Issues Identified for 403(b) Plan Audits

January 20, 2012 ( – Last year, Employee Retirement Income Security Act-governed 403(b) plans for the first time were required to perform an independent plan audit for the 2009 plan year.

Workshop participants at the National Tax-Sheltered Accounts Association (NTSAA) 403(b) Compliance Summit identify many issues that arose during these audits: 

  • How to select an experienced auditor; 
  • How to identify the plan(s); 
  • How to identify responsible parties to provide various pieces of information and plan history; 
  • How to establish opening balances: an important challenge for firsttime audit of the plan; 
  • How to demonstrate plan controls; 
  • How to qualify for a limited scope audit: 
    • Obtaining certifications: and from whom? 
    • What if you can’t get a certification? 


When selecting an auditor employers can go to third party resources, for example, the Department of Labor website and American Institute of Certified Public Accountants (AICPA) resources.  

In identifying the plan(s) and responsible parties, auditors can review plan documents, all amendments made since the inception of the plan, and where applicable, Summary Plan Descriptions; Summary of Material Modifications; HR department information (employee benefits booklets); plan highlight sheets; and any other materials that have been provided to the employees. Employers should build a timeline with this information so that plan compliance is ensured.  

The Summit report said AICPA has agreed to assist the NTSAA subgroup to come up with a standard audit checklist that all auditors can use.

Identifying financial data elements, including opening balances, can be accomplished by creating a standardized list of 5500 data elements. The SPARK Institute should be included in this discussion since at the present time the required data by auditors is more extensive than SPARK data that is being gathered.  

A demonstration of plan controls can be satisfied with SAS 70 level II, and other auditor reports. The workshop attendees said part of the problem in demonstrating these controls is the lack of understanding by the investment and service providers of what a SAS 70 is and the value of it when dealing with a large audited 403(b) plan. There are investment providers that can neither provide a SAS 70 audit nor can they provide the certification as outlined under ERISA (a typical problem in brokerdealer organizations).   

Educational material needs to be developed for plan sponsors, investment and service providers and TPAs on the limited scope audit and obtaining qualified certifications. The workshop attendees agreed that a description of who can certify, including insurance company, bank, trust company and IRSapproved nonbank custodian needs to be developed. The group said there should be more consistency built into the request and impact by different auditors.  

Employers need to identify those providers that can provide the needed information. Those that have an inability to comply should be deselected from the employer’s plan.  

According to the report, NTSAA, along with members of the industry and AICPA, will work together to craft a checklist specific to 403(b) that can assist auditors not familiar with 403(b) plans.