Internal Control Essentials for Retirement Plans
When was the last time you closely examined your retirement plan’s internal controls? If the answer is “not sure” or “a while ago,” then there is no time like the present to conduct a thorough assessment of your internal controls.
Strong internal controls are essential not only to ensure that your retirement plan remains in compliance with all regulatory requirements and plan provisions but also to help guard against the risk of fraud. Additionally, internal controls can help protect your plan’s tax-exempt status, assist in timely identification and resolution of issues through the IRS’ Self-Correction Program, and limit the risk that the IRS will perform an expanded audit of your plan.
Steps to Follow
- Establish control objectives. When establishing control objectives for employee benefit plans, it is prudent to also set objectives to verify you are meeting your fiduciary responsibilities. Timely and accurate remittance of employee contributions, periodic review of investment performance and evaluation of alternative investment options are a few examples of controls that help to maintain operational compliance.
- Evaluate control risks. Assess the areas that pose the greatest risk for your plan and design controls to mitigate those risks.
- Use COSO. The Committee of Sponsoring Organizations of the Treadway Commission Internal Control—Integrated Framework is a widely recognized comprehensive framework for establishing appropriate internal controls.
- Document and communicate. Once a control framework is established, formally document and communicate the internal controls to all employees who have a role in plan procedures and financial reporting.
- Monitor your controls. Periodically monitor and review the design and operation of your plan’s internal controls to corroborate risk objectives and resolve any gaps.
Objectives and Internal Controls
Below are examples of common objectives with specific controls that can be used to substantiate them.
- Timely review of reports submitted by trustees, asset custodians, and investment managers
- Regular reconciliation of detailed subsidiary records to trust reports
- Regular comparison of control totals from participant records to control totals from trust reports
- Documentation of investment criteria and objectives in the plan document or a formal investment policy
- Identification, in the plan document or investment policy, of individuals authorized to execute transactions
- Periodic review, by the investment committee (or other designated governing body), of investment transactions and investment portfolio composition for adherence to investment policies
- Segregation of responsibility for investment decisions and transactions from the custodian
- Assessment of financial stability and viability of institutions holding participant investments
- Storage of documents in a limited-access, fireproof area
- Limit access to investment records on a need-to-know basis
- Description of contribution requirements or limitations in the plan instrument or collective bargaining agreement
- Determination of contributions using an approved eligibility list
- Use of an actuary to make periodic valuations and reports
- Comparison of plan sponsor payroll records with contribution calculations
- Reconciliation of contribution forms to the cash receipts ledger and bank deposits
- Confirmation of procedures that verify participant contributions are remitted to the investment custodian in accordance with Department of Labor guidelines
Many organizations outsource payroll, recordkeeping, and investment management functions to third-party administrators (TPAs). While outsourcing to these service organizations can help plan fiduciaries maximize investment return and reduce their administrative burdens, it does not absolve plan management from evaluating the controls at the TPA and/or designing plan-level controls to mitigate risk.
Many of these TPAs issue a SOC-1 report that documents their control environment, opines on the operational effectiveness of the organization’s key controls, and details the plan-level controls that should be considered by users of the service. A key consideration when establishing a control framework is implementing a process for reviewing the service organization’s SOC-1 reports and responding to any deficiencies noted. The AICPA has established guidelines on the effective monitoring of outsourced plan recordkeeping and reporting functions.
It’s Your Responsibility
As the plan sponsor, it is your fiduciary responsibility to establish and maintain appropriate internal controls. Your BMF auditor can help you in determining which controls are appropriate and necessary for your plan.
The AICPA Employee Benefit Plan Audit Quality Center prepares Plan Advisories for plan sponsors, administrators and trustees to assist in understanding their fiduciary and other responsibilities.
Danielle J. Kimmell
Kristian R. Barr
About the Authors