401(k) plans are normally established and maintained by plan sponsors — usually the company — pursuant to a plan document or agreement. Fiduciaries (trustees) named in the plan document are responsible for the operation and administration of the plan. They, in turn, appoint an employee of the company to be the plan administrator. This individual is usually a member of management and typically reports to the trustees, who may be plan sponsors, owners or management.
The plan administrator has continuing responsibility for operation of the plan in accordance with the terms of the plan document and the laws and regulations that protect the assets in the plan and ensure that plan participants and company employees have been treated properly and fairly. According to the abstract of 2013 Form 5500 Annual Reports, published in the U.S. DOL’s September 2015 Private Pension Plan Bulletin, defined contribution plans, which include 401(k) plans, hold more than $5 trillion in assets and have more than 92 million participants.
Monitoring the plan’s service providers
The plan administrator uses third-party service providers to assist with the administration of the plan. Service providers may include auditors, payroll companies, third-party administrators, investment custodians and record-keepers. An easy way for the plan sponsor to select and monitor third-party service providers is to obtain their Service Organization Controls (SOC) Reports. These reports provide assurance that the proper controls are in place at the service provider and allow plan administrators to identify strengths and weaknesses in the service provider's controls.
What is ERISA?
In response to the popularity of retirement plans and the need to protect plan participants, Congress enacted the Employee Retirement Income Security Act of 1974 (ERISA). The primary purpose of ERISA is to protect the interests of workers who participate in employee benefit plans and their beneficiaries.
ERISA rules and regulations require the plan sponsor and appointed individuals to control the plan's assets and assume fiduciary responsibility for its management. The primary responsibilities of the fiduciaries are to run the plan solely in the interest of the plan's participants and to act prudently in order to safeguard the plan's assets. If the plan sponsor and trustees fail to do so, they may be held responsible for losses resulting from improper management, and the plan may be disqualified.
ERISA includes a requirement that plans with more than 100 eligible participants be audited by an independent CPA firm in order to protect the participants and ensure that the plan is operating properly. The CPA firm determines through testing whether the plan is being run in accordance with the plan document and in conformity with ERISA. Plans with fewer than 100 eligible participants are not required to have an audit, and most don't; this saves money but forgoes the benefits of independent auditor oversight.
The audit process
The audit focuses on whether the plan's financial information is properly reported to the IRS on Form 5500 and on the financial statements, and on whether participant accounts have been managed properly. The auditor will request a listing of plan-related information, including the plan document, IRS opinion letters, trust reports containing financial information, payroll information, prior Form 5500s and prior financial statements. This information will assist the auditor in testing significant areas, including contributions, eligibility, distributions, entitlement to benefits, funding, remittances, loans and fees. Testing is designed to help determine whether the plan is operating in compliance with the plan document and with the DOL and IRS regulations that ensure a participant's account is correct, and whether the financial information is properly reported on the financial statements and Form 5500.
As part of the audit, service organization controls reports are obtained from the investment custodian and other plan service providers. SOC 1 Reports provide information on the service provider's internal controls over financial reporting and their operating effectiveness. These reports describe what the service provider is responsible for in administering the plan, and what the sponsor is responsible for in administering the plan and providing reliable information. SOC 2 Reports cover controls at the service organization regarding security, availability, processing integrity, confidentiality and privacy. Both types of report are prepared by independent CPA firms and provide some comfort that service providers are taking the proper precautions to protect client data.
The sponsor, trustees and administrator of a 401(k) plan have a lot of responsibilities. Understanding the administration requirements, including those around audits and service providers, is essential. Ensure that the audit team and your service providers are trusted resources that you can rely on, and make sure you use them to help safeguard your plan.