Retirement plan sponsors need to know the clear difference between internal controls and outsourced controls and know their responsibility in either case, David M. Kot, a partner at BKD CPAs & Advisors, told attendees of the Plan Sponsor Council of America (PSCA) 71st Annual National Conference.
“If an auditor or exam agent comes in and you don’t have documentation of controls in place, it will lead to more questions,” he said. “Internal controls should be part of a plan sponsor’s day-to-day operations.”
Kot focused on internal controls for eligibility, compensation, and contributions and loans—which he noted all flow into participant statements and records of plan providers. He said all departments—accounting, human resources (HR) and payroll—should understand their roles in internal controls.
For eligibility, plan sponsors need to make sure hours reported are monitored and have a procedure in place for reviewing when participants become eligible for the plan. He suggested following up with the employee when his waiting period or age requirement is met. If employees are eligible after 30 days, plan sponsors should review the new-hire list every 45 days to make sure employees are aware of their eligibility and enrolled on time. Plan sponsors should also have procedures in place to make sure no one is added to the plan before his eligibility requirements are met.
For plans with automatic enrollment, sponsors should have procedures in place to make sure no one was missed. And, Kot said, rehires are a difficult situation; plan sponsors should review eligibility of new hires often.
Regarding compensation, plan sponsors should make sure they know the definitions per the plan document; there can be different definitions of compensation for different purposes. Payroll departments should make sure payroll codes are created for the different uses of compensation. Additionally, plan sponsors should review how to treat bonuses under the plan’s definitions of compensation.
Kot also pointed out that payroll should protect against fraud. He suggested that a good practice is for employers not to be able to add employees through the recordkeeping system; it’s good to have a clear line there.
There should be a reconciliation of payroll to contribution remittance totals, and plan sponsors should have controls in place to make sure employee elections are followed, Kot said. He suggested that plan sponsors periodically pick a sample and review it. He also pointed out that if an employee hands his plan sponsor staff an election form but is told to enter the information online and he never does, this could amount to a problem if the plan gets audited. Plan sponsors need to document when a deferral change is effective and how often the recordkeeper receives a data dump.
There should also be procedures in place for timely remittance of deferrals. “The only safe harbor [that] plan sponsors have is the day of payroll,” Kot noted. He urged plan sponsors to be consistent; if a payroll is remitted the day of deferral, but then other times it is remitted later, an auditor could say, “You proved you could do it the day of payroll. Why are the others remitted later than that?”
Plan sponsors need to consider procedures for when the human resources person who remits payroll is on vacation or when to remit contribution information when there is a holiday. Kot said it is good to keep documentation of when contribution information is transmitted and why there may be differences from the norm. Plan sponsors also need to pay attention to when contributions are deposited and allocated by the recordkeeper and keep informed if there is an issue.
For distributions and loans, Kot said, the key is to have a documented process about approvals. Who is reviewing to make sure the loan is a qualified loan and that it does not exceed the plan’s limit on number of loans or the statutory limit on loan amount?
Plan sponsors should also check vesting accuracy, even if calculated by the recordkeeper or third-party administrator (TPA). They also need to keep up with the forfeiture balance and how it is handled; it shouldn’t build up year after year. Plan sponsors can use forfeitures for plan expenses or reallocate them to participants. Kot suggested plan sponsors keep documentation on how and when forfeitures are used.
The plan’s recordkeeper, payroll provider and investment custodian play a key role in controls relating to plan design and operation, Kot said. Plan sponsors should develop a plan to monitor these providers.
It’s important for plan sponsors to perform an annual review of providers’ SSAE 16 report—an internal report done by an independent accounting firm about user entity controls, testing of operating effectiveness, and sub-service organizations, as providers may use other companies for fund management/pricing, education and advice. Plan sponsors need to know what sub-service organizations are being used and what they are doing.
User entity controls in the report show what the provider is assuming the plan sponsor is doing. For example, access to website account logins and passwords is given only to authorized personnel; the plan sponsor maintains plan documents; information from employee payroll files is accurate, complete, applicable to plan guidelines and provided in a timely way; written instruction for application of forfeitures is provided; disbursements are approved by an appropriate party; changes in the fund lineup are authorized; and applicable contribution limits are monitored.
Regarding the testing of operating effectiveness, Kot said income/valuations and asset purchases/redemptions are two areas of the report plan auditors are most concerned about. If a plan sponsor sees discrepancies in the SSAE 16, it should ask the provider about it. If there are no discrepancies, the auditor will not need to do further testing, except maybe pull out some samples and review them. The report would also show how the provider deals with float income.
If there is a change in plan year, providers will provide a gap letter to make sure nothing was done differently during the short plan year.
Kot points out that SSAE reports given to plan sponsors are the same for a particular recordkeeper, so the auditor will have outside controls information for all plans that use that recordkeeper, but internal controls are different for every plan.