When IRS examiners check under the hood of many retirement plans, they often find a lack of sufficient internal controls. The consequences can be severe — even if an IRS audit doesn’t turn up any other problems. The worst-case scenario? Theft of plan assets that’s financially damaging to participants and your company, and can also lead to plan disqualification.
Internal controls and IRS audits
Plan sponsors often fall short with their internal controls, the IRS warns, because of a misunderstanding of their obligations vs. those handled by service providers. The IRS cautions that hiring a service provider doesn’t relieve sponsors of their responsibility to keep their plan in compliance.
If an audit uncovers inadequate internal controls, your plan can become ineligible to use the IRS’s self-correction program (SCP). The SCP allows plans to fix insignificant operational errors at any time and preserve the plan’s tax-favored status without paying any fees.
In addition, when an IRS auditor determines that internal controls are weak, the auditor will conduct a more detailed audit than would otherwise have occurred. What’s more, if that closer look leads to the discovery of errors, the lack of adequate internal controls weakens your leverage to negotiate a favorable audit closing agreement with the IRS, such as a less-onerous penalty to resolve the case.
Internal control categories
The AICPA’s Employee Benefit Plan Audit Quality Center deems internal controls as “a process affected by plan management and other personnel charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting. A plan’s policies, procedures, organizational design and physical barriers are all part of the internal controls process.”
The key components of a comprehensive internal control system are:
Segregation of Duties (SoD). This is fundamental to all internal control systems and includes the way your company’s invoices and receivables are processed, paid and accounted for. According to the AICPA, SoD “is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.” SoD includes asset custody, authorization or approval of transactions, transaction reporting and reconciling, and security of participant data.
Reporting and reconciliation of plan assets, contributions and distributions. This includes ensuring the accuracy of participant benefit statements and asset valuation and the proper bonding of plan assets. Plans must reconcile cash disbursement records and match individual participant records to data reported by the asset custodian. Finally, ensure the timeliness and accuracy of required regulatory filings and the proper recording of investment transactions, income and expenses.
Oversight of outsourced functions. Review the performance of your service providers against your service agreements and determine the causes of any deviations. In addition, review service providers’ own internal control procedures. Those are compiled in standardized reporting formats under the AICPA’s Service Organization Control (SOC) Report 1 and SOC 2. The former covers the service provider’s financial controls, whereas the latter addresses controls pertinent to operations and compliance. You can hire an independent auditor to review outsourced services. But as with any other outsourced service, a system must be in place to vet that auditor.
Keys to control
When reviewing internal control for your plan or the controls of a service provider, there are many considerations. At a minimum, be sure that:
- Participant enrollment is consistent with plan documents,
- Contributions satisfy required amounts and are within regulatory limits, and
- Employer and employee contributions to employee accounts are made on a timely basis.
In addition, review hardship withdrawal requests for compliance with regulatory standards prior to disbursement. Implement and follow a documented process for approving participant loans and ensuring that payments are being made according to amortization schedules. Maintain records of correspondence with participants and former participants and periodically compare signatures on endorsed checks to original signatures on file. Finally, have a system in place to locate former participants with residual account balances who fall off the radar.
It’s up to you
The saying “an ounce of prevention is worth a pound of cure” applies to your internal controls. Effective internal controls and annual reviews can help prevent costly mistakes that can jeopardize your plan’s tax-favored status. Take the time to review and update yours now.
BPM is one of the largest California-based accounting and consulting firms, ranking in the top 50 in the country. It has served the San Francisco Bay Area's emerging and mid-cap businesses, as well as high-net-worth individuals, since 1986. Our Employee Benefits team consists of professionals with extensive knowledge of ERISA guidelines and deep expertise performing employee benefit plan audits. We can help you craft a smooth-running plan that serves your employees while mitigating associated risk. For more information or for a free expert consultation, Jenise Gaskin at (925) 296-1016 or Mike Spence at (408) 961-6303 or visit us at www.bpmcpa.com/ebp.