Internal Controls for Retirement Plans

    Brian Montanez, AIF®, CPC, TGPC




    Good fundamental internal controls in the operation of retirement plans are the bedrock of fiduciary and compliance requirements. Retirement plan operations and internal controls are complicated, frequently ignored, and a potential source of significant compliance breaches. The administration of retirement plans must comply with both the regulatory requirements and the plan document, in form and in operation, for the plans to maintain their tax-preferential status. Many of the mistakes that occur stem from not following the terms of the plan document, failing to revise the terms of the plan document, or failing to adhere to regulatory requirements. Penalties that may result from a failure to comply include plan disqualification and/or loss of tax deductions to the employer and employees.

    The Internal Revenue Service (IRS) and Department of Labor (DOL) are focused on the plan's operating policies and procedures, as well as compliance and reporting controls. The IRS in particular is taking internal controls very seriously. Monika Templeman, Director of Employee Plans Examinations at the IRS, stated recently in an Employee Plans Phone Forum:

    "If a plan is selected for audit by the IRS, the EP agent conducting the retirement-plan examination will begin by evaluating the effectiveness of the plan's internal controls to determine whether to perform a focused audit - that is, just look at three to five issues - or expand the scope of the examination. In other words, based on the strength of the plan's internal controls, the agent will decide to examine more or less of the return than originally planned."1

    The fundamental tenets of good internal controls are segregation of duties, reporting & reconciliation, and oversight of outsourced administration functions. These issues can become particularly complicated because so much of today's plan operations are outsourced to third party service providers. Good internal controls can eliminate or reduce errors in plan operations and reduce the amount of time the administrator spends with any plan auditors or regulatory bodies examining the plan. 

    In this paper I will broadly discuss the fundamental tenets a plan must meet to be considered to have strong internal controls.


    What are Internal Controls

    In The Importance of Internal Controls in Financial Reporting and Safeguarding Plan Assets2, the AICPA Employee Benefit Plan Audit Quality Center describes internal controls as a process effected by plan management and other personnel charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting. A plan's policies, procedures, organizational design, and physical barriers are all part of the internal controls process. The following are some general characteristics of satisfactory plan internal controls over financial reporting:

    • Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur
    • Personnel qualified to perform their assigned responsibilities 
    • Sound practices to be followed by personnel in performing their duties and functions
    • A system that ensures proper authorization and recordation procedures for financial transactions


    Why are Internal Controls Important

    Internal controls mitigate the likelihood of fraud. They target areas of risk and, if properly designed and implemented, reduce the risk of material misstatements and malfeasance. They provide checks and balances over critical processes and ensure accuracy of plan reporting and security of plan assets. Proper controls can help detect unnecessary mistakes, thereby preventing costly corrections and potential participant issues.


    Plan Sponsor Segregation of Duties 

    Effective internal controls start with the separation of duties (SoD) within the plan sponsor, which can be critical in reducing the risk of mistakes and inappropriate actions. It helps fight fraud by discouraging collusion. The basic idea underlying SoD is that no employee or group of employees should be in a position both to perpetrate and to conceal fraud in the normal course of their job. Therefore, there needs to be an adequate division of responsibilities among those who perform accounting procedures or control activities, and those who handle assets. In general, the flow of transaction processing and related activities should be designed so that the work of one individual is either independent of, or serves to check on, the work of another. Such arrangements reduce the risk of undetected error and limit opportunities to misappropriate assets or conceal intentional misstatements in the financial statements. SoD serves as a deterrent to fraud and concealment of error because of the need to recruit another individual's cooperation, via collusion, to conceal it. In general, the principal duties to be segregated are:

    • Custody of assets
    • Authorization or approval of transactions
    • Reconciling or reporting of transactions
    • Security of participant information (data security & asset bonding)

    Traditionally, internal controls rely on assigning certain responsibilities to different individuals or segregating incompatible functions. A prudent plan management team will have checks and balances over the security of the plan assets and participants' information. They will have an independent review of the data input to verify accuracy of the data in payroll and accuracy of the information passed on to the vendors. 


    Reporting & Reconciliation of Plan Assets

    The plan administrator and fiduciaries ("plan management") are responsible for establishing and maintaining internal controls and for the fair presentation of the net assets available for benefits and disclosure in the plan's financial statements. They are responsible for implementing effective internal controls over financial reporting to ensure that the plan's investments are reported in the financial statements at amounts in accordance with professional standards and the plan's stated accounting policies. The process and controls include having a sufficient understanding of the nature of the underlying investments, the portfolio strategy of the investments, and the method and significant assumptions used by the fund manager to value the underlying investments. In addition to the potential negative effect on participant account balances, a lack of internal controls may make it more difficult for the plan sponsor and plan management to ensure that plan information is complete and accurate, financial statements are reliable, and laws and regulations are adhered to. Periodically, plan management needs to reconcile the data being reported by the service providers with its own internal accounting. Reconciliations are an important internal control procedure to ensure that all assets are accounted for and that any errors are detected and corrected on a timely basis. The failure to perform reconciliations may result in undetected errors, stale uncashed benefit checks, or unusual or fraudulent activities.

    Plan management's "control objectives" related to the plan financials reconciliation and reporting should at a minimum cover the following areas:

    • Ensure that investments are measured at fair value (the valuation assertion)
    • Ensure accuracy of hard to value asset reporting
    • Ensure accuracy of trust reporting of prior period to current period reporting, adjusted for markets and any transactions
    • Compare internal participant records to the totals from trust reports regularly
    • Cash disbursement records are reconciled to ensure that all benefit payments are properly recorded
    • Review that investment transactions are recorded at the appropriate amounts and in the appropriate periods on a timely basis
    • Confirm that investment income and expenses are recorded at the appropriate amount and in the appropriate period on a timely basis
    • Review participant deferral totals as compared to recordkeeper totals
    • Ensure accuracy of participant benefit statement reporting
    • Ensure that the assessment and accounting for administrative expenses are allocated in accordance with applicable agreements, policies, and/or plan documents
    • Review accuracy and timeliness of required annual filings and reporting
    • Periodically review all financial reports and filings
    • Ensure plan assets are properly bonded


    Reporting & Reconciliation of Plan Contributions & Distributions

    Control objectives related to the plan's contributions and benefit distributions can include the following areas:

    • Controls should provide reasonable assurance that the appropriate asset purchases or redemptions are made in the appropriate plan to the appropriate participant as a result of activity
    • Ensure that participants are enrolled in accordance with plan document eligibility and entry date rules
    • Ensure that contributions by employers and participants meet authorized or required amounts and source, and are within IRS deferral or contribution limits
    • Cash disbursement records are reconciled to ensure that all benefit payments are properly recorded
    • Amounts of contributions by employers and participants meet authorized or required amounts and are deposited in a timely manner and periodically reviewed for accuracy
    • Responsibility for receiving and processing contributions is adequately segregated
    • Benefits and claims payable outstanding for a long period are investigated
    • Initial controls are established over hardship withdrawals and documentation is maintained, and future contributions are ceased for the appropriate amount of time
    • If required by the plan agreement, participants taking hardship withdrawals do not make any contributions to any plan during the months following the withdrawal
    • Initial controls are established over forfeitures and utilization/allocation of forfeitures is made in accordance with the plan agreement
    • Blank forms have authorized approvals
    • Responsibilities for benefit approval, recording of benefits, and maintenance of participant files are adequately segregated
    • Check endorsements are compared with signature in applicable participant records
    • Required notices and disclosures are distributed timely and documented
    • Loans are made only with proper authorization based on established and documented requirements 
    • Loan approvals, payments, and defaults are addressed accurately and timely 
    • Identify and attempt to locate lost participants with account balances
    • Past-due contributions are investigated on a timely basis
    • Periodic correspondence with beneficiary or terminated participant is maintained, and correspondence or payments are returnable to plan committee if undeliverable
    • Review of uncashed checks for cause
    • Access to computerized records is limited to those with a logical need for such access


    Oversight of Outsourced Administration Functions

    When a plan sponsor hires a service organization to handle specific administration functions, the service organization will typically only have responsibility (and potential liability) for the performance of those functions specifically documented under an agreement. Those responsibilities under the agreement can be quite different from the plan management's expectations. By hiring a third party you can outsource the work, but you retain the responsibility to oversee the service provider's activities. The hiring of a service organization to perform any administration functions is a fiduciary action which needs to be monitored to ensure they are performing the agreed upon services and doing so accurately and correctly. 

    This oversight can be carried out effectively with the proper internal controls. Plan management can conduct a periodic review of the accuracy and timeliness of services outlined in the agreement, and of the service providers' SOC 1 and SOC 2 reports. Plan management can also research any "User Control Considerations." This review should identify any deviations. Periodically, plan management can commission an independent review of the outsourced activities. Control objectives related to the plan's outsourced administration functions might include the following areas:

    • Proper delegation of authority (committee/vendor delegation is documented, and a fiduciary file is created and secured)
    • Policy statements are current and consistent with best practices 
    • Data accuracy - review and confirm third parties have accurate and complete data:
        • Date of hire and termination
        • Employee's age and service dates
        • Compensation
    • Complete information for 5500 when there are multiple vendors
    • Ensure fees charged are in accordance with agreements and assessed in the appropriate manner
    • Confirm third parties have current plan document(s)
    • Validation of accuracy and timeliness of deposits of employee and employer contributions into the trust
    • Validate that employee contributions are in agreement with what has been authorized
    • Completion and accuracy of nondiscrimination testing
    • Ensure that participant loans are being repaid timely, and defaulted loans are identified, distributed and taxed
    • Required Minimum Distributions rules have been identified and appropriate participants notified
    • Accuracy and completeness of hardship distribution proof of need is secured
    • Confirm that only eligible distributions are being approved
    • QDROs are being properly identified, documented, and proof of QDRO is secured
    • Accuracy and timeliness of annual filings and reporting
    • Controls are established over forfeitures and use of assets in accordance with the plan agreement and Department of Labor regulations
    • Uncashed checks are being reported to plan management and addressed
    • Access to participants' data is secured to prevent unauthorized access
    • Periodically review vendors' SOC report(s)



    In addition to being important to regulatory bodies, properly designed internal controls make plan operations more efficient and are effective in reducing the risk of undiscovered errors. Proper controls can potentially prevent plan disqualification and save the professional and service-provider fees that would be needed for correcting and managing future problems, resulting in fewer frustrations for plan management. Strong internal controls provide reasonable assurance that the plan will remain in compliance throughout its life. However, internal controls may change, fail, or need to be modified from time to time. Because an entity's internal controls are only effective when properly implemented, employers should establish a formal review process at reasonable intervals to ensure the accuracy and efficacy of their plan's internal controls.





    Information herein is provided for general informational purposes and not intended to be completely comprehensive regarding the particular subject matter. Multnomah Group does not represent, guarantee, or provide any warranties (express or implied) regarding the completeness, accuracy, or currency of information or its suitability for any particular purpose. Receipt of information does not create an adviser-client relationship between Multnomah Group and you. Neither Multnomah Group nor our advisory affiliates provide tax or legal advice or opinions. You should consult with your own tax or legal adviser for advice about your specific situation.