Internal Controls Best Practices
By Jennifer Downs, CPA, Benefit Audit Group, LLC
Internal control consists of:
- Entity level controls: these controls relate to the overall control environment and can potentially influence the design and operating effectiveness of other controls.
- IT and general computer controls: these controls relate to the way transactions are initiated, authorized, recorded, processed, and reported.
- Activity level controls: these controls relate to the financial close and reporting process and the processing of transactions for each significant transaction class.
Internal Controls: Audit Relevance
The overriding criterion for the understanding of internal control is that it be sufficient to assess the risk of material misstatement of the financial statements due to error or fraud and to design the nature, timing, and extent of further audit procedures.
Audit effect of weak internal controls:
- Increased sample sizes and participant data required
- Increased inquiries
- Increased deficiencies noted in management correspondence
Entity Level Controls
- Do you have a plan document and is it up to date?
- Who are those charged with governance?
- Is there a retirement/benefit plan committee overseeing the plan?
- Who are the parties in interest relative to the plan?
- Does a code of conduct or ethics policy exist?
- Are there human resource policies and procedures that demonstrate a commitment to integrity, ethical behavior, and competence, and are they clearly communicated to employees?
- Is there a risk assessment policy in place?
- Do you know what kinds of fraud could be committed against your plan?
- Is your plan in compliance with all laws and regulations?
- Is appropriate attention given to internal controls, and does management correct any known weaknesses in internal controls on a timely basis?
Entity Level Controls Best Practices
- All those involved need to know the provisions of the plan document. If you are not sure of a provision, inquire. Do not sign amendments unless you understand the implications.
- Identify those charged with governance and maintain a list of all parties in interest. Regularly review and update where needed.
- Coordinate a retirement/benefit plan committee and have it meet at least annually. Discuss significant items affecting the plan. Document discussions in minutes.
- Develop policies to be rolled out to employees. Regularly review and update where needed.
- Review the processes surrounding the plan to determine where fraud or errors could occur.
- Review your service providers and utilize them to assist with compliance.
- Institute internal control recommendations made by your auditors.
- Perform a self audit.
General Computer Controls
- What computer applications does your plan use?
- What plan-developed spreadsheets are used, and 1) are they password protected and 2) are there logical controls built in to protect their integrity?
- Are there appropriate data backup and recovery processes in place?
- Are the physical security and access to programs and data appropriately controlled to prevent unauthorized use, disclosure, modification, damage, or loss of data?
- For internally developed software, are program changes and development appropriately managed?
General Computer Controls Best Practices
- Evaluate your computer applications.
- Determine proper use of passwords and access to source code.
- Ensure data backup and recovery processes are in place.
- For service organizations used, ensure computer controls are addressed in SOC 1/SSAE 16 reports.
- Ensure a process is in place for changes in personnel.
Activity Level Controls
- Eligibility determination and enrollment process
- Contribution calculation and remittance process
- Rollover contribution process
- Loan initiation and remittance process
- Distribution (including hardships) process
- Investment management process
- Plan expenses process
- SOC 1/SSAE 16 review process
Activity Level Controls Best Practices
Eligibility determination and enrollment process
- Know the process and identify areas where eligible employees could be excluded or ineligible employees could be included.
Deferral calculation and remittance process
- How are the deferrals calculated? If automated, what is the process for manual checks?
- What is the definition of compensation for deferral calculations?
- Is the same person overseeing the calculation and remittance process? If so, is the work reviewed?
- Are your deposits being made timely?
Activity Level Controls Best Practices
Employer match or discretionary contribution calculation and remittance process
- How are the contribution(s) calculated? If automated, what is the process for manual checks?
- What is the definition of compensation for each contribution calculation?
- Are there different eligibility requirements for match vs. discretionary contributions? If so, how are they monitored?
- Is the same person overseeing the calculation(s) and remittance process? If so, is the work reviewed?
Activity Level Controls Best Practices
Rollover contribution process
- Who is monitoring this process?
- Are only amounts from other qualified plans permitted to be rolled over?
Loan initiation and remittance process
- How is the loan repayment entered/stopped in payroll?
- Is the same person overseeing the repayment and remittance process? If so, is the work reviewed?
- Is the loan policy being adhered to?
- Who is monitoring deemed loans?
- Are your deposits being made timely?
Activity Level Controls Best Practices
Distribution process
- Who approves distributions, and what types of distributions require approval?
- Is the person approving distributions also able to make address changes?
- Do you know the hardship rules, and are they being properly adhered to?
- What is the process for ceasing deferrals after a hardship distribution is taken and restarting them six months later?
- Are vesting schedules properly adhered to?
Activity Level Controls Best Practices
Investment management process
- Do you understand your investments and how they are valued?
- Do you have an investment policy statement (IPS)?
- How often does your plan's investment advisor meet to review your investments and adherence to the IPS?
- Do you have all pertinent contracts for investments in your plan?
- What commitments and/or restrictions have been placed on your plan's investments?
Activity Level Controls Best Practices
Plan expenses process
- For expenses paid directly out of plan assets, is there proper segregation of duties?
- Are expenses in accordance with service agreements?
- Do you utilize an ERISA budget account, and is the balance of this account included in plan assets?
Effect on Internal Controls
Consider internal controls when there has been a change:
- Changes in personnel
- Changes in payroll systems
- Mergers/Spin-offs
- Changes in vesting schedules
- Changes in plan document
Reference Materials
See various DOL publications: http://www.dol.gov/ebsa/fiduciaryeducation.html
- Understanding Retirement Plan Fees And Expenses: This booklet will help retirement plan sponsors better understand and evaluate their plan's fees and expenses. While the focus is on fees and expenses involved with 401(k) plans, many of the principles discussed in the booklet also apply to all types of retirement plans.
- 401(k) Plan Fee Disclosure Tool: A form developed by banking, insurance, and mutual fund trade groups to provide employers with a way to collect and compare investment fees and administrative costs of competing providers of plan services, now available in MS Word format. This form was not developed by the Department and was not designed to ensure compliance with the Department's regulations on service provider fee disclosure to plans or plan fee disclosure to 401(k) plan participants and beneficiaries.
- Selecting An Auditor For Your Employee Benefit Plan: Federal law requires employee benefit plans with 100 or more participants to have an audit as part of their obligation to file the Form 5500. This booklet will assist plan administrators in selecting an auditor and reviewing the audit work and report.
- Selecting And Monitoring Pension Consultants: Tips For Plan Fiduciaries: ERISA requires that fiduciaries of employee benefit plans administer and manage their plans prudently and in the interest of the plan's participants and beneficiaries. In carrying out these responsibilities, plan fiduciaries often rely heavily on pension consultants and other professionals for help. Findings included in a report by the SEC released in May 2005, however, raise serious questions concerning whether some pension consultants are fully disclosing potential conflicts of interest that may affect the objectivity of the advice they are providing to their pension plan clients.
- Tips For Selecting And Monitoring Service Providers For Your Employee Benefit Plan: Business owners are responsible for ensuring that their 401(k) plans comply with Federal law and rely on other professionals to assist them with their plan duties. Selecting a service provider is one of the most important responsibilities of a plan sponsor.
- Target Date Retirement Funds: Tips for ERISA Plan Fiduciaries: Target date retirement funds (also called target date funds or TDFs) have become an increasingly popular investment option in 401(k) plans and similar employee-directed retirement plans. EBSA prepared this general guidance to assist plan fiduciaries in selecting and monitoring TDFs and other investment options in 401(k) and similar participant-directed individual account plans.
- Reporting and Disclosure Guide for Employee Benefit Plans: This guide is intended to be used as a quick reference tool for certain basic reporting and disclosure requirements under ERISA.
See IRS Fix-It Guides: http://www.irs.gov/retirement (Retirement Plans > Plan Sponsor > Fix-It Guides: Common Problems, Real Solutions)
Q & A