
Plans’ Financial Statements and Audit Considerations

Comprehensive coverage of employee benefit plan financial statement requirements, emphasizing controls over participant data, contributions, and distributions for robust audit readiness.

18.4 Plans’ Financial Statements and Audit Considerations

Employee benefit plans, whether defined benefit, defined contribution, or health and welfare arrangements, are entrusted with significant assets on behalf of participants. Stakeholders such as plan sponsors, participants, regulators, and auditors rely on accurate and transparent financial statements to evaluate a plan’s financial stability and compliance with regulatory requirements (e.g., ERISA, Department of Labor (DOL) regulations). This section delves into the core components of employee benefit plan financial statements, the specific considerations when auditing these statements, and the internal controls essential for safeguarding participant data, contributions, and distributions. It builds upon material covered in Chapter 18 of this guide, focusing on best practices, controls, and risk mitigation techniques that keep plans operationally sound and auditor-ready.

Maintaining robust internal controls over participant data, contributions, and distributions is crucial. If participant data is incomplete or inaccurate, everything from contribution amounts to eligibility and vesting schedules may be compromised. Likewise, late or misallocated contributions erode participant and regulator confidence, while unverified distributions can lead to unauthorized or fraudulent outflows. Properly designed controls ensure verified data flows into the plan’s books and is accurately represented in the financial statements.

This detailed overview presents the primary statements prepared by employee benefit plans, the unique items included in those statements, and how audits test the reliability of reported amounts and disclosures. We also examine best practices for plan sponsors to strengthen related controls, common pitfalls that can lead to audit findings, and real-world examples illustrating how internal controls function in practice.

Purpose and Scope of Plan Financial Statements

Employee benefit plans typically prepare financial statements in accordance with U.S. Generally Accepted Accounting Principles (GAAP), specifically under Accounting Standards Codification (ASC) 960 (Defined Benefit Pension Plans), ASC 962 (Defined Contribution Pension Plans), or ASC 965 (Health and Welfare Benefit Plans). These statements aim to provide participants and regulatory agencies with timely, relevant, and reliable information on:

• The plan’s net assets available for benefits and the changes in those net assets over time
• The nature of investments, administrative expenses, and plan obligations
• The plan’s compliance with key regulations, including timely remittances of participant and employer contributions

The main financial statements include:

• Statement of Net Assets Available for Benefits
• Statement of Changes in Net Assets Available for Benefits
• Notes to financial statements (including significant accounting policies, plan description, and investment details)
• Supplementary schedules (such as the Schedule of Assets, Schedule of Reportable Transactions, and Schedule of Nonexempt Transactions)

In addition, defined benefit plans must account for the plan’s actuarial present value of future benefits, while defined contribution plans emphasize participant-directed investment holdings and changes in those holdings. Health and welfare plans typically report promises for medical, life insurance, disability, and other benefits.

Importance of Internal Control Over Participant Data

At the heart of accuracy in plan financial statements is the integrity of participant data. Each participant’s eligibility status, vesting percentage, compensation details, and selected contribution rates feed directly into the calculation of contributions and distributions. Erroneous or incomplete data leads not only to financial statement misrepresentations but also to possible fiduciary violations.

Common participant data elements include:

• Personal identification information (name, address, date of birth, Social Security Number)
• Employment data (date of hire, compensation, overtime, bonuses)
• Plan entry dates, eligibility status, and vesting schedules
• Contribution elections (percentage of salary or fixed amounts)
• Beneficiary designations and spousal consent forms, where applicable

Strong IT controls, secure data transmission channels, and frequent reconciliations between HR and payroll systems serve as cornerstones of reliable participant data. Plan sponsors often collaborate with recordkeepers, third-party administrators (TPAs), and custodians/trustees to maintain this data. Clear delineation of responsibilities, thorough documentation of participant changes (e.g., status changes, deferrals, addresses), and timely data updates all help ensure a controlled flow of information.

In the event of an audit, plan auditors test participant data accuracy by selecting samples of participants and verifying attributes such as date of birth, hire date, compensation history, and contribution allocations. They then trace this information through the payroll system and into the plan’s accounting records to confirm consistent and proper processing of contributions and benefit calculations.

Contributions: Ensuring Timeliness and Accuracy

Contributions are typically the primary inflows of plan assets. They can come from participants’ elective deferrals, employer matches or profit-sharing contributions, and sometimes from additional employer contributions such as safe harbor or profit-sharing amounts. If contributions are not remitted accurately and on time, the plan risks DOL enforcement actions and potential participant losses.

Key controls around contributions seek to ensure each participant’s deferral election is implemented, contribution amounts are properly calculated based on compensation definitions, and that deposits are sent to the trust or custodian in a timely manner. Common procedures include:

• Frequency of remittances: The DOL generally requires participant contributions be deposited “as soon as administratively feasible,” but no later than the 15th business day of the following month for large plans (though best practice is generally to coincide with payroll).
• Monitoring of payroll feeds: Automating the flow of compensation data from payroll software to the plan’s recordkeeper or TPA facilitates accurate calculations of deferral amounts.
• Reconciliation processes: Periodic reconciliations of participant contributions in the plan trust with the employer’s payroll reports ensure no discrepancies, omissions, or delayed deposits.

During an audit, contributions represent a high-risk area. Auditors typically confirm a sample of contributions tied to participants’ payroll records, verifying the consistency of deferral rates, payroll periods, and the dates of deposit to the plan trust. Any late contribution or shortfall must be investigated and corrected, often requiring the employer to make corrective contributions (including lost earnings) to compensate participants for missed or delayed amounts.

Distributions: Validation and Authorization

Distributions represent outflows from the plan to participants or beneficiaries—often upon retirement, termination of employment, hardship, or for in-service withdrawals (if the plan permits). The risk of fraud or errors in processing distributions is significant because an unauthorized distribution directly depletes plan assets without a matching inflow. Common types of distributions include:

• Lump-sum payouts upon termination
• Required Minimum Distributions (RMDs) for older participants
• Hardship withdrawals for defined hardship events
• Loan disbursements (for plans that permit participant loans)

Effective controls ensure distributions are appropriately documented, authorized, and accurately computed. Plans should verify:

• Participant eligibility or event triggering the distribution (e.g., retirement, hardship)
• Availability of vested balances
• Tax withholding and reporting requirements (appropriate withholding, Form 1099-R)
• Spousal consent or beneficiary authorization where required

Auditors commonly test distributions by selecting a sample of paid benefits and verifying participant eligibility, recalculating the distribution amounts using plan provisions, and confirming the distribution was authorized by both the sponsor and the participant (or beneficiary). Additional focus is placed on the timeliness of required distributions and verifying compliance with regulations (e.g., ensuring that participants who reached the required minimum distribution age have indeed received payments).

Types of Employee Benefit Plan Audits

The DOL and ERISA guidelines frequently require an annual audit of large employee benefit plans. For many 401(k) or other defined contribution plans, sponsors may elect a “limited-scope audit” if a qualified institution (e.g., certain banks or insurance carriers) certifies both the completeness and accuracy of investment information. However, the limited-scope approach still requires the auditor to test participant data, contributions, distributions, and other areas.

Full-scope audits, on the other hand, demand that auditors examine all facets of the plan’s financial statements, including both participant and investment transaction detail. They provide a greater degree of assurance but are more extensive, time-consuming, and expensive.

Common Financial Statement Components

Although plan financial statements may vary somewhat by plan type, most statements contain at least two primary pieces of information:

  1. Statement of Net Assets Available for Benefits
    • Shows the plan’s net assets—generally composed of investments in mutual funds, stocks, bonds, alternative investments, or insurance contracts—at the end of the year.
    • Discloses contributions receivable, benefit claims payable, and any plan liabilities.

  2. Statement of Changes in Net Assets Available for Benefits
    • Presents how net assets changed due to contributions, distributions, investment income, and administrative expenses.
    • May detail realized and unrealized appreciation or depreciation on the plan’s investments.

Supplementary schedules demanded by ERISA regulations provide additional clarity. Examples include:

• Schedule of Assets Held at End of Year (identifying each investment type and value)
• Schedule of Reportable Transactions (showing specified large or significant transactions)
• Schedule of Nonexempt Transactions (highlighting any prohibited or noncompliant transactions with related parties or other infractions)

Special Considerations for Defined Benefit Plans

Defined benefit (DB) plans face unique complexity in measuring obligations. An actuary calculates the present value of future plan benefits, incorporating assumptions around mortality, discount rates, and future compensation levels if the plan formula accounts for that. The plan then compares these future obligations to assets held to measure any funded status surplus or deficit. Key risks include:

• Actuarial valuation errors
• Inaccurate or incomplete census data
• Mismatch between plan investment strategy and obligation timings

Auditors typically perform specialized audit procedures around actuarial data, verifying participant census data and the reasonableness of assumptions. Additionally, the Statement of Accumulated Plan Benefits or a footnote summarizing the plan’s funded status is generally included in the financial statements to inform readers of future obligations.

Special Considerations for Health and Welfare Plans

Health and welfare benefit plans (e.g., medical, dental, disability, life insurance) differ from pension plans by focusing on periodic coverage of participant claims rather than accumulations of plan assets. Major audit considerations revolve around verifying eligibility, claims administration, premium payments, and the plan’s obligations for incurred-but-not-reported (IBNR) claims. These can be confirmed through:

• Reviewing participant-level claims data for coverage periods and eligibility accuracy
• Testing claims processing controls and verifying claims are valid and supported
• Comparing claims liabilities reported to actual claims paid subsequent to the period-end

If a plan self-insures, the financial statements must reflect accrued claims liabilities. Proper internal controls ensure the plan retains enough funds to meet near-term obligations to participants and beneficiaries.

Controls Over Participant Data, Contributions, and Distributions

Employee benefit plans combine significant volumes of data from HR, payroll, recordkeeping, and third-party platforms. Effective internal control over financial reporting (ICFR) in the plan context requires robust policies and procedures at multiple checkpoints. The following highlights standard best practices:

• Participant Data Governance:
– Use role-based access controls to restrict who can modify participant information.
– Conduct periodic reviews of participant data for changes in employment status, deferral rates, or addresses.
– Document changes comprehensively, requiring approvals for unusual transactions such as retroactive adjustments or out-of-cycle eligibility.

• Contributions and Payroll Integration:
– Automate contributions via direct linkage between payroll systems and trust/custodian accounts.
– Reconcile payroll records to trust statements monthly or quarterly to detect any erroneous or missing deposits.
– Trigger alerts for missed or late contributions, ensuring immediate corrective action.

• Distribution Authorization:
– Adopt dual-authorization procedures for all distributions over a certain threshold.
– Require third-party verification for spousal consent or beneficiary payouts.
– Enforce documented approvals for hardship withdrawals, verifying the correctness of supporting documentation (e.g., medical bills, eviction notices).

• Cybersecurity Measures:
– Encrypt participant data at rest and in transit.
– Vet third-party vendors’ security practices to ensure plan data remains protected.
– Train internal staff on phishing and other social engineering threats, given the sensitivity of participant data.

These internal controls, when effectively designed and consistently applied, drastically reduce the risk of financial misstatement and secure plan assets and participant privacy.
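The payroll-to-trust reconciliation, late-deposit alert, and dual-authorization checks listed above can be automated; the following is an added example, not part of the original guide. The record layouts, finding codes, `DEPOSIT_WINDOW_DAYS`, `DUAL_AUTH_THRESHOLD`, the rule that a requester cannot approve their own request, and all sample rows are constructed assumptions to be replaced with the plan's own policy values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal

# Assumed policy values (not from the guide); set them from the plan document.
DEPOSIT_WINDOW_DAYS = 5                     # business days, pay date to trust deposit
DUAL_AUTH_THRESHOLD = Decimal("10000.00")   # above this, two independent approvers

@dataclass(frozen=True)
class Deferral:                 # payroll row: one participant, one pay date
    pid: str
    pay_date: date
    compensation: Decimal
    elected_rate: Decimal
    withheld: Decimal

@dataclass(frozen=True)
class Deposit:                  # trust/custodian row
    pid: str
    pay_date: date
    deposit_date: date
    amount: Decimal

@dataclass(frozen=True)
class Distribution:
    dist_id: str
    amount: Decimal
    vested_balance: Decimal
    requested_by: str
    approvers: tuple

def business_days(start, end):
    """Weekdays after `start` up to and including `end` (holidays ignored)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        days += d.weekday() < 5
    return days

def reconcile_contributions(payroll, deposits):
    """Return sorted (pid, pay_date, finding) tuples for payroll vs. trust."""
    by_key = {(d.pid, d.pay_date): d for d in deposits}
    findings = []
    for row in payroll:
        key = (row.pid, row.pay_date)
        expected = (row.compensation * row.elected_rate).quantize(Decimal("0.01"))
        if row.withheld != expected:         # e.g. election lost in a migration
            findings.append((*key, "WITHHOLDING_MISMATCH"))
        dep = by_key.pop(key, None)
        if dep is None:
            if row.withheld > 0:             # money withheld but never deposited
                findings.append((*key, "MISSING_DEPOSIT"))
        elif dep.amount != row.withheld:
            findings.append((*key, "DEPOSIT_MISMATCH"))
        elif business_days(row.pay_date, dep.deposit_date) > DEPOSIT_WINDOW_DAYS:
            findings.append((*key, "LATE_DEPOSIT"))
    # Anything left in by_key reached the trust with no payroll row behind it.
    findings += [(*key, "UNMATCHED_DEPOSIT") for key in by_key]
    return sorted(findings)

def check_distributions(distributions):
    """Flag payouts above the vested balance or lacking independent approval."""
    findings = []
    for d in distributions:
        if d.amount > d.vested_balance:
            findings.append((d.dist_id, "EXCEEDS_VESTED_BALANCE"))
        independent = set(d.approvers) - {d.requested_by}   # self-approval never counts
        required = 2 if d.amount > DUAL_AUTH_THRESHOLD else 1
        if len(independent) < required:
            findings.append((d.dist_id, "INSUFFICIENT_APPROVAL"))
    return findings

# Constructed sample data (not real plan records). 2024-03-15 is a Friday.
PAY = date(2024, 3, 15)
PAYROLL = [
    Deferral("P001", PAY, Decimal("4000.00"), Decimal("0.05"), Decimal("200.00")),
    Deferral("P002", PAY, Decimal("5000.00"), Decimal("0.05"), Decimal("0.00")),
    Deferral("P003", PAY, Decimal("3000.00"), Decimal("0.04"), Decimal("120.00")),
    Deferral("P004", PAY, Decimal("6000.00"), Decimal("0.03"), Decimal("180.00")),
]
DEPOSITS = [Deposit("P001", PAY, date(2024, 3, 19), Decimal("200.00")),
            Deposit("P003", PAY, date(2024, 4, 2), Decimal("120.00"))]
DISTRIBUTIONS = [
    Distribution("D1", Decimal("2500.00"), Decimal("9000.00"), "ops1", ("mgr1",)),
    Distribution("D2", Decimal("25000.00"), Decimal("40000.00"), "ops1", ("ops1", "mgr1")),
    Distribution("D3", Decimal("12000.00"), Decimal("11000.00"), "ops2", ("mgr1", "mgr2")),
]

if __name__ == "__main__":
    print(reconcile_contributions(PAYROLL, DEPOSITS), check_distributions(DISTRIBUTIONS))
```

Because deposits are matched by participant and pay date rather than by totals, a $0 withholding for a participant with an active election surfaces even when the batch total looks plausible.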

Common Pitfalls and Challenges

Despite sound design, various pitfalls often arise in employee benefit plan administration and audits, potentially undermining a plan’s compliance and credibility:

• Late or Partial Remittance of Contributions: Even one instance of a contribution being deposited well past the payroll date can constitute a fiduciary breach under DOL regulations.
• Inconsistent Compensation Definitions: Plans often define “compensation” differently for match vs. profit-sharing contributions. Failing to accurately implement these definitions causes plan-level operational errors.
• Incorrect Participant Eligibility Dates: Inaccuracies in the HR system or mishandled rehires lead to participants entering the plan late or too early, resulting in errors in contributions and distributions.
• Unrecorded or Undocumented Distributions: Without robust distribution controls, participants (or unscrupulous insiders) might request disbursements that go undetected, leading to asset misappropriation.
• Lack of Reconciliation: Discrepancies between recordkeeper reports, payroll feeds, and custodian statements can persist if reconciliation processes are weak or inconsistent.

When confronted with these issues, sponsors must take immediate corrective action. This may include making participants whole for missed contributions, recalculating benefits, or filing corrected regulatory forms (e.g., Form 5330 with the IRS or informing DOL of late remittances).

Sample Case Study: Internal Control Gaps in a 401(k) Plan

Consider the “ABC Manufacturing 401(k) Plan,” a mid-size plan with around 300 participants. During the year, the plan upgraded its HR and payroll systems but did not implement robust integration controls. As a result:

• Some employees’ deferral rates did not migrate correctly, causing inaccurate contribution amounts.
• Outdated participant addresses stayed in the system, leading participants to miss out on timely distribution notifications.
• The plan sponsor noticed several $0 contributions for employees who had historically contributed 5% of compensation.

Upon audit, these errors resulted in findings that contributions were late for a subset of employees; additionally, two distributions exceeded the authorized limit because the plan sponsor’s new system permitted an override without the required second-level approval. Based on these findings, the plan sponsor:

• Performed a 100% review of all employees’ contribution elections to correct any mismatches.
• Implemented a reconciliation process between HR records and payroll data, running at month-end.
• Updated distribution authorization levels, requiring a written signoff for amounts exceeding a certain threshold.

This case underscores how new processes or systems can create unforeseen control gaps if not thoroughly tested and monitored, particularly with participant data and contribution flows.

Diagram: Simplified Flow of Participant Data, Contributions, and Distributions

Below is a Mermaid flowchart illustrating the typical data and financial flows from participants to the plan’s final financial statements:

    flowchart LR
        A["Participant Data <br/> & Elections"] --> B["Payroll System <br/> (Comp & Deferrals)"]
        B --> C["Plan Recordkeeper <br/> or TPA"]
        C --> D["Custodian/Trustee <br/> Manages Plan Assets"]
        D --> E["Financial Statements <br/> & Disclosures"]

• Participants set or change their deferral elections, which feed into the payroll system.
• Payroll data is transmitted to the plan’s recordkeeper or TPA, who uses it to monitor participant balances, contributions, and vesting.
• Funds flow to the custodian or trustee, which invests plan assets in accordance with the plan’s investment policy and participant directions (in the case of participant-directed plans).
• Financial statements aggregate and present plan assets, liabilities, contributions, distributions, and other transactions for public or regulatory review.

Audit Strategies and Testing Procedures

Auditors approach employee benefit plan audits with a risk-based mindset, focusing on the areas most susceptible to error or fraud. Typical procedures include:

• Review of Internal Controls: The auditor evaluates the design and implementation of key controls related to participant data, contributions, and distributions. This stage often involves interviews with plan personnel, walkthroughs of processes, and inspection of control documentation.
• Participant Data Testing: Auditors select samples of participants to verify personal information, compensation details, and plan eligibility. This includes matching HR records with payroll data, checking vesting, and ensuring any significant changes were approved.
• Contribution and Benefit Payment Testing: Using a sample approach, auditors recalculate contribution amounts and trace the proceeds to the custodian. They likewise verify distributions, checking eligibility, amounts, and authorization.
• Confirmation of Investments and Balances: In full-scope audits, direct confirmations are sent to custodians, banks, or investment managers for plan asset balances. For limited-scope audits, the auditor relies on a certification from an authorized institution for investment information, but continues to test participant transactions and non-investment data.
• Review of Plan Provisions: The auditor ensures that the plan’s operational practices align with the plan document, verifying if compensation definitions, eligibility criteria, and distribution restrictions match actual practice.
• Analytical Procedures: High-level reasonableness tests, such as comparing total contributions to total eligible compensation or analyzing distribution patterns relative to the participant population, help detect anomalies.

Best Practices for Plan Sponsors

Plan sponsors can mitigate risks and ensure efficient audits by adopting the following approaches:

• Streamline Recordkeeping Processes: Use one integrated HR/payroll/TPA platform or ensure robust data mapping and reconciliation protocols between separate systems.
• Document Roles and Responsibilities: Clarify which department or external provider handles eligibility oversight, contribution calculations, and distribution approvals.
• Perform Quarterly Self-Audits: Proactively identify and correct errors in participant data or remittance amounts before the annual audit begins.
• Stay Current with Regulatory Changes: Monitor updates from the DOL, IRS, and AICPA regarding reporting requirements, deadlines, or authoritative guidance that may affect benefit plan audits.
• Oversee Service Providers: Conduct due diligence of TPAs and recordkeepers to confirm adequate cybersecurity, data protection, and error resolution practices.

When these best practices are part of a continuous improvement mindset, plan sponsors establish a culture of accountability that fosters participant trust and ensures smoother audits.

Looking Ahead

Employee benefit plans will likely continue to see evolution in both regulatory expectations and participant demands, especially related to technology. The rise of automated payroll interfaces, mobile plan apps, and blockchain-based recordkeeping brings both opportunities and new challenges for controlling data and validating transactions. Moreover, heightened cybersecurity threats place additional pressure on plan sponsors to protect sensitive participant information.

Through thoughtful control structures, robust audit procedures, and a proactive stance in monitoring emerging best practices, plan sponsors and auditors can collaborate to deliver transparent, reliable plan financial statements that stand up to regulatory scrutiny and participant inquiries alike.

Employee Benefit Plans: Financial Statement & Audit Essentials Quiz

### Which of the following best describes the main purpose of employee benefit plan financial statements?

- [ ] To provide the sponsor’s shareholders with detailed payout data
- [x] To inform participants, regulators, and other stakeholders about the plan’s financial status and transactions
- [ ] To forecast corporate budgetary allocations for overhead
- [ ] To track employment eligibility for a new hire

> **Explanation:** Employee benefit plan financial statements must capture net assets, changes in net assets, and significant disclosures about investments and transactions to keep participants and regulators informed.

### Which statement type is typically included in employee benefit plan financial statements under ASC 960, 962, or 965?

- [x] Statement of Net Assets Available for Benefits
- [ ] Statement of Cash Flows for 10 Years
- [ ] Break-even Analysis of Plan Sponsor Operations
- [ ] Rolling Budgets for Benefit Contributions

> **Explanation:** Employee benefit plans often include a Statement of Net Assets Available for Benefits (or similar) and a Statement of Changes in Net Assets Available for Benefits to detail plan-level financial activities.

### What is the primary reason participant data accuracy is paramount in plan financial statements?

- [ ] It determines the plan sponsor’s annual revenue
- [x] It drives the accuracy of contributions, vesting, and distributions
- [ ] It helps the sponsor convert to an IFRS basis for GAAP purposes
- [ ] It is required for over-the-counter (OTC) securities issuance

> **Explanation:** Participant data (compensation, hire date, vesting status, etc.) directly impacts contribution calculations and distribution amounts, and errors can significantly misstate the plan’s financial results.

### Which method is most effective for preventing unauthorized distributions?

- [x] Requiring dual-authorization and documented approval for distribution requests
- [ ] Permitting participants to self-certify distribution requests online without sponsor oversight
- [ ] Combining multiple distribution checks into one lump settlement
- [ ] Eliminating all participant access to their plan balances

> **Explanation:** Dual-authorization and documented approval help ensure that only valid and allowable distributions are processed, minimizing fraud or improper payouts.

### For a defined benefit plan, which entity typically provides the present value of future benefits for financial statement reporting?

- [x] An actuary using established mortality and discount rate assumptions
- [ ] A corporate tax specialist focusing on the plan’s tax return
- [x] A human resources intern using simple average salary calculations
- [ ] The Department of Labor’s online reporting tool

> **Explanation:** Defined benefit plans rely on actuarial valuations; actuaries apply professional standards for discount rates, mortality tables, and other assumptions to compute the present value of future obligations.

### What is a common risk if a participant’s date of hire has been recorded incorrectly?

- [x] Errors in eligibility dates, contribution calculations, or vesting schedules
- [ ] Executive compensation reductions for the sponsor’s management
- [ ] Immediate plan termination by the DOL
- [ ] Automatic qualification for a limited-scope audit

> **Explanation:** An incorrect hire date can alter vesting periods and eligibility, jeopardizing the plan’s compliance and resulting in inaccurate financial reporting for contributions and distributions.

### Which action is typically taken by plan auditors to verify the completeness of contributions?

- [x] Comparing participant-level payroll data with amounts deposited to the plan
- [ ] Only reviewing the summarized plan sponsor general ledger
- [x] Accepting the plan recordkeeper’s data without further testing
- [ ] Assigning each participant an arbitrary withholding bracket

> **Explanation:** Testing contributions usually involves reconciling participant payroll records (deferral elections, wages) to the amounts remitted to the plan’s trust, ensuring no differences.

### Which of the following is often part of a plan auditor’s distribution testing?

- [x] Confirming participant eligibility, verifying benefit calculations, and ensuring proper approvals were obtained
- [ ] Rewriting the Investment Policy Statement
- [ ] Computing the plan’s administrative expense budget
- [ ] Verifying the sponsor’s executive bonuses

> **Explanation:** Distribution testing encompasses verifying eligibility requirements, recalculating payouts in accordance with plan provisions, and checking appropriate documentation and approval levels.

### What characteristic best distinguishes a full-scope audit from a limited-scope audit?

- [x] Direct examination of all plan assets, participant data, and transactions
- [ ] Insistence on one-third of participants taking distributions
- [ ] Elimination of testing on participant-level transactions
- [ ] Use of only management’s representations with no independent confirmation

> **Explanation:** A full-scope audit examines the plan comprehensively, including all assets and participant transactions, whereas a limited-scope audit may rely on a qualified institution’s certification for investment balances but still tests other plan data thoroughly.

### True or False: Late remittance of employee contributions can trigger potential penalties and requires corrective action, including making up for lost earnings.

- [x] True
- [ ] False

> **Explanation:** The DOL sets strict guidelines for timely remittance of employee contributions. Late or missing deposits constitute fiduciary breaches, often requiring corrective contributions and possibly interest for the affected participants.
