When was the last time you closely examined your retirement plan’s internal controls? If the answer is “not sure” or “a while ago,” then there is no time like the present to conduct a thorough assessment of your internal controls.

Strong internal controls are essential not only to ensure that your retirement plan remains in compliance with all regulatory requirements and plan provisions but also to help guard against the risk of fraud. Additionally, internal controls can help protect your plan’s tax-exempt status, assist in timely identification and resolution of issues through the IRS’ Self-Correction Program, and limit the risk that the IRS will perform an expanded audit of your plan.

Steps to Follow

The AICPA lists a number of steps plan sponsors should follow in the evaluation of a plan’s internal controls, including the following:

  1. Establish control objectives. When establishing control objectives for employee benefit plans, it is prudent to also set objectives to verify you are meeting your fiduciary responsibilities. Timely and accurate remittance of employee contributions, periodic review of investment performance and evaluation of alternative investment options are a few examples of controls that help to maintain operational compliance.
  2. Evaluate control risks. Assess the areas that pose the greatest risk for your plan and design controls to mitigate those risks.
  3. Use COSO. The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control—Integrated Framework is a widely recognized comprehensive framework for establishing appropriate internal controls.
  4. Document and communicate. Once a control framework is established, formally document and communicate the internal controls to all employees who have a role in plan procedures and financial reporting.
  5. Monitor your controls. Periodically monitor and review the design and operation of your plan’s internal controls to corroborate risk objectives and resolve any gaps.

Objectives and Internal Controls

Below are examples of common objectives, with specific controls that can be used to substantiate them.

Objective: Verify investment transactions are recorded timely and accurately

Internal controls:

  • Timely review of reports submitted by trustees, asset custodians, and investment managers
  • Regular reconciliation of detailed subsidiary records to trust reports
  • Regular comparison of control totals from participant records to control totals from trust reports

Objective: Verify investment transactions are initiated in accordance with established investment policies

Internal controls:

  • Investment criteria and objectives must be documented in the plan document or a formal investment policy
  • Identify, in the plan document or investment policy, the individuals authorized to execute transactions
  • Periodic review, by the investment committee (or other designated governing body), of investment transactions and investment portfolio composition for adherence to investment policies

Objective: Verify protection of investment assets from loss or misappropriation

Internal controls:

  • Segregation of responsibility for investment decisions and transactions from the custodian
  • Assessment of financial stability and viability of institutions holding participant investments
  • Documents should be stored in a limited access and fireproof area
  • Limit access to investment records on a need-to-know basis

Objective: Verify the employer and participant contribution amounts meet authorized or required amounts

Internal controls:

  • Description of contribution requirements or limitations in the plan instrument or collective bargaining agreement
  • Determination of contributions using an approved eligibility list
  • Use of an actuary to make periodic valuations and reports

Objective: Timely remittance and recording of contributions in the appropriate amount

Internal controls:

  • Comparison of plan sponsor payroll records with contribution calculations
  • Reconciliation of contribution forms to the cash receipts ledger and bank deposits
  • Confirmation of procedures that verify participant contributions are remitted to the investment custodian in accordance with Department of Labor guidelines

Service Organizations

Many organizations outsource payroll, recordkeeping, and investment management functions to third-party administrators (TPAs). While outsourcing to these service organizations can help plan fiduciaries maximize investment return and reduce their administrative burdens, it does not absolve plan management from evaluating the controls at the TPA and/or designing plan level controls to mitigate risk.

Many of these TPAs issue a SOC-1 report that documents their control environment, opines on the operational effectiveness of the organization’s key controls, and details the plan level controls that should be considered by users of the service. A key consideration when establishing a control framework is implementing a process for review of the service organization’s SOC-1 reports and responding to any deficiencies noted. The AICPA has established guidelines on the effective monitoring of outsourced plan recordkeeping and reporting functions.

It’s Your Responsibility

As the plan sponsor, it is your fiduciary responsibility to establish and maintain appropriate internal controls. Your BMF auditor can help you determine which controls are appropriate and necessary for your plan.

The AICPA Employee Benefit Plan Audit Quality Center prepares Plan Advisories for plan sponsors, administrators and trustees to assist in understanding their fiduciary and other responsibilities.

About the Authors

Danielle J. Kimmell

CPA
Partner, Assurance and Advisory

Kristian R. Barr

CPA, MSA
Senior Manager, Assurance and Advisory
