An Ounce of Prevention: The Case for Effective Internal Controls

There really is no understating the importance of implementing effective internal controls. With a solid system of controls in place, you can be reasonably sure that your employee benefit plan is achieving and maintaining compliance with regulatory requirements and the plan’s provisions, as well as achieving its financial reporting objectives. Without controls, you have little or no such assurance.

Unfortunately, plan audits — as well as submissions to the Voluntary Correction Program — sometimes show that necessary internal controls are not in place or are not being properly administered. But it’s clear that strong internal controls are important for a variety of reasons:

• To maintain your plan’s tax-favored status. Effective internal controls are essential for preventing — or at least quickly detecting — potentially costly mistakes that can jeopardize the plan’s tax-favored status.
• To be eligible for Self-Correction. Having effective practices and procedures to prevent compliance problems is a basic requirement for using the IRS Self-Correction Program to correct operational errors at any time.
• Because the feds are watching. When auditing a retirement plan, revenue agents begin by evaluating the plan’s internal controls to determine whether to perform either a focused or expanded audit. In addition, if the agent finds plan errors, the strength of internal controls is a factor in the negotiation of the sanctioned amount under the Audit Closing Agreement Program.

Where to Start

Obviously, internal controls will vary based upon the plan size and complexity. The size and qualification of the department responsible for financial reporting will also come into play, as will the use of outside service providers. The American Institute of CPAs suggests plan administrators follow at least these basic steps:

• Evaluate risk. By learning what processes and procedures are used at your plan, you can identify the related risks and determine controls to mitigate or eliminate those risks. The goal is to ensure that adequate controls are in place in areas with high risk, and that controls are not excessive in areas with low risk.
• Establish control objectives. Control objectives should be established for each of your plan’s financial statement assertions. For example, there could be a control that helps make sure that investments are measured at fair value. Another control could help determine that contributions by employers and participants meet authorized or required amounts.
• Implement appropriate controls. A valuable resource for setting up your plan’s internal controls is The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control — Integrated Framework. COSO has been recognized by executives, board members and regulators as an appropriate comprehensive framework for internal controls.
• Document and communicate. Once controls are established, it is important that they be documented and communicated to staff members who are expected to follow the policies and procedures. Staff training is a key element in ensuring the effectiveness of the plan’s internal controls.
• Keep tabs on third-party providers. As part of your fiduciary responsibilities, you are required to periodically monitor service providers to whom you have outsourced any or all of your financial reporting responsibilities.This monitoring means making sure that service providers are properly performing the agreed-upon services and determining whether or not they maintain adequate internal controls over the transactions processed on behalf of your plan. This should include annual reviews of the service provider’s report on internal controls to be sure that both the design and operations of their internal controls is sufficient to meet the needs of your plan.
• Establish user controls. Depending on the nature of the services performed by the third-party service provider and the quality of the controls it has in place, additional controls may be necessary at your plan. These controls are referred to as “user controls”, and are typically described in the service provider’s report on internal controls.
• Monitor and review. You should periodically review the design and operation of your plan’s controls. Are internal controls in place and operating? Are exceptions and problems identified and resolved promptly? The idea is to identify and correct weaknesses before they can result in a significant misstatement in your plan’s financial statements. Staff turnover, plan mergers and other changes may necessitate that controls be reviewed for effectiveness.

Understanding Control Deficiencies

Under Generally Accepted Auditing Standards, plan auditors are required to disclose any “significant deficiencies” and “material weaknesses” in internal controls they find during a plan audit. Yet, many plan fiduciaries aren’t always sure how to respond to these findings.

A Matter of Semantics

The terms “significant deficiencies” and “material weaknesses” designate the degree of deficiency found in the plan’s internal controls. According to professional standards, these deficiencies occur when “the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements in a timely manner.”

Ultimately, the nature and severity of the deficiency will dictate whether it is a significant deficiency or a material weakness. For example, it likely would be considered at least a significant deficiency in a situation where no one at the plan has the required expertise to prepare the plan financial statements. If the person responsible for financial reporting lacks the ability even to understand the financial statements prepared by the auditor, the deficiency might escalate to the level of material weakness.

Other examples of circumstances that may be significant deficiencies or material weaknesses include:

• The plan does not adequately segregate accounting duties among personnel, increasing the risk that fraud could occur and go undetected.
• The plan does not effectively monitor the activities of third-party administrators or custodians, increasing the risk that errors in information provided by the service organization will go undetected.
• The plan audit identifies material misstatements in accounting records, which were not identified by the plan’s internal controls, indicating that the plan’s controls are not functioning effectively.

Your Response

Contact us to inquire whether there may be any opportunities to improve the plan’s internal control. Ultimate responsibility for establishing internal controls remains with you; however, we would be pleased to discuss with you what controls are necessary to achieve regulatory compliance, as well as complete and accurate financial reporting.