Large Plan Audits: what to expect?

Our firm pretty much exclusively has done small / micro plans (90% of our plans are <1M in assets and under 30 participants). As we grow, I know large plans are likely something we'll have to deal with eventually. We have one plan that's getting close enough to the threshold for requiring a large plan audit that we know we need to start thinking about that in the next few years. With our plan demographic, we've never once actually had a large plan audit. 

What kind of things should we expect? Does the auditing firm just ask us for a bunch of reports, and if so, what kind of information is generally requested? In the case that anything out of place is found, how much leeway is there in terms of them talking to us about correcting it vs reporting failures on an audit? I'd hate for a large plan audit to be the way we find out we're operating something wrong & cause problems for a client. Any guidance as we start to move into plans that may require audits?

In my experience, auditors typically send a formal Request for Information (RFI) or Prepared By Client (PBC) list, outlining exactly what they need and the expected date of their arrival. 

The scope depends on the type of audit. 

Below is what is generally requested in a retirement/benefits environment.

Auditors almost always request foundational documents first:

• Plan document (current and prior versions)
• Adoption agreement
• Summary Plan Description (SPD)
• Trust agreement
• Service agreements (TPA, recordkeeper, custodian)
• IRS determination or opinion letter (if applicable)
• Most recent Form 5500 and schedules

Auditors will request detailed census data such as:

• Employee eligibility dates

• Compensation used for deferrals

• Hire/termination dates

• Date of birth (for testing)

• Hours worked (if eligibility is hours-based)

• Ownership status (for controlled group testing)

They may ask for other items as they review the files.

30 minutes ago, Marjorie Lucas said:

In my experience, auditors typically send a formal Request for Information (RFI) or Prepared By Client (PBC) list, outlining exactly what they need and the expected date of their arrival. 

The scope depends on the type of audit. 

Below is what is generally requested in a retirement/benefits environment.

Auditors almost always request foundational documents first:

• Plan document (current and prior versions)
• Adoption agreement
• Summary Plan Description (SPD)
• Trust agreement
• Service agreements (TPA, recordkeeper, custodian)
• IRS determination or opinion letter (if applicable)
• Most recent Form 5500 and schedules

Auditors will request detailed census data such as:

• Employee eligibility dates

• Compensation used for deferrals

• Hire/termination dates

• Date of birth (for testing)

• Hours worked (if eligibility is hours-based)

• Ownership status (for controlled group testing)

They may ask for other items as they review the files.

This is very helpful, thank you! 

We put together a binder with all documents requested and tabbed, locate the auditor in a closed room, limit any communication with anyone other than counsel, and any interviews they request should be in the presence of counsel. Not hostile - just managed.

The first question that I would ask is the type of services you are providing for the client. If you are providing recordkeeping services, I recommend that you have a SOC Audit (aka SSAE-18) of your firm and your processes.  The large plan auditor will be able to have some reliance on your recordkeeping processes when performing the audit.  It will also help you to identify any deficiencies in your recordkeeping processes and address them.

If you are providing compliance services only, the auditor is going to be looking at what you do in the course of your normal services, and essentially re-perform the plan tests and review the financial statements.  The data listed by Marjorie above is a common ask for audits.  You should have a draft 5500 for them to review when they start their audit. If this is the first year audit, expect them to be asking for data for the previous year. The auditor is then going to review the employer and/or Plan Administrator's policies and procedures regarding remitting contributions, their role in distributions and loans and the eligibility/enrollment process, etc. If the employer/PA is maintaining paper forms, they are going to either sample audit or fully audit that paperwork. If your firm is responsible for maintaining forms, they may ask you for copies.  If the records are kept electronically, the auditor is going to sample or fully audit the electronic records.  They will most likely ask to see participant statements.  If your role is compliance only, most of these asks will need to be fulfilled by the recordkeeper.  Most likely, the employer will need to obtain these records from the provider's website.

The auditor is also going to want to review the SOC/SSAE-18 for the recordkeeping firm, review the (certified) custodial trust reports, compare trust reports from the recordkeeper to the custodian and possibly review SOC/SSAE-18 reports for software providers/other vendors (if applicable).  You should ask for the SOC reports for the recordkeeper and custodian ahead of time. Many recordkeepers automatically post the SOC to the website for the sponsor to access.  Read them over to see if there are any deficiencies. If there are any deficiencies on the SOC report, the auditor may ask what is being done to mitigate those by the employer (if possible).

I would look up ERISA Section 103(a)(3)(c) and review to determine if your employer qualifies for this type of audit. 

If you know a CPA firm that audits a significant number of benefit plans, you may want to contact them and ask for a sample request list and see if they are available to take on new clients.

Lastly, the DOL has published a lot of information concerning the selection of auditors and what is necessary for quality audits. I would google those articles, as well as those published by the AICPA concerning benefit plan audits.