Abstract
Employee benefit plans require strong internal controls to operate effectively and efficiently. The Internal Revenue Service and the U.S. Department of Labor have given companies clear indication that they take note of plans that are governed by strong internal controls, and companies will notice more efficient, more focused examinations as a result. A strong system of internal control incorporates both preventive and detective controls to assure the plan is administered in an orderly manner, to safeguard plan assets, to deter wrongdoing, to ensure accuracy and completeness of information and to produce reliable and timely information. A strong control environment would be designed to assure the plan is run in accordance with the plan document and that funds are flowing to the correct trust or individual and according to the timing intended. This gives plan administrators a clear understanding of how the goals of the plan are being met. Good controls would assure policies and procedures are clearly established and are followed to keep the plan in compliance both with the plan document and with all relevant regulatory requirements.
From Wall Street to Main Street, internal controls have risen to a new level of importance over the past decade in assuring account balances are fairly stated and fiduciary duties are met. Notorious corporate collapses following egregious accounting scandals brought on the Sarbanes-Oxley Act and its intense new focus on internal controls over financial reporting. As a result, an entire industry of regulation and compliance has evolved to swarm internal controls in an effort to rescue waning confidence among investors in the integrity of corporate balance sheets.
That may be helpful to investors in capital markets, but what about investors and employees who rely on companies to protect assets and deliver benefits promised in employee benefit plans? The Department of Labor (DOL) and the Internal Revenue Service (IRS) are keeping a watchful eye over employee benefit plan controls to assure they are in place. As the focus on internal controls has grown in recent years, DOL and IRS have provided indicators that they look more favorably upon plans that are governed by a clear set of internal controls.
At professional conferences, such as those offered by the American Institute of Certified Public Accountants, and at courses offered by the DOL, presenters often alert auditors and plan sponsors that the examination process is typically faster, simpler, and generally less onerous when examiners find the plan to be governed by a clear and effective flow chart of controls. Simply put, examiners recognize the assurance that internal controls provide, and they place faith in them. Having effective controls also sends a strong signal to employees that the plan sponsor is committed to assuring the safety and soundness of plan assets for the benefit of its beneficiaries.
The IRS has even enumerated the many reasons it urges plan sponsors to establish a strong control environment. In a recent presentation on internal controls, IRS examination leaders said good internal controls can eliminate or reduce errors in the operation of the plan. 1 They can help a plan sponsor quickly identify errors and initiate their own corrections without relying on regulators to catch mistakes, which reduces the cost of corrections. Good controls can help keep an audit of the plan focused, reducing the time dedicated to conducting an examination. They can shorten the turnaround time on any requests for additional information, and they generally promote clear communication between examiners and representatives of the plan.
The difference between strong and weak controls can determine whether a plan audit will be highly focused, perhaps drilling into three to five issues, or whether the scope of the examination will be expanded. A discussion of the state of internal controls between the examiner and the plan representative will quickly reveal whether the plan is well run or whether there are serious compliance risks that give the examiner good reason to dig deeper.
The DOL and IRS have made it clear to auditors that they expect auditors to take a close look at internal controls as part of their routine audit procedures. It is an aspect of employee benefit audits that seems “widely misunderstood, or even widely unknown,” the DOL says on its website. 2 “Auditors do not merely reconcile financial statements. In addition to their many other audit tasks, auditors review internal controls to determine whether they provide adequate safeguards for plan participants.”
What Are Sound Internal Controls?
Internal controls represent any systematic measure that a company or other organization establishes to assure its business is conducted in an orderly manner, to safeguard its assets, to deter wrongdoing, to ensure accuracy and completeness of information, and to produce reliable and timely information. Controls can be broken into two major categories—preventive or detective. Preventive controls are used to detect potential errors before they occur, while detective controls are in place to find problems that preventive controls did not successfully prevent.
Even if not required by any regulatory mandate to have them, every business operates under controls of some kind. It can be as simple as having a second person signing checks that exceed a certain dollar amount, although most controls are much more complex. The key to having a sound system of controls is to establish a system that is based on the risks of what is most likely to go wrong, or what is most likely to have the most serious detrimental effect if it were to go wrong, and to document those controls so everyone is clear on the rules and responsibilities.
The plan sponsor and plan administrator are responsible for establishing and maintaining an effective system of internal control over employee benefit plans. Controls generally fall into a few specific areas: controls over the plan document and any amendments, plan testing and administration, contributions, participant data, compensation, distributions, loans, and plan expenses, plus reviewing controls at any third-party administrator. Depending on the organization, controls might also be necessary to address multiple plans, multiple subsidiaries or business units, or merging plans in the event of a business combination. Defined benefit pension plans also have additional controls to address actuarial assumptions and the proper distribution of funds.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently adopted an “Internal Control—Integrated Framework” that can guide an organization through the establishment of an internal control environment for virtually any corporate structure (see Table 1). 3 The COSO framework is most widely used by public companies to help them comply with their reporting requirements under Sarbanes-Oxley, but it is equally applicable to establishing a control environment for an employee benefit plan. COSO designed the framework, in fact, to be used for any kind of important business control environment, not just controls over financial reporting.
Table 1. Five Components and 17 Principles of Effective Internal Control.
Source. Committee of Sponsoring Organizations of the Treadway Commission. Internal control—Integrated framework. Retrieved from http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf
Areas Requiring Control
A solid control environment for an employee benefit plan would be designed to assure the plan is run in accordance with the plan document and that funds are flowing to the correct trust or individual and according to the timing intended. Good controls would assure policies and procedures are clearly established and are followed to keep the plan in compliance both with the plan document and with all relevant regulatory requirements.
It all sounds straightforward enough. In reality, however, the complexities of managing an employee benefit plan can present plenty of opportunities for error if not for strong controls to prevent or detect them. Consider, for example, a problem commonly spotted by auditors in employee benefit plan audits. Employee contributions to plans often are administered by payroll deductions. Auditors sometimes find that while contribution amounts are deducted from payroll according to a sound method, the funds are not always remitted timely to the employee benefit plan. For plans with more than 100 participants, funds must be remitted as soon as they reasonably can be segregated, but not more than 15 days into the month following the month in which they are withheld from payroll. The timing on this transaction is critical, but it is not uncommon to find plan administrators are not following a sound process for assuring it. The delay is not only a violation of DOL regulations, but it erodes plan assets by reducing the time they can spend appreciating in the plan.
Another tricky area flagged by the IRS is having controls to assure distributions and loans taken from the plan follow appropriate guidelines. This includes controls to assure that the employee is eligible for the loan, that the loan rules are followed, that the plan is not issuing too many loans, that the interest rate is properly stated and observed, and that improper distributions are not made, especially for employees who are not yet age-eligible to begin distributions.
Hardship distributions are especially tricky. Plan administrators and third-party administrators need a sound process for assuring the hardship reason is well established and eligible for withdrawal. Vesting percentage is another problem area in many plans. The plan sponsor needs a tight process for assuring the proper hire and termination date for an employee, and that the vesting percentage is calculated in accordance with the plan document to assure distributions are accurate.
With respect to the plan document and amendments, controls would address what process is in place to assure compliance with most recent laws and regulations, as well as who reviews the plan document to assure it is updated as necessary. They also address who monitors the timing of when to apply for a new determination letter as necessary, and who monitors transactions with the plan to determine if there are any prohibited transactions with related parties or parties-in-interest.
Such controls require strong communication between the plan administrator and the plan sponsor’s appointed representative, especially in larger organizations with many hundreds or thousands of employees. Keeping a plan in compliance requires vigilant adherence to a clear methodology to assure plans are current and amended as and when necessary.
Controls also are necessary to assure proper plan testing and administration. Who is responsible for assuring administration and investment committee minutes are taken? Who reviews and monitors the third-party administrator or other custodian? Who compares or reviews documentation to assure the correct employee information is sent to the third-party administrator for testing, and that the correct wage information is sent for testing? Who monitors fees, both participant fees and administrative fees? And who assures they are not out of line with the market?
Best practice is for a plan to have a benefit committee to evaluate how plan investments are performing and to make any recommended change in investment allocations. Internal controls would give the committee a framework for deciding when investment performance is out of line with expectations or risk tolerances and what corrective actions should be considered.
One important control that is often lacking in benefit plans is testing to assure the plan is compliant with IRS nondiscrimination requirements. The IRS wants to assure that plans do not unfairly benefit owners and highly compensated employees at the expense of middle managers or rank-and-file employees, thus serving as more of a tax shelter for shareholders than a benefit for employees. Annual nondiscrimination testing of the actual deferral percentage and the actual contribution percentage is high on the IRS checklist when examining or auditing a plan. The plan administrator needs to assure the third-party administrator has correct information with which to perform those tests.
Contributions represent another important area for control focus. Controls must be in place to assure someone reviews the contribution details to assure they match payroll before funds are transferred, including contributions for newly enrolled or terminated employees. Timeliness is critical to assure compliance with the plan document. As such, a control backup should be considered to address instances where the person with primary duty is absent from the job for any reason. A follow-up control is equally critical to assure contributions occurred when and as intended. In smaller environments, it may be relatively straightforward to assure contributions are timely and accurate, but the larger the plan, the more complex the task, especially in large companies with multiple locations and multiple plans.
Controls over the proper management of participant data address multiple areas, such as eligibility and enrollment, compensation, and business combinations, such as acquisitions, mergers, or multiple locations. Plan sponsors must clearly establish who reviews new hires to assure all participants who are eligible to join the plan are given that opportunity, including focusing on employment types, such as salary versus hourly, union versus nonunion, part-time or seasonal employees, leased or temporary employees, and so on. For plans with automatic enrollment, controls must assure the third-party administrator receives information on new hires to determine when they are eligible and should begin making contributions. Proper controls can assure that employee deferral elections are uploaded timely, and contributions are stopped when employees reach the IRS wage limit.
Compensation codes must be reviewed at least annually or even quarterly to assure they are accurate and in accordance with the plan document, including focusing on reviewing different definitions of compensation for matching or profit sharing contributions. When multiple business units are involved, controls must assure employees from the proper subsidiaries are entered into the plan, and plan assets must be reconciled when a merger or acquisition occurs to assure accuracy at the plan level as well as the participant level.
In terms of errors, auditors find them most often in compensation and personal data, where communication between plan administrators and human resources may be allowing important details to fall through the cracks. Good controls must be established to minimize such errors. The relatively new practice of enrolling employees automatically has produced its own opportunity for error, commanding controls specifically to address this aspect of plan administration. Communication is key to assuring such details are adequately managed. A control structure around this area is particularly important.
Controls around loans also are important, assuring loan applications are reviewed to verify that they are within the provisions of the plan document and coordinating with payroll to assure correct amounts for loan repayments are withheld from employee pay. A control must be in place to assure loan balances are monitored to stop withholdings when loan payments are complete. Communication, once again, is key, between the plan or third-party administrator and payroll.
Where a company engages a third-party administrator, there are controls here as well. It is more difficult, however, to review and assess controls at an outside service organization, which is why third-party administrators should provide plan sponsors with an audit report of their own, commonly called an SOC 1 report. Under professional standards, it is known more formally as a Report on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting.
An SOC 1 report is prepared by an auditor engaged by the third-party administrator to review and assess controls at that service organization, and the service organization provides the report to any entity relying on its controls. This is a more efficient means of showing controls are in place and operating effectively than having the service organization consent to audit requests from each of its individual clients.
Plan sponsors should review SOC 1 reports to assure not only that the third-party administrator provided one, but that it reflects the presence of controls that are important to the plan sponsor. If those controls are lacking, ultimately it is the plan sponsor who will be held accountable by regulators. Plan sponsors hold primary responsibility for assuring sound controls and cannot simply assign it to a third-party administrator by hiring and relying on them blindly.
Finally, plan sponsors need a process in place to review plan expenses and fees to assure service provider fees and expenses are evaluated for reasonableness. Plan sponsors are not obligated to buy the lowest-cost service, but they need controls in place to assure they are reviewing and pushing back as necessary on plan costs. A reasonable process might include regular meetings of an administrative committee or investment committee, with minutes, to show what issues have been considered and what was decided. If the committee is second-guessed for any reason, documentation would demonstrate the decision process that took place.
For defined benefit plans some additional controls may be warranted to address actuarial assumptions and funding contribution differences that are specific to these types of plans. Actuarial assumptions are complex and require both heavy documentation and carefully reached judgments. Plan sponsors need controls in place to review those assumptions and judgments. Again, the plan sponsor is ultimately responsible for such judgments and must take ownership over them rather than simply relying blindly on the advice of an outside service provider.
The IRS has taken note of where it most often sees control problems with employee benefit plans, and it provides checklists to help companies keep their plans in compliance (see Table 2). 4 Third-party reports, the IRS says, frequently have inaccurate data, such as dates of hire and termination, employee age and service, and compensation. Decentralized payroll systems present opportunity for error, where each subsidiary determines eligibility, HCE status, or what constitutes “compensation,” resulting in incorrect coverage and allocations. The IRS also often finds data used for Form 5500 filings fails to conform to actual records, such as payroll data.
Table 2. IRS 401(k) plan checklist.
Note. The IRS checklist for 401(k) plans provides a quick assessment of the extent to which a given benefit plan is in need of an internal control update.
Conclusion
Establishing a control environment over an employee benefit plan is not a simple exercise. Documentation is critical to assure anyone who picks up the control documents—whether an employee responsible for administering them or an auditor or regulator responsible for assessing them—can follow them readily. That might take the form of an outline, flow chart, a list or some other structure to make it easy to follow, and therefore more easily observed.
The IRS provides tools on its website that can be helpful to companies reviewing their controls or establishing controls in a more formal way. Companies with internal audit staff can certainly turn to the internal auditor for assistance in establishing or reviewing controls. Depending on the company and the nature of the plan, external auditors also can serve as a resource to companies to help shore up control weaknesses, although external auditors also must observe independence rules before offering such assistance. In some circumstances, external auditors might be prohibited from assisting if doing so would put the auditor in a position of auditing his or her own work.
Given the current and growing level of regulatory interest in internal controls surrounding employee benefit plans, companies can reduce their risk of adverse findings and excess scrutiny by taking a proactive approach to establishing or improving their controls around their benefit offerings.
Declaration of Conflicting Interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author received no financial support for the research, authorship, and/or publication of this article.
