Never miss a story — sign up for PLANSPONSOR newsletters to keep up on the latest retirement plan benefits news.
Compliance June 9, 2022
PSNC 2022: Preparing for Regulatory Audits and Investigations
One key takeaway from a panel discussion about DOL and IRS audits: the occurrence of an audit does not necessarily mean a plan is under suspicion of mistakes or wrongdoing.
Reported by John Manganaro
During the second day of the 2022 PLANSPONSOR National Conference in Orlando, a duo of expert panelists tackled the challenging topic of regulatory audits, explaining what to expect in an audit and how to effectively prepare for that inevitable knock on the door.
Speakers on the panel included Bradford Campbell, partner at Faegre Drinker, and Leah Sylvester, director of retirement plan services at Shepherd Financial. To begin, Sylvester and Campbell discussed why an audit may happen.
“Often, they find your plan through data mining of Form 5500s, and they may see a particular data point or feature on your Form 5500 that raises their interest in conducting a review,” Campbell said. “Additionally, you may simply be in a region where the local office is doing a push to conduct a series of targeted reviews. So, the important message here is that you should not assume that you have done something wrong or that they already have a particular thing they are investigating you for. Often the audits are more or less random.”
Given this potential for random reviews, Sylvester and Campbell agreed, it is a good idea to make an ongoing effort to stay ahead of the documentation one may need to produce in the case of an audit. They also said that plan sponsors should not be surprised or dismayed if an issue is discovered. Simply put, it happens, and more often than one might expect.
“Don’t be surprised if there is a violation,” Campbell said. “There is something like a 60% violation rate in random DOL audits. In targeted reviews, they find violations in 69% of cases. Many of these issues are going to be minor or technical, but they are going to be there more often than not. Assuming the issues are technical in nature and not related to allegations of wrongdoing, you will be able to work with the auditors to resolve the issues.”
According to Campbell and Sylvester, a typical DOL audit, even in cases where no violation is ultimately found, can run anywhere from six months to two years. Often, an investigation will involve weeks of significant activity and correspondence followed by months of relative silence. Sylvester and Campbell urged attendees to “not fear the quiet periods,” because oftentimes, the investigator is simply swamped with other projects.
“In any audit, having a good game plan and proper preparation is going to set you up for success,” Sylvester said. “In the event you are selected for an audit, again, don’t panic. For most prudent plan sponsors who are diligent and following generally prudent practices, there is no need to panic. You have advisers and counsel on your side, as well.”
Sylvester emphasized the importance of the first impression, and that auditors appreciate when plan sponsors come across as forthright, well-informed and open to review.
“Being able to quickly and easily access your files is comforting, both for you and for your auditor alike,” she explained. “To make this a reality, make sure your files are always current and up to date. If you are taking the time to do the right things for the plan, it just makes sense to take the time to document everything and to ensure that you can tell your story and prove your prudence. Frankly, DOL and IRS auditors are going to know right away if they are dealing with a diligent or a negligent plan sponsor.”
While the subject of any given audit can vary, the panelists agreed there are currently a few hot-button issues. These include missing participants, cryptocurrencies/digital assets and general cybersecurity matters. All three are coming up in audits, Sylvester and Campbell said, but the first topic, missing participants, tends to take up the most oxygen.
“The DOL has been talking about missing participants for years,” Campbell said. “Still, in their eyes, it is still a growing concern—making sure you know where participants are and that you can communicate with them and transmit their due benefits. When targeting their audits, they are looking for employers with large missing participant populations and for employers where it appears that there is substantial census information that is missing. This is of concern to the DOL for a lot of different reasons, because there are a lot of different things you should be doing in terms of trying to locate missing participants.”
As the panelists explained, retirement plan fiduciaries owe the selfsame duties of prudence and loyalty to participants who are no longer employed by the company as they do to current, actively participating staff. This means they must ensure required minimum distributions are being sent, for example.
“For some perspective, out of the approximately $2 billion of recoveries made by the DOL last year, about $1.5 billion of that amount stemmed from violations regarding the missing participant issue,” Campbell said. “Clearly the DOL continues to take this very seriously, and so plan sponsors must ensure they are exhausting all reasonable opportunities to locate any missing participants.”
Fortunately, the panelists said, many commercial services can help with the task, and they often have very reasonable pricing.
Looking to the future, Campbell and Sylvester said they expect the general matter of cybersecurity to become a major focus for the DOL as well.
“The maintenance of cybersecurity is now considered a fiduciary responsibility by the DOL,” Sylvester warned. “They have now come out with general guidance and best practices about how plan fiduciaries should be evaluating and monitoring services providers. It just makes sense given the extent of data and assets that we work with.”
Both Sylvester and Campbell suggested all requests for proposals, moving forward, should broach the topic of cybersecurity, and plan fiduciaries should be actively monitoring their providers and their own operations for potential cybersecurity lapses.
