Employee Benefit Plans Can Mitigate Risk With Strong Internal Controls
Can fraud occur in an employee benefit plan? Absolutely. One factor that creates risk is a lack of strong internal controls. Plan sponsors can mitigate the risk of fraud by creating a system of internal controls; however, knowing where to start can be a difficult and time-consuming task.
Look for the warning signs of fraud
Of course, you shouldn’t wait until fraud is occurring to develop the internal controls to combat it. Recognizing the warning signs may provide your organization the incentive it needs to apply itself to mitigating risk.
See if any of the following red flags apply to your organization:
- Participant statements are late or do not appear accurate.
- Participants are complaining about inaccurate account balances.
- Investments listed on the custodian statements are not authorized by the plan sponsor.
- The fluctuations in plan investment income activity do not correspond to overall market fluctuations.
- Employees eligible for a distribution are having a hard time obtaining the distribution or the amount paid out is improper.
- Contributions reported on the custodial and recordkeeping system do not appear reasonable when compared to payroll.
- Unusual transactions or one-time transactions are noted in the custodian or recordkeeping statements.
- Employees of the plan sponsor demonstrate a change in lifestyle, by purchasing a sports car or buying a vacation home in Florida.
- Expenses paid from the plan vary significantly or are paid to unknown vendors.
Any of these symptoms should be a call to action, but even if no fraud is occurring, exploring these red flag areas is the first step to improving your internal controls.
Basic steps to mitigate risk and improve internal controls
Many plan sponsors outsource plan operations to a third party that includes a third party administrator, record keeper, payroll provider, and investment custodian. These parties typically perform most, if not all, functions related to the plan and have minimal interaction with the plan sponsor. This is particularly true in 401(k) arrangements with a bundled provider.
Plan sponsors should develop a plan to properly monitor third party service providers, as well as internal employees involved with the plan, and document the process. Taking the following steps and asking certain questions will improve your basic internal controls.
Step one: Review and reconcile reports provided by the record keeper and the custodian for plans with participant account balances.
- Do the contributions reported in the custodian and recordkeeping system align with the payroll system reports?
- Is everything that is held at the custodian accounted for in the participant account statements at the record keeper?
- Does the activity overall appear reasonable?
Step two: Spot check and recalculate payroll items.
- Are the deferral rates applied appropriately and timely when initiated or changed?
- Was compensation properly included or excluded in the contribution calculations, based on the definition of compensation in the plan document?
- Are the deferral contributions withheld from payroll accurate (i.e., the deferral rate elected by the participant is multiplied by the eligible compensation, remitted to the trust, and posted to the participant’s account)? Perform similar recalculations for employer contributions determined through payroll.
- For health plans, are amounts elected by the employee being properly withheld and remitted to premium payments?
Step three: Review and recalculate distributions and vesting calculations for selected benefit payments.
- Did the vesting percentage used in the distribution calculation consider the appropriate years of vested service?
- Was the distribution processed in accordance with the plan document and the participant’s election?
- Is the reason for the distribution appropriate based on your knowledge of the employee’s employment situation?
- Are hardship distributions proper and in accordance with plan provisions? Consider asking those requesting a distribution if they received the funds.
- Review of distributions throughout the year is extremely important, especially when the distributions are handled directly between the participants and the service provider.
- For health plans, are employees and dependents eligible to receive benefits?
Step four: Review and understand expenses paid by the plan in relation to the service agreements.
- Are there significant fluctuations in expenses throughout the year?
- Are amounts paid out of the trust reviewed to ensure they are paid to the appropriate parties and are allowable plan expenses?
- Do the service agreements state the fee arrangement, and does management understand how fees are assessed and who pays (employer versus plan forfeitures, paid through revenue sharing, or allocated amongst participants)?
Step five: Monitor access rights to payroll and recordkeeping.
- What are the review procedures around data entry and new employee set-up?
- Is there a control between the person who processes new employees or employee changes and the calculation of payroll amounts?
- Can the same person involved with the plan add a new employee in the human resource information system, the payroll system, and the plan recordkeeping system?
- Who provides payroll information to the third party service provider?
- Who reconciles the payroll bank account and compares it to the payroll withholdings deposited at the service provider?
- Is the person who enters terminations into the human resources information system the same person who enters or provides the data to the record keeper? Does that person also approve or process benefit payments?
How we can help
CLA can help you review, update, and document your internal controls. We can also review and monitor controls related to service providers, and separate access rights for employees involved with plan operations. We can also help you document the benefit plan’s processes and operations and confirm that the plan sponsor is fulfilling necessary fiduciary responsibilities. All these steps can significantly reduce errors and the risk of fraud.