How effective are your organization’s internal controls? Do you know about the risks of being a fiduciary and do you comply with mandated requirements?
With more companies under scrutiny to employees, shareholders and the government, the accountability on employee benefit plans, has changed. As a consequence, in order to perform a quality audit in accordance with Generally Accepted Auditing Standards (GAAS), an auditor must understand the wide-reaching plan responsibilities placed on plan fiduciaries and the related liabilities resulting from failures of such responsibilities.
Those making decisions on behalf of an employee benefit plan are “fiduciaries.” Employee benefit plan sponsors, administrators or trustees are considered fiduciaries under ERISA (Employee Retirement Income Security Act of 1974). Under ERISA, standards of conduct must be followed, or these fiduciaries become liable for losses to the plan or the restoration of any profits made resulting from improper use of the plan’s assets.
Five-Step Guideline for Effective Internal Controls
Fiduciaries’ responsibilities include maintaining the books and records of the plan, and filing a complete annual return or report. Fiduciaries must establish safeguards, and one path to these safeguards is implementing internal controls over financial reporting. These controls cut the risk of asset loss due to errors or fraud, and help ensure that plan information is accurate, financial statements reliable, and laws and regulations are in compliance.
General characteristics of internal control include 1) policies and procedures that provide for appropriate segregation of duties to reduce the likelihood that deliberate fraud can occur, and 2) a system for proper authorization and recordation for financial transactions. Internal controls will vary depending on the plan’s size, type and complexity, and are based on a systematic, risk-oriented approach to ensure adequate controls in high-risk situations.
Before adopting a control, considerations include the potential benefits the control will provide and the possible consequences of not implementing it. First, an entity will need to determine the objectives of the controls. These include financial statements prepared in accordance with Generally Accepted Accounting Principles (GAAP), and addressing assertions inherent in the plan’s investments, contributions, benefits, participant data, plan obligations, participant loans and administrative expenses.
A five-step guideline based on GAAS assertions includes:
- Existence or occurrence – Do assets and liabilities actually exist at a given date? Did recorded transactions occur during the current year or in an earlier or later year?
- Completeness – Are all transactions and accounts included that should be in the financial statements?
- Rights and obligations – Do assets and liabilities reported in the statements represent the rights and obligations of your plan as of the date of the statement of net assets available for plan benefits?
- Valuation or allocation – Are assets and liabilities valued properly? Are costs allocated reasonably among time periods?
- Presentation and disclosure – Are transactions recorded in the proper accounts? Is each component of the statement classified, described and disclosed?
Control objectives for each of the plan’s financial statement assertions also should cover plan investments, contributions received and related receivables, benefit payments, participant data, plan obligations, and administrative expenses.
Once established, controls must be documented and communicated to staff members. Staff training is a key element to ensure the effectiveness of the plan’s internal control. Monitoring should be designed to identify and correct weaknesses in internal control before they result in a significant misstatement in your plan’s financial statements.
Monitoring should address whether internal controls are operating as designed; whether exceptions and problems are identified and resolved promptly; and whether the controls are periodically reviewed in light of staff turnover, plan mergers and other changes.
In situations where certain plan accounting and reporting functions are outsourced to third-party service providers, adequate internal controls must be maintained by those providers. The hiring of a service provider to perform any or all of financial reporting responsibilities is a fiduciary function. As a result, the fiduciary is required to periodically monitor the service provider. The ultimate fiduciary responsibility resides with the named plan administrator and plan trustee(s).
The Auditor’s Role and Scope
Auditors also are required to communicate – in writing to those charged with governance – deficiencies or weaknesses in a plan’s internal controls that are identified in an annual audit. These communications must be made every year in which the significant deficiency or material weakness exists, even if they were communicated in the past.
Examples of deficiencies or material weaknesses include:
- inadequate segregation of accounting duties among personnel;
- lack of internal expertise in financial accounting, reporting and internal control;
- ineffective monitoring of third-party administrators or custodians; and
- discovery through audit of material misstatements in accounting records that were not identified by the plan’s internal control.
Plans hire financial statement auditors to perform non-audit services for many reasons. However, Department of Labor (DOL) and American Institute of CPAs’ auditor independence rules restrict what non-audit (non-attest) services auditors can and can’t perform for a plan for which they perform the annual financial statement audit.
For example, the plan can use its auditor to assist in identifying adjusting entries and drafting the financial statements and footnote disclosures, but to have effective controls, the plan must designate an employee to oversee the service who understands the benefit plan industry and how accounting entries affect the plan’s financial statements, is capable of making management decisions related to the monthly and year-end closing activities, and approves and accepts full responsibility for the plan auditor’s work product.
Fees and Expenses
Plan fees and expenses generally fall into three categories:
- Plan Administration: The day-to-day operation of a 401(k) plan, including expenses for basic administrative services.
- Investment Fees: Fees for investment management and other investment-related services, generally assessed as a percentage of assets invested. These fees are not specifically identified on statements of investments and may not be immediately apparent.
- Individual Service Fees: These are charged separately to the accounts of individuals who choose to take advantage of a particular plan feature.
ERISA permits certain expenses incurred in connection with the administration or operation of a plan to be paid with plan assets. These include fees to obtain a determination letter, and fees for actuarial, appraisal, auditing, investment management, and to amend a plan to adopt a change required by law and fidelity bond premiums.
Following a wave of lawsuits against employers over 401(k) plan management, the DOL introduced several new initiatives to provide transparency in the administration of certain employee benefits plans subject to ERISA. The DOL revised the Form 5500, Schedule C reporting requirements, effective Jan. 1, 2009, and in December 2007, issued proposed regulations under ERISA Section 408(b)(2) to require disclosure by service providers to fiduciaries.
In July 2008, the DOL released proposed regulations under ERISA Sections 404(a) and 404(c), requiring disclosure by fiduciaries to plan participants.
For more information on employee benefit plan audits, including the role and responsibilities of the fiduciary and the auditing function, call Sonia Freeman or Michael Veuleman at 713.860.1400, or by e-mail at email@example.com or firstname.lastname@example.org.