This is the archive of CPA Now blogs posted on the PICPA website through April 30, 2025. Want more recent blogs?

Read current blogs

By William J. Hayes, managing editor, Pennsylvania CPA Journal

The fiduciary responsibilities of the sponsors of organizational employee benefit plans are legion. They include maintaining adequate fidelity bond coverage, administrating timely and accurate depositing contributions, and safeguarding clients’ assets (such as ensuring strong cybersecurity). This is just some of what employee benefit plan CPAs have to monitor. At this year's online PICPA Employee Benefit Plans Conference, Thomas M. Murphy, senior vice president of Bridgeway Wealth Partners in New York, will provide a comprehensive review. He recently sat with us to offer a glimpse of his session.

How does one go about choosing a third-party investment adviser for employee benefit plans? What qualities should we be looking for?

When choosing a third-party investment adviser, you want to start from the top. Do you want a broker-dealer or a registered investment advisor (RIA)? An RIA is considered to be a fiduciary to his or her clients, with a duty to work in the best interest of the clients and to put their needs foremost. Broker-dealers are not bound to a fiduciary duty under federal law, but a broker-dealer is required to make suitable recommendations and disclose any conflicts of interest to a client. In short, RIAs are held to a higher standard of care when managing a plan. Also, understanding how you pay the adviser will be a good indicator of how your adviser will behave. Commission-based advisers have an incentive to make recommendations based on a need to create volume rather than the merits of the underlying investment. With fee-based arrangements, advisers will be able to sit on the same side of the table as you because their paychecks only go up when the account grows.

Make sure the investment adviser uses a reputable third-party custodian for your plan. It’s also important to make sure the custodian is a good fit based on your company’s goals and objectives for the plan. Your adviser should present you with multiple options and pricing levels for custodians. You want to make sure there is a prudent investment process for how your adviser selects and monitors the investment menu along with what type of ERISA liability are they willing to take. These questions and more should be asked when looking for an adviser who is a good fit for your company.

Paying reasonable plan expenses is expected, but how do you go about determining if an expense is reasonable?

For 401(k)s, plan sponsors and participants often believe these funds charge fewer fees than individual investments, but that isn’t always the case. Fees on 401(k)s fall into three basic categories: investment, plan administration, and individual service.

Investment fees are usually the largest portion of 401(k) fees, and they include the cost of investment management and other investment-related services. These fees are generally charged as a percentage of assets. Actively managed funds tend to have higher investment fees than passively managed funds. Plan sponsors want to make sure they have a clear understanding on how those fees are being charged. Often, the fees are baked into the expense ratios of the investments: in my personal opinion, this does a disservice to the participant. An additional few basis points can hurt fund performance and therefore hurt the compounding growth over time. I prefer the company to pay rather than put the burden on the participants. Mutual fund companies often offer a fund in multiple share classes – each with different fees. You need to determine the correct share class (when applicable) for your fund before you look for indirect fees. If the 401(k) provider is an insurance company, there is a good chance each fund expense ratio that is listed in the comparative chart includes a wrap fee.

Whether it’s a bank or another financial institution, someone will be managing your 401(k). Plan administration fees cover general management like record-keeping, accounting, legal, and trustee services. It also includes additional services you may have access to, such as customer service, educational seminars, and electronic access to plan information. Some employers pay this fee for account holders, but it’s usually passed on in the form of a flat fee or a percentage of the total balance.

Service fees cover features that are opted into, like taking out 401(k) loans, rolling 401(k) investments over to an IRA, or seeking financial advisory services. They’re charged separately to participant accounts whenever a participant takes advantage of the added feature. Before you do anything other than basic buying and selling within your 401(k), investigate whether the service will incur a fee; if it does, find out how much it will cost. After you digest all of the information about fees, you want to make sure plan fees are benchmarked to make sure they are reasonable within the marketplace.

How important is adequate fidelity bond coverage?

Sponsors of an employee benefit plan are required by the Employee Retirement Income Security Act of 1974 (ERISA) to maintain a fidelity bond for that plan. The purpose of the bond is to protect plan participants against losses caused by acts of fraud or dishonesty. The fidelity bond must provide coverage equal to 10% of beginning-of-the-year assets/investments up to $500,000 ($1 million if the plan holds employer securities), with a minimum of $1,000. The bond must cover the plan for the entire year. The plan-named fiduciary/trustee could be held personally liable for any losses that occur. Fidelity bonds are easy to put in place, are not expensive, and can be paid for from plan assets if needed. Plan sponsors should annually verify that their coverage is adequate. It is very important to maintain adequate coverage for peace of mind and to help cover losses related to larceny, theft, embezzlement, forgery, and misappropriation of funds.

What are some best practices for cybersecurity in the area of safeguarding assets and data?

Retirement plan participants are major targets for data breaches. The large sums of money and sensitive personal information within 401(k) plan accounts, for instance, are a big lure. Retirement plans are frequently excluded from an organization’s cybersecurity arrangement and there are virtually no cybersecurity regulations for retirement plans. A consensus has not been reached on whether sensitive plan information is considered a plan asset under the fiduciary criteria of ERISA, which requires those with discretionary control over plan assets, administrative power, or who provide investment advisory services to have fiduciary responsibilities. Fiduciaries must act exclusively in the absolute best interest of participants and beneficiaries, so neglecting cyberthreats could possibly violate this obligation. Regardless of whether it is a violation or not, fiduciaries still should consider the threats on retirement plans and implement protections over plan assets and data while continuously analyzing technological changes.

While plan administrators, employers, and fiduciaries retain a massive amount of responsibility in terms of retirement plans, plan participants also hold responsibility. Establishing online access with one’s account is the first step toward increasing security, because you don’t want a hacker to establish that connection first. Here are some critical, yet simple ways participants can further protect plan data and assets:

• Create a complex password. Strong, complicated passwords, with upwards of 10 characters containing numbers, symbols, and upper and lower case letters are the most effective. Creating passwords that are not words you can find in a dictionary are the most successful.
• Frequently change passwords.
• Establish alternate security questions, use multifactor authentication, and regularly monitor accounts. Be aware of any changes to personal information or asset balances, ensure you receive notifications when changes to your account are made, and never allow family or friends access to account.
• Be aware of phishing schemes. Never click attachments or links in suspicious emails.
• Avoid logging into an account in untrusted locations with unsecure Wi-Fi. Not all Wi-Fi networks are safe.

Plan to attend Thomas M. Murphy’s presentation on the fiduciary responsibilities of plan sponsors at this year's online-only PICPA Employee Benefit Plans Conference.

Sign up for weekly professional and technical updates in PICPA's blogs, podcasts, and discussion board topics by completing this form.