Why internal controls are important to benefit plans

IRS focuses on retirement plan internal controls


Retirement plan regulations are complicated and frequently changing. As a result, plan sponsors need to understand the current requirements for their plan and be aware of the constantly changing compliance environment. Qualified plans must comply with these requirements both in form and in operation—and mistakes can be made by not following the terms of the plan or failing to revise the terms of the plan as the rules change. Failure to comply can lead to penalties, plan disqualification, loss of tax-exempt status and loss of tax deductions to the employer or tax benefits to the employee.

The Internal Revenue Service (IRS) is taking internal controls very seriously. In a recent Employee Plans Phone Forum, Monika Templeman, director of Employee Plans Examinations at the IRS, stated:

If a plan is selected for audit by the IRS, the EP agent conducting the retirement-plan examination will begin by evaluating the effectiveness of the plan's internal controls to determine whether to perform a focused audit—that is, just look at three to five issues—or expand the scope of the examination. In other words, based on the strength of the plan's internal controls, the agent will decide to examine more or less of the return than originally planned.1

For the past several years, the IRS has offered its Employee Plans Compliance Resolution System (EPCRS) as a mechanism by which plan sponsors can correct certain common plan failures to satisfy plan qualification requirements in a timely fashion and avoid the severe penalty of plan disqualification. This system includes the important Self-Correction Program (SCP) that permits a plan sponsor to correct certain plan operational failures without contacting the IRS or paying any penalties, provided the correction is made as outlined in EPCRS.

EPCRS has evolved over the years, and its most recently updated version attached a few new “strings” to program eligibility by requiring sponsors and administrators to demonstrate that an error was caused by a breakdown in controls, rather than through neglect or an absence of controls. To be eligible for the relief, the plan sponsor or administrator now must have established practices and procedures (formal or informal) that are reasonably designed to promote and facilitate overall compliance with the law. A plan document alone does not constitute evidence of established procedures. The introduction to EPCRS states that relief will not be granted if the established procedures are not in place.

It is important to note that when the IRS changes its procedures in this way, RSM’s experience has been that the IRS typically phases in its expectations for compliance. The IRS has been conducting a widespread and vigorous marketing campaign on its expectation that appropriate controls be in place. But to date, RSM has not seen the IRS actually reject a request for relief solely because the plan sponsor did not have adequate controls in place. Instead, the IRS is requiring that the sponsor establish such controls as a condition of granting that relief. This behavior by the IRS reflects the fact that it is always looking at the past. Thus, its focus now on the need for controls means that it will expect plan sponsors to have controls in place for 2013 and later plan years. It is merely granting relief for prior years.

The notion of an internal control is familiar within the context of financial reporting or security controls. There are basic concepts such as segregation of duties, reconciliation, authorization and approval. The issue is how these concepts change, how the controls should be monitored and what other controls must be added in the context of an employee benefit plan. This issue becomes particularly complicated because so much of the operation of a benefit plan is outsourced to other service providers.

The IRS is focused on the plan’s operating policies and procedures, as well as compliance and reporting controls. For example, the third party administrator (TPA) of a qualified retirement plan may include in its plan operating manual or compliance checklist a specific annual step to determine whether the plan is top-heavy and, if so, to ensure that the minimum contribution requirements of the top-heavy rules are satisfied. Even though a TPA may be performing this step, it is imperative that the plan sponsor knows which information is used in the calculations and that the proper data is used. The plan sponsor must have procedures in place to ensure that the appropriate details, such as payroll information, family relationships, status as an officer or other details, are being provided to the TPA completely and accurately, and must also have controls established to monitor the process of providing this data to the TPA. For a plan sponsor or administrator to use SCP, the IRS expects that the appropriate established procedures are in place and routinely followed, that controls are in place to monitor or review that the processes are occurring, and that the operational failure occurred through an oversight or mistake in applying the procedures and controls. As noted earlier, the fact that the top-heavy rules are included in the plan document is not a sufficient control. The IRS is expecting there to be evidence that the rules are timely and accurately applied to the plan.

To assist plan sponsors and administrators, the IRS has issued Fix-It Guides that provide tips on how to find, fix and avoid common mistakes in retirement plans, such as failure to update the plan and failure to follow plan terms. Each guide also includes an overview of the EPCRS and an overview of the rules for each plan type, including 401(k) and 403(b) plans, among others. Importantly, the recently updated versions of the Fix-It Guides include general references to the kinds of controls the IRS would expect to see in each of the areas discussed in their guide to avoid a reoccurrence of the error.

The IRS is not the only regulatory agency that is concerned with proper plan practices and procedures. The U.S. Department of Labor (DOL) Employee Benefits Security Administration protects the interests of participants and beneficiaries of employee benefit plans, and therefore, is concerned about proper plan practices and procedures. The examination checklist used by the DOL in investigating plan fiduciaries includes the following specific inquiries:

Where appropriate this section of the report should include, but not be limited to, information concerning: identities and principal duties of all plan officials and principal employees and service providers during the relevant period, including dates of service; funding method; internal controls; investment policies and practices; benefit payment procedures; collection of contributions; and other relevant information relating to plan administration and financial operation.2

RSM has observed the impact of the DOL’s perspective, for example, in its assessment of the timeliness of deposit of employee salary deferrals. In situations where a plan sponsor has a clear and well-defined system in place governing deposits, examining agents seem inclined to accept plan management’s assertions as to timeliness, if reasonable. In contrast, in situations where controls are absent and the timing of deposits ranges from the same business day to 15 or 20 business days, the DOL’s examiners seem inclined to conclude that since at least one deposit was made on the same business day, it must be possible for all deposits to be made on the same business day. Without a well-documented control system governing this process, it is very difficult for a plan sponsor to overturn that conclusion.

In addition to being important to regulatory bodies, internal controls that are properly designed and functioning make plan operations more efficient and effective and reduce the risk of undiscovered errors.

The frequently changing and complicated legal framework governing benefit plans can make it difficult for plans to recognize the necessary controls and to design and implement the proper controls needed to stay in compliance. RSM audits more than 2,000 employee benefit plans nationwide, and in many of these engagements we may identify weaknesses in controls that contribute to inconsistencies between the plan’s operations, its terms and what the plan sponsor is expecting. These inconsistencies may also constitute noncompliance with IRS rules or DOL requirements.

Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” When it comes to employee benefit plan administration, an ounce of properly designed and functioning controls should result in a pound of prevention … potentially preventing plan disqualification, saving professional and service-provider fees that would be needed for correcting and managing future problems, and resulting in fewer frustrations for fiduciaries.

1 See the entire video of this presentation at

2 See DOL Enforcement Manual, Chapter 48 - Fiduciary Investigations Program, Figure 9. Item V.
