Annual Retirement Plan Audit: 11 Common Concerns From an Auditor’s Perspective

By: Joe Dillon, CFP®

Does your organization’s retirement plan require an annual audit? If your eligible participant count (including terminated employees who maintain an account balance) exceeds 100 at the beginning of your plan year, you will be required to conduct a benefit plan audit. This audit includes financial statements attached to the Form 5500, with the one exception being the 80-120 rule*.

The audit is intended to confirm that your plan is operating within the guidelines of the plan documents and follows specific Department of Labor and IRS regulations.

This article outlines auditors’ most common concerns that may lead to litigation and regulatory breach exposure for retirement plan fiduciaries. The main areas that auditors identify for plan sponsors include:

  1. Documentation for all fiduciary-level decision-making: The Employee Retirement Income Security Act (ERISA) specifies that fiduciary decision-making must follow the ERISA definition of procedural prudence, which entails a specific and rigorous process. This process and all decisions for the plan must be recorded.
  2. Establishment of Retirement Plan Committee: Every retirement plan should establish an oversight committee, which meets regularly to review the plan’s status and conduct plan management functions. This committee should be memorialized with a committee charter, identifying fiduciaries and their functions, and should be adopted via a board resolution.
  3. Formal Investment Policy Statement (IPS): An IPS provides a “road map” that must be followed when selecting and monitoring all investments within the plan. A non-executed (unsigned) IPS is typically perceived by regulators and courts as not having an investment process, which may result in an indefensible fiduciary breach of duty.
  4. Definition of compensation: Definition of compensation is not always a simple matter. Because your plan may use different definitions of compensation for different purposes, it’s important to apply the proper definition for deferrals, allocations, and testing. A plan’s compensation definition must satisfy rules for determining the amount of contributions. If the definition of compensation found in the plan documents is not administered precisely for 401(k) purposes, a fiduciary breach is likely. This can be a costly oversight.
  5. Minutes from retirement plan oversight committee meetings: Each plan committee meeting, with topics discussed and conclusions, must be documented to affirm procedural prudence.
  6. Definition of eligible employee: The definition of an employee, much like that of compensation, is often misunderstood or inaccurately administered. An example would be that of part-time employees being ineligible for plan participation. The term “part-time employee” itself has no meaning under ERISA, which focuses on hours worked when attributing eligibility to employees.
  7. Documentation of service provider selection and monitoring: The service providers selected by plan fiduciaries determine the reasonableness of fees, services, and investment opportunities. Documenting this process, in accordance with procedural prudence, is essential for fiduciary liability mitigation, as it’s the cause of much litigation.
  8. Cybersecurity controls: Plan sponsors need to be mindful of the sensitive data that they manage on behalf of their retirement plan participants, including dates of birth, Social Security numbers, and account balances. Security breaches could occur through phishing, malware, or a stolen laptop, etc. This is a relatively recent but rapidly expanding area of potential fiduciary liability.
  9. Education to participants: In addition to providing all pertinent plan-level information, it’s critical for plan sponsors to provide sufficient participant education so that participants can consistently make informed investment decisions.
  10. Delinquent remittances of EE deferrals: Delinquent remittances are a frequent and typically unintentional fiduciary operational breach. It has been stressed by ERISA and in litigation activity that participant deferrals should be remitted to the investment providers as soon as administratively feasible. This has been interpreted to mean as soon as you are able to remit payroll taxes.
  11. Plan Forfeitures: Plan forfeiture administration is another often misunderstood or overlooked operational responsibility for plan sponsors. Plan forfeitures, employer contribution amounts that accrue when an employee leaves the plan and their account is not fully vested, should be allocated at the end of each plan year in which they were accrued. If you hold forfeiture allocation longer, this becomes a fiduciary breach that can be time-consuming and administratively difficult to correct.

Many of these issues are time-consuming to manage and monitor—and they can also be costly for retirement plan sponsors.

Please reach out to Curi Capital’s Retirement Plan Solutions team at 984-202-2800 if you have any questions about the plan issues outlined above or if you would like to learn more about how we can support you and your business.

*The 80-120 rule provides an exception for growing businesses. If you (a) have between 80 and 120 participants, and, (b) were considered a small plan in the previous year, you can continue to file the shortened version of the form. When you report at least 121 participants, you must file as a large plan. If you file as a large plan after employing the 80-120 exception, you must continue to file as a large plan – even if your participant count drops below 120 – as long as you have at least 100 participants in your plan.


Curi Capital is an investment adviser registered with the U.S. Securities and Exchange Commission (SEC). Registration of an investment adviser does not imply any specific level of skill or training and does not constitute an endorsement of the firm by the SEC. Curi Capital only transacts business in states or jurisdictions in which it is properly registered or exempt from registration. A copy of Curi Capital’s current disclosure brochure, which describes, among other things, Curi Capital’s business practices, services and fees, is available through the SEC’s website at www.adviserinfo.sec.gov.

The opinions and analyses expressed herein are subject to change at any time. Any suggestions contained herein are general, and do not take into account an individual’s or entity’s specific circumstances or applicable governing law, which may vary from jurisdiction to jurisdiction and be subject to change. Distribution hereof does not constitute legal, tax, accounting, investment or other professional advice. Recipients should consult their professional advisors prior to acting on the information set forth herein.

Joe Dillon, CFP®

Joe Dillon is Curi Capital’s Managing Director of Retirement Plan Solutions, based in Raleigh, NC.

Curi RMB Capital, LLC (“Curi RMB”), is an investment adviser in Chicago, IL with other large offices in Raleigh, NC, Denver, CO, and Milwaukee, WI. Curi RMB is registered with the U.S. Securities and Exchange Commission (SEC) under the Investment Advisers Act of 1940. Registration as an investment adviser does not imply any specific level of skill or training and does not constitute an endorsement of the firm by the SEC. A copy of the firm’s current written disclosure brochure filed with the SEC, which discusses, among other things, Curi RMB's business practices, services, and fees, is available through the SEC's website www.adviserinfo.sec.gov.