Employee Benefit Plan Internal Controls TriCounty Human Resource Management Association August 19, 2014 Presented by Zoe Davis, CPA, CFE EPB Auditor Extraordinaire

Key Take-Aways • Importance of Effective Internal Controls over Plans • Identifying significant controls activities for plans • What is the importance of the auditor request – Especially these crazy SOC 1 reports

• Common control deficiencies and how to avoid them

What are Internal Controls?

Internal controls are business processes designed to detect and prevent mistakes in your retirement plan.

Internal controls should include procedures for: 1.

Plan operations review - verify that you operate your plan according to its written terms

2.

Plan document updates - meet with your benefits professional to see if the plan document needs updating for: •

changes in plan operations

•

law changes

The exact procedures will depend on your organization, your plan type and its features. - Internal Revenue Service Examinations of Plans

An ounce of prevention is worth a pound of cure” definitely applies to keeping retirement plans tax-qualified. – Per the IRS.

Consider the importance of segregation of duties to reduce fraud and errors. Make sure personnel are qualified to performed their assigned duties. You have to actually implement the controls or they are not good Make sure there is proper authorization and recording procedures for financial transaction. - AICPA Employee Benefit Audi t Quality Center

Who is involved with the Plan? • Plan Sponsor – CEO/Owner – Controller/Finance personnel – HR Manager – Payroll Clerk

Who is involved with the Plan? Plan Advisors • Investment advisors • Retirement plan consultants

Third party Administrators - recordkeeping Custodians/Trustees – holds assets ERISA attorney Plan Auditor (not a part of controls – ever)

Significant EBP Internal Controls • Participant enrollments and elections are complete, accurate and applied timely • Contributions are deposited timely and accurately • Plan assets are safeguarded • Participant data is authorized and secured • Income is allocated to participant accounts accurately, completely and timely

Significant EBP Internal Controls • Distributions (including loans) are authorized, accurate and compliant • Plan and participant financial statements are complete, accurate and timely

What is a Preventative Control? • Controls designed to prevent errors and fraud before they occur • Primarily authorization, structure and input controls • Examples – – – – –

Hire qualified personnel Segregate duties or outsource certain functions Control access to data Use well-designed documents (prevent errors) Establish suitable procedures for authorization of transactions.

What are Detective Controls? • Controls designed to detect errors soon after they arise • Primarily reconciliations and reviews • Examples – Reconciliations of contributions, distributions, enrollment data – Spot checks of risky areas or sampling transactions for review – Duplicate checking of calculations and secondary signoffs

Significant EBP Entity Level Controls • • • •

Plan committee designated by Board Regular committee meetings and minutes Investment policy statement Familiarity and compliance with plan documents – Definition of plan compensation – All eligible employee groups able to participate in the plan

Significant EBP Entity Level Controls • Segregation of duties in payroll and plan operations • Monitoring and safeguarding of plan assets • Monitor compliance with laws and regulations - AICPA Employee Benefit Plan Conference May 2014

What is the importance of auditor requests?

Generally, auditor requests should include information the Plan Sponsor or Plan Service Providers have already created and use in administration of the Plan.

Statement of Controls Reports Who has the SOC 1 report? Why is there a SOC 1 report? Who reads these crazy SOC 1 reports? User controls considerations Who here has actually read a SOC 1 report?

Common Mistakes Identified by IRS (1) Failure to timely amend the plan or to follow the terms of the plan (2) Failure to review in-service, termination, and loan distribution forms to make sure they follow the plan terms (3) Failure to count all eligible employees in testing

Other Common Mistakes • No review of participant data used by actuary for actuarial valuation • Benefit calculations are not reviewed prior to initiating payment to participant • Hardship withdrawals are not reviewed and approved • Untimely remittance of employee contributions to the trust • Payroll changes (i.e. salary, date of hire, date of birth, etc.) were not approved

Other Common Mistakes • No review of employer matching contributions • No review of investment classification • No review of financial reporting (i.e. financial statements and Form 5500) • Lack of segregation of duties for the payroll function • Lack of oversight of third party administrators • No reconciliation between payroll deferrals and amounts reported in participant account statements

Other Common Mistakes • No plan committee designated by Board of Directors • No plan minutes • No investment policy document • No compliance with plan document – Inaccurate definition of plan compensation – Population of eligible employees not participating in the plan

Other Common Mistakes • No reconciliation performed between participant account details and custodian reports.

Action Items Plan sponsors need to re-evaluate their control environment in light of these matters. Other benefit plan consultants need to discuss client service expectations with their clients to identify potential gaps between deliverable and expectations from client. Make sure you have a plan auditor asking the right questions to help identify control issues.

Final Comment

“Trust, but verify” – Ronald Regan

Thank you!

Questions? Contact Information Zoe Davis, CPA, CFE Hubbard Davis CPAs, LLP [email protected] (843) 822-0190