Good fundamental internal controls in the operation of retirement plans are the bedrock of fiduciary and compliance requirements. Retirement plan operations and internal controls are complicated, frequently ignored, and a potential source of significant compliance breaches. The administration of retirement plans must comply with both the regulatory requirements as well as the plan document in form and in operation to maintain their tax preferential status. Many of the mistakes that occur emanate from not following the terms of the plan document, failing to revise the terms of the plan document, or failure to adhere to regulatory requirements. Penalties which may result from a failure to comply can include: plan disqualification, and/or loss of tax deductions to the employer and employees.
The Internal Revenue Service (IRS) and Department of Labor (DOL) are focused on the plan's operating policies and procedures, as well as compliance and reporting controls. The IRS in particular is taking internal controls very seriously. Monika Templeman, Director of Employee Plans Examinations at the IRS, stated recently in an Employee Plans Phone Forum:
"If a plan is selected for audit by the IRS, the EP agent conducting the retirement-plan examination will begin by evaluating the effectiveness of the plan's internal controls to determine whether to perform a focused audit - that is, just look at three to five issues - or expand the scope of the examination. In other words, based on the strength of the plan's internal controls, the agent will decide to examine more or less of the return than originally planned."1
The fundamental tenets of good internal controls are segregation of duties, reporting & reconciliation, and oversight of outsourced administration functions. These issues can become particularly complicated because so much of today's plan operations are outsourced to third party service providers. Good internal controls can eliminate or reduce errors in plan operations and reduce the amount of time the administrator spends with any plan auditors or regulatory bodies examining the plan.
In this paper I will broadly discuss these fundamental tenets for a plan to be considered having strong internal controls.
In The Importance of Internal Controls in Financial Reporting and Safeguarding Plan Assets2, the AICPA Employee Benefit Plan Audit Quality Center describes internal controls as being a process affected by plan management and other personnel charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting. A plan's policies, procedures, organizational design, and physical barriers are all part of the internal controls process. The following are some general characteristics of satisfactory plan internal controls over financial reporting:
Internal controls mitigate the likelihood of fraud. They target areas of risk and if properly designed and implemented, reduce the risk of material misstatements and malfeasance. They provide checks and balances over critical process and ensure accuracy of plan reporting and security of plan assets. Proper controls can help detect unnecessary mistakes thereby preventing costly corrections and potential participant issues.
Effective internal controls start with the separation of duties (SoD) within the plan sponsor and can be critical in reducing the risk of mistakes and inappropriate actions. It helps fight fraud by discouraging collusion. The basic idea underlying SoD is that no employee or group of employees should be in a position both to perpetrate and to conceal fraud in the normal course of their job. Therefore, there needs to be an adequate division of responsibilities among those who perform accounting procedures or controls activities, and those who handle assets. In general the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. SoD serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's cooperation, via collusion, to conceal it. In general, the principal duties to be segregated are:
Traditionally, internal controls rely on assigning certain responsibilities to different individuals or segregating incompatible functions. A prudent plan management team will have checks and balances over the security of the plan assets and participants' information. They will have an independent review of the data input to verify accuracy of the data in payroll and accuracy of the information passed on to the vendors.
Reporting & Reconciliation of Plan Assets
The plan administrator and fiduciaries ("plan management") are responsible for establishing and maintaining internal controls and for the fair presentation of the net assets available for benefits and disclosure in the plan's financial statements. They are responsible for implementing effective internal controls over financial reporting to ensure that the plan's investments are reported in the financial statements at amounts in accordance with professional standards and the plan's stated accounting policies. The process and controls include having a sufficient understanding of the nature of the underlying investments, the portfolio strategy of the investments, and the method and significant assumptions used by the fund manager to value the underlying investments. In addition to the potential negative effect on participant account balances, this lack of internal controls may make it more difficult for the plan sponsor and plan management to ensure that plan information is complete and accurate, financial statements are reliable, and laws and regulations are adhered with. Periodically, plan management needs to reconcile the data being reported by the service providers and its own internal accounting. Reconciliations are an important internal control procedure to ensure that all assets are accounted for and that any errors are detected and corrected on a timely basis. The failure to perform reconciliations may result in undetected errors, stale uncashed benefit checks, or unusual or fraudulent activities.
Plan management's "control objectives" related to the plan financials reconciliation and reporting should at a minimum cover the following areas:
Reporting & Reconciliation of Plan Contributions & Distributions
Control objectives related to the plan's contributions and benefit distributions can include the following areas:
Oversight of Outsourced Administration Functions
When a plan sponsor hires a service organization to handle specific administration functions, the service organization will typically only have responsibility (and potential liability) for the performance of those functions specifically documented under an agreement. Those responsibilities under the agreement can be quite different from the plan management's expectations. By hiring a third party you can outsource the work, but you retain the responsibility to oversee the service provider's activities. The hiring of a service organization to perform any administration functions is a fiduciary action which needs to be monitored to ensure they are performing the agreed upon services and doing so accurately and correctly.
The review can be effectively monitored with the proper internal controls. Plan management can conduct a periodic review of the accuracy and timeliness of services outlined in the agreement, and the service providers' SOC 1 and SOC 2 reports. Plan management can also research any "User Control Considerations." This review should identify any deviations. Periodically, plan management can hire an independent review of the outsourced activities. Control objectives related to the plan's outsourced administration functions might include the following areas:
In addition to such controls being important to regulatory bodies, properly designed internal controls make plan operations more efficient and effective in reducing the risk of undiscovered errors. Proper controls can potentially prevent plan disqualification, saving professional and service-provider fees that would be needed for correcting and managing future problems resulting in fewer frustrations for plan management. Strong internal controls provide reasonable assurance that the plan will remain in compliance throughout its life. However, internal controls may change, fail, or need to be modified from time to time. Because an entity's internal controls are only effective when properly implemented, employers should establish a formal review process at reasonable intervals to ensure the accuracy and efficacy of their plan's internal controls.
Information herein is provided for general informational purposes and not intended to be completely comprehensive regarding the particular subject matter. Multnomah Group does not represent, guarantee, or provide any warranties (express or implied) regarding the completeness, accuracy, or currency of information or its suitability for any particular purpose. Receipt of information does not create an adviser-client relationship between Multnomah Group and you. Neither Multnomah Group nor our advisory affiliates provide tax or legal advice or opinions. You should consult with your own tax or legal adviser for advice about your specific situation.