What Does a 401(k) Audit Encompass?

August 31, 2021

By Todd Schroeder

Whether your 401(k) plan (“Plan”) needs an audit depends on the number of participants in the Plan on the first day of the Plan year. First, you must determine whether the 401(k) Plan is considered small or large under the Employee Retirement Security Act of 1974 (“ERISA”).

A 401(k) Plan is generally considered small if it has fewer than 100 eligible participants at the beginning of the Plan year, and the Plan sponsor may be eligible to file Form 5500-SF. If the 401(k) Plan has more than 100 eligible participants as of the beginning of the Plan year, then it would generally be considered large and the Plan sponsor should file the Form 5500, which would then require audited financial statements as an attachment to the Form 5500 submission. However, there is an exception to the general rule, commonly referred to as the 80-120 rule, which allows growing Plans with between 80 and 120 participants as of the first day of the Plan year to file the Form 5500 in a manner consistent with the prior year Form 5500 filing. Once you have exceeded 121 participants, the Plan must file as large and an audit is required. If the administrator determines that the Plan requires an audit, there are two types that the administrator can instruct the auditor to perform:

  • Limited scope 401(k) Plan audit, which has been revised and will be referred to as an “ERISA Section 103(a)(3)(C) Audit” under SAS 136.
  • Full scope 401(k) Plan audit, which has been revised and will be referred to as an “ERISA Plan Audit” under SAS 136.

Note: Statement on Auditing Standards No. 136, Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans, will be effective for audits with periods ending on or after December 15, 2021, with optional early implementation.

The difference between these two audits with regard to audit procedures is that in an ERISA Plan Audit, the 401(k) Plan’s investment information is subject to audit procedures, while in an ERISA Section 103(a)(3)(C) Audit, the auditor will not perform audit procedures on the investment information that is prepared and certified to be complete and accurate by a qualified institution. A qualified institution is an organization as defined in accordance with 29 CFR 2520.103-5 and 29 CFR 2520.103-8 as a bank or similar institution that holds Plan assets, or an insurance carrier that provides benefits under the Plan or holds Plan assets that are regulated, supervised and subject to periodic examination by a state or federal agency and certifies the investment information. If a qualified institution is unable to certify that the investments and investment activity information is complete and accurate, then an ERISA Plan audit must be performed.

Within both types of 401(k) Plan audits, the following is a high-level look into the various areas of the Plan that an auditor will test:

Participant-Level Testing – The auditor will make selections of different types of transactions and activity during the year at the participant level to ensure that they are in compliance with the Plan document. Examples include eligibility, definition of compensation, employee and employer contributions, distributions, forfeitures and rollovers.

Plan-Level Contributions – The auditor will perform auditing procedures to ensure that the employee and employer contributions received by the Plan’s custodian reconcile to the contributions as reflected in the company’s payroll and related records. In addition, the auditor will test contributions for timeliness in accordance with Department of Labor Regulation 29 CFR 2510.3-102, which states that employee deferrals must be contributed into the Plan as of the earliest date on which contributions can reasonably be segregated from the employer’s general assets. Late remittances, if any, must be reported on Form 5500 and the Schedule of Delinquent Participant Contributions.   

Loans – The auditor will generally review the Plan’s written loan policy and compare the terms, such as amount, interest rate and number of loans allowed, to the Plan’s loan operations.

Non-Discrimination Testing – The auditor will secure the Plan testing performed by the third-party administrator and read the results to determine if the 401(k) Plan passed or failed its required non-discrimination testing during the Plan year. If the Plan failed any of its testing, the auditor will review to ensure the Plan sponsor has corrected the failure.

Administrative Expenses – The auditor will generally review the Plan document to determine if expenses are allowed to be paid from the 401(k) Plan. Typical Plan expenses may include investment management, custodian, recordkeeping, professional fees, and other transaction or processing fees.  

Fidelity Bond Policy – The auditor will read the policy to determine whether it meets the guidelines set by ERISA, which include the 401(k) Plan listed as the named insured and the bond amount at least equal to the lesser of 10% of the funds handled, or $500,000 as of the beginning of the Plan year (or $1 million for Plans that have employer securities).

The above is not all-inclusive of an auditor’s testing and does not include considerations such as partial and full Plan terminations, Plan mergers, changes to a recordkeeper or custodian, or additional audit procedures if errors occurred and there are operational defects as a result of not following the Plan provisions. Each Plan is different and, therefore, procedures and auditor judgement play a part in every audit.

About Todd Schroeder

Todd Schroeder is an Audit Manager with over five years of both public and private accounting experience.