Why Does My 401(k) Auditor Ask Me About the Controls and Processes in my Plan?

July 6, 2021

The simple answer to this question is that your 401(k) auditor (and for that matter, any auditor of a financial statement) is required by audit standards to understand the controls and processes in place behind significant transactions, and a walkthrough is one method of gaining this understanding. For a 401(k) plan, those significant transactions include employee and employer contributions made to the plan, benefits paid from the plan, and loans taken from the plan.

Why should we have controls? Doesn’t my TPA (third-party administrator) handle all that?

Controls cover the plan administrator to ensure transactions are processed correctly and then avoid the need for corrections to the plan, which could become costly. While in some cases, TPAs do handle some transactions and have a SOC-1 report to cover those transactions, there are often processes on the plan sponsor’s side that go hand in hand with those. For example, even if deferral elections and changes are made online with the TPA, it is the plan sponsor’s responsibility to ensure those changes are entered into the payroll system timely and correctly. In the event those changes are missed, entered incorrectly or untimely, the plan sponsor could be on the hook for missed employee and employer contributions.

What is an example of a best practice to ensure we have controls in our processes?

For the example above, the best practice for online enrollment or deferral election changes is for the notification of the change from the TPA to be retained and formally signed off as entered into the payroll system timely and correctly. Even better would be if the process involved two individuals, one to enter the information into payroll and another to review the entry’s accuracy.

Where are other areas I could improve controls?

Any time information is entered into a TPA system (such as a date of hire, date of termination, or hours worked), it is best to ensure the data was entered correctly and to retain evidence that it was done so. This information is often used to ensure eligibility is offered timely or vested payments are made correctly, so it is important that it is entered accurately to avoid the need for a correction.

A formal process to ensure contributions are remitted timely (as soon as they can be segregated from general assets) to the plan after they are withheld in payroll is a best practice to avoid potential late contributions. This can be as simple as documenting that contributions will be remitted within 2 days of payroll and ensuring the submitter and approver both have reminders and sign offs to ensure that the remittance occurs. Additionally, ensuring everything that was withheld was remitted is a good control to avoid missed/late contributions. A plan sponsor should ensure the totals withheld (employee contributions, loan repayments) were not only remitted, but were accepted by the TPA. A plan sponsor should retain a confirmation of the remittance from the TPA and formally reconcile and sign off that the accepted funds agree to what was withheld.

Another important control is the review of employer contributions that are calculated outside of the system. Employer contributions can be difficult to calculate and if they are done outside of the payroll system, that can complicate matters more. These calculations should be prepared and reviewed prior to processing and a best practice would be for the reviewer to formally sign off they approved the calculations. Perhaps most important is the regular review of reports received from your TPA. Someone at a level above the individuals responsible for the day to day transactions should be reviewing the monthly or quarterly reports from the provider for unusual transactions.  Such a review can timely detect errors in processing, missing deposits, payments to unauthorized parties or unexpected fee charges.