How This Year’s Plan Financial Audit Could Be Different

Auditors might be reviewing more transactions and processes, and they’ll need more time to handle audits remotely.

The COVID-19 pandemic has affected many plan sponsor processes. Staff furloughs, layoffs and terminations, a move to remote work, as well as new distribution and loan provisions of the Coronavirus Aid, Relief and Economic Security (CARES) Act had them shifting gears.

As a result, retirement plan financial audits performed with Form 5500s will be affected, as Nancy L. Cox, partner at The Bonadio Group, points out.

Cox says that depending on the plan sponsor’s situation, there could be a lot of changes to the audit process—or relatively few. Plan sponsors were not required to adopt the coronavirus-related distribution (CRD) and loan limit provisions of the CARES Act and some plan sponsors didn’t have to deal with the transition to remote work, as their employees continued in their normal workplaces. For those plan sponsors, the audit process might be business as usual.

But for plan sponsors that did adopt provisions of the CARES Act, auditors will have to look at more types of distributions, says Beth Garner, national practice leader for BDO’s employee benefit plan audits practice. The CARES Act created the new CRD, for example. Garner says auditors could possibly increase the number of samples they examine, but the type of evidence the auditor asks the plan sponsor to provide for distributions will be the same.

The CARES Act also expanded the limits on loan amounts and allowed participants to choose to defer loan repayments. Garner says this means auditors’ testing of loans will be different.

“They’ll have to look at whether a participant wanted to defer loan repayments or whether the participant truly defaulted on a loan,” she says. “The auditor will be looking at what the plan sponsor did to distinguish between the two and whether it properly processed loan defaults.”

If there were larger distributions and more loans in number and volume, auditors will make larger sample selections, so the audit might take longer, Cox says. “Plan with the auditor ahead of time, so if they need additional information, they can let plan sponsors know so sponsors can start putting information together.”

Auditors are always supposed to look for fraud, Garner says, but the pandemic might have created a situation where plan accounts are more susceptible to fraud with working remotely, children at home and other distractions.

“One thing auditors will ask is, ‘In 2019, your process was this. Did that process change?’” she says. “Auditors will want to know what the new process is and how plan sponsors know that a person can’t do something to divert contributions or take something they shouldn’t be taking. They will look for oversight of distribution or loan approval.”

Garner says while they’re working remotely, plan sponsors must be more diligent about knowing who their named and functional fiduciaries are and tightening up roles. They also should make sure computer system firewalls are good and employees do not use public WiFi. Also, plan sponsors should look at plan transaction reporting monthly, or at least more often than quarterly or yearly.

In addition, Cox says, plan sponsors should work with providers to make sure they have proper security measures in place. “Ask them to provide you with information showing they have proper controls. Plan sponsors can look in their service agreements to see whose responsibility it is to make sure information is protected, who’s responsible if there is a breach and who pays for remedies,” she says.

Cox notes that each service provider has an audit of its own processes—a Service Organization Control (SOC) 1 report or Statement on Standards for Attestation Engagements (SSAE) No. 16. Auditors obtain a copy of the report, which discusses provider information technology general controls, and will make sure there aren’t huge exceptions or gaps in a provider’s processes that would concern plan fiduciaries.

Because of the COVID-19 pandemic, there might have been turnover in human resources (HR) or payroll at the plan sponsor or furloughs, meaning there could have been a period of time when there were not as many resources dedicated to plan administration or when resources were dedicated to other things. Cox says plan sponsors should make sure there were no issues or errors during that time frame. For example, auditors will pay particular attention to the proper definition of compensation being used, make sure no eligible participants are being missed and confirm there’s no delay in depositing employee deferrals. “If plan sponsors have been depositing deferrals and loan repayments within two days of them being withheld from paychecks, the DOL [Department of Labor] holds sponsors to that standard,” Cox says. “If there was a lag, plan sponsors need to identify that and they could have to pay lost earnings.”

She notes that plan sponsors can self-correct such errors through the DOL’s Voluntary Fiduciary Correction Program (VFCP) or the IRS’ Self-Correction Program (SCP) or Voluntary Correction Program (VCP). Even if errors are not identified until the financial audit is processed, plan sponsors can self-correct.

Cox says there should be proper controls over every amount that comes out of the plan. If a plan provider makes determinations for withdrawal or loan eligibility, the plan sponsor should get a report monthly and make sure everything looks reasonable, she says. She adds that this is another reason to look at a provider’s SOC 1.

Auditors will be looking at partial plan terminations more closely in 2021. Generally, if there is a 20% reduction in eligible participants, it can trigger a partial plan termination and plan sponsors would have to make all participants 100% vested, Cox explains. However, Congress has said if an employee was furloughed and hired back, he or she is not considered in that 20%. Plan sponsors also have until March 31 to determine whether there was a partial plan termination.

“Auditors should help with determining whether a partial plan termination has occurred, but plan sponsors are ultimately responsible,” Cox says. She adds that for small plans with no audit requirement, sponsors can look to service providers to help with the determination.

The audit might be performed differently because people are still not in their offices or are not comfortable with having others in their offices, Garner says. “The audit might be done via email and Zoom. Some firms have been doing them remotely anyway, but we have not because we think the DOL and AICPA [the American Institute of Certified Public Accountants] expect auditors to do their due process, and there’s a lot involved to make sure everything is covered in a remote environment,” she says. “It’s a lot harder. Good communication will be key to getting the audit done well and in a timely manner.”

“Obviously, some audits are being done remotely at this point, and that is definitely doable,” Cox says. “Since audits deal with a lot of sensitive information, ensuring it is protected is No. 1. When sharing information with auditors, plan sponsors should use secure portals or password protection for everything.”

Garner adds that auditors and plan sponsors might need more time to get information back and forth; auditors will not move forward without documentation. She suggests that plan sponsors ask for a detailed list of items the auditor wants and what items they’ll need if there is a question.

“Keep tabs on each level of review. Plan sponsors will need notification from auditors of where they are in the process,” she says. “If there’s time, plan sponsors should start the audit process earlier than usual, but the best thing is to ask the auditor for items up front and have them ready to go on the date the auditor says he needs them.”