What to Know About Financial Audits Filed with Form 5500s

Plan sponsors required to file a financial audit along with their Form 5500 should know how regulators use the information and how to pick the best auditor.

Any retirement plan with 100 or more participants must be independently audited by a certified public accountant (CPA) firm and include those findings with the annual Form 5500 it electronically files with the Department of Labor (DOL), which, in turn, shares it with the Internal Revenue Service (IRS).

It is imperative that plan sponsors work with qualified CPA firms since the “2015 Assessing the Quality of Employee Benefit Plan Audits” from the DOL found that 39% of plans that were audited had either unacceptable or major deficiencies, says Anne Morris, employee benefit plan practice leader at Windham Brannon in Atlanta. And the auditor must use Generally Accepted Accounting Principles (GAAP), says David Guadagnoli, a partner at Sullivan & Worcester in Boston.

The Form 5500, which includes the audited financial statements, is used by the DOL, IRS and, in the case of a defined benefit plan, the Pension Benefit Guaranty Corporation (PBGC), Guadagnoli adds. “The idea is that Congress felt that the plan administrator, the government and participants needed financial statements reviewed by an independent auditor to make sure retirement plans are properly managed for participants,” he says.

Essentially, “the whole idea of the audit is to ensure that a plan is being run in accordance with its plan documents,” adds Jennifer Moore, director of 401(k) audit service at PriceKubecka LLC in Addison, Texas. The agencies also want to make sure that “plan participants aren’t being defrauded,” adds Robert Forni, a partner at Ropers, Majeski, Kohn & Bentley in San Francisco.

There are two main types of audits that are permissible: limited scope and full scope, Morris says. A limited-scope audit is more focused on the participants in the plan, to ensure that their accounts are correct, whereas a full-scope audit delves into more detailed testing of the plan investments, Morris says.

To qualify for a limited scope audit, “the qualified institution holding the assets of the plan [must] certify the ‘completeness and accuracy’ of the reports,” Morris says.

“The areas of focus and testing in both types of audits include: contributions (employee and employer), distributions, participant eligibility testing, and investment income allocation to participant accounts,” she continues. “During the audit, samples of participants are selected in these areas and then tested. Tests are included to recalculate employee and employer contributions and to ensure the participant deferral percentages are correct and that the participant was allocated the correct amount of earnings based on the investments they have chosen in their account.” Distributions, vesting and forfeitures are tested, as well, Morris adds.

The audited financial statement package always begins with an auditor opinion letter from the accountant explaining the scope of the work, Guadagnoli says. This is followed by the financial statements and any necessary explanatory footnotes.

“The financial statements show changes in assets and liabilities over the preceding year, such as employer contributions, employee contributions, expenses and distributions,” Guadagnoli says. The organization of audited financial statements will look pretty much the same for every retirement plan, he says. However, a plan that holds illiquid assets, such as limited partnerships, real estate or private equity, may require more information relating to valuation, he says.

Should the audit find that, for instance, employee contributions were not made on a timely basis, the DOL expects plan sponsors to “calculate what the employees lost out on and pay that back into the plan to make them whole,” Moore says.

The DOL is not only concerned that contributions are made on a timely basis; it wants to see that “if any tasks were done incorrectly, that the proper steps were taken to fix the issues,” says Tom Foster, national spokesperson for workplace solutions at MassMutual in Enfield, Connecticut.

The financial audit may uncover red flags for regulators. These include “not keeping plan documents up to date, not following plan documents, incorrect definitions of compensation, not remitting contributions on a timely basis, not filing Form 5500 on time, and not overseeing hardship withdrawals and loans properly,” Forni says. Such mistakes can trigger further audits by the IRS, the DOL or both, he says.

DOL’s rule on when to send in 401(k) deferrals “is a little ambiguous,” Moore concedes. That is why her firm believes it is a best practice to submit the payments at the same time the sponsor submits their payroll taxes, she says.

“Another relatively new DOL focus is missing participants,” Morris notes. “Missing participants are those who have not kept their address information current and could result in participants losing track of their benefits and account information. It is the plan sponsor’s responsibility to make an attempt to track down these missing participants, and the DOL will question how this is being done.”


Use of the Data

“The Form 5500 series and audits are important compliance, research and disclosure tools for the DOL and a source of information and data for use by other federal agencies, Congress and the private sector in assessing employee benefit, tax and economic trends and policies,” Foster says.

“The DOL uses the information by data mining to determine if there are patterns that can help show which types of plans might commonly be non-compliant,” he continues. “The DOL also uses the information to determine the scope and breadth of retirement plan offers and uses among companies in geographic locations, by size and by other indicators such as industry.”

Qualities of a Sound Auditor

As to what to look for in a CPA firm, it is important to find one that specializes in retirement plan audits, as “this is a complicated field,” Forni says. “It isn’t going to be your run-of-the-mill CPAs.”

Morris recommends that sponsors look for firms that have conducted at least 100 audits. That said, the DOL will be concerned if it finds that an auditing firm conducts too many audits a year, Moore adds. In addition, the American Institute of Certified Public Accountants (AICPA) has a Plan Audit Quality Center that offers ongoing education on retirement plan audits, she adds. All PriceKubecka accountants who conduct retirement plan audits undergo this annual training, she says.

Sponsors should ask several questions of a potential auditor, such as whether they work with plans similar to theirs, Foster says. “What is the cost of the service and what, specifically, do they cover? Who in the firm will be performing the majority of the day-to-day work and what are their qualifications and experience? Who will review and have final sign-off on the audit and what are their qualifications and experience?”

It is also important to ask whether accountants at the CPA firm can be reached via phone to answer questions, Moore says.

CPA firms’ fees for retirement plan audits “vary significantly,” Guadagnoli says. “You can pay relatively little or a fair amount of money. It depends in part on the market you are in and your own negotiations with the auditor.”

It may not be in the best interest of sponsors to simply look for the least expensive retirement plan auditor, as that could lead to errors and the possibility of needing to hire yet a second auditor, Moore says. “You may not get as good of an audit, which could set you up for fiduciary risk.”

Driving Cybersecurity with Participants and Providers

Plan sponsors should evaluate providers’ cybersecurity practices, but there are also steps they and plan participants can take to safeguard retirement accounts.

Among a plan sponsor’s responsibilities, encouraging and enforcing cybersecurity are not the first tasks that come to mind.


But, as modern technology takes over the common workplace, cybersecurity for retirement plans has started to receive attention. In late 2018, the ERISA [Employee Retirement Income Security Act] Advisory Council asked the Department of Labor (DOL) for guidance on how employers should evaluate cybersecurity risks, and to require that plan sponsors build a protection process and understand how those defenses work. In February, lawmakers sent a letter to the U.S. Government Accountability Office (GAO), asking it to examine cybersecurity in the U.S. retirement industry.


Plan sponsors, providers and participants are understanding how susceptible retirement plan and participant data are to hacks and online threats, but, what can they do to try to prevent attacks?


For starters, participants need to register their accounts online, says Charlie Nelson, CEO of Voya Retirement. Ensuring participants have registered can provide an additional degree of security in knowing that no one else is registering on a participant’s behalf.


“We sometimes hear people say, ‘My account is safe because I never registered for online access.’ That can be misguided. Fraudsters will sometimes try to get access to an unregistered account so they can set the original data points, such as a phone number or other piece of information,” Nelson says.


Beyond registering accounts, personal devices, including laptops, phones and tablets, matter to cybersecurity as well, Nelson adds. Another step in securing private information, he suggests, is two-factor authentication, in which a one-time access code is sent to the participant, for example by phone call, text message or email, before the account can be accessed.


“We recommend this feature as it provides another layer of security, in addition to a password,” Nelson says.  “Some may view this as an inconvenience, but when it comes to what is – for many people – their greatest financial asset, taking extra steps to protect their account is worth the time and effort.”
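The one-time access code Nelson describes is only as strong as the rules around it: the code must be unpredictable, expire quickly, work exactly once, and stop being accepted after a few wrong guesses, since a six-digit code is trivially brute-forced otherwise. The following is an added illustration of that server-side logic, written for this page; it is not Voya's or any recordkeeper's code. The delivery channel (voice call, SMS, email) is out of scope, so `issue()` simply returns the code that a real system would hand to the sender, and the policy values (six digits, five-minute validity, five attempts) and the `OtpService` class name are assumptions for the example.

```python
"""One-time access code challenge for a second login factor.

Added illustration for the two-factor flow described above; not Voya's or
any provider's code. Delivery (call, SMS, email) is out of scope: issue()
returns the code a real system would hand to the sender. The policy values
below are assumptions for the example, not any provider's published rules.
"""
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # assumed: six-digit numeric code
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: challenge is voided after five wrong guesses


class OtpService:
    """Issues and verifies single-use codes, one outstanding challenge per user."""

    def __init__(self, now=time.time):
        self._now = now                          # injectable clock for testing
        self._key = secrets.token_bytes(32)      # server-side HMAC key, never sent out
        self._challenges = {}                    # user_id -> challenge record

    def _digest(self, salt, code):
        # Store only a keyed hash of the code: a leaked table alone cannot be
        # searched offline across the small six-digit code space without the key.
        return hmac.new(self._key, salt + code.encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        """Create a fresh challenge for user_id and return the code to deliver."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, not random
        salt = secrets.token_bytes(16)
        self._challenges[user_id] = {          # replaces any earlier outstanding code
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user_id, submitted):
        """Return True once for the right code; expiry, retry cap and reuse all fail."""
        challenge = self._challenges.get(user_id)
        if challenge is None:
            return False
        if self._now() > challenge["expires_at"]:
            del self._challenges[user_id]        # expired: a new issue() is required
            return False
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._challenges[user_id]        # too many guesses: void the challenge
            return False
        ok = hmac.compare_digest(                # constant-time comparison
            self._digest(challenge["salt"], submitted), challenge["digest"]
        )
        if ok:
            del self._challenges[user_id]        # single use: a replay must fail
        return ok


def wrong_code(code):
    """Demo/test helper: a code guaranteed to differ from `code`."""
    return f"{(int(code) + 1) % (10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("participant-1")
    print("delivered code:", code)
    print("wrong guess accepted?", svc.verify("participant-1", wrong_code(code)))
    print("right code accepted?", svc.verify("participant-1", code))
    print("replay accepted?", svc.verify("participant-1", code))
```

The attempt counter is kept per challenge rather than per request so that a fraudster who has already gained the phone number or email on file (the scenario Nelson warns about for unregistered accounts) still cannot grind through the code space; a production system would additionally rate-limit `issue()` itself so that repeated code requests cannot be used to flood or socially engineer the participant.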


George Sepsakos, principal with Groom Law Group, says the industry has recently been seeing two-factor authentication features adopted by plan sponsors. He adds that requiring regular password changes could also help prevent hacks or online threats. “These are the type of actions that are low-hanging fruit,” he says.


Asking Providers About Cybersecurity


When selecting a recordkeeper or other plan provider, plan sponsors should ask about cybersecurity practices. They should be looking for a sense of partnership and communication on what is expected from a provider, and what it expects from them, says Allison Itami, principal at Groom Law Group.


“Cybersecurity is going to evolve, there is no static process,” she explains. “When you’re looking for a service provider, you want to be comfortable knowing that you’ll be in the loop and know that it is an evolving partnership.”


Instead of just asking about the number of incidents a service provider has had, plan sponsors should be asking how the provider will work with them in the event of a cyber incident affecting their plan, Itami says. The key is not to dwell on past data breaches, but on how they will shape the way the provider works with plan sponsors and the plan in the future.


Sepsakos mentions asking whether a provider can present an audit of its cyber practices. Utilizing internal assistance, such as a plan sponsor’s own security team, to field questions and gain ideas to ask can be crucial in this process, and may help a plan sponsor better understand a provider’s cybersecurity measures, he adds.


“While we’re seeing more providers offer a cybersecurity guarantee, try to think about procedure and the technology the provider has, such as whether its site is data encrypted,” Sepsakos says.


At Voya, Nelson says, clients are protected by the S.A.F.E. program: if assets are fraudulently taken out of an account, the company will restore its full value, provided that the participant has registered the account online and responded when notified about the potential unauthorized activity.


Nelson echoes Itami’s earlier point about engaging with plan providers to understand the tools they use to educate participants, and says that, among other actions, plan sponsors can ask their providers to run predictive analytics on both call center and website activity.


He adds, “There’s a variety of information that a plan sponsor can and should get to understand the general level of security for the plan and the participants.”
