Retirement plan operational compliance

Aug 16, 2021
Audit Financial reporting Employee benefit plans Compensation & benefits

With regulators focused more than ever on a plan's controls, it is imperative that plan sponsors have the proper procedures and controls in place. This third in a series of articles on the importance of internal controls for employee benefit plans looks at the operational compliance controls.

It is not sufficient that a retirement plan be covered by a plan document that meets all the terms and conditions of the applicable law. It is also necessary that the day-to-day operations of the plan be consistent with that plan document and with the law. While this may seem redundant, the law or regulations may change before a sponsor is required to amend the plan. In these cases, the plan's operations could be required to vary from the written terms of the plan in order to satisfy the law. Additionally, facts may change so that even if the plan sponsor follows the terms of the plan, the result does not comply with the law. For example, it is permissible for a defined contribution plan to require that an individual be an active employee at the end of the plan year to receive a contribution; however, any employee who worked more than 1,000 hours before they were terminated counts in determining whether or not the plan satisfies certain compliance tests. For a company that experienced fairly high turnover during the year; following the plan's terms on eligibility may not be enough to satisfy the qualification requirements regarding coverage.

If a plan fails to follow its terms or the applicable law, the plan faces the potential loss of qualified status. A loss of qualified status could mean taxation of plan participants, taxation of plan earnings to the trust and loss or limitation on the employer deduction for plan contributions. Since the formation of the Employee Plan's Compliance Resolution System, it is unlikely that a plan will be disqualified. Nonetheless, the plan sponsor may be exposed to significant costs to correct any errors and for penalties payable to the IRS in the event errors are discovered upon audit. It is always best to have controls in place to guard the plan's operations and its tax-advantaged status.

This gives rise to the second critical set of controls over a plan's operations—compliance controls. These controls apply in two broad areas:

  • Are the plan's operations in compliance with the written terms of the plan (i.e. - controls over the "accuracy" of the plan's operations relative to its governing instruments)?
  • Is plan management or their delegate applying all the required tests to the plan's operations to demonstrate compliance with the law (i.e. - controls over the "testing" of the plan's operations with applicable law and regulations)?

These are distinct, but interrelated areas. A plan may follow its terms, yet fail an applicable test under the Code. Likewise, tests may appear to have been passed, but be based on inaccurate data where the plan's operations failed to follow its terms.

The easiest way to evaluate the controls over the plan's operation is to follow the life cycle of an employee as they enter the plan, accumulate benefits, make investment elections (if applicable), vest and eventually receive a distribution. The following discussion is primarily focused on participation in a defined contribution plan1. The following questions are intended to illustrate the types of controls that relate to IRS or DOL compliance with respect to the plan's operations and are not intended to be an exhaustive list of considerations. These questions are merely intended to prompt the reader to consider the types of controls that may be appropriate to their plan.

Plan entry

  1. Are there controls in place to verify the accuracy of the data required for entry? Depending upon plan terms this would include items such as the date of birth, date of hire, hours worked, status as an eligible participant (i.e., union versus non-union).
  2. Do controls over plan entry properly consider special circumstances such as rehires, employees returning from approved leaves of absence (e.g., returning from military duty),  employees changing classification from ineligible employment to eligible, business acquisitions or other status changes?
  3. Are there controls in place to enroll eligible participants on a timely basis? Do those procedures specify what constitutes "timely" enrollment for plans that involve employee contributions?
  4. Where specific notices are required regarding safe harbor contributions or automatic enrollment, are there controls in place to make sure such notices are delivered and on time? Is a record retained to document the delivery of such notices?
  5. Is there someone charged with reviewing eligibility determinations for accuracy on a periodic basis? In today's world of very short waiting periods for entry into employee savings plans, an annual review of eligibility determinations would generally not be considered to operate frequently enough to be a sufficient control. Reviews should correlate to the waiting period for entry (e.g., monthly entry dates should include monthly reviews for eligibility determinations.)
  6. If workers are from employee leasing or temporary employment agencies, are controls in place to properly recognize whether leased employees must be considered as eligible participants in the plan or if excluded, participants eligible but not participating for the applicable compliance tests? If the plan has a waiting period, are procedures in place to give appropriate prior service credit to leased or temporary workers who are subsequently hired by the plan sponsor?
  7. Are there controls to make sure that any compliance tests applicable to plan eligibility are recognized and performed on a timely basis? Does someone periodically verify which compliance tests apply and whether such tests are performed on time? If such tests are to be performed by a vendor, does the contract with that vendor specify that they are responsible for performing these tests and when they do such tests? Is there someone at the plan sponsor responsible for verifying that the data provided for such tests is accurate, that such tests have been performed and what action must be taken, if any?
  8. Are controls in place to make sure that the testing on plan coverage includes all members of the controlled group as defined in the IRC? Are controls in place to advise the party performing such testing of any changes in that group? Is there someone at the plan sponsor with sufficient familiarity with these rules to recognize when such a change might have happened? If not, are there procedures in place to contact the appropriate service provider for assistance in the event of any significant change in the workforce or the controlled group structure?
  9. Where the results of a compliance test require action by the plan sponsor, are there controls in place to make sure such action takes place within the required timeframe? Is someone from plan management charged with verifying that the action taken was sufficient and timely?

Benefit accumulation

  1. Are there controls in place to make sure that any employee salary deferrals are calculated properly? These calculations would include the following considerations:
  2. a. The deferral election is consistent with the participant's most recent election.
    b. The covered compensation is properly determined.
    c. Changes made in deferral elections are executed promptly.
    d. If an employee returns from leave, a new election is solicited or the prior election is implemented, as authorized by the plan document.

  3. Is someone charged with reviewing employee salary deferrals on a periodic basis to make sure that the correct compensation definition is used and the deferral percentages are consistent with the participant's elections? Is this review done periodically throughout the year so any errors can be identified and corrected timely?
  4. Is there a control system over the timeliness of deposit of any employee contributions or loan payments?
  5. In the event of any changes in employment practices, in compensation practices or in the associated systems, is there a control structure in place to verify that such changes have been properly integrated into the plan's operations or that the plan is amended, as appropriate, to coordinate plan operations with these workplace changes
  6. Are there controls in place to make sure that any employer matching or other employer contribution is calculated and allocated properly? Is the proper definition of compensation used for this calculation? If there are limitations on eligibility for such contributions (i.e., age, years of service, eligible employment category or end of year employment requirement), are such limitations functioning properly? Does someone at the plan sponsor review this calculation periodically?
  7. Are there controls in place to make sure that the applicable tax code limitations on employee salary deferrals, catch up contributions, compensation or total benefit allocations are satisfied? Are such limitations updated annually when the IRS issues the limits for the following plan year? Where the plan sponsor offers more than one defined contribution or defined benefit plan, are controls in place to coordinate these limits between the plans in accordance with the plan terms
  8. Where the participant is permitted to direct investments, do controls over the authorization and execution of such activity exist with the investment vendor or TPA through whom the trading platform is established? In such cases, the plan sponsor needs to verify that all controls required by the vendor to exist at the sponsor level do, in fact, exist and are functioning. Typically, the vendor will have a report on their control system highlighting user controls. In addition to having such user controls implemented and functioning, plan management should review the report on the effectiveness of the vendor's controls to obtain an appropriate level of comfort that their vendor selection remains appropriate.
The Real World

During the current audit season, RSM audited a “safe harbor plan,” which is generally exempt from nondiscrimination testing, and the plan sponsor had not performed or engaged any firm to perform such testing. However, the plan sponsor selected a non-safe harbor definition of compensation for allocating employer contributions. This action imposed a compliance test to prove that the definition of compensation was not discriminatory. The sponsor had not been advised of this when the adoption agreement was completed. The TPA was aware of the impact but had not been engaged to perform the test and assumed that someone at the plan sponsor or another party was performing the test.

The good news was that once the test was performed, it was determined that the plan satisfied the standard. But, it could have been a much sadder story, so the auditor’s communication to the plan sponsor highlighted this as a control weakness in their operation of the plan. The client addressed the weakness by engaging the TPA to perform the test for subsequent years and revised their data transmittal to the TPA to include total compensation, excluded compensation and plan compensation.

This experience illustrates how critical it is for the plan sponsor to completely understand all agreements with service providers, such as the TPA, to ensure all compliance controls are in place and functioning.

8. Does someone at the plan sponsor know which discrimination tests apply, whether they have been performed and whether passed or if other actions must be taken? If the plan is designed to be a "safe harbor plan," are controls in place to ascertain whether plan operations are consistent with that status?

9. Where an error has been recognized in enrollment, the execution or deposit of salary deferrals or other aspects of the accumulation of plan benefits is someone from plan management charged with verifying that the appropriate correction action taken was sufficient and timely?


  1. Where hours of service are used to measure vesting, are controls in place to make sure that all applicable hours are counted?
  2. Are controls in place to give vesting credit for nonstandard circumstances such as military leave, rehires, merged in enterprises, service as a leased or temporary worker, or service for an affiliate who is not participating in the plan?
  3. Are controls in place to verify the determination of vesting prior to the distribution of benefits?
The Real World

In a recent plan audit, we discovered over $1 million of unallocated forfeitures. They were to be used to reduce the employer contribution, but the TPA was waiting for the employer to notify them of their intent to apply the forfeitures to the match. The control procedure missing was that there was no periodic notice given to the employer of the existence of the forfeiture balance and the option to offset this against their contribution. Needless to say, the employer was delighted to satisfy its matching obligation through the use of such forfeitures.

4. Are controls in place to make sure that any unallocated forfeitures are used on a timely basis as authorized by the plan's terms? Is there someone at the plan sponsor who tracks forfeitures and directs the TPA or other service provider with respect to the application of such forfeitures?

5. Is someone within plan management sufficiently familiar with the intricacies of service crediting and vesting measurement to recognize when guidance should be obtained for unusual situations, such as the termination of a segment of the workforce, which could trigger a partial plan termination?

Distributions, loans or other withdrawals

  1. Has a clear understanding of the plan's distribution provisions been communicated to all parties involved in the distribution process?
  2. Has a summary of the plan's provisions for distributions been communicated to all parties involved in the distribution authorization and approval process in clear action points? This summary should include the following events with an understanding of what party authorizes or reviews any request:
  3. a. Triggering events as applicable under the plan's terms, such as death disability; normal, early or deferred retirement; termination of employment; hardship; other in service distributions; deferred distributions for former employees; and required minimum distributions
    b. Specific conditions associated with distribution forms, such as hardship or other in service distributions
    c. Commencement date for distributions
    d. Form of distributions–lump sum, installments, annuity, nonperiodic payments, etc.
    e. Notices and consents
    f. Withholding of income taxes, deposit and reporting
    g. Retaining evidence of proof of payment

  4. Have controls been established with respect to any lost participants? Lost participants are recognized when a participant fails to return a distribution request, when they fail to cash a distribution check or when beneficiaries of deceased participants cannot be located.
  5. If the plan permits participant loans, are there controls in place over the uniform procedures required by the DOL prohibited transaction exemption standards? As with distributions, it is important that there is a clear understanding of those procedures by each party involved in administering the loan program.
  6. Are periodic reviews of the plan's operations conducted over distribution or loan procedures? To the extent that a review identifies any failures to follow procedures, are there established actions to be taken to address such failure, the parties to take such action and the parties who review the results of such corrective action?

Record retention

Plan sponsors need to have procedures in place to organize and retain plan demographic information, testing results, participant benefits determination, consent forms, distributions, evidence of correction of any errors, trustee or plan administrative committee minutes and all applicable government filings. The AICPA is working with the IRS to publish a set of standards for benefit plan record retention by plan type. With regards to how long to retain information, the key factor is that the information needs to be retained for as long as it is relevant, which could be many years after the actions took place or an individual received a distribution from the plan.


To design effective controls over the plan's operations, plan management needs to recognize all the action points taken when operating a plan, what information is required relative to that action, where that information comes from, and who approves and reviews the action. This listing covers the general action points–eligibility, accrual, vesting, testing and distribution–as an outline for plan management to start filling in the details.

For a defined benefit plan, the controls over benefit accumulation will focus primarily on the accuracy of the data used by the actuary. The controls over plan entry, vesting, data and distribution may be similar to the controls outlined for defined contribution plans.

RSM contributors