Employee Benefit Plans: Processes and Governance - Internal Controls

November 03, 2011

Plan sponsors outsource most of the Plan’s operations, but Plan sponsors cannot outsource responsibility for the Plan and its operations. Most problems occur from the lack of oversight and lack of attention to governing documents and service agreements. Strong plan governance and the implementation of internal controls will assist in the Plan’s compliance with applicable laws and regulations. Preventative controls are designed to discourage errors or fraud while detective controls are designed to identify errors or fraud after they have occurred. This presentation will take us through sample Plan controls and discuss user controls related to service providers of the Plan.  We will also discuss the auditor’s responsibility to communicate deficiencies in the Plan’s internal controls noted during their audit to those charged with Plan governance. 

Attention to Plan Operations and Internal Control
  • Often ignored by Plan Sponsors given significant outsourcing
  • Plan Sponsors cannot outsource ultimate responsibility for the Plan and its operations
  • Most problems occur from lack of oversight and lack of attention to governing documents and service agreements
  • Most common operational defects
    • Definition of compensation
    • Eligibility provisions
    • Timeliness of deposit of deferrals
    • Automatic enrollment shortfalls
What is Internal Control?

Internal control is a process – effected by those charged with governance, management, and other personnel – designed to provide reasonable assurance about the achievement of the Plan's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Internal Control

  • Internal control protects plans in two ways:
    • By minimizing opportunities for unintentional errors or intentional fraud that may harm the plan. Preventive controls, which are designed to discourage errors or fraud, help accomplish this objective.
    • By discovering small errors before they become big problems. Detective controls are designed to identify an error or fraud after it has occurred.
Sample Plan Controls
  • Auditors' Guidance for Plan Controls
    • A Plan document is executed outlining the terms of the Plan.
    • Contribution requirements and calculation bases and limitations are described in the plan document and consistently reviewed and processes updated. Initial controls are established over contribution records for both employer and participant contributions (e.g., salary reduction amounts, after tax and rollovers).
    • Procedures in place to assure compliance with regulatory requirements and reporting requirements, including appropriate levels of review.
  • IRS 401(k) Fix-It Guide – Potential Mistakes
    • Are the plan's operations based on the terms of the plan document? Failure to follow plan terms is a very common mistake.
    • Is the plan's definition of compensation for all deferrals and allocations used correctly? Were employer matching contributions made to all appropriate employees under the terms of the plan?
    • Has the plan satisfied the 401(k) nondiscrimination tests (ADP and ACP)?
  • Reports submitted by trustees/asset custodians or investment managers are reviewed. Process should be formalized and documented.
  • Control totals from participants' records are compared to control totals from trust reports on a regular basis.
  • Responsibilities for benefit approval, recording of benefits, and maintenance of participant files are adequately segregated.
  • Periodic correspondence with retirees is maintained.
  • Third Party Service Provider SAS 70 (SSAE 16) Reports are reviewed, including user controls.
  • Sponsor or employer payroll records are compared with contribution calculations.
  • Subsidiary contribution records are reconciled to the trustee/asset custodian or third-party administrator reports.
  • Participant contributions are remitted to the trust within guidelines prescribed by the plan's policies and procedures and Department of Labor regulations.
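The comparison and reconciliation controls listed above (control totals against trust reports, payroll records against contribution calculations, remittance within the prescribed deadline) can be run as a scripted detective control each pay period. The following is an added example written for this page, not code from the presentation or from the AICPA; the record layout, the sample payroll and trust figures, and the `max_days` remittance deadline are constructed assumptions. The actual deadline comes from the plan's own policies and Department of Labor regulations, which the script deliberately takes as a parameter rather than encoding.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class PayrollDeferral:
    """One employee's salary deferral withheld on a pay date (sponsor's payroll record)."""
    pay_date: date
    employee_id: str
    amount: Decimal


@dataclass(frozen=True)
class TrustDeposit:
    """A deposit received by the trustee/custodian, attributed to a pay date (trust report)."""
    pay_date: date
    deposit_date: date
    amount: Decimal


@dataclass(frozen=True)
class Finding:
    pay_date: date
    issue: str      # "amount_mismatch", "late_deposit" or "missing_deposit"
    detail: str


# Constructed sample data (not from any real plan). Employee C becomes eligible on
# 2011-09-30 but the deposit for that pay date still reflects only A and B.
PAYROLL = [
    PayrollDeferral(date(2011, 9, 15), "A", Decimal("100.00")),
    PayrollDeferral(date(2011, 9, 15), "B", Decimal("250.00")),
    PayrollDeferral(date(2011, 9, 30), "A", Decimal("100.00")),
    PayrollDeferral(date(2011, 9, 30), "B", Decimal("250.00")),
    PayrollDeferral(date(2011, 9, 30), "C", Decimal("75.00")),
    PayrollDeferral(date(2011, 10, 14), "A", Decimal("100.00")),
    PayrollDeferral(date(2011, 10, 14), "B", Decimal("250.00")),
    PayrollDeferral(date(2011, 10, 14), "C", Decimal("75.00")),
    PayrollDeferral(date(2011, 10, 31), "A", Decimal("100.00")),
    PayrollDeferral(date(2011, 10, 31), "B", Decimal("250.00")),
    PayrollDeferral(date(2011, 10, 31), "C", Decimal("75.00")),
]
DEPOSITS = [
    TrustDeposit(date(2011, 9, 15), date(2011, 9, 20), Decimal("350.00")),
    TrustDeposit(date(2011, 9, 30), date(2011, 10, 5), Decimal("350.00")),   # short by C's 75.00
    TrustDeposit(date(2011, 10, 14), date(2011, 10, 31), Decimal("425.00")),  # 17 days after pay date
    # no deposit at all for the 2011-10-31 pay date
]


def reconcile(payroll, deposits, max_days):
    """Compare payroll control totals to trust control totals per pay date and
    check remittance timing. `max_days` is the plan's assumed deadline in calendar
    days; it is a placeholder, not a statement of the regulatory rule."""
    withheld = defaultdict(Decimal)
    for rec in payroll:
        withheld[rec.pay_date] += rec.amount

    deposited = defaultdict(Decimal)
    latest_deposit = {}
    for dep in deposits:
        deposited[dep.pay_date] += dep.amount
        prev = latest_deposit.get(dep.pay_date, dep.deposit_date)
        latest_deposit[dep.pay_date] = max(prev, dep.deposit_date)

    findings = []
    for pay_date in sorted(set(withheld) | set(deposited)):
        if pay_date not in deposited:
            findings.append(Finding(pay_date, "missing_deposit",
                                    f"withheld {withheld[pay_date]}, nothing received by trust"))
            continue
        if withheld[pay_date] != deposited[pay_date]:
            findings.append(Finding(pay_date, "amount_mismatch",
                                    f"withheld {withheld[pay_date]} vs deposited {deposited[pay_date]}"))
        lag = (latest_deposit[pay_date] - pay_date).days
        if lag > max_days:
            findings.append(Finding(pay_date, "late_deposit",
                                    f"last deposit {lag} days after pay date (limit {max_days})"))
    return findings


def run_sample(max_days=7):
    """Run the control over the constructed data; returns (pay_date, issue) pairs."""
    return [(f.pay_date.isoformat(), f.issue) for f in reconcile(PAYROLL, DEPOSITS, max_days)]


if __name__ == "__main__":
    for f in reconcile(PAYROLL, DEPOSITS, max_days=7):
        print(f"{f.pay_date}  {f.issue:16}  {f.detail}")
```

Each finding maps back to one of the operational defects named earlier in the presentation: the short deposit on 2011-09-30 is the kind of discrepancy an eligibility or compensation-definition error produces, and the late and missing deposits are timeliness failures. Keeping the reconciliation independent of the recordkeeper's own reports is what makes it a sponsor-side control rather than a repeat of the service provider's work.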
Maintaining Plan Information
  • ERISA requires plan administrators to retain records that:
    • Support information included in the reports and disclosures for SIX years from the date the annual reports were filed (ERISA Sec. 107) and
    • Are sufficient to determine the benefits due or which may become due (ERISA Sec. 209)
Not All Internal Controls Are Outsourced
  • Controls are often overlooked by plan management
  • Plan is on auto pilot
  • Many functions are outsourced
  • Responsibility is misplaced and misunderstood
  • Third parties make the sponsor's responsibility clear (user manuals and user controls), yet this is generally overlooked
  • Third party internal controls are considered part of the Plan's internal controls
  • SAS 70 reports are not only for auditors
SAS 70/SOC 1/SSAE 16 Report
  • SAS No. 70 was the original source of guidance for service auditors and user auditors
  • SAS No. 70 was divided and replaced by two standards
    • Auditing Standard - Clarified SAS, Considerations Relating to an Entity Using a Service Organization
      • For users and auditors  
      • Effective for audits of financial statements for periods ending on or after December 15, 2012 
    • Attestation Standard - SSAE No. 16, Reporting on Controls at a Service Organization
      • Contains guidance for service auditors 
      • Effective for service auditors' reports for periods ending on or after June 15, 2011 
  • Service Organization Control Reports (SOC Reports)
    • SOC 1 Report – Report on Controls at a Service Organization Relevant to User Entities' Internal Control over Financial Reporting
      • For users and auditors (can be Type 1 or Type 2)
      • Type 2 covers design, implementation and operating effectiveness
      • Reports on controls over financial reporting at a service organization related to financial statements
    • SOC 2 Report – Report on controls at a service organization relevant to user entities' non-financial internal controls
    • SOC 3 Report – general use report
User Controls Related to SAS 70 Reports
  • Instructions and information provided to XXXX from plan sponsors are in accordance with the provisions of the servicing agreement or documents between XXXX and the plan sponsor.
  • Timely written notification of changes to the plan, participants, and investment managers is adequately communicated to XXXX.
  • Timely written notification of changes in the individuals authorized to instruct XXXX activities on behalf of the plan sponsor is adequately communicated to XXXX.
  • Timely review of plan reports prepared by XXXX is performed by the plan sponsor, and written notice of any discrepancies between the plan sponsor's records and the reports prepared by XXXX is provided on a timely basis.
  • DB & DC Plan Sponsors are responsible for ensuring that information provided to YYYY is complete and accurate and filed timely.
  • DB & DC Plan Sponsors are required to authorize Investment Agreements prior to initiating a new contract, contract conversion or an internal spin-off.
  • DB Plan Sponsors are responsible for reviewing the Plan Provision Guide provided by YYYY for completeness and accuracy of plan interpretation and notifying YYYY of any discrepancies.
  • DC Plan Participants are responsible for contacting YYYY if they do not receive a PIN following notification by YYYY that an account has been established for them.
  • Plan Sponsors and Participants are responsible for providing timely and accurate notification of changes to plan and participant information to YYYY.
  • Plan Sponsors are responsible for authorizing and submitting qualified employee enrollments to YYYY timely and accurately.
  • For plans that have elected the automatic enrollment feature using a data file transmitted through the System, Plan Sponsors are responsible for ensuring that all participants are set up in the System in accordance with plan parameters (e.g. investment selections and deferral percentages).
  • Plan Sponsors and Participants are responsible for reviewing their respective account information for accuracy of all changes made and notifying YYYY in a timely manner of any discrepancies that are identified.
  • Plan Sponsors are responsible for ensuring that instructions and information provided to YYYY are in accordance with the provisions of the contract, service agreement or other applicable governing agreements or documents in effect between YYYY and the Plan Sponsor.
  • Participants are responsible for reviewing the confirmations of indicative changes sent to them by YYYY and providing timely notification to YYYY of any discrepancies.
  • Plan Sponsors should ensure only authorized customer representatives have access through the System and timely notify YYYY of changes needed.
Auditor Responsibility for Internal Controls
  • An audit of a plan's financial statements is planned and performed to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
  • Plan auditors are not engaged to report on the plan's internal control.
  • An audit is not designed to detect fraud.
Statement on Auditing Standards No. 115
  • Communicating Internal Control Related Matters Identified in an Audit 
  • SAS No. 115 was issued by the Auditing Standards Board to provide guidance to auditors with respect to what should be communicated to management and those charged with governance in an organization.
  • SAS No. 115 requires that the auditor communicate, in writing, to management and those charged with governance the significant deficiencies and material weaknesses in internal control noted in the audit.
  • In an audit of financial statements, the auditor is not required to perform procedures to identify deficiencies in internal control or to express an opinion on the effectiveness of the entity's internal control.
  • However, during the course of an audit, the auditor may become aware of deficiencies in internal control while obtaining an understanding of the entity and its environment, including its internal control, assessing the risks of material misstatement of the financial statements due to error or fraud, performing further audit procedures to respond to assessed risks, communicating with management or others (for example, internal auditors or governmental authorities), or otherwise.
  • The auditor's awareness of deficiencies in internal control varies with each audit and is influenced by the nature, timing, and extent of audit procedures performed, as well as other factors.
  • A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
  • A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the Plan's financial statements will not be prevented, or detected and corrected on a timely basis.
  • A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.
  • A deficiency in design exists when a control necessary to meet the control objective is missing; or an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
  • A deficiency in operation exists when a properly designed control does not operate as designed; or the person performing the control does not possess the necessary authority or competence to perform the control effectively.
  • Awareness, governance committees, appropriate reviews
  • Maintaining current Plan Service Agreements and Plan Documents and requiring consistent review
  • Understanding Plan Document provisions
  • Designing daily Plan operations to comply with Plan documents and government regulations, including a review process
  • Attention to third party service agreements
  • Attention to user controls dictated by third party service providers

Employee Benefit Plan Audit Quality Center Useful Resources for Plan Sponsors (ebpaqc.aicpa.org)

  • Plan Sponsor Resource Center
  • Plan Advisories
    The AICPA Employee Benefit Plan Audit Quality Center prepares Plan Advisories for plan sponsors, administrators, and trustees. These comprehensive documents contain information to assist them in understanding their fiduciary and other responsibilities with respect to various aspects of their plans.
    • Understanding Auditor Communications
    • Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
    • The Importance of Internal Controls in Financial Reporting and Safeguarding Plan Assets
    • Valuing and Reporting Plan Investments
  • Tools, Resources and Articles
    • RFP and Auditor Evaluation Process Checklist for Plan Sponsors
    • Audit Quality and Auditor Selection


IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this document is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any tax-related matter(s) addressed herein. 
