CPA Now Blog

Auditing from Afar: Considerations for Employee Benefit Plans

Among the many aspects of accounting that have been thrown upside down by the coronavirus is the employee benefit plan (EBP) audit, now largely being conducted remotely. Nancy Cox, partner at The Bonadio Group, joins us to discuss the new normal for EBP audits, including a heightened focus on data security, the impact of pandemic-related legislation, updated audit testing procedures, and more.

Jun 1, 2021, 06:00 AM

By: Bill Hayes, Pennsylvania CPA Journal Managing Editor


Podcast Transcript

The switch to a remote work environment brought on by coronavirus has affected the accounting landscape in innumerable ways. One of those is the conducting of employee benefit plan audits. Today, we will discuss those changes with Nancy Cox, partner at The Bonadio Group, touching on aspects such as data security, audit testing, plan terminations, and more.

How has that remote work environment exacerbated by COVID affected the way EBP audits are done?

[Cox] The good thing with employee benefit plan audits is it's not like we're auditing inventory or fixed assets where we physically need to be there to see and touch things. We're auditing investments and everything's pretty much available online, so they definitely can be done remotely, and they have been done remotely in the past. The thing is now almost all of them are totally being done remotely, whereas before there was some more physical contact. There are a couple of things to consider.

The first thing is efficiency. Well, I guess I should start with the first thing being, actually, relationships. I mean, a big part of what we do is developing relationships with those that we're working with. Taking time to make sure that you're still having the relationships, not just with the client, but with your teammates, is becoming more important, and finding creative ways to do that.

Another thing is efficiency. When we're physically sitting in an office doing an audit, questions come up. You might sit there and bounce things off of each other on the audit team, and then things that you need from the client, you would write down and maybe go speak to them once or twice a day with a list of items. Whereas when you're sitting at your computer and you come across something that you don't quite know, maybe you just start firing off 50 emails, which obviously is not efficient for anyone. That's one thing.

The other thing, when we're not physically sitting there, is that when we ask for information, the client can ignore us more easily. It's easier to ignore us because we're not there being persistent and asking for the information. The problem with that is in an auditing environment, these employee benefit plans, let's say they take a week or two. Well, we have our staff members scheduled for that week to do that audit, finish it, then it's reviewed, and then it's provided to the client. The 5500 is filed with the audit report. Now, when they don't get us the information that we need, when we ask for it, it pushes that audit into the following week, which then pushes another audit into the following week. It's a trickle-down effect and it can become extremely inefficient to pick up and put down. The timing of the audit is key and essential, and so is getting that buy-in from the client to say, yes, this is when we're doing it, yes, this one will provide the information, without us physically sitting there.

The last thing that I'll mention is the transmission of data. When you're doing an employee benefit plan audit, for the most part, almost everything you're transmitting is sensitive information. I mean, it's a lot of payroll information, participant data. You really have to be concerned with the transmission of data from plan sponsor to plan auditor. Ahead of time and in planning, figuring out what secure portals you're going to be using, or how you're going to password-protect information is also key.

Are there extra steps that have to be made in the area of data security as a result of remote auditing? What are the best practices there?

[Cox] It's funny because over the last, I don't even know, let's say 10 years, for employee benefit plans specifically, everything has been moving toward electronic. We don't audit plans anymore where we're going to get a physical form that someone has signed in order to either start enrolling in the plan or take out a distribution. It's by and large mostly just done online. We've been going in this direction for many years, so it's not a new concept certainly, but of course it is heightened at the moment because everything is done electronically. There's a lot at stake when you're dealing with employee benefit plans, because all the participant data and personal information is there, social security numbers, all of that, and the plan assets. The plan assets are big. There's a lot at stake and there's less of a paper trail. As I mentioned, things have been morphing in that direction where everything's done electronically with a third-party administrator.

Now there's also more and more remote situations. People aren't even pulling information from a secure network. They could be at their home, they can be at a coffee shop, they could be pulling it up on their phones. Yes, I don't think it's a new concept because of the pandemic, but certainly it's been growing increasingly heightened over the years.

Best practices ... I talk to my clients about this a lot actually because, like I said, it's been over the last few years that it's really ... it's something that committees need to be thinking about. Fiduciaries of the plan, it's their responsibility to protect participants. The first thing I would do is, if you haven't already, make sure if you have a planning committee ... first of all, if you don't have a planning committee, get one to make sure you've got fiduciaries in place. There are fiduciaries … I could go on a whole tangent about it because people don't often know that they are one. If they're working with the plan assets, they are. Anyway, have a committee that meets regularly, at least quarterly, and then start discussions with those fiduciaries saying, okay, first of all, what are we dealing with? Identify the information that's at risk, and then where is it stored? Likely, there's obviously information that's stored at the plan sponsor, at the company itself. Then, you're probably dealing with at least one or two service providers. A payroll company, perhaps. A third-party administrator custodian. What data do we have and where is it stored? That's number one.

Number two is figure out, okay, so the information that's stored here at the company, do we have information technology general controls in place? What are the controls we have here? Look at those and make sure that there's a plan in place for a retirement plan data breach. What will happen if there is a breach? What are the steps that the company would need to take? Oftentimes, at least in my experience with my clients, companies have a plan for the company. If there's a data breach at the company, here's what we'll do, but not always specifically for the retirement plan. That's something important, is that they just make sure there's a plan in place at the plan sponsor themselves.

The second thing is, these service providers that they're working with, they're audited also. They have something called a SOC 1 report or an SSAE 16, which basically lists out their internal controls. A third-party accountant has gone in and tested their controls to make sure that they're operating effectively. There's a report provided, like I said, called a SOC 1, where you'll see there's an audit opinion. Either these controls are operating effectively or they're not. Then it lists out the controls and how they were tested and things like that. As an auditor, this is part of the audit procedures. We get these SOC 1 reports. Oftentimes, the company and the plan sponsor don't and they're not reviewing them, and they really should. I mean, they should be monitoring these service providers and making sure there's nothing going on there.

The thing I'll caution about SOC 1 reports is that ... so the SOC 1 reports will be provided for the retirement plan administration, let's say. Sometimes, within the document, they actually scope out the IT (information technology) controls. They'll scope them out and they'll say it. Anything that's scoped out, they'll say, “Oh, this report covers retirement plan operations. It does not cover information technology.” You have to be careful and make sure; if it doesn't, they would have a report that does, you just have to ask for it. That happens to us a lot of times during the audit. We have to reach out and ask. Those are important.

The thing is for the plan sponsor ... the risk, when we identify risks related to employee benefit plans, it's really money coming out of the plan. When you look at the SOC 1 report, yes, that's a good fiduciary practice, making sure that you're monitoring your service providers, but you really can't stop there. You have to have controls in place that would mitigate anything that would happen there. An example would be for distributions, let's say, money coming out of the plan, it's handled at the third-party service provider. They get the request on their online portal, then they send out a check or EFT or whatever it is. That's how that occurs. Well, I always advise my clients that at least on a monthly basis, take a look at the distributions that came out of the plan, and make sure they make sense. If it's a terminating distribution, let's say, look at that participant, did they terminate? Does it make sense? Just looking at these reports and looking at the different transactions that occur in the plan and making sure they're reasonable.

Then, last thing with cybersecurity is obviously distributing user access. Just making sure that it makes sense based on who should have access.

What considerations have to be thought over as it relates to audit testing and those questions for the plan administrator that come up?

[Cox] As it relates to the audit in general, in my opinion – but we do audit a lot of plans – planning is really key in these because, as I mentioned earlier, scheduling is an issue, making sure things are happening when they should be. Getting in front of all these potential items, planning is key. Planning considerations need to be made specifically for 2020. I mean, always, but if we're talking about pandemic and COVID-related, there could have been a shift in staffing and resources. There could have been furloughs, people came and went during 2020. Again, a shift in priorities of what they needed to focus on and focus their efforts on, and it might not have been administering the 401k plan.

If they don't have those kinds of resources to dedicate to it, or they did have to shift their priorities, then the auditors need to make sure they consider, was there segregation of duties? Were things operating like they should have been during the year? Were there checks and balances? They might need to adjust their risk assessment as a result. Also, there are considerations to be made, again, in planning, about what provisions of the CARES Act may have been adopted. If the plan sponsor adopted coronavirus-related distributions, could it potentially increase your sample size, which makes the audit take longer?

For us specifically, as far as questions go for the clients, we actually put together a special 2020 considerations client questionnaire that just lists out, did the plan sponsor adopt any CARES Act provisions that would need to be considered during testing? Did they suspend employer contributions? Was there significant turnover? Stuff like that, that we're going to go through with every client in planning just to see what changed or didn't, and then how we would need to adjust our audit procedures as a result.

When we look at the changes that were brought about by pandemic-related legislation, how has that affected how auditors review certain aspects, whether it be loan testing or internal controls or others?

[Cox] It depends because, as I mentioned, when you go through planning you figure out what you're dealing with, depending on what provisions may have been adopted. There's the coronavirus-related distribution, the changed loan provisions, suspension of required minimum distributions, whatever it may be. Number one, it could impact your sample sizes. There's a huge part of employee benefit plan audits that has to do with what we call compliance testing. It's basically looking at each individual participant. Not each, because you just select a sample, but the participant balances, and making sure the plan is operating effectively and in accordance with the plan provisions that are adopted in the plan document. For that, in order to fulfill that part of the audit, you have to go through and select a sample of participants to test. Now, your sample is oftentimes based on volume, so if distributions increased significantly during the year because the company adopted the coronavirus-related distribution, your sample size would increase, which would mean then it might take longer to audit. That's one thing: it could impact timing and just volume of work.

Then, as far as internal controls, the potential, as I mentioned earlier, for the lack of segregation of duties … it could lead to error. When you're auditing an employee benefit plan, you're working with a plan sponsor. That plan sponsor is in the business of selling or doing whatever that business does.

They're not in the business of administering a 401k plan. They just, that's what they're doing here. That's why they hire service providers and things like that, which is great. Through our experience, we do often find errors, which is totally normal because there's a lot of plan provisions and errors can occur. It's totally normal. In 2020, if there was either turnover or lack of segregation of duties, or if there was re-prioritization where they weren't focusing on administering the plan, there's even more potential for that. We'll always take time and look at the definition of plan compensation, the application of eligibility, timely deposits, things like that. We might spend a little more time and do a little bit more in depth with an analysis, depending on what went on with the plan sponsor.

Touching on a few additional areas that could be affected, what might be the concern in the area of plan terminations and partial plan terminations?

[Cox] I mentioned earlier about our checklist. One of the questions that we did incorporate this year, which again, these are not new concepts … we anticipate that we'll run into them more this year, perhaps … one of the questions is, did the employer have a significant reduction in employees during 2020? The reason that we ask is because the determination of whether a partial plan termination has occurred, just like everything, is gray. It's based on facts and circumstances, but as a general rule, the IRS has said that a more than 20% reduction in the number of participants is considered to be a partial plan termination.

What we would do is we would say, okay, did you have a significant reduction in employees during 2020? If the answer is yes, was it 20% or more of the workforce? If the answer is yes, then we're going to say, okay, so have you thought about partial plan termination? Have you looked at the actual participant counts? Was it reduced 20%? We'll get into that conversation.

There is good news this year. Typically, if a partial plan termination has occurred, that determination has to be made ... oh, and the consequence of partial plan termination is that any affected employee has to be 100% vested. That's the consequence. Typically, in a typical year, you would have to make that determination and 100% vest those affected participants by the end of that plan year. This year, the Consolidated Appropriations Act of 2021 extended that determination period to March 31 of 2021. It still has already occurred, but it did make it longer. Basically, you wouldn't have a partial plan termination if the active participant count as of March 31, 2021, is at least 80% of the active participant count on March 13, 2020, which is the date of the national emergency. That's a good thing. That's a partial plan termination.

Plan terminations, there's really been no change as a result of COVID or anything like that. The thing that we always look for, if you do have a plan termination, from an auditor's perspective, we're worried about timing. Basically, if you have a plan termination during the year, at the end of that month, you would start the clock of seven months. That's the filing date requirement, so it would be seven months after that month when the plan termination occurred. That's where we see errors, in that area. It's just the timing of filing. Again, that hasn't changed this year.

Might there need to be considerations that have to be made as it relates to going-concern matters?

[Cox] Again, it wouldn't be new, but we would be thinking about it a little bit more because, basically, you don't ... as far as going concern of the plan, you do have to look to the plan sponsor, because if there are issues with the plan sponsor where they might not be able to survive, what's going to happen to the plan? Number one, are they going to be able to fund it or make matching contributions like they're supposed to? Probably not. Number two, then the plan will need to be terminated and all of those other things would happen as a result. Really thinking about that and the going concern at the plan sponsor, because those considerations would trickle down then to the plan itself, it would be the same types of considerations and it would be disclosures, potentially a different way of reporting the financial statements on a liquidation basis. That's definitely a consideration.

How about employee benefit plan fraud? Has it become more of a concern?

[Cox] Well, I mean, you figure, again, it's always a concern, but you figure people ... desperate times call for desperate measures, number one, unfortunately. There's a lot at stake. There's a lot. It's an easy target because plan assets are big and the information is public. If you get on EFAST, you could pull up a 5500 of any company and you could see how much is in the plan. There's a lot at stake. The idea of fraud goes hand-in-hand with cybersecurity. If I'm thinking about advising clients on what they could do to help mitigate the risk, you can't eliminate the risk, can never do that, but what you could do to help mitigate it is number one, all of the things that I've previously discussed, good fiduciary practices, monitoring your service providers, looking at their SOC 1s, and then really just looking at that money coming out of the plan and making sure it looks reasonable.

Obviously the struggle is, everyone's pressed for time. Everyone's got a million things on their plate, so really, are you going to add another step? If I were to add any additional step, personally, as far as monitoring the plan, it would just be to look at that distribution report on a periodic basis and just make sure that the money coming out of the plan looks right. Unfortunately, it hasn't happened on any of my specific clients, but clients within the firm, we have had, we've seen fraud within employee benefit plans. A lot of times … the one that I can think of off the top of my head had to do with the company used the service provider and the way that you were able to get a distribution is you email this email address or whatever.

When it's done online where you have to have your login, they emailed the service provider that looked legitimate, they sent the money. That kind of thing can happen if people hack into the system or whatever it may be. I could go on a tangent about that, but really just implementing internal controls at the plan sponsor and monitoring that money coming out of the plan is key to try to mitigate that risk.
