Over the past decade or so, I have reviewed countless management letters written by retirement plan auditors that cite a number of control deficiencies, requiring additional work for the auditor and plan sponsor to correct easily preventable mistakes.
Inevitably, these issues stem from a lack of oversight by the persons charged with administering the plan’s internal operations and outsourced services, such as payroll, recordkeeping, and loan or distribution approvals. Many of these issues begin with the misconception that once the persons in charge have selected a service provider, their responsibilities have been fulfilled. It has been my uncomfortable experience to inform plan fiduciaries that new responsibilities arise once the outsourcing has begun, in addition to the already present duties of safeguarding plan assets and administering the plan in accordance with the plan document, IRS, and/or ERISA requirements.
Many of the mistakes that occur emanate from errors in following the terms of the plan document as is, failing to revise the terms of the plan document, failure to notify the vendor of document changes, or failure to adhere to regulatory requirements. Such errors can lead to penalties, plan disqualification, and/or loss of tax deductions to the employer and employees. The good news is that these mistakes can be avoided by implementing a strong internal controls process.
The internal controls process is affected by plan management and other personnel charged with retirement plan governance, and is designed to provide reasonable assurances in the reliability of financial reporting and accuracy of plan administration. The plan’s policies, procedures, organizational design, and payroll operations all are part of the internal controls process. The general characteristics of good internal controls are:
- Policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur
- Personnel that are qualified to perform their assigned responsibilities
- Sound practices to be followed by personnel in performing their duties and functions
- A system that ensures proper authorization and recordation procedures for financial transactions
Good fundamental internal controls are the bedrock of prudent fiduciary and compliance management. They target areas of risk, and if properly designed and implemented, reduce the risk of material misstatements and malfeasance. They provide checks and balances over critical processes, help to ensure the accuracy of plan reporting, and assist in safeguarding plan assets. Proper controls can help detect inevitable mistakes, thereby preventing costly corrections and potential participant issues.
I have always found that the fundamental tenets of good internal controls are segregation of duties, reporting & reconciliation, and oversight of outsourced administration functions. These issues can become particularly complicated because so much of today’s plan operations are outsourced to third party service providers. Strong internal controls can eliminate or reduce errors in plan operations and reduce the amount of time the administrator spends with plan auditors or regulatory bodies examining the plan…which is always a good thing.
I recently wrote a white paper called Internal Controls for Retirement Plans, which provides a deeper dive into the fundamental tenets of internal controls. To access the paper, click the button below.
