Top 5 Internal Controls Risks Facing Benefit Plans

by Gosia Kanda

One factor that creates risk for benefit plans is a lack of effective internal controls.  As we prepare for another benefit plan audit season, now is the time for plan sponsors to review internal processes and make necessary improvements.

Below are the five most common areas included in management letters to our clients, aimed at improving internal controls for benefit plans:

  1. Timely reconciliation of contributions.

During our audits, we often notice that the total contributions and the census information per the payroll reports do not agree with the total contributions and census information per the record keeper reports. If the difference is not due to the timing of the year-end deferrals, other adjustments may be affecting the comparability of these reports. For best audit efficiency, Plan management should provide auditors with the reports already reconciled to record keeper statements. We recommend that these reports be reconciled on a periodic basis and that differences be investigated and corrected by Plan management and/or the record keeper. Failure to reconcile these reports and statements may result in a material misstatement or omission in the plan’s financial statements and Form 5500. In addition, it adds to the time spent by auditors and the cost of the audit.

  2. Documentation of remittance process and base line for timely transmittal of contributions.

Contrary to various publications, the 15th business day after the pay date is NOT the safe harbor threshold for timely remittance for plans with over 100 participants. Failure to remit participant contributions to the plan in a timely manner results in prohibited transactions, which must be separately reported to the Department of Labor (DOL) and may result in lost earnings for the plan and penalties to the Plan Sponsor. Rather, Plan management should determine the earliest date the company can reasonably segregate participant deferrals from the general assets of the company and remit them into the plan. That timeframe, usually within 1-3 days, becomes the base line above which any contribution would be considered late. These processes should be documented, followed consistently and checked periodically throughout the year for any instances that exceeded the established base line and require correction.

  3. Understanding of the plan’s investments and their classification.

With the growing complexity of the plans’ investment options, it is Plan management’s responsibility to understand the various funds and their classification in accordance with Accounting Standards Codification (ASC) 820, Fair Value Measurements and Disclosures. Alternative investments are increasingly common, particularly in defined benefit plans, where they help diversify the portfolio to improve total returns and the minimum funding requirement. Very often, investments bearing familiar names can be misclassified as mutual funds, when in fact they are pooled separate accounts or common collective trust funds. These alternative investments are not registered with the Securities and Exchange Commission and often have transfer restrictions. Also, with the adoption of Accounting Standards Update (ASU) 2015-12 Part I, the determination of fully benefit responsive investment contracts required some clients to reach out to their fund managers for any direct contracts between such funds and the plan, which were not on file with Plan management until requested by auditors. We recommend that our clients keep a memo specifying the classification of various funds to support the financial statement disclosures.

  4. Establishing reasonable interest rate for participant loans.

The reasonableness of the interest rate can cause some confusion if it is not clearly defined by the plan documents. Some of the loan provisions have vague language that does not clearly provide the guidelines, and in turn, it requires that Plan management periodically review the rates and update them as necessary. Some of our clients have not seen this as a priority in many years, and we noted the interest rates charged for their loans agree with the general “prime rate +2%” rule. However, the prime rate used has not been updated since it was last changed. It is Plan management’s duty to ensure the rate adheres to the plan document, is reviewed frequently, and is updated with the record keeper to correctly process participant loans.

  5. Plan management review of SOC-1 reports.

Lack of Plan management’s review of the Service Organization Controls (SOC) No. 1 reports continued to be an issue this past audit season. Many of our clients either don’t have resources to review those reports or such a review is beyond the scope of their SOX compliance testing. SOC-1 reports are critical to fulfilling Plan management’s fiduciary duty to monitor the quality and effectiveness of their processes. We remind our clients to review those reports and follow up with vendors on any exceptions on controls testing and any basis for qualification of opinion, and also to evaluate their own controls to ensure they align with complementary user controls as listed in those SOC-1 reports.

McConnell & Jones is committed to helping clients understand their fiduciary responsibilities related to benefit plan management and continues to share information from our hands-on experience and training that you can use.  All the control matters noted above are required by ERISA and within the scope of Plan management’s role as a fiduciary.


Gosia Kanda is an audit supervisor within the firm’s ERISA Assurance and Compliance Service Team. Having joined McConnell & Jones in 2012, she is in charge of audits for employee benefit plans including defined contribution, defined benefit and health & welfare, with asset bases ranging from $1 million to $5 billion. She has knowledge of the requirements of DOL, ERISA, IRS and SEC for the 11-K filings and assists clients with regulatory updates and recommendations for administration of their plans. Gosia also trains and supervises staff on audit engagements and is part of the team that prepares and files clients’ Forms 5500. Connect with Gosia on LinkedIn or follow her on Twitter @KandaGosia.