Timothy J. Desmond, CPA, Director of Employee Benefit Services at PKF O’Connor Davies in Harrison, New York and Joshua Meltzer, at Sentinel Benefits & Financial Group in Reading, Massachusetts, led the discussion into retirement plan audits.
First they covered some basic requirements for who needs to conduct an audit. The Employee Retirement Income Security Act requires an audit for all large plans (plans filing Form 5500 as large plan). Generally, this would be plans with more than 100 eligible participants. However, some plans with 80-120 eligible participants may fall into a safe harbor and not have to conduct an audit.
Desmond and Meltzer described two types of audits, the full scope and the limited scope. In a full scope audit, the auditor expresses an opinion on the financial statements and tests investments and investment income. In a limited scope audit, the auditor disclaims an opinion on investments; the trustee/custodian provides a certification that the investment reports are “complete and accurate”; and certifications need to be manually signed and issued by a trust company, an insurance company or a bank.
What do Plan Auditors Like?
Having the point of view of auditors, Desmond and Meltzer were able to share certain things that would please an auditor. First, it’s always nice when the client understands the plan, understands their fiduciary responsibility, has an active audit or pension committee, prepares the plan’s financial statements, and manages coordination between service providers and management.
Auditors like to see a complete and informative audit package including: a signed certification (if performing a limited scope audit); schedule of assets; statement of changes in net assets available for benefits; a work-paper detailing the adjustment from FV to CV for all fully benefit responsive investment contracts; a detailed schedule by participant (for the entire year) of benefits paid; rollover contributions; administrative expenses; participant account detail for all participants (from 1/1 through 12/31); detail on participant loans (activity, terms, etc.); SAS 70 and bridge/gap letter; and contribution listing by pay period (for timeliness test).
Additionally, compliance testing needs to have been for ACP and ADP testing, IRS Limits, to check if the plan document up-to-date, adoption of applicable and appropriate amendments, and the determination letter.
If a full scope audit is underway, there will been investment testing, said Desmond and Meltzer. This includes units held and valuation, investment activity (gains/interest/dividends), participant investment elections, and participant investment earnings allocations.
Testing on employee contributions will check to reconcile deferrals withheld per payroll records to deposits recorded by the plan, eligible compensation definition, and that a timely remittance of employee deferrals is regular. Employer contributions will be tested for a discretionary match or profit sharing contributions approval and calculation, and allocation to participants. Eligibility concerns will also be tested; which employees are given the opportunity to join the plan?
Distributions out of the plan will also be examined. Questions such as are the employees taking distributions eligible to do so? Was there financial need as defined by the IRS? Are deferrals stopped after the distribution? And is the distribution payment method what the employee elected?
Common Audit Deficiencies
Desmond and Meltzer said certain problems arise during an audit more frequently than others. The most prevalent area for a deficiency is with participant data – it may be a case of not testing for eligibility, not testing the investment earnings allocation to participants, or not testing payroll data (dates of hire/termination, age, etc.).
Other areas that commonly have deficiencies are:
- Benefit payments: failure to test eligibility to receive payments, failure to test approval of payments, or inappropriate reliance on SAS 70 without any testing performed.
- Contributions: failure to consider payroll controls, failure to test deferrals (proper amount based on eligible compensation), or timeliness of employee contributions not tested.
- Investments: failure to obtain proper certification, failure to test participant loans, or failure to test year end asset values.
- Miscellaneous: lack of investment policy, lack of minutes of Board/Trustees, lack of monitoring service providers, or obtain and review SAS 70 reports from service providers and not consider the “user controls”.
Desmond and Meltzer said auditors are especially keen on detecting fraud, due to increased incentive and pressure caused by current economic conditions. Some of the common types of fraud include:
- HR manager requested and cashed distribution checks of terminated employees
- Pensioner’s checks fraudulently endorsed and cashed after death (are death searches being performed?)
- Payments to fictitious employees/pensioners/vendors
- No allocation of expenses/losses to HCE’s
- Use of forfeitures for ER or personal expenses
- Plan record keeper was paid by Plan but was also being paid by the custodian
- HR manager diverted contributions to his account by manipulating payroll data file prior to remittance
Questions to Consider
Plan sponsors are responsible for having an audit done on their plan. Desmond and Meltzer said there are some key points to consider before undergoing the process. One question they posed is does audit quality matter? The resounding answer was yes, because it helps plan fiduciaries carry out the legal responsibility to file a complete and accurate Form 5500, it helps ensure the financial integrity of the plan, and ultimately it helps protect participants.
Also, a deficient audit has a real cost, they said; penalties by the Department of Labor are considerable. If an audit is considered deficient, the sponsor may need to pay for an additional audit.