Generally, Federal law requires employee benefit plans with more than 100 participants with account balances to have an independent audit of the plan performed and to include audited financial statements with the Form 5500 filing.

One of the most important decisions a plan administrator makes as part of their fiduciary duties is selecting a qualified, independent audit firm. So when making this decision, what really matters? Here is a guide to walk you through the aspects of an initial plan audit including how to choose an auditor.


How companies can prepare for a 401(k) audit

As companies grow, often so do regulatory requirements. One important requirement that leaders of growing companies need to stay on top of is that they must have their 401(k) plans audited if they have more than 100 participants.

Of course, every company with a 401(k) plan must file a Form 5500 with the IRS, regardless of size. It’s important for businesses to be familiar with audit rules to prevent a situation in which a company realizes a 401(k) audit is needed only after its Form 5500 is rejected. (It should be noted that companies can file for an automatic extension of the filing deadline to Oct. 15, so long as they do so before July 31.)

As with many government regulations, even the 100-participant threshold is not as straightforward as it sounds. The count of participants is as of the first day of the plan year, and employees are considered participants once they have met the plan’s eligibility requirements, regardless of whether they have actually enrolled in the program.

If your company has crossed that 100-participant threshold, the prospect of an audit may sound a little overwhelming. However, with proper preparation, the process can go smoothly.

Selecting an Auditor

Licensing for a Benefit Plan Auditor

Federal law requires an employee benefit plan auditor to be licensed or certified as a public accountant by a State regulatory authority. In addition, the auditor must be independent and not have any financial interests in the plan or the plan sponsor.

Experience and Training

Employee benefit plan audits are quite different from corporate audits. One of the most common reasons for deficient accountants’ reports is the failure of the auditor to perform tests in areas unique to benefit plans. The more training and experience an auditor has with employee benefit plan audits, the more familiar the auditor will be with specialized benefit plan auditing standards.

Some key questions to ask when considering an auditor are:

  • How many employee benefit plan audits do you perform each year?
  • Does your audit firm have a dedicated team that focuses on employee benefit plan audits?
  • Is there specialized employee benefit plan audit training?

Association Memberships

Is the audit firm a member of the American Institute of Certified Public Accountants (AICPA) and the Employee Benefit Plan Audit Quality Center (EBPAQC)?

The EBPAQC is a voluntary membership center to help firms meet the challenges of performing audits of employee benefit plans. Being a member requires the firm to be in compliance with rigorous standards and practices specific to plan audits. In addition, both the AICPA and EBPAQC require members to have their audit practices reviewed by internal and external qualified auditors. Visit the EBPAQC site to learn more about the requirements.

Importance of Selecting a Qualified Auditor

Employee benefit plan audits have increasingly become the subject of examination by the DOL and IRS. An adverse examination from the DOL or the IRS related to an incomplete, inadequate, or untimely annual report may result in penalties being assessed against the plan administrator, so it is imperative to select a qualified employee benefit plan auditor.

What to Expect in an Initial Retirement Plan Audit

We frequently work with retirement plans undergoing their first required audit and find that many of the plan sponsors are not aware of all the requirements necessary for completing and filing the audit. If you currently have a small plan but anticipate growing to large plan status, we recommend you start addressing these requirements in the years leading up to the first audit. The more prepared your company is when the audit starts, the more time and resource efficient both your company personnel and the independent auditor can be.

When is a 401(K) Plan Required to be Audited?

Generally, a plan must be audited when it has more than 100 participants with account balances on the first day of the plan year (120 if the plan filed as a small plan in the prior year, and 100 every year after).

Audits must be completed seven months after the end of the month the plan year ends, with an option to extend the deadline for two and a half months. For example, if you have a calendar year-end plan (December 31), audits must be completed by July 31 of the following year, with an option to extend through October 15.

What Does the Auditor Look for?

An audit of a retirement plan will look at two main areas:

  1. COMPLIANCE – To verify the plan is operating in compliance with the plan-related documents.
  2. FINANCIAL REPORTING – To determine the accuracy of the financial information as reported on Form 5500 and plan financial statements (including required disclosures).

How Best to Prepare for a 401(K) Plan Audit?

It is important to understand the following five areas to better prepare for a plan audit.

  1. Document Gathering and Organization
  2. Fiduciary Responsibility
  3. Operational Compliance
  4. Internal Controls
  5. Financial Reporting

Let’s dig into the details of these five areas.

1. Document Gathering and Organization

Among the first things your independent auditor will request are plan-related documents. Plan sponsors may not be familiar with all these documents or where they are kept within the company’s records. These documents include:

  • Executed plan document (including executed adoption agreement for a prototype or volume submitter plan)
  • Current IRS determination or opinion letter for the executed plan document
  • Any executed amendments to the plan document
  • Current and historical summary plan descriptions and summaries of material modifications
  • Executed 401(k) administrative committee minutes for the plan (see below on fiduciary responsibility)
  • Executed board minutes as they pertain to the plan
  • Trust and record keeping agreements with plan custodian and record keeper
  • Copies of prior years’ Form 5500 filed with the DOL
  • Copy of the plan’s fidelity bond insurance
  • Any other agreements or significant correspondence related to the plan

As a best practice, these documents should be easily accessible, organized, and current. These documents will also be required if your plan is selected for audit by the DOL.

2. Fiduciary Responsibility

Many plan sponsors are unfamiliar with the risks associated with being a fiduciary of their company’s 401(k) plan, even though fiduciaries can be held personally liable for a breach of their responsibility. Most are not even aware that they are a fiduciary of the plan.

A person is a plan fiduciary if he or she:

  • Exercises any discretionary authority or control over plan management
  • Exercises any authority or control over plan assets
  • Renders, or has any authority or responsibility to render, investment advice for a fee
  • Has any discretionary authority or responsibility over plan administration

How do plan fiduciaries act in the interest of plan participants while protecting themselves from liability? Plan sponsors should implement the following best practices to ensure the fiduciaries of the plan are acting in the participants’ best interest and are performing the duties required by law.

Form A 401(K) Administrative Committee

The board of directors should authorize this committee to take fiduciary, compliance, and reporting responsibility for the plan. It should be composed of senior-level company officials that have insight into the operations of the plan. For example, the heads of finance, human resources, and benefits as well as in-house legal counsel may be good choices to serve on the committee.

Hold Regular Committee Meetings and Retain Minutes

Once the administrative committee is formed, it should meet on a regular basis to review investment performance, plan compliance issues, and plan reporting issues. A quarterly meeting is usually sufficient. Minutes should be maintained for all meetings. Without documentation, it’s difficult to demonstrate that fiduciaries have performed their duties and have acted in the best interest of the participants of the plan.

Develop and Follow an Investment Policy Statement

An investment policy is a road map documenting which types of investments will be offered as options in a plan. An investment policy will help the committee identify which options are performing within acceptable benchmarks and which should be replaced with similar, better performing investment options.

Review Administrative Fees Being Charged to the Plan for Reasonableness

Many plan sponsors believe the administration of a 401(k) plan is free, or close to free, because they are not writing checks for plan record keeping services. In reality, all 401(k) plans cost money to administer, and most of the fees are “hidden” within the investment returns of the plan which are paid by the participants who earn those returns.

Consider an Outside Investment Advisor

Plan sponsors overwhelmed by these tasks can employ the help of independent investment advisors who can perform some, if not all, of the above functions. They can be objective in their evaluation of fund performances and the need for change, and they can advise on other fiduciary responsibilities. They may also assist the 401(k) committee in evaluating the reasonableness of plan expenses by benchmarking against similar fund families and other service provider fees.

3. Operational Compliance

It’s easy to set up a 401(k) plan, and it’s almost as easy to change some of the provisions to accomplish company goals, such as allowing for automatic enrollment with the intention of increasing plan participation. If the plan is not being operated in accordance with the provisions of the plan document, then the plan and the sponsor have a compliance issue that will likely need to be corrected. Below are some of the more common plan issues which are often the focus of regulators as well.

Reviewing Plan Eligibility Provisions and Comparing Them to Actual Practices

Often there are employees allowed to participate in the plan who were defined as ineligible in the plan document. The opposite can also be true. If a plan has a waiting period or an age limit, more issues can arise. The most common cause of these errors is assuming employees eligible for health benefits are also eligible for 401(k) benefits and vice versa.

Reviewing the Plan’s Definition of Compensation and Comparing it to Actual Payroll Procedures

The plan’s definition of compensation sets the types of compensation eligible for 401(k) plan deferral withholdings. For example, the definition in a plan document may read, “all compensation reported for W-2 purposes.” In this case, all salaries, wages, bonuses, and commissions would be eligible for 401(k) withholdings, while items such as moving expenses and deferred compensation would not. Errors can occur due to unclear wording regarding eligible pay types.

Depositing Participant Deferrals in a Timely Manner

The timely deposit of participant deferrals (and participant loan repayments) with the plan custodian is the most significant issue for independent auditors and the DOL. Provisions or guidelines for these transactions cannot be found in the plan document; the DOL has created regulations designed to protect the participants of the plan from unauthorized use of their money by the plan sponsor.

For large plans (those with over 100 participants), deposits of participant contributions must be segregated from the general assets of the plan sponsor as soon as administratively feasible but no later than the 15th business day following the month-end of the applicable pay date.

However, the DOL doesn’t consider this a safe harbor. For example, if a sponsor demonstrates that deposits can be made three business days after the pay date on a regular basis, then any deposits in excess of three business days may be considered late and classified as a prohibited transaction by the DOL. Late deposits are required to be corrected by depositing lost earnings into the affected participants’ accounts and making compliance filings.

For plans with fewer than 100 participants (small plans) the DOL has ruled that participant contributions deposited within seven business days are not late. Once there are over 100 participants in your plan, the large plan rules apply.

4. Internal Controls

For many plan sponsors, controls over the plan are not often given substantive attention, especially in a company of 100 or fewer employees. Most sponsors feel that if an outside custodian and record keeper are employed, then there isn’t any opportunity for fraud or errors. Even with the best third party administrators (TPAs), there are plenty of opportunities for errors to occur if the sponsor doesn’t implement proper authorization and review of controls. Where there is a lack of oversight, there is the opportunity to commit fraud.

Most TPA organizations have what is called an SSAE 16 report, also known as a SOC 1 report. This is a special audit report that describes the control structure at the TPA and details the testing and results of the effectiveness of the control structure. These reports can be used by plan sponsors and auditors to gain an understanding of the controls at the TPA. To find out more about SOC reports, visit our SOC service page.

There is a section in each report that details “user controls.” These are the controls that are expected to be put in place by a plan sponsor so it can rely on the TPA’s controls. As a best practice, obtain a copy of this report on an annual basis and review it. If you have any questions about the report, contact your service representative.

5. Financial Reporting

The final area that will be new on your first 401(k) plan audit is financial reporting for the plan. The Form 5500 is filed for both small and large plans. However, once you are considered a large plan and require an audit, additional financial reporting is required.

For a large plan, the Form 5500 requires a Schedule H to be attached in lieu of a Schedule I. Schedule H requires more information to be reported than a Schedule I. In addition, it’s the auditor’s responsibility to make sure the information on the Schedule H is consistent with the audited financial statements.

Audited financial statements, prepared in accordance with accounting principles generally accepted in the United States of America, are required to be attached to Form 5500 when filed. For 401(k) plans, the accounting, presentation, and disclosure requirements for defined contribution plans are detailed under the Financial Accounting Standards Board Accounting Standards Codification (ASC) 962, Plan Accounting-Defined Contribution Plans.

Plan assets and liabilities are reported using a net asset approach, focusing on the assets that are available for benefits. The changes in these assets and liabilities are also reported, which could be compared to a traditional income statement; however, the significant line items usually seen on an income statement are not the same for a plan’s financial statements.

ERISA Section 103(a)(3)(C) VS. Non ERISA Section 103(a)(3)(C)

Under ERISA, a plan administrator is permitted to instruct their auditor not to perform any auditing procedures with respect to the information prepared and certified by a qualified institution. A qualified institution is a bank or similar institution or an insurance carrier that is regulated, supervised, and subject to periodic examination by a state or federal agency.

When performing an ERISA Section 103(a)(3)(C) audit of the financial statements, the auditor need not perform any auditing procedures with respect to information that was certified, including investments and investment income, as well as participant loans and the related interest income. In a non ERISA Section 103(a)(3)(C) audit, the investments and related investment income, as well as participant loans and related income will be audited.

Key Takeaways

When selecting an auditor for a first-year audit, it is important to understand his or her expertise with benefit plan accounting. An experienced benefit plan auditor can help educate you on the reporting requirements and in the preparation of plan financial statements filed with Form 5500.

Also, at the conclusion of the audit, the auditor will communicate to management certain procedures, practices, or other matters that raise potential problems or could be improved. We have seen that most companies are not prepared for a detailed examination of plan compliance, fiduciary responsibility, internal controls, and best practices, but our extensive knowledge of auditing benefit plans will be a great benefit to you.

Finally, hiring a plan auditor is considered a fiduciary responsibility. By not following the basic standards of conduct, the fiduciary could be held personally liable to restore losses to the plan.

The DOL conducted a study examining audits of employee benefit plan financial statements for the 2020 filing year for Form 5500, Annual Return/Report of Employee Benefit Plans. The DOL’s EBSA found serious problems, with 30% of employee benefit plan audits having one or more major deficiencies. This represents a decline from the 39% major deficiency rate reported in the previous study conducted in 2015.

The statistics show that the size of an independent accounting firm’s employee benefit plan practice correlates with the audit quality. As the study demonstrates, deficiencies with audits were less common with firms auditing more than 100 plans per year. LBMC audits approximately 400 employee benefit plans annually.

What's Next?

The completed audit is required to be filed with the Plan’s Form 5500. We provide you with a PDF copy of the audited financial statements that can be utilized in filing the Form 5500. More importantly, we also provide a communication letter to the plan sponsor. This letter contains the details of any operational matters or other errors that we discovered during our testing, as well as any suggestions that we have regarding ways to better operate your plan. This gives the plan sponsor the opportunity to correct any errors noted.

The required audit procedures are designed to test whether the participants are receiving proper benefits. Finding ways to help protect the plan sponsor is not part of the required audit procedures. Hiring an auditor that understands plans and is knowledgeable about how they operate can provide a real benefit to a plan sponsor. Our suggestions include things that a plan sponsor can do to better document their processes, which will be a benefit in case of a DOL audit of the plan.

Definitions of Terms and Acronyms

  • AICPA (American Institute of CPAs): A professional organization for Certified Public Accountants (CPAs) in the United States. It maintains an Employee Benefit Plan Audit Quality Center to improve the quality of audits by providing resources and guidance.
  • DOL (Department of Labor): A U.S. government department responsible for occupational safety, wage and hour standards, unemployment insurance benefits, reemployment services, and some economic statistics; it plays a key role in enforcing ERISA regulations.
  • EFAST2 (Electronic Filing Acceptance System 2): The electronic system used to file Form 5500, which is required for employee benefit plans. Since 2010, the filing must be done electronically.
  • ERISA (Employee Retirement Income Security Act of 1974): A federal law that sets minimum standards for most voluntarily established pension and health plans in private industry, aiming to protect individuals in these plans.
  • Form 5500: The annual report filed for employee benefit plans. It must include an audited financial statement and, as of 2010, must be filed electronically.
  • Adoption Agreement: For pre-approved plans, this agreement is a supplement to the basic plan document, listing selectable plan features. It becomes a part of the plan document.
  • Investment Policy: A document outlining the types of investments offered as options in a plan, serving as a guideline for plan investment decisions.
  • Small Plan and Large Plan: Classification based on participant count; small plans have fewer than 100 participants, while large plans have 100 or more.
  • SOC/SSAE 16 (Service Organization Controls/Statement on Standards for Attestation Engagements 16): A report detailing controls at a service organization relevant to the internal control over financial reporting of user entities.
  • TPA (Third Party Administrator): An organization hired to handle claims processing, billing, and other administrative functions for employee benefit plans.

At LBMC, we put the most experienced audit experts to work for you. It’s how we’ve become one of the largest employee benefit plan auditors in the U.S.

Because of our experience, we are able to ensure your audit goes smoothly and reduce the amount of time you have to be involved in the process. As a top 25 benefit plan auditor in the nation, our in-depth knowledge includes ongoing training guaranteeing a keen understanding of the latest technical and financial requirements. This experience also allows us to tailor our audit approach to the needs and characteristics of each client.

We specialize in these types of employee benefit plan audits:

  • Defined Contribution Plans – 401(k) Plans; SEC Form 11-K Filings; 403(b) Plans; Profit Sharing Plans
  • Defined Benefit Plans – Pension Plans; Money Purchase Pension Plans
  • Health and Welfare Plans
  • Employee Stock Ownership Plans (ESOP)
  • Form 5500 preparation
