401(k) Audit Guide: Stay Compliant & Ensure Plan Success

As a plan sponsor, hearing the words “401(k) audit” can feel confusing or even scary. But think of it like a health check for your employee benefit plan. Instead of seeing it as a hassle, it can actually help you keep your plan strong and safe.

A yearly audit is very important. It helps you protect your employees’ money, make sure everything runs correctly, and fulfill your important responsibilities as a plan sponsor. This guide will explain the audit process in simple steps so you can feel confident and ready for your next Employee Benefit Plan Audit. We will cover:

  • Why audits are needed
  • Who needs an audit
  • What happens during an audit
  • How you can plan ahead to stay compliant and keep your plan successful

With the right understanding, a 401(k) audit is not just a requirement—it’s a way to make your plan better, safer, and successful in the long run.

Introduction: Handling Your 401(k) Audit Confidently

A 401(k) plan audit is not just paperwork—it’s an important check to make sure everything in your plan is being done correctly. It helps you, as a plan sponsor, follow the rules and take care of your employees’ retirement money. Knowing why an audit is done, how it works, and what to watch out for is very important. This guide will explain every step—from finding out if you need an audit to using the audit results to make your plan better. By following the process, you can protect your participants, reduce risks, and keep your 401(k) plan healthy.

Why Audits Matter: The Purpose of a 401(k) Audit

A 401(k) audit is done to make sure the plan is financially safe and fair for everyone involved. A certified public accountant (CPA) checks the plan’s financial statements, internal rules, and operations. The goal is to confirm that the numbers are correct and the plan follows all rules.

More Than Just Rules: Protecting Your Employees’ Money

The main reason for an audit is to protect employees’ retirement savings. When someone puts money into their 401(k), they trust you to manage it safely. The audit acts as an independent check, making sure:

  • Contributions are added correctly
  • Assets are properly valued
  • Withdrawals are made according to the rules

It ensures the money is safe and the plan is run for the benefit of employees only.

Audits also help build trust. Employees feel confident their retirement money is safe. This is very important because mistakes are common—about 30% of 401(k) audits find serious problems according to the Department of Labor. A good audit helps catch issues early and keep the plan strong.

Regulatory Foundations: ERISA, DOL, and IRS Oversight

The rule for 401(k) audits comes from a federal law called ERISA (Employee Retirement Income Security Act of 1974). ERISA was created to protect the retirement money of millions of American workers.

Two government groups make sure these rules are followed:

  • DOL (Department of Labor) – Their EBSA department checks if plan sponsors are following the rules and reporting correctly.
  • IRS (Internal Revenue Service) – They make sure the plan keeps its tax benefits by following the tax rules.

These agencies have strong legal power. In 2024, EBSA’s actions helped return almost $1.4 billion back to employee retirement plans.
The yearly audit helps these agencies make sure that plan sponsors are doing everything legally and correctly.

Does Your Plan Need an Audit? Key Triggers and Thresholds

One of the biggest questions plan sponsors ask is:
“Does my 401(k) plan need an audit?”

The answer mostly depends on how many participants your plan has at the start of the plan year. This number decides whether your plan is considered a small plan or a large plan.

The 100-Participant Rule: The Main Audit Trigger

If your plan has 100 or more eligible participants on the first day of the plan year, it becomes a large plan and must complete a yearly audit.

This number includes:

  • Employees who are eligible to join (even if they don’t join)
  • Former employees who still have money in the plan
  • Beneficiaries of deceased employees

This is the most important rule for deciding if an audit is required.

How to Count Participants Correctly

The counting method is very specific. You must count everyone who is eligible, even if they:

  • Are active workers and currently in the plan
  • Are retired or have left the company but still have money in the plan
  • Are eligible but chose not to participate

Many plan sponsors make the mistake of counting only people who are actively contributing, which can cause them to miss an audit they legally needed to do.
That’s why understanding this counting rule is extremely important.

Impact of the SECURE Act: Making Audits Easier for Some Small Plans

A new law called the SECURE 2.0 Act has made things easier for some small businesses.
Earlier, if a plan had 80–120 participants, it could still file as a “small plan” if it did so the year before.

Now, SECURE 2.0 changed the rules.
Only participants who actually have money in their account on the first day of the plan year are counted.

This rule applies to plan years starting on or after January 1, 2023.
Because of this change, many plans that used to look “large” (because many employees were eligible but didn’t join) may no longer need an audit.

This helps small or growing businesses save time, money, and effort.

Form 5500: The Annual Reporting Requirement

The need for an audit is connected to a form called Form 5500.
This form is sent every year to the DOL and IRS, and it shows:

  • The plan’s finances
  • Investments
  • Operations

If your plan is a large plan, you must attach the auditor’s report with this form.
The participant count you write on Form 5500 decides whether your plan is “small” or “large,” so the numbers must be 100% accurate.

Understanding the Types of 401(k) Audits

If your plan needs an audit, you should know there are two main types of audits under ERISA:

  1. Full-scope audit
  2. Limited-scope audit (ERISA Section 103(a)(3)(C))

Full Scope vs. Limited Scope Audits

Full-Scope Audit

In this audit, the auditor checks everything, including:

  • All financial statements
  • All plan operations
  • Investment assets held by banks or custodians

The auditor must verify that the investments exist and are valued correctly.

Limited-Scope Audit

This type is allowed when the plan’s investments are held by a qualified institution (like a bank, insurance company, or trust company).
The institution gives a certificate saying the investment information is correct.

Because of this certificate:

  • The auditor does not need to check the investment assets
  • The work becomes easier and cheaper

But the auditor still checks everything else, such as:

  • Participant information
  • Contributions
  • Withdrawals
  • Loans

Following Auditing Standards (GAAS)

No matter what type of audit you choose, all audits must follow GAAS (Generally Accepted Auditing Standards).
These standards come from the AICPA and make sure the audit is:

  • Professional
  • Independent
  • Done with care

The final audit report will clearly say it was done following GAAS, which helps the DOL, plan managers, and employees trust the results.

Form 5500: The Annual Reporting Link

The audit requirement is directly linked to your annual reporting obligation, the Form 5500, “Annual Return/Report of Employee Benefit Plan.” This form is filed with the DOL and IRS to report on the plan’s financial condition, investments, and operations. Large plans must attach the independent auditor’s report directly to their Form 5500 filing. The participant count you report on this form is what officially determines your status as a large or small plan, making accuracy paramount.

The 401(k) Audit Process: A Step-by-Step Guide for Plan Sponsors

For plan sponsors, the audit process can be broken down into a series of manageable steps. A proactive and organized approach can make the experience smoother and more efficient for everyone involved.

Figure: The four pillars of a 401(k) audit (Financial Integrity, Operational Compliance, Asset Verification, and Fiduciary Oversight), designed to verify plan health and protect participant assets.

Initiating the Audit: Engagement and Information Request

The process begins with selecting and formally engaging a qualified, independent CPA firm. Once engaged, the auditor will provide you with a “Prepared by Client” (PBC) list. This is a comprehensive information request detailing all the documents, reports, and data they will need to conduct their fieldwork. This list typically arrives several weeks before the fieldwork is scheduled to begin, giving you time to gather the necessary information.

Essential Documentation for Auditor Review

The PBC list will be extensive, but some key documents are almost always required. These include:

  • The executed Plan Document, adoption agreement, and all amendments.
  • The Summary Plan Description (SPD).
  • Trust reports and investment statements from the custodian.
  • A detailed employee census with demographic and payroll data.
  • Payroll records to test employee and employer contributions.
  • Loan documentation and distribution paperwork.
  • Minutes from plan governance committee meetings.
  • Proof of fidelity bond coverage.
  • Third-Party Administrator (TPA) and recordkeeper reports, including SOC 1 reports.

Understanding the Auditor’s Procedures

During fieldwork, the auditor will execute various audit procedures to test the plan’s compliance and financial accuracy. This includes:

  • Reconciling financial data from the trustee and recordkeeper to the plan’s financial statements.
  • Testing a sample of participants to verify eligibility, contributions, and compensation data.
  • Reviewing a sample of distributions and loans to ensure they were processed according to the plan document and ERISA rules.
  • Analyzing internal controls at your organization and at your service providers (like your TPA).
  • Confirming that contributions were remitted to the plan in a timely manner.

The Audit Report and Communication of Findings

Upon completion of the audit, the auditor will issue an audit report. This report contains their opinion on whether the plan’s financial statements are presented fairly, in all material respects. The opinion can be “unmodified” (a clean opinion), “qualified,” “adverse,” or a “disclaimer” of opinion. The auditor will also communicate any identified issues, such as compliance errors or internal control weaknesses, in a separate management letter.

Integrating the Audit Report with Form 5500 Filing

The final audit report is a required attachment to the Form 5500 for all large plan filers. The plan sponsor is responsible for ensuring the report is attached to the electronic filing submitted to the DOL. The Form 5500 filing deadline is seven months after the end of the plan year (e.g., July 31 for a calendar year-end plan), but it can be extended by 2.5 months.

Proactive Strategies for Audit Success: Beyond Basic Compliance

A smooth audit is not the result of last-minute scrambling but of year-round diligence. Adopting a proactive mindset toward plan administration is the best way to ensure compliance and a successful audit outcome.

Cultivating a Fiduciary Mindset: Continuous Vigilance

Your role as a plan sponsor comes with significant fiduciary responsibility. However, a concerning J.P. Morgan Asset Management survey found that 53% of plan sponsors do not realize they are a plan fiduciary. Understanding and accepting this role is the foundation of good governance. This means acting solely in the interest of participants and their beneficiaries, diversifying plan investments, and ensuring plan expenses are reasonable. A strong fiduciary process involves regular meetings, documented decisions, and ongoing education.

Keeping Clean and Accurate Records

Clean and correct data is the most important part of a smooth audit.
You must keep detailed records for everything in your 401(k) plan, including:

  • Contributions
  • Distributions
  • Loans

Also, regularly check your employee census data to make sure dates like birth, hire, and termination are correct.
Bad or messy data can cause mistakes, and auditors will quickly find these problems.

Reviewing Your Plan Document Regularly

Your plan document is the main rulebook for how your 401(k) plan should work.
You must review it from time to time so you clearly understand rules about:

  • Eligibility
  • Compensation
  • Contributions
  • Vesting

It’s also important to make sure your daily operations match exactly what the document says.
Many audit problems happen because the plan document says one thing but the company does something different. This is easy to avoid with regular review.

Strong Internal Controls: Your First Protection

Good internal controls help you prevent mistakes and fraud.
This includes:

  • Having different people handle different jobs (for example: one person does payroll, another sends contributions)
  • A supervisor checking all plan-related work

If your controls are strong and clearly documented, auditors will see that your plan is managed safely.

Using Your TPA and Advisors Wisely

Your TPA, recordkeeper, and financial advisor are very helpful partners.
Use their knowledge and skills.
Have regular meetings with them to talk about:

  • Plan performance
  • Plan administration
  • Possible compliance issues

A good TPA will provide a lot of the data needed for the audit.
But remember: you, the plan sponsor, still have the final responsibility.

Common Audit Problems and How to Prevent Them

Auditors often find the same types of mistakes in many plans.
Knowing these issues can help you avoid them.

Eligibility and Entry Date Mistakes

One common problem is when employees are allowed to join the plan at the wrong time.
This usually happens because HR and payroll systems are not following the exact rules written in the plan document.

How to Prevent This:

  • Do a self-check of employee eligibility regularly
  • Create a simple checklist based on the plan document
  • Use the checklist for every new employee

This helps ensure that everyone enters the plan at the correct time.

Common Audit Findings and How to Prevent Them

Auditors frequently uncover similar issues across many plans. Being aware of these common pitfalls can help you strengthen your own processes and avoid them.

Eligibility and Entry Date Errors

Mistakes in determining employee eligibility or their correct plan entry date are common. This can happen when HR and payroll systems are not aligned with the plan document’s specific definition of service or hours worked.

  • Prevention: Conduct a periodic self-audit of employee eligibility. Create a checklist based on the plan document’s rules and apply it consistently to all new hires.

Contribution and Remittance Issues

Late remittance of employee contributions is a significant compliance issue and a prohibited transaction under ERISA. The DOL requires that employee contributions be deposited into the plan as soon as they can be reasonably segregated from the employer’s general assets. Another common issue is using an incorrect definition of compensation to calculate contributions. A DOL Audit Quality Study highlighted that 15.3% of audits had deficiencies related to contributions, often due to failures in recalculating them correctly.

  • Prevention: Establish a firm, documented process for remitting contributions immediately following each payroll. Ensure your payroll system is correctly programmed with the plan document’s definition of compensation (e.g., including or excluding bonuses, overtime, etc.).

Participant Loan and Distribution Violations

Participant loans must comply with both the plan document’s rules and federal regulations regarding maximum amounts and repayment terms. Auditors often find loans that exceed statutory limits or have improper repayment schedules. Similarly, hardship distributions must be properly documented to prove an immediate and heavy financial need.

  • Prevention: Create a standardized process and checklist for processing all loan and distribution requests. Ensure proper documentation is collected and retained for every transaction.

Plan Document vs. Operational Discrepancies

This is a catch-all category for any instance where the plan’s daily operations do not follow the written terms of the plan document. This could involve using the wrong vesting schedule, incorrect matching formulas, or failing to automatically enroll employees as required.

  • Prevention: Treat your plan document as your operational bible. Before making any administrative changes or decisions, consult the document to ensure compliance. Regular training for anyone involved in plan administration is key.

The Value of the Annual 401(k) Audit

The yearly 401(k) audit is very important. Instead of being afraid of it, plan sponsors should see it as a helpful tool.
The audit gives you a chance to make sure:

  • Your plan is working the right way
  • Your employees’ money is safe
  • You are following your duties under ERISA

When you understand why the audit is done, when you need one, and how the process works, the audit becomes a positive way to reduce risks and improve your plan.

What You Should Remember

There are three main things you should focus on:

  1. Be careful all year long – Don’t wait until audit time.
  2. Keep good records – Save everything clearly and correctly.
  3. Think like a fiduciary – Always act in the best interest of your employees.

Make sure to regularly:

  • Check your plan document
  • Improve your internal controls
  • Get help from your TPA and other advisors

By avoiding common mistakes with contributions, eligibility, and distributions, you can make the audit smooth and successful.

Why This Matters

A well-handled audit helps you:

  • Follow DOL and IRS rules
  • Protect your employees’ retirement money
  • Build trust with your participants

When employees trust that their retirement savings are safe, your plan becomes stronger, and your responsibilities as a plan sponsor are fulfilled.
