Internal 401(k) Controls:
Your Auditors Will Be Looking in 2008!
By: David P. Boucher, CFP®, AIF®
Associate Director, Retirement Plan Services
Longfellow Benefits
As a Plan Sponsor, Administrator, or Trustee of a retirement plan, you are considered to be a Fiduciary under ERISA. As fiduciaries, you have certain responsibilities to the participants in retirement plans. Fiduciaries that do not follow basic rules or standards of conduct may be subject to personal liability of plan losses as a result of their improper management of plan assets.
The phone rings. I pick it up. The conversation lasted 30 minutes and outlined how a participant called HR frantically asking why they received a 1099r in the mail for a 401(k) distribution in 2007. The HR Manager shares with me that 7 other participants were in a similar situation. The fact of the matter was loan repayments never started for 8 participants and once the loans reached 90 days of delinquency, they were automatically defaulted. 1099r notifications were sent out the first of the month following 90 days of default. How could this happen? How did HR not look at the plan sponsor webstation for 6 months to see the loan initiation feedback files? The answer is a lack of internal controls or Risk Assessment Standards.
It is for this reason that internal controls need to be set up to safeguard against unintentional or intentional misuse of plan assets. Effective for plan years commencing after December 15, 2006, 401(k) plans will be required to substantiate a level of internal controls that coincide with the recommendations put forth by the American Institute of Certified Public Accountants (AICPA) and the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control (COSO). These controls are intended to reduce the risk of loss, and help ensure that the plan information is complete and accurate. As auditors, your independent firm will be asking to see your set of controls as it relates to specific day-to-day operations of a successful plan. Please set up time with your Longfellow Benefits consultant for a list of controls that auditors will be requesting.
Controls can be broken into two categories, preventative and detective controls. Preventative controls are controls that attempt to eliminate errors from happening, while detective controls attempt to minimize errors from becoming major problems. The following are general characteristics of satisfactory plan internal controls:
- Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur
- Personnel qualified to perform their assigned responsibilities
- Sound practices to be followed by personnel in performing their duties and functions
- A system that ensures proper authorization and recordation procedures for financial transactions
Internal controls will vary depending on the plan size, type and complexity; whether the plan uses outside service providers to process transactions and manage plan investments; and the size and qualifications of the department responsible for running the plan. Even in situations where you have hired a third-party service provider to perform accounting and reporting functions, it is very likely that certain controls will be necessary at the plan level. Staff training is a key element in ensuring the effectiveness of the plan’s internal controls.
Additional resources for internal controls can be found by:
Examples of Selected Controls for Employee Benefit Plans (Source: American Institute of Certified Public Accountants and Accounting Guide Employee Benefit Plans (Appendix B))
- Payroll Controls:
- Who is responsible
- Who is the backup
- Who is the emergency contacts at your payroll and 401(k) service providers
- What is the consistent timeframe that deposits are made into your plan trust
- Reports are reviewed per payroll for accuracy
- Detailed subsidiary records are reconciled quarterly
- Control totals from participant’s records are compared to trust reports annually
- Payrolls were deposited in the same manner/timeframe throughout the year
- Participant Data Controls:
- Who is responsible to inputting new participant data
- Who is responsible for inputting participant demographic changes
- Participant forms, if applicable, are controlled and are maintained for future reference
- The number of plan participants is reconciled periodically
- Employees are notified of their eligibility
- Authorized Signatories
- Are known
- Are up-to-date
- Understand their fiduciary responsibilities
- Investment Committee
- You have one
- You meet at least annually, but more frequently is highly recommended and quarterly is Best Practice
- You have an Investment Policy Statement (IPS)
- You amend your IPS upon changes
- You have Bylaws for your committee
These are just three topics from many that plan sponsors will need to have documentation on and be able to prove adequate internal controls are in place.
Finally, because internal control is only effective when properly designed and operating as intended, monitoring the quality of your internal control’s performance over time is an essential task.