors must provide written acknowledgments confirming the election is permissible, a formal precondition before the audit can proceed.
- Auditors issue a dual opinion rather than disclaiming an opinion on the full financial statement.
- Form 5500 must be substantially complete before auditors can date their report.
What Is SAS 136 and Why Did It Change the Audit Landscape?
The AICPA's Auditing Standards Board issued SAS No. 136 in July 2019, codified as AU-C Section 703, specifically to address persistent audit quality concerns in the employee benefit plan space. The DOL's 2015 study of Form Year 2011 audits found that 39% of reviewed audits contained major deficiencies, and limited-scope audits had grown from 48% of the audit population in 2001 to 83% by 2013.
The DOL's November 2023 audit quality study confirms these problems haven't fully resolved even after SAS 136 took effect: 30% of audits still had major deficiencies. Firms auditing only one or two plans showed a 70% deficiency rate, compared to 17% for firms handling 100 or more plans annually.
SAS 136 responded by overhauling the entire audit framework, not just the investment certification piece. The standard affects:
- Engagement acceptance and precondition assessment
- Risk identification and audit planning
- Substantive procedures across all plan areas
- Written communications with those charged with governance
- The structure and content of the auditor's report
AU-C Section 703 applies to single-employer, multiple-employer, and multiemployer ERISA benefit plan audits — meaning plan administrators across virtually every organizational structure need to understand its requirements.
What Is the ERISA Section 103(a)(3)(C) Audit Election?
Under ERISA Section 103(a)(3)(C) (codified at 29 U.S.C. 1023(a)(3)(C)), plan management may elect to exclude certain investment information from the full scope of the audit, but only when a qualified institution certifies both the accuracy and completeness of that information.
SAS 136 made this distinction explicit: the 103(a)(3)(C) election is not a scope limitation — it's a fundamentally different type of audit. SAS 136 retired the old "limited scope audit" terminology entirely.
The Old Approach vs. the New
Under the prior standard, auditors simply disclaimed an opinion on certified investment information — stepping away from that portion of the financial statements. SAS 136 replaced that disclaimer with a dual opinion structure:
- Opinion on certified information: Whether financial statement amounts and disclosures related to certified assets agree with or are derived from the qualified institution's certification
- Opinion on non-certified information: Whether all other financial statement information is presented fairly in all material respects under the applicable financial reporting framework
This is a meaningful change. Auditors can no longer avoid the certified investment data — they must actively assess whether it agrees with the financial statements and confirm that related disclosures comply with GAAP.
What Auditors Must Now Do
Those procedural requirements translate directly into audit work. Under a 103(a)(3)(C) engagement, auditors must:
- Confirm the certifying institution is qualified under 29 CFR 2520.103-8
- Classify which investment information falls within the certification's scope
- Evaluate whether the certification itself satisfies regulatory requirements
- Assess whether certified amounts agree with financial statement presentations
- Review related disclosures for compliance with the applicable reporting framework
- Perform standard audit procedures on any investment information not covered by the certification
If the auditor finds the certification is incomplete, inaccurate, or otherwise unsatisfactory, they must discuss the discrepancies with plan management and determine next steps. There is no option to simply disclaim on that portion.
Who Qualifies for a Section 103(a)(3)(C) Audit?
Eligibility depends entirely on who holds the plan's assets. Qualified institutions under 29 CFR 2520.103-8 are limited to:
- Banks
- Trust companies
- Insurance carriers regulated by federal or state agencies
Who Does Not Qualify
Broker/dealers and mutual fund companies are not qualified institutions for 103(a)(3)(C) certification purposes, even if they hold plan assets. Plans primarily custodied through these entities cannot make the election and must undergo a full non-103(a)(3)(C) audit.
Gray Areas Plan Sponsors Encounter
Eligibility isn't always a clean yes or no. Several scenarios trip up plan sponsors who assume their custodian qualifies:
- Agent certifications: A brokerage arm of a qualified institution may issue a certification on the bank's behalf, but only if a contractual arrangement permits it. This is established practitioner guidance, not a formal DOL ruling. Ask the certifying entity to confirm their authority in writing and review service agreements directly.
- Hard-to-value assets: Limited partnership interests and private company stock must be reported at current fair value. If the institution reports these at original cost or a prior-year value, the certification may be inappropriate and the election invalid. Scrutinize how these assets are valued within any certification you receive.
- Incomplete certifications: A certification covering only accuracy, or only completeness, but not both, does not satisfy DOL requirements under 29 CFR 2520.103-5. Confirm the certification explicitly addresses both elements before relying on it.
- DOL rejection risk: If the DOL determines the certifying institution was not actually qualified, it can reject the election and require a full non-103(a)(3)(C) audit, with potential penalties for the plan sponsor.
New Responsibilities for Plan Sponsors Under SAS 136
Plan sponsors carry far more formal responsibility under SAS 136 than they did under prior standards. The election doesn't happen automatically. It requires documented management decisions before the engagement even begins.
Four Required Written Acknowledgments
Plan management must acknowledge in writing to the auditor that they have:
- Determined the 103(a)(3)(C) election is permissible for this plan
- Confirmed the certifying institution qualifies under 29 CFR 2520.103-8
- Confirmed the certification satisfies requirements under 29 CFR 2520.103-5
- Verified that certified investment information is appropriately measured, presented, and disclosed under the applicable financial reporting framework
The AICPA has published a plan management evaluation tool to help sponsors work through this assessment.
What the Election Does Not Eliminate
Plan administrators remain fully responsible for:
- Maintaining a current plan instrument, including all amendments
- Administering the plan in accordance with its terms
- Preparing financial statements in conformity with GAAP and DOL requirements
- Maintaining sufficient participant records to determine benefits owed
The Form 5500 Timing Issue
SAS 136 requires auditors to review a substantially complete draft of Form 5500 before dating the audit report. This is a significant procedural change that catches many plan sponsors off guard.
The old sequence — audit report first, Form 5500 after — no longer works. Plan sponsors need to treat Form 5500 preparation as a pre-audit task:
- Before: Sponsors often finalized Form 5500 after receiving the audit report
- Now: A substantially complete draft must be ready for auditor review before the report is dated
Documentation to Retain
If the DOL ever questions the election, plan sponsors need to produce:
- The written evaluation confirming the election is permissible
- Evidence the certifying institution is qualified
- The certification package itself
- Evidence the certification is complete and covers all required assets
- Management's assessment of how certified investment information is presented in the financial statements
103(a)(3)(C) vs. Non-103(a)(3)(C) Audits: Key Differences
| Item | 103(a)(3)(C) Audit | Non-103(a)(3)(C) Audit |
|---|---|---|
| Investment testing | Auditor assesses agreement with certification; no independent testing of certified assets | Auditor independently tests all investment information |
| Opinion structure | Dual opinion on certified and non-certified information | Standard ERISA plan audit opinion |
| Plan sponsor preconditions | Written election and certification assessment required | No certification election needed |
| Prevalence | 83% of EBP audits were this type (formerly "limited scope") in 2020 | Approximately 17% of audits |
| Typical fee | Generally lower due to reduced investment testing | Generally higher due to full investment procedures |
The 103(a)(3)(C) election no longer offers a meaningfully easier audit path. Auditors now carry significant new procedures even on certified investments, and plan sponsors face formal documentation obligations regardless of which route they take.
Quick decision framework:
- A bank, trust company, or regulated insurance carrier holds plan assets and can certify both accuracy and completeness → the election is likely available
- Assets are held by broker/dealers or mutual fund companies, or a valid certification cannot be obtained → a full non-103(a)(3)(C) audit is required
How to Prepare for Your ERISA Audit Under SAS 136
Pre-Audit Checklist for Plan Sponsors
- Verify custodian eligibility — Confirm whether your asset custodian qualifies as a bank, trust company, or regulated insurance carrier under 29 CFR 2520.103-8
- Obtain the certification early — Request and review the investment certification before your engagement begins; confirm it covers the full plan year and all plan assets, and certifies both accuracy and completeness
- Check hard-to-value assets — Identify any limited partnership interests, private company stock, or other illiquid holdings and confirm they're certified at current fair value
- Start Form 5500 early — Have a substantially complete draft ready before auditors need to date their report
- Gather plan documents — Compile the current plan instrument, all amendments, service agreements with the certifying institution, and prior-year audit reports
Governance and Communication
SAS 136 requires auditors to deliver reportable findings in writing to those charged with governance. Plan sponsors should:
- Establish a clear governance structure (plan committee, board committee, or designated fiduciary) before the audit begins
- Designate a point of contact authorized to receive and respond to written audit communications
- Be prepared to act on findings — if reportable matters exist, auditors must document them, and plan sponsors are expected to respond
Managing audit documentation alongside ongoing HR and benefits administration is a real operational strain for many plan sponsors. A PEO partner with strong benefits infrastructure can take over plan documentation management, compliance tracking, and provider coordination — letting internal staff focus directly on audit response. HRO Advisors helps businesses find the right PEO fit through a free, no-obligation comparison process, including for organizations working through ERISA compliance obligations.
Frequently Asked Questions
What is an ERISA Section 103(a)(3)(C) audit?
It's a type of ERISA employee benefit plan audit (formerly called a "limited scope audit") where plan management elects to exclude investment information from the full audit scope, provided a qualified institution (bank, trust company, or regulated insurance carrier) certifies both the accuracy and completeness of that investment data.
Who qualifies as a "qualified institution" for issuing a certification?
Qualified institutions are banks, trust companies, and insurance carriers regulated by federal or state agencies. Broker/dealers and mutual fund companies do not qualify. Plan sponsors must verify eligibility before making the election — review service agreements or contact the certifying entity to confirm their regulatory authority.
What happens if the DOL rejects a Section 103(a)(3)(C) election?
The DOL can determine the certifying entity was not qualified and require a full non-103(a)(3)(C) audit. The plan sponsor may face government-assessed penalties and the cost of an additional audit , making pre-election verification of the certifier's status essential.
When did SAS 136 take effect and rename the limited scope audit?
SAS 136 became effective for ERISA plan financial statements for periods ending on or after December 15, 2021 (delayed one year from the original 2020 effective date due to COVID-19). The first wave of 103(a)(3)(C) audits under the new standard were performed in 2022 for the 2021 plan year.
Does a 501(c)(3) organization require an ERISA plan audit?
Yes, if the organization sponsors an ERISA-covered benefit plan with 100 or more eligible participants. Tax-exempt status does not exempt a non-profit from ERISA audit requirements ; the same rules apply as for for-profit plan sponsors.
What is an A-133 audit, and is it the same as an ERISA audit?
No. An A-133 audit, now called a Single Audit under Uniform Guidance, applies to non-profits and government entities that expend $750,000 or more in federal financial assistance annually. It covers federally funded programs, not employee benefit plan assets, and is entirely separate from an ERISA plan audit.
