Internal Controls in a Retirement Plan

Posted by Chris Ciminera, CPA, QKA

Disclaimer: All blog posts are valid as of the date published.

As auditors, we are required to review the controls in place at a plan sponsor of a retirement plan and its service providers to assess the risk of material misstatement resulting from control risk. In doing so, we constantly evaluate the adequacy of the control structure and recommend improvements to strengthen the processes to prevent errors. Reviewing controls helps auditors understand the processes in place to administer each retirement plan and design the audit strategy to address any identified control weaknesses. Controls at the plan sponsor are important because they may help prevent mistakes in plan administration, help prevent fraud within the plan, and help the plan stay in compliance with laws and regulations. Although many plan sponsors are always looking to implement better controls, others are not as willing to strengthen controls, due to lack of time or resources. Although lack of time or resources is understandable, controls are an important aspect of running a plan accurately and completely and should be constantly reviewed and improved.

The Importance of Controls

Generally Accepted Auditing Standards and the Committee of Sponsoring Organizations of the Treadway Commission’s Internal Control – Integrated Framework define internal control as:

A process effected by those charged with governance, management, and other personnel that is designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations.  Internal control over safeguarding of assets against unauthorized acquisition, use, or disposition may include controls relating to financial reporting and operations objectives.

To express it another way, internal controls are designed and put in place by the plan sponsor to ensure information is processed completely and accurately in accordance with plan provisions (specified in the plan document), legislative requirements (Internal Revenue Code and ERISA), and participant elections. Without controls, errors may easily be made, employees involved in plan administration may act on an opportunity to commit fraud, and laws may be broken. All of these issues could result in participant account balances and/or benefits being incorrect, which could lead to participant complaints or even lawsuits, DOL and IRS penalties and fines, and ultimately, the possible disqualification of the retirement plan. Therefore, it is important that plan sponsors ensure that their retirement plan has controls in place.

Examples of Controls

One person manually calculating employee deferrals for hundreds of employees, on an adding machine, then throwing away the tape, is a recipe for disaster. A second person who reviews the first person’s work strengthens the control by identifying errors before deferrals are processed. Instead of calculating the deferrals manually, the deferral withholding process is generally computerized and calculated by a software program. A mechanical computation that is automated generally strengthens controls by minimizing manual processing errors other than initial input mistakes or election changes. Additionally, controls in the form of review by a second person may not only help minimize or eliminate processing errors, but will also help prevent or detect fraud by creating less opportunity for one employee to misappropriate funds, since electronic processes often require collusion between employees to change an automated process. For example, if a payroll person decreases one employee’s deferral deposit and increases his or her own, a second person who compares the deferrals withheld from each person’s payroll to the remittance to the plan trust accounts would uncover the override, unless the employees collude to hide the fraud. Another example would be for the person in charge of entering new employees into the payroll system to create a fictitious employee in the system and withhold money that could be diverted to that employee’s account. Without review, it is easier for that employee to commit this fraud. Lastly, laws and regulations covering retirement plans are numerous and complex. Controls such as regular review of the plan document, regular attendance by the plan administrator at IRS or DOL webinars, and hiring competent and experienced service providers all act as controls to help the plan stay in compliance.

Working with many different plans and retirement service providers allows me to see the best and the worst controls over plan administration. Luckily, I’ve seen a lot of good processes. Below I wanted to mention a few areas where I see opportunities for controls to be strengthened. First, with the continued automation of plan processes comes less involvement by the plan sponsor. This may be a good control because automation minimizes manual errors and puts plan administration in the hands of an independent third party that is more knowledgeable about plan provisions and legislation. However, in cases where processes are administered by a service provider, monitoring by the plan sponsor is still crucial to ensure that the automated process is working. For example, a third-party administrator may process a hardship distribution requested by a participant. The plan may have an agreement with the third-party administrator that allows them to process distributions without a plan sponsor’s approval. Giving a third-party administrator this automatic approval saves time and hassle, but this is where errors can occur. In many cases, the plan sponsor doesn’t even know a hardship distribution has been taken, or that adequate proof of the hardship reason and amount was not obtained by the third-party administrator. Although the third-party administrator processes the hardship distribution, the IRS has stated that the plan administrator is responsible for the accuracy of transactions that a third-party administrator processes. Upon our audit or an IRS audit or DOL investigation, the plan sponsor is responsible for the support to back up a hardship distribution that the sponsor was not even aware of. The point is that automatic processing removes certain control points. It is always a good practice to have someone at the plan sponsor regularly monitor and review all transactions. The excuse that the third-party administrator processed the transaction is not a viable one in the eyes of the IRS or DOL.

List of Controls and Potential Plan Administration Improvements

Although not exhaustive, below is a list by area of some controls that, when implemented, will help strengthen plan operations and reduce the likelihood that errors, fraud, or noncompliance will occur in a plan.

General Controls

  1. Review the plan document regularly to verify operations are in accordance with provisions in the plan document.
  2. Hire experienced and knowledgeable service providers to the retirement plan. Take adequate time to hire competent service providers.
  3. Review service agreements to verify which responsibilities the service provider will assume and which responsibilities the plan sponsor retains.
  4. Ensure the census sent to the third-party administrator is complete and accurate by tying gross wages on the census to gross wages reported on the payroll detail.
  5. Create a checklist of duties performed by each plan official and a process to ensure the checklist is completed with each relevant transaction. Distributions and contribution remittances are key processes for which checklists are often created.
  6. Sit in on IRS, DOL, or other industry webinars to learn the regulations and requirements necessary for proper plan administration.


  1. Review the plan document regularly to verify that employees are entering the plan according to the plan provisions.
  2. Ensure that newly hired employees are tracked, identified, and notified before they become eligible so that the employee has enough time to enroll in the plan in a timely manner.
  3. Review dates of birth and dates of hire input into the system for accuracy.


  1. Review the plan document to ensure an accurate definition of compensation is being utilized.
  2. Reconcile the deferrals reported on each W-2 to the amount deposited to each participant’s account.
  3. Annually review the contribution limits to verify participant contributions do not exceed the legislative maximum amounts.
  4. Review deferral elections to ensure they agree to the amounts being withheld through payroll.
  5. Segregate the duties of HR and payroll to separate the accounting function from the handling of the cash and establish review processes.
  6. Have the accounting department or management review all deferrals withheld to verify completeness and accuracy of amounts withheld from payroll and the complete deposit of this money into the trust.


  1. Review the plan document to ensure distributions are processed according to plan provisions.
  2. Reconcile total distributions on the 1099-R report to the total distributions reported by the custodian.
  3. Require management verification of all distributions.
  4. Upon termination of an employee, ensure that the employee is removed from payroll.


  1. Review the plan document to ensure loans are processed according to plan provisions.
  2. Require management oversight of all loans taken.
  3. Ensure that payroll repayments begin immediately once a loan is taken.

Why Controls May Not Be Put in Place by Sponsors

Understandably, plan sponsors have limited resources with which to administer plans. Some companies have only one employee performing HR, payroll, and accounting functions, but hiring an additional person for the sake of tighter controls may be cost-prohibitive and not feasible. However, the potential for IRS and DOL penalties, as well as participant lawsuits, makes it imperative for plan sponsors to put controls in place to ensure all requirements are being met and that potential errors are prevented or detected as soon as possible.

The complexity of retirement plans has given opportunities to many knowledgeable and qualified third-party service providers such as third-party administrators, investment advisors, ERISA attorneys, and CPAs to specialize and provide cost-effective expertise to sponsors with limited resources. It is important to remember that it takes a village to run a retirement plan, and choosing the right team internally as well as third-party providers is an effective way to put controls in place to avoid costly mistakes.
