Employee Benefit Plans: Internal Controls for Processes and Governance

Many of the processes that support employee benefit plans are automated and carried out by third-party service providers. These include the allocation of employee and employer contributions to participants’ accounts as well as the investment options selected by participants; allocation of gains and losses on those investments; transfers among investment options; changes to participant deferral percentages; and distribution requests from participant accounts, along with calculating the proper vested portion. Outsourcing these processes is a great option for plan sponsors, as long as they understand their ultimate responsibility.

While many plan sponsors can and do outsource most of their plan’s operations, it is important to note that they cannot fully outsource responsibility for the plan and its operations. The plan sponsor maintains the plan document that drives the plan’s operations as well as the payroll information and participant demographic data. Most problems we see occur from the lack of both oversight and attention to a plan’s governing documents and service agreements. Strong plan governance and the implementation of internal controls will assist in a plan’s compliance with applicable laws and regulations. Preventative controls are designed to discourage errors or fraud, while detective controls are designed to identify errors or fraud after they have occurred. Let’s examine sample plan controls and user controls related to third-party service providers of a plan. 

Attention to Plan Operations and Internal Control

• Often ignored by plan sponsors given significant outsourcing.
• Plan sponsors cannot outsource ultimate responsibility for the plan and its operations.
• Most problems occur from both lack of oversight and attention to governing documents and service agreements.
• Most popular operational defects:
  • Definition of compensation
  • Eligibility provisions
  • Timeliness of deposit of deferrals
  • Automatic enrollment shortfalls

What Is Internal Control?

Internal control is a process that is effected by those charged with governance, management and other personnel. The process is designed to provide reasonable assurance about the achievement of a plan's objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.

Internal Control

Internal control protects plans by (1) minimizing opportunities for unintentional errors or intentional fraud that may harm the plan. Preventive controls, which are designed to discourage errors or fraud, help accomplish this objective; and (2) discovering small errors before they become big problems. Detective controls are designed to identify an error or fraud after it has occurred.

Sample Plan-Related Internal Controls

• A plan document is executed outlining the terms of the plan.
• Contribution requirements and calculation bases and limitations are described in the plan document and consistently reviewed, along with updating processes. Initial controls are established over contribution records for both employer and participant contributions (e.g., salary reduction amounts, after tax and rollovers).
• Procedures in place to assure compliance with regulatory requirements and reporting requirements, including appropriate levels of review.
• Reports submitted by trustees/asset custodians or investment managers are reviewed. Formalize and document this process.
• Control totals from participant's records are compared to control totals from trust reports on a regular basis.
• Responsibilities for benefit approval, recording of benefits, and maintenance of participant files are adequately segregated.
• Periodic correspondence with retirees is maintained.
• Third-Party Service Provider System and Organization Control Reports (“SOC 1 Type 2”) are reviewed, including complementary user controls.
• Sponsor or employer payroll records are compared with contribution calculations.
• Subsidiary contribution records are reconciled to the trustee/asset custodian or third-party administrator reports.
• Participant contributions are remitted to the plan’s trust within guidelines prescribed by the plan's policies and procedures and Department of Labor regulations.

 Considerations Based on the IRS 401(k) Fix-It Guide

• Are the plan's operations based on the terms of the plan document? Failure to follow plan terms is a very common mistake.
• Is the plan's definition of compensation for all deferrals and allocations used correctly? Were employer matching contributions made to all appropriate employees under the terms of the plan?
• Are the plan’s eligibility provisions being properly applied?
• Has the plan satisfied the 401(k) nondiscrimination tests (ADP and ACP)?

Maintaining Plan Information

The Employee Retirement Income Security Act (“ERISA”) requires plan administrators to retain records that:

• Support information included in the reports and disclosures for six years from the date the annual reports were filed (ERISA Sec. 107); and
• Are sufficient to determine the benefits due or which may become due (ERISA Sec. 209).

Common Internal Control Mishaps

• Controls are often overlooked by plan management.
• Plan management acts as if the plan is on autopilot.
• Many functions are outsourced without proper oversight.
• Responsibility is misplaced and misunderstood.
• Third parties make the responsibility clear, yet this is generally overlooked by plan sponsors (user manuals and user controls).
• Third-party internal controls are considered part of the plan's internal controls without proper oversight.
• SOC 1 Type 2 Reports are not only for auditors, yet plan sponsors do not properly utilize or review them.

SOC reports are reports on controls at a service organization relevant to user entities’ internal control over financial reporting. SOC 1s are specifically intended to meet the needs of entities that use service organizations and the auditors that audit the user entities’ financial statements in evaluating the effect of the controls at the service organization on the user entities’ financial statements. SOC1s should be reviewed by plan sponsors during their annual due diligence and in assessing user controls. They are also reviewed by plan auditors in relation to understanding and evaluating financial reporting controls at service organizations.

A key aspect of relying on a SOC report is for the plan sponsor to understand its responsibilities. If the plan sponsor does not have certain controls in place, then they are unable to rely on the SOC report for comfort, basically because if incorrect information is sent to be processed by the third-party service provider, then the output is incorrect and therefore unreliable.

A newer report that is helpful to a plan sponsor is a SOC for Cybersecurity Report. The American Institute of CPAs (“AICPA”) SOC for Cybersecurity is a risk framework that establishes common criteria and guidelines for communicating about an organization’s cybersecurity risk management program. It enables plan management to report on the plan’s cybersecurity management program to external stakeholders with the credibility associated with an independent examination report. The SOC for Cybersecurity is focused on an entity’s cybersecurity risk management program, which differs from a SOC 2 Report, which is specific to a service organization processing transactions for another entity. A SOC for Cybersecurity is designed to meet the needs of a broad range of users.

Plan operations should be taken seriously, and plan sponsors should take the time to understand their responsibilities, because they are making a fiduciary decision to engage their service providers to provide the processing of plan transactions.

Additional Guidance:

The AICPA Employee Benefit Plan Audit Quality Center prepares advisories for plan sponsors, administrators and trustees. These comprehensive documents contain information to assist you in understanding your fiduciary and other responsibilities with respect to various aspects of your plans. The advisories include:

• The Importance of Retaining and Protecting Employee Benefit Plan Records
• Limited Scope Audits of Employee Benefit Plans
• The Importance of Hiring a Quality Auditor to Perform Your Employee Benefit Plan
• Employee Benefit Plans–Financial Statement Audits
• Understanding Auditor Communications
• Effective Monitoring of Outsourced Plan Recordkeeping and Reporting Functions
• The Importance of Internal Controls in Financial Reporting and Safeguarding Plan Assets
• Valuing and Reporting Plan Assets

View these advisories here.