Trust but Verify Your 401K Benefit Plan

By Sharon Bradley, CPA

In today’s increasingly virtual world, businesses that offer employee benefit plans regulated by the Employee Retirement Income Security Act of 1974 (ERISA) must keep their policies and procedures for the electronic handling and transfer of private, confidential personal data up to date. That applies to your own processes and operations and to those of your plan counterparts, including your financial custodian and third-party administrator (TPA).

C-suite executives and plan administrators with fiduciary responsibility should ask their 401(k) plan partners questions such as “How are you protecting my employees’ electronically transferred personal information?” and “What controls are in place to ensure that confidential data are protected on your systems and properly destroyed after use?”

The COVID-19 pandemic has accelerated already fast-moving trends in financial management and data privacy. The challenges of remote audits, electronic transfer of personal information, virtual record retention, and document protection are suddenly commonplace for businesses, large and small.  

Differentiation of Benefit Plan Size

Under ERISA, benefit plan size defines the requirements for an audit and other obligations, but all fiduciaries should follow the best practices outlined below to protect sensitive data and ensure the integrity of plans regardless of size.

Large employee benefit plans, generally those with 100 or more participants at the beginning of the plan year (a plan with between 80 and 120 participants may continue to file as it did the prior year under the “80-120 rule”), must have their 401(k) plan audited by an independent qualified public accountant and attach the audited financial statements to Form 5500, which is filed with the Department of Labor (DOL) and the Internal Revenue Service (IRS). Form 5500 is due the last day of the seventh month after the plan year ends (July 31 for a calendar-year plan) and can be extended to October 15. Small plans, generally those with fewer than 100 participants, need only file Form 5500-SF (Short Form). Whether an employee counts as a participant depends on multiple factors such as length of employment, age, full- or part-time status, whether the employee has opted in, and other criteria.

Plan Records Need Protection

Records such as the original plan documents and amendments, contracts with service organizations, participant records, regulatory filings, payroll records, and others may be retained electronically and/or in paper files. ERISA requires that records supporting an annual report, including the Form 5500 itself, be retained for a minimum of six years from the filing date. Records needed to determine a participant’s benefits must be kept for as long as they could be relevant, which in practice means the life of the participant’s account.

Record Retention Best Practices

Plan administrators, no matter the size of their plan, should ensure appropriate record retention and compliance with the legal requirements of ERISA, the DOL, and the IRS. Relying on a third-party service organization to handle record retention does not relieve the plan sponsor of that responsibility. Following these commonly accepted best practices establishes the right foundation for your plan:

– Establish policies and procedures that govern your organization’s timely review of plan documents;

– Verify plan partners’ policies on electronic data transfer and storage;

– Monitor compliance with the established policies and procedures;

– Organize documents for ease of access and consistent usage;

– Save and safeguard participant data records for the required time frame.

Securing Personally Identifiable Information

Data security is paramount for all proprietary information a business holds, whether personal or confidential. ERISA and HIPAA (the Health Insurance Portability and Accountability Act of 1996) both bear on personal data from the moment it is collected or stored and every time it is disclosed to another entity; HIPAA governs the protected health information handled by group health plans rather than retirement plans. ERISA does not specify how personal information must be stored or transferred to third parties, so fiduciaries are expected to put industry-standard safeguards in place and to be able to show that they did.

Personally Identifiable Information (PII) is any data that can identify an individual, such as a name, Social Security number, or other unique label, or that can be combined with other data such as an address or birthplace to establish identity. Plan administrators should send a plan partner only the fields that partner needs for the task at hand, mask identifiers where a partial value suffices (for example, the last four digits of a Social Security number), and verify that nothing else slipped into the file before it is transferred.
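One way to apply that minimization step to a payroll export before it goes to a TPA, as an added example and not part of the original article or any firm’s tooling: keep only an allowlist of fields for the stated purpose, reduce the Social Security number to its last four digits, then scan the result for any full SSN that survived (a record’s free-text notes field is a common place for one to hide). The field names, the allowlist, and the two participant records are constructed for illustration.

```python
"""Minimize a participant export before it leaves the plan sponsor, then verify it.

Added example, not the page's own tooling. Field names, the allowlist and the
sample records below are assumptions chosen for illustration.
"""
import re
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample payroll export with fictitious participants; not real data.
SAMPLE_EXPORT: List[Dict[str, str]] = [
    {"employee_id": "E1001", "name": "Ada Example", "ssn": "123-45-6789",
     "dob": "1980-02-14", "address": "1 Test St, Boca Raton, FL",
     "deferral_pct": "6", "contribution": "250.00", "pay_date": "2020-10-15"},
    {"employee_id": "E1002", "name": "Ben Sample", "ssn": "987654321",
     "dob": "1975-07-30", "address": "2 Demo Ave, Boca Raton, FL",
     "deferral_pct": "4", "contribution": "180.00", "pay_date": "2020-10-15",
     # Free-text fields are where full identifiers tend to leak.
     "notes": "rehire; prior SSN on file 111-22-3333"},
]

# Per-purpose allowlist: what a TPA needs to post a contribution remittance
# (assumed; agree the list with the TPA and keep it as short as possible).
REMITTANCE_FIELDS: Sequence[str] = (
    "employee_id", "name", "ssn", "deferral_pct", "contribution", "pay_date")

# A full SSN written with or without dashes. Used as a post-minimization check;
# any other nine-digit value would also trip it, so findings need a human look.
FULL_SSN_RE = re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b")


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, the usual value a TPA matches on."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError(f"unexpected SSN format: {ssn!r}")
    return "***-**-" + digits[-4:]


def minimize_record(record: Dict[str, str], allowed: Sequence[str]) -> Dict[str, str]:
    """Copy only allowlisted fields and mask the SSN if it is among them."""
    out = {field: record[field] for field in allowed if field in record}
    if "ssn" in out:
        out["ssn"] = mask_ssn(out["ssn"])
    return out


def minimize_export(records: Iterable[Dict[str, str]],
                    allowed: Sequence[str] = REMITTANCE_FIELDS) -> List[Dict[str, str]]:
    return [minimize_record(r, allowed) for r in records]


def residual_ssn_findings(records: Iterable[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (record index, field) for every value still containing a full SSN.

    An empty list is the go/no-go signal before the file is transferred.
    """
    findings: List[Tuple[int, str]] = []
    for i, rec in enumerate(records):
        for field, value in rec.items():
            if FULL_SSN_RE.search(str(value)):
                findings.append((i, field))
    return findings


if __name__ == "__main__":
    print("full SSNs in raw export:", residual_ssn_findings(SAMPLE_EXPORT))
    cleaned = minimize_export(SAMPLE_EXPORT)
    print("full SSNs after minimization:", residual_ssn_findings(cleaned))
    for row in cleaned:
        print(row)
```

The allowlist, rather than a denylist of fields to strip, is the important design choice: a new column added to the payroll export (or a notes field nobody remembered) is dropped by default instead of shipped by default. The trailing scan is a second, independent control, so a mistake in the allowlist still has to get past it.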

Addressing Pain Points

Compliance audits should not be a painful process. Such audits are clear cut: is the plan being operated in accordance with the plan documents or not? Auditors who specialize in this area have the experience to integrate a 360-degree view of the plan’s multiple components with knowledge of your payroll process and operations.

Daszkal Bolton’s experienced audit team works hand in hand with your plan providers to simplify and expedite the process. Through accounting reports provided by the plan partners, we test the timeliness and validity of disbursements, contributions, remittances, and other plan functionality. With a well-trained staff and low turnover, the Daszkal Bolton audit team takes pride in creating consistent, user-friendly systems to make the audit process as painless as possible for all parties. 

Sharon Bradley, CPA

Sharon Bradley is a partner in the Audit & Accounting Services Department. She has twenty-plus years of experience helping companies comply with state and federal rules and improve their operational systems.
