401k plan concerns – from the auditor perspective

As an auditor of large ERISA 401k plans, which are required to attach audited financial statements to the Form 5500, I am fortunate to work on plans that have an effective system of oversight, policies, procedures and controls, and a working system of communication. I also see the opposite… plans that are missing these key items and are therefore exposing both management of the Plan Sponsor and the fiduciaries of the plan to potential litigation, and to corrective actions in the case of a Department of Labor or IRS exam. I want to share the concerns I see from a plan auditor's perspective that leave Plan Sponsors and fiduciaries exposed to litigation and regulatory scrutiny in the current environment.


No established retirement plan committee

I still come across 401k plans that do not have an established and formalized oversight committee. A 401k plan needs an oversight committee that meets regularly to review plan activity and perform the tasks discussed below. The oversight committee should include the named fiduciaries of the plan, as well as the key members of management who are involved in the day-to-day operations of the plan. I recommend the oversight committee meet no less than quarterly.


No investment policy statement

A common document lacking from many 401k plans is an Investment Policy Statement (IPS). This document guides the fiduciaries and the oversight committee as to their roles and responsibilities with respect to the plan, and sets out the allowable and unallowable plan activities. Key items to include in an IPS include, but are not limited to, the following:

  • Identification of the retirement plan name, participants, and fiduciaries
  • A statement of purpose for the IPS
  • For fiduciary-directed investment portfolios, a statement of asset allocation policy and rebalancing guidelines
  • A description of the process and/or criteria to be used in choosing and monitoring the plan’s investments
  • Listing of approved asset classes, with a relevant industry benchmark index for each
  • Identification of the replacement process or “watch list” for managers who no longer meet the selection/retention criteria
  • Listing of unallowed investments, at the fiduciaries’ discretion (e.g., tobacco, alcohol, firearms, or gambling)
  • Statement of frequency of investment performance reviews, and general communications procedures for service providers
  • Identification of the service providers with roles, responsibilities, and deliverables to fiduciaries (e.g., the plan advisor, record keeper, administrator, custodian, directed trustee, and actuary)
  • Listing of investment manager search, selection, and retention criteria identifying the process by which the plan’s Qualified Default Investment Alternative (QDIA) will be chosen

The IPS should be written to allow fiduciaries flexibility to use their best judgement based upon a given set of circumstances.


Definition of compensation issues

A very common error I see in many 401k plan audits is the Plan Sponsor not using the correct definition of compensation, as stated in the Plan Document, when calculating employee deferrals or employer matching contributions. This typically happens because the definition of compensation in the Plan Document is all-encompassing, such as “All W-2 wages”, but the Plan Sponsor then incorrectly excludes certain W-2 wage items, such as bonuses or vacation payouts, from the calculation of employee deferrals or employer matching contributions. Plan Sponsors should periodically revisit the definition of compensation in their Plan Document to ensure the Plan is operated in compliance with that definition. The definition of compensation should also be very clearly defined, with nothing left to interpretation.


Lack of minutes from retirement plan oversight committee meetings

This is a very common finding in 401k audits. Many times I will be told by management that the oversight committee meets on a regular basis to review the Plan. However, no minutes from these meetings are kept. From an auditor's perspective…if it’s not documented, then it did not happen. If there are no minutes from the meetings of the oversight committee, then there is no evidence that the oversight committee is performing its duties with respect to the Plan. Meeting minutes are key documentation to show that the oversight committee is following the IPS and properly overseeing the activity of the Plan. In the litigious environment we live in, properly documented meeting minutes are a key document for defending the fiduciaries against a lawsuit.


Lack of documentation of review of investment fees and other fees

Clearly a hot topic due to the number of publicized lawsuits against plan sponsors. I rarely see this process documented in oversight committee meeting minutes. Plan sponsors need to document in the meeting minutes that they periodically go through a deliberate process to benchmark investment fees against other options, and to document the decision-making process for why a particular investment was selected over other options that might have lower fees. Plan sponsors who have documented this process in detail have been able to successfully defend against fee lawsuits.

Lack of documentation of annual review of service provider SOC-1 reports

I am surprised by how many plan sponsors are unaware that SOC-1 reports exist. Typically the Plan’s recordkeeper/custodian and the payroll provider are the key service providers for your plan. The SOC-1 is a report on the internal controls that have been tested at the service provider. Management of the Plan Sponsor needs to obtain and review these reports on an annual basis to ensure there are no internal control issues at the service provider that may impact the 401k plan. The review of the SOC-1 reports should be documented in the oversight committee meeting minutes, including management’s response to any issues noted in the SOC-1 report.


Continued instances of late remittances of EE deferrals

Even with the use of payroll providers that automatically remit employee contributions to the custodian, there are still issues with late remittance of employee contributions. Large ERISA 401k plans are required to remit employee deferrals to the custodian by the 15th business day of the month following the month in which the deferral was withheld from the employee's paycheck. But in reality, the deferrals must be remitted as soon as administratively feasible. Once a plan sponsor demonstrates the ability to remit employee deferrals in, for example, 2 or 3 days, this is the standard to which the plan sponsor will be held for all pay periods. In this example, any remittance taking longer than 3 days can be considered a late remittance, which will require the plan sponsor to remit a payment to the plan for lost earnings.

Issues that tend to lead to late remittance are off-cycle paychecks, and absences of the key employees responsible for remitting employee deferrals when there is no responsible backup employee. Plan sponsors need to review their procedures and controls for the timely remittance of employee deferrals to ensure deferrals are consistently remitted on time, even when the above issues are encountered.


Lack of cybersecurity controls and education to participants

Fraudsters and scammers are trying to take advantage of your employees’ fears, confusion and uncertainty. Tell your employees to be overly cautious of unexpected e-mails requesting information about, or a distribution from, their 401k accounts. Make sure your team continues to be skeptical of unexpected e-mails, or e-mails from unknown sources, regarding 401k accounts. If in doubt, make sure your staff knows to pick up the phone and call a number they already know (not one supplied in the e-mail) to verify the request. Even e-mails from a known co-worker or business associate should be scrutinized if the message or request is unusual, unexpected or somewhat confusing.

Those are the big ticket items from this plan auditor’s perspective. Happy to talk with you or your client to find solutions if they have these issues or concerns.

Bradley J. Bartells, CPA

Partner, MUN CPAs

916-609-7115

bjb@muncpas.com

Way to go Bradley Bartells, CPA! Love the cyber idea at the end. Can address each of these items for employers; we are most especially focused in 2021 on the cybersecurity element. We just forged a partnership with a company that has an "incredible" net promoter score of 71, with its largest client, the Federal Government itself. Our view: if it's worth doing, it is worth doing well! Here's what they say about themselves... what do you think? Our current Net Promoter Score (NPS) is 71. Fortunately, 71-100 is the Holy Grail of NPS, and rarely attainable. A company with a score in this range is considered to be among the absolute best in their industry. We have an A+ BBB rating, plus we were rated “Excellent” by PC Magazine (Dec 2020). We have a 100% Recovery Guarantee, 100% US Call Center Employees, 40+ Million People Protected, and the Federal Government is our largest client. Zero Customers' Data Sold. 95% Members Recommend. 96% Client Referral Rate. The average wait time for a policyholder calling into our customer service department over the last 12 months is less than 15 seconds. 95% of calls to our customer service department are resolved on the first call. Think we should go for it with clients?

Patrick M. Shelton, GBA

✔ Retirement Plan Consultant ✔ Helping Financial Advisors and Businesses Impact their Bottom Line

3y

Which ones are requirements vs. best practices? I thought I heard something about EB Audit standards changing for more depth?

Charles Humphrey

Employee Benefits Attorney and Author

3y

This is a very nice piece, echoing what I've seen in my practice. Thanks for summarizing these issues.

Mike Hoffman

Audit | IT Assurance | Consulting | National Account Executive

3y

Nicely summarized Brad.

Coleton Hutchins, MBA, QKC, QKA

Organizational Mobilizer / Professional Development Instigator / Strategy / B2B Marketing / Content Creator

3y

Thanks for sharing, Brad! Danielle Sesock, ERPA Phillip Packard
