Recently I sat down with a Certified Public Accountant (CPA) who specializes in 401k plan audits.

This is Part 2 of the article. If you haven’t read Part 1 of 7 Common Problems Companies Have on Their DOL Audit, here it is. That included the first 4 problems. This week we address the last 3 problems on employer 401k plan audits.

As a refresher, large 401k plans are required to be audited under the Employee Retirement Income Security Act (ERISA). Bradley shared with me 7 problem areas for plan sponsors that he sees exposing the company and plan fiduciaries (Not sure if you’re a fiduciary to your plans?) to litigation and regulatory scrutiny.

4. Lack of documentation of plan fees review.

Another requirement under ERISA is that you must properly monitor fees in the plan. I can feel the eye roll. But this is a good thing! You don’t want your employees paying more in 401k fees than they have to for 30 years. That could add up to tens of thousands of dollars in extra fees. They need every dollar they can get for retirement.

Most people assume that means the investment fees. Yes, but those are just some of the fees you’re paying (employees and employer). I know this sounds like a lot of work, but this is a good thing. ERISA requires you to look after your employees and keep their best interests in mind. And part of that is the amount they are paying in fees for their retirement plan.

A big myth out there is that your plan fees have to be the lowest; not true. This has caused plan sponsors to race to the bottom to find the lowest-cost provider. I tell them that nowhere in ERISA does it state you must have the lowest fees. It merely says the fees need to be “reasonable”. Sounds vague? It probably is for a reason. They are giving you some leeway to balance out fees and quality of service. As long as you can show you know what the fees are and how they compare to the marketplace for the same services, I think you’ll be just fine.

5. Lack of documentation of annual review of service provider SOC-1 reports.

Not sure what a SOC-1 report is? It’s ok, not many plan sponsors do. An experienced advisor will help you handle this. The SOC-1 is a report of internal controls which have been tested at the service provider. The Plan Sponsor needs to obtain and review these reports on an annual basis to ensure there are no internal control issues at the service provider which may impact the 401k plan. The review of the SOC-1 reports should be documented in the oversight committee meeting minutes, including management’s response to any issues noted in the SOC-1 report.

Typically, the Plan’s recordkeeper/custodian and the payroll provider are the key service providers for your plan. Pay attention to Complementary User Entity Controls (CUECs), also known as User Control Considerations (UCCs). These are controls that the service provider has included within its system and that rely on the user entity (plan sponsor and participants) to implement in order to achieve the service provider’s control objectives.

6. Continued instances of late remittances of employee deferrals.

Even with the use of payroll providers that automatically remit employee contributions to the custodian, there are still issues with late remittance of employee contributions. Large ERISA 401k plans are required to remit employee deferrals to the custodian by the 15th business day of the month following the month in which the deferral was withheld from the employee paycheck. But in reality, the deferrals must be remitted as soon as administratively feasible. Once a plan sponsor demonstrates the ability to remit employee deferrals in, for example, 2 or 3 days, this is now the standard to which the plan sponsor will be held for all pay periods. In this example, any remittance taking longer than 3 days can be considered a “late remittance”, which will require the plan sponsor to remit a payment to the plan for lost earnings. This sounds like another hassle for companies, but it’s good for the employee. If they are contributing their hard-earned money to the 401k, it should be invested in a timely manner.

Issues which tend to lead to late remittance are off-cycle paychecks, and absences of the key employees responsible for remitting employee deferrals when there is no responsible backup employee. Plan sponsors need to review their procedures and controls for the remittance of employee deferrals to ensure deferrals are consistently remitted on time, even when the above issues are encountered.

7. Lack of cybersecurity controls and education to participants.

It seems like everywhere you turn, you see another company successfully hacked. Now think about how much money is invested in 401k plans nationally (According to 401kSpecialist Magazine, it’s over $5 trillion!). Hackers are aware of this and are trying to get your money. Your 401k provider is the only thing that stands between your employees’ money and those hackers. Do you know how your 401k provider is protecting your money?

And they don’t just target the 401k providers. Hackers use other means like sending emails to your employees. Have you properly taught employees how to protect themselves, their data and the company?

Make sure your team is continuing to be skeptical of unexpected e-mails or e-mails from unknown sources regarding 401k accounts. If in doubt, make sure your staff knows to pick up the phone and call to verify information. Even e-mails from a known co-worker or business associate should be scrutinized if the message or request is unusual.

In Summary

As you can see, there is a lot more to offering a successful and compliant company retirement plan than just picking some funds and telling your employees how to access the plan online. There is so much to discuss regarding plan design. There are rules to follow and too many companies are not following them. This could lead to fines and liability during a Department of Labor (DOL) Audit.

And don’t forget, there are now law firms that specialize in suing companies on behalf of their employees (class action suits) for mismanagement of the 401k. This can be as simple as not adhering to the plan document or IPS. Class action lawsuits are a topic for another day.

Have questions? Book a consult today to discuss.


For plan sponsor use only, not for use with participants or the general public. This information is not intended as authoritative guidance or tax or legal advice. You should consult with your attorney or tax advisor for guidance on your specific situation.