Internal controls in employee benefit plans

Listen to this article

Does your organization maintain a 401(k) or other employee benefit plan≠
Are you responsible for the administration or assets of the plan≠ If so, you are considered a fiduciary under ERISA, which creates certain responsibilities and guidelines to be followed. Failure to adhere to the basic standards of conduct for fiduciaries can subject you to personal liability, including restoration of any losses to the plan or refund of any profits made while improperly using plan funds.
Maintaining proper internal controls over plan assets and operations is an important step in performing any fiduciary duty. Internal controls should be designed to protect the plan by minimizing opportunities for errors or fraud.
Some characteristics of strong controls include appropriate segregation of duties, trained and qualified personnel and a system that includes proper approvals and documentation for financial transactions. Depending on the nature and operations of the plan, and the possible use of third-party service providers (such as investment managers or recordkeepers), the design of plans’ internal controls can differ significantly.
The first step in designing an adequate system is to determine the purpose of the controls: What type of error or fraud should the control prevent or detect≠ It is often helpful to document the current procedures in place, then review the documentation with that question in mind.
You may find there are duplicate controls over some areas, or no controls at all over others. Consider controls in place with regard to participant eligibility, contributions to the plan, benefit payments, investment transactions, preparation of financial statements, IT-related controls, vesting percentages and review of actuarial assumptions in the case of a defined benefit plan. Commonly overlooked in such a review are procedures outsourced to third-party vendors. Although engaged a custodian or recordkeeper may be overseeing the plan, your fiduciary duties are not over. Adequate internal controls over services provided by third parties are vital to a plan’s financial well-being.
Some well-designed internal controls include:
· Comparing investments’ recorded values with quotation sources or appraisal reports;
· Describing contribution requirements or limitations in the plan document;
· Comparing employer payroll records with contribution calculations;
· Remitting participant contributions to the plan within guidelines prescribed by the Department of Labor;
· Making loans only with proper authorization based on guidelines established in the plan document, in conformance with ERISA and tax requirements;
· Checking calculations’ supporting payments for clerical accuracy;
· Controlling and maintaining articipant forms (i.e. enrollment, transfers, investment allocation, etc.) in personnel files;
· Updating and reconciling participant data with personnel and payroll records;
· Defining participant eligibility in the plan instrument;
· Authorizing all participant-initiated enrollments, transfers, changes in investment allocations and other change requests by a participant’s submitting a manually signed request form.Restrict the ability to perform such activities electronically or directly with a third-party administrator to authorized participants through the use of specific identification and personnel identification numbers.
· In defined contribution plans, reconcile the total of all participant account balances to net assets in the trustee/custodian report on a periodic and timely basis.
· Controls should provide reasonable assurance that contribution remittances are applied to the appropriate participant accounts and processed accurately and completely by type (i.e., contributions versus loan repayments) according to the investment options selected by the participant.
Now that a system of internal controls is established, how can one know which procedures are being followed≠ Monitoring the controls in place is just as important as the system’s original design. Some appropriate steps in monitoring internal controls include:
· Ensuring employees are aware of the policies and procedures in place;
· Maintaining evidence that the procedures were followed (such as documentation of review by a second person, approval of wire transfers, benefit payments, etc.);
· Investigating or following up on any exceptions or problems in a timely manner;
· Periodically reviewing the system of internal controls, especially if changes are made to the way the plan operates.
Some plan fiduciaries rely on a plan’s external auditor to detect any errors during the year since those items often are brought to light through the procedures an auditor uses. Reliance on an auditor often indicates that a plan’s system of internal controls is deficient in one area or more.
Under professional auditing standards, a plan’s auditor cannot be a part of the design of a plan’s internal controls. A system must operate effectively to detect or correct misstatements without assistance from a plan auditor. An auditor can, however, offer assistance or guidance in designing a control system.
A well designed system of internal controls can help an employee benefit plan operate efficiently while also fulfilling a plan administrator’s or trustee’s responsibilities under ERISA.
Jackie Boone, CPA, is a manager with Mengel, Metzger, Barr & Co. LLP. She may be reached at [email protected].