The 401(k) Audit CPA Success Show: Episode 2
Many business owners are seeking help and clarity when it comes to the audit process. While they may not know where to start, they know it’s time to get started in seeking out auditing professionals who can help.
In this episode, Jamie Nau sits down with Kim Moore, director of auditing at Summit CPA, to shed some much-needed light on how the auditing process works and what you need to know to stay compliant.
Jamie Nau: Welcome to the 401(k) Audit CPA Success Show. I'm your host, Jimmy Nau, and today I'm joined again by our Director of Auditing, Kim Moore. In the last episode we talked a little bit about how Summit started the 401(k) process and also dug into Kim's background. Today we're going to talk a little bit more about the 401(k) process and find out more.
Jamie Nau: Kim how are you doing today?
Kim Moore: I'm doing really well, thanks Jamie. It’s good to be back.
Jamie Nau: It’s still a busy time of year for you.
Kim Moore: It is a very busy time. Yes. Yeah. We have four weeks left till our big deadline. So busy, busy, busy time here.
Jamie Nau: Awesome. So let’s jump into the process a little bit here. So let's start at the beginning. So if I'm someone that needs a 401(k) audit how should I go about finding a for 401(k) auditor? What steps should I take?
Kim Moore: Let's first talk, why would you need an auditor in the first place? Because not every plan needs an audit. Generally there is some kind of detailed rules around this. But generally, if you have over one hundred eligible participants you're going to need an audit. I won't go into all the details around the kind of exclusions to that. But generally, if you have over one hundred people now. People also get confused. The one hundred isn't just people that are participating in plan. Obviously if you have one hundred people that are participating in your plan they're putting money into the plan every payroll. Obviously you need an audit because you are over the hundred. But it also includes folks at your company that are eligible to participate in the plan. But if for whatever reason not to. that's not a problem that they elected not to participate. You still need to include those numbers in that count. So if you include the people that are participating in the plan, folks that are still in the plan that maybe left your company, they've terminated employment with you but their funds are still in the 401(k) plan, you have to count them, and you have to count the folks that are eligible to participate. If the total of that is over a hundred then you need an audit. So if you're in that category, lucky you. I tell people you win the lottery, you get to participate in the 401(k) lottery, and you need to find what's called a, qualified accountant. That is what the regulators call us. But you need to find a CPA that can perform the audit for you. And there's a variety of ways you can look around your locale, and see if you maybe you already know someone who's a CPA, you might want to talk to them. Maybe you already have a CPA, someone who does some tax work for you, maybe someone who does some other odd work for you. That would be a good starting point, reach out to them. And if none of the those play, you don't know anybody at all, what a lot of people do, and this is how they come to us, is they just get on Google search and look around for a n 401(k) auditor and Summit’s name will pop up. So that's another way, you can just Google audit just like you do for anything else and see who's out there. Some things to look for though, and what happens a lot of times with people that are looking for an auditor, is they focus on price. You know, I don't know what this thing is I just know I need one. Can you do it? And how much is it going to cost me? Obviously that matters you care about how much it costs, but you don't want to focus exclusively on price. The folks that need this audit, the people that are out there looking for the auditor, they are usually what are called plan fiduciaries, so they're held to a pretty high standard by the regulatory bodies, which in this case is primarily the Department of Labor from the federal government and they hold them to a really high standard. So believe it or not if you hire an auditor and that auditor doesn't know what they're doing and they don't do all the things in the audit that they're supposed to they will hold the company that is sponsoring this 401(k) plan, in they will hold them personally and liable at a company as well. So as an individual you can be held liable for a bad audit even though you didn't do the audit, you're not the CPA. So it is really important that you make sure you find an auditor that does a lot of these audits. Someone that really understands the nature of this type of audit, not just starting out in general, but this specific type of audit. They are unique compliance oriented audits and most auditors are not that familiar with the specifics involved. So what we recommend people do is ask a series of questions. Number one, obviously, do you do these kind of audits? Because some auditors don't even touch them. So, do you do these kind of audits? How many do you do a year? How long have you been doing them? What's the background experience of the people that will be doing the audit, not just the person in charge, but the person that's actually going to be doing your audit. What kind of training do you get on these types of audits? Again not audit specific, or general, but this specific type of audit. And then lastly there's something called the Employee Benefit Plan Audit Quality Center. I know that's a mouthful but that's a specific group from the AICPA which is the professional group for all of us accounting types. And it's a specialized group inside that big huge regulatory authority body that specializes for auditors in this specific type of auditing. It's a voluntary organization. You have to meet certain criteria to be able to belong. Summit CPA is a member and with members in that particular organization you get specific training. You get specific tools that are geared just to this unique type of audit. It helps make sure that the audits are quality audits. It helps make sure you're up to date with the latest regulatory information. Anything new that's coming down the pike we'll know ahead of everybody else. Just because our membership in that body. So that's another thing to ask. Do you belong to that? The last thing I would say, is that anybody who performs the audits across the country, doesn't matter what state you're in, you are required every three years to get something called a peer review. And what that basically means is another auditor is going to audit your work. They're going to come in, they're going to choose a few audits, and then they're going to give you feedback on the things that they saw that maybe you can work on to help improve, or things that they really like that you're doing. Maybe other people aren't doing. But at the end of that they're going to write a report and you can get one of three ratings. The highest ratings just sounds awful. But the highest rating is just that you passed, you know, they don't have anything like, wow you're great! Or anything, just a pass that’s the highest rating. But that's really what you want to see. So another thing you might want to ask as you're calling around vetting potential auditors, when do they have their last peer review and can you see the report? And actually if you belong to that quality center that I just mentioned, they will be become public so you can actually go on the AICPA website. You could look up Summit CPA and it will show you our most current peer reviewed report. That's another requirement. So even if they don't give it to you, you can usually see on the AICPA website. So another thing to ask them is about peer review. So ask all those questions, get that documentation. Take a look at it you might want to try to ask them for references or talk to some current clients. Another thing some of our new audit clients have done is putting all that information together from all of the people that they talked to, and from there selected the one that they think best fits their needs and is a quality auditor. You just want to make sure it's a quality auditor.
Jamie Nau: I think what you said that was really important is that it is a special kind of audit. So I grew up in audit. I worked for about 10 years and it was kind of a fun game. Every summer my firm decided how they were going to handle the 401(k) audits. Some summer it was the everybody did it. Everybody provided 401(k) audits whether you were doing financial audits or whatnot. That's what you did during the summer was 401(k) audits. And then some summers I didn't have to do them at all because we had a specialized unit that did these audits. And that's all they did all year round and so every summer our firm seemed to switch back and forth between whether we were going to do it or whether specialized people were going to go at it is that specialized it's not a typical audit. So I think it is really important that the people that are doing it have experience because it is definitely unique for the audit industry.
Kim Moore: That's very true. Yeah it's kind of a two part audit for those who know a little bit about what the typical company financial statement audits are like. And we get a mix are our new clients. Some of them are familiar with the audit process, some of them have never been through an audit they don't even know. It's like audit is a foreign word. They don't know what it means. But for anybody who doesn't know what a financial statement audit is, this is kind of a subset of that. So we will do all of the things you do in regular financial statement audit. The end product look is very much like a typical financial statement audit. It’s going to have the audit opinion letter. It's going to have a financial statement. It's going to have the footnotes disclosures. There are some additional things that get added there. Department of Labor additional things. But the front part of it all looks very similar, at a high level, as to what you'd get in in a regular financial statement audit. But there's this other set of work that you have to do. If you've ever been in a 401(k) plan and you think about all the things that you went through throughout the lifecycle of you being in that plan. From being eligible and first getting into the plan to contributing over a number of years. And then eventually in some fashion you're going to take your money out of the plan. All of those elements get tested as part of this audit. Obviously not every participant in every plan. We're going to select a sample. But every aspect of that from, did people get offered to plan appropriately? All the way through to they're taking their money out. Was all of that handled appropriately? And there's all kinds of regulatory requirements. There's congressional acts believe or not that affect this. So it is very socialized. And as you say a lot of the audit firms just find a body. It's this summer. So whoever you have, let’s give them something to do today. Let's give them this thing over here, it's just another audit, who cares. And maybe they're not looking at all the things that they should. Because a typical auditor would do the financial pieces. They'd probably do that fine. But all of the regulatory compliance participants, the specific pieces, they'd probably just ignore or wouldn't even do them because they are very unique.
Jamie Nau: It’s more compliance like you said. So it's more, yes, no. There's no materiality. There's no like, oh well it's close. You know. It's if something is being done or it's not being done. So as an auditor you have to have the right mindset going into it.
Kim Moore: Absolutely true. There is a concept that's very foreign for sure.
Jamie Nau: You definitely changed the way you're thinking about things and switching gears there. So you mentioned the term fiduciary. I'd like you to go into that a little bit. I think it's really important from someone who's getting audited to understand what that means. Like who is the fiduciary working for? What's the purpose of it, and how a fiduciary rule works in an organization.
Kim Moore: Fiduciary is a general term that applies to a lot of different things, but specific to benefit plans. It is a defined term. There's something called ERISA, I mentioned congressional acts that influence this. The main one is something called ERISA. It was passed back in the 70s. ERISA is an acronym. It stands for a big long term, which is the actual name of the act, but that covers all benefit plans sponsored by employers, for employees that fit certain criteria. Which almost all 401(k) plans fit into that category. And it defines fiduciary as a few sets of folks. There's always got to be a name to plan trustee, that will be someone that works at the company that's sponsoring the plan. And there can be one or multiple people and it can be a group of people. So you might have a committee that oversees the 401(k) plan and all of the individuals on that committee would be the fiduciary. So anybody that has oversight over the plan, the folks that make the decisions for the plan, the folks that would say we're going to have a plan or we're going to stop having plan, those are all fiduciary individuals. There's also something called a plan administrator. Those are the people that do the day-to-day work related to the plan. So they're making sure people get into the plan appropriately. They're doing the contributions into the plan, all the day-to-day stuff that has to happen. Those individuals again can be one or multiple people. All of those individuals are also fiduciaries to the plan. There also can be other subsidiary, kind of secondary folks. Summit for example can become that if we do certain tasks for the plan. The investment adviser to the plan depending on what level of service they're providing, they can become a fiduciary. So that’s a whole group of people. It's very important if you play a role with your company for a 401(k) plan to find out what is the definition, and fit that because it's not a real easy yes, or no kind of thing. It really kind of depends on what you do; facts and circumstances based type thing. But you really want to find out because the Department of Labor and the Internal Revenue Service both look at this. They are very strict on the rules surrounding a fiduciary. A fiduciary is not allowed to act in their own best interests with regard to the plan. There's never an exception to act in the best interest of the plan and most importantly the participants. So maybe you are the CFO of the company, and you're also a fiduciary for the 401(k) plan that your plan sponsors, and you're looking at something that you need to do with regard to the plan. Maybe taking course A is going to cost the company some additional money. Course B would be cheaper. And maybe both are allowed. And in that case you could always choose the cheaper option, but if it's a matter of, I want to go with A because that's cheaper for the company, you could be violating fiduciary rules, and if you are found to have violated a rule as a fiduciary you personally can be held liable. So that would mean potentially a fine which could be small. Or it could be a large dollar amount and you are personally liable for that. The company cannot reimburse you. They're not allowed. So you would personally have to pay that. And there's also criminal penalties. Now obviously that would have to be something that you done that's very egregious. It's not going to be a minor issue. But if you know, for example, people unfortunately, company owners will take funds that should have gone to the 401(k) plan, and they will take them for their own use, or maybe pay company bills. You could go to jail. The way the DOL looks at it, we were at training session that the AICPA sponsored back in May that thousands of auditors went through, specifically for benefit plans. And there were a couple of DOL folks speaking there, and one of them was from the enforcement division and he said the way that they look at it is that participants are taking money every payday that they could have used for who knows what. Their own personal use. And instead they're giving it to the company to invest on their behalf in their 401(k) plan so they have funds to retire with. And they're planning on retiring at some age, and that using that money to help and support them at that point time, if for some reason the employer is not doing that, then the person is going to get to retirement and have no money. They won't be able to retire. So they take it very seriously, and they gave us lots of examples where things went wrong, and they went after the employer or whoever was the main fiduciary, and they're very strict, very punitive. Like I said it can involve jail time. So it's very serious, and you need to find what applies to you, and that you make sure you're following the rules. And make sure you understand the rules, because the other thing that the DOL was very strict about is that saying, I didn't know as a fiduciary, you know, I didn't understand that I wasn't allowed to do that. Or I was supposed to do this and I didn't. But that's no excuse. And they will absolutely not accept that as any kind of rationale for some type of mis-compliant activity. So you know make sure you understand the rules and you follow the rules. If you don't understand something, ask. And you know the DOL they're very open. They absolutely want you to call and ask if you're confused about something. But don't just fly by the seat of your pants with this because you can get in a lot of trouble.
Jamie Nau: Definitely a lot of great points there. I think that the key points I took from that was as a fiduciary, I'm working for the plan. I need to have the plan first in mind, and then also again, this is a big deal. I've put money into my retirement. It's important to me and I want to make sure that there is a fiduciary out there thinking of my plan. Thinking about my money and not just thinking about the company. They work for us. I always thought that was really important. That was a great answer.
Jamie Nau: So I found my 401(k) auditor. I got this great auditing firm. Signed up for it. So now I'm getting ready to jump into the audit. What is the process? Where does it start? What do I need to have ready for when the auditor comes? Or maybe they're doing it remotely.. But what do I need to have ready and how does the audit process start?
Kim Moore: Well every audit is a little bit different as you can imagine. It partly depends on the plan and the level of activity in the plan. What the plan allows and what it doesn't. But at high level, there's a few different pieces, kind of components to an audit. You're going to start off with planning and it making sense. You just sort of get in and plan whatever it is you're going to do. But for an audit, planning has a specific purpose. We are required as auditors to understand whatever it is that we're auditing, which again kind of makes sense. And from a benefit plan perspective, there are a few things that we need to do. Once the client has engaged us, that's the absolute first thing that has happened. Is that we've both agreed. Yes. This particular firm is going to do the audit. There's something called an engagement letter that the company will sign, officially engaging the auditors. Once that's done and we've got a couple of the other paperwork things done up front, the very first thing that the firm is going to do is gain an understanding of the plan and they're going to want some basic information. There are things called plan documents, service agreements, various documents that govern how the plan works. And where they need to get a hold of all of those current copies, that can either come from our client, or most clients today use service providers. So somebody called our record keeper, a TPA custodian, they may have a variety of different organizational setups that they use of service providers. But we're going to need to know who those people are, and either get in contact with them to get the information, or the client will work with them to get the information on our behalf. However the client once organized, that will also need financial information for that plan year. From those service providers we're going to need various payroll information for the year, and then also for test sample items that we're going to do. So my suggestion to people when they first start the audit, it isn't anything specific to the eye. Hopefully they've been doing this all along. Make sure you HAVE good records. You should be keeping payroll records all along, whether you need for 401(k) audit or not. If you've got a 401(k) plan you should be keeping a separate file. Whether that's an electronic file or some people still have paper files in a file cabinet. However you are doing it you should have separate 401(k) set files, and you know make sure you're keeping that all long. So when the auditor comes and asks, here is a list of twenty thins I need, you can just go to your file and pull the things and provide them the information that they need. From the planning, once we have some basic information about the plan, we've kind of looked around at that information that you've provided. The next section of the audit is called the risk and control assessment phase. So we're going to take a look at all of the procedures related to the plan, both from the service provider level, as well as our client level. So we're going to talk to the client about how does 401(k) work from their side. What do they do relative to the 401(k)? What do they not do? What do they rely on their service providers to do for them? Now we're going to get some things called SOC reports. We get these things called SOC reports from the service providers, and we'll take a look at those. Those describe the procedures and controls at those service providers. We kind of put that all together. We do an assessment of how the procedures are working. We're going to do an assessment of risk. The What Could Go Wrong? So what could either the client, or one of these service providers do wrong. Whether it's just an error, maybe somebody's doing something they're not supposed to be doing. Or they're maliciously doing something. Just in general, maybe a control that's missing. So we do an overall assessment. Out of that we're going to determine what types of testing do we need to do, and that leads us into the next phase of the audit which is the testing phase. So from that we're going to determine the different tests we're going to put together; our audit test steps and our audit samples. As I mentioned earlier, we're not going to test everything. So you may have 500 people in the plan. We are not going to test all 500 people that put money into the plan at year. We're going to pick a sample. A subset of each of those. A subset of people that put money in the plan. A subset of people that could have become eligible during the year. A subset of people who took money out of the plan. And we're going to randomly pick those people and then we're going to ask for documentation supporting all of that activity. Inevitably almost, it seems like every time there are questions. So maybe we just need some additional documentation to figure something out. Maybe it looks like something wasn't handled properly. Maybe something is just missing. Good example. Every one of these plans has to have what's called a fidelity bond that covers the whole year. It has to have a certain type. It has to have a certain amount. Some of those fiduciaries, again we go back to the fiduciary, has a responsibility to have this bond and they don't know that they need it. So we ask for a copy of the bond. They have no idea what we're talking about. They don't have one. Sometimes they'll give us a copy of the bond and it ended mid-year and they forgot to renew it. Sometimes the assets of the plan went over a certain dollar amount. Now they need a bigger bond and they didn't know that. Didn't get the bond level increase. And that's a simple example of something that we could find. Every one of those, call them variances upfront, need to come to a resolution. So ultimately, maybe there's just documentation you can provide that help cleared up and then we're fine and we just move along. Sometimes we can, as an example of the bond, come to the conclusion that you didn't have the bond and you should have. So that's a finding, and we talk about it with the client, but that's the end of it. Then they may need to go away after the audit and obtain a bond. Sometimes there can be more complicated discrepancies, and it takes a lot of back and forth to figure it out. Sometimes it can be pretty significant errors. We may have to stop the audit and let the provider work with their service providers to figure out what happened. Get it corrected, and then we come back in and finish the audit. So once you get down to the nitty gritty of the errors that we are finding, or the discrepancies, they can go down thousands of paths. But ultimately we have to come to some type of resolution. And once all of that is worked through, and we're all done testing, then we move into the final phase of the audit. Which is the reporting, and kind of wrap up. Close out, obviously, reporting of it. Put together a report which is what we talked about, that's the final deliverable that's going to include that opinion financial statements, the footnotes, and the final supplemental requires schedules. We're going to get that out to the client, let them take a look at it. Walk them through it if need be. And then do our close. Our procedures. Few things we need to do at the end is just to finalize the audit, and then the final thing that happens is we give them the finalized report. They take that report, file it with something called a forum fifty five hundred which is actually a tax return. There's no money that goes along with it, It's an informational return. But they're going to file those two things together on DOL website and then that closes out the process on our end. We have to do some of that stuff on our end, but that basically wraps it up.
Jamie Nau: So in going through an audit, what I heard there, it sounds like there are three levels of requests. So you start off with kind of the broad requests, and then from there you select more details, ask for more details. Then you get the more detailed request. Then from there comes the third request, where investigating any differences and looking for any of additional support for those things you found out. Is that a summary process?
Kim Moore: Yeah. That's pretty accurate. And we have a pretty streamlined process. So we try to group the requests together. We don’t want the client sitting on their end, and every day, or you know I always say, every five minutes I'm sending you another email or a phone call saying, hey I also need this now.
That's annoying. I mean none of us like that. So we try to have a pretty straightforward but streamlined approach. Just as you mentioned that here's the first group of materials and then from that we're going to go away do some work. Then we'll come back and give you another set of requests. Then we are going to go away and do some work, and then at the end ,you know depending on what we find, you could get lucky and we don't have a whole lot of follow up at the end. But usually there is some. But that's pretty much how it works. And we try to keep to that and not have a bunch of the in-between, you know, one off type things, because that's that just gets in the way.
Jamie Nau: You don’t want to be in their hair the entire audit.
Kim Moore: Exactly.
Jamie Nau: So we have a couple of minutes here. So I want you to kind of summarize for me. So by the time this airs there is going to be two weeks before that deadline. You just described a pretty good process. But how long does it take for an audit to get done from start to finish? Is two weeks enough time? What should I do if I'm down to the wire in this final two weeks? I don't have an auditor yet…
Kim Moore: Yeah. Typical audits, of course they all vary, but we say about three weeks is the shortest period of time we've found to do a quality audit from beginning to end. Especially if it's our first time doing the audit. Now if we've done your audit before and there haven’t been a lot of changes, there are some things we can do to shorten it. But especially if it’s your first audit with us, about the shortest we can do is three weeks. And they can take anywhere from six to eight weeks too, it just depends on the plan; how complicated it is and what activity happened during the year. What we recommend to people, absolutely you want to file that fifty five hundred if at all possible. Calendar year plans, if you got the extension your drop deadline is October 15th. So before October 15th or on October 15th you want to file fifty five hundred even if you don't have an auditor or the audit is not done. We really recommend to people is get an auditor engaged with them, then go ahead and file a fifty five hundred, and put a letter with the filing saying, I've engaged you know ABC firm to do my audit. It is under way as soon as it's completed. We'll refile the fifty five hundred with the completed audit. Now have you really met the compliance requirement? No, but you're minimizing any impact to the company or to yourself by doing THIS. So that's what we recommend. Obviously the sooner you engage the auditor, the better and sooner they are going to be able to get it wrapped up. But absolutely you want to go ahead and file a fifty five hundred. There's two separate compliance requirements ones to file a fifty five hundred. The other is to have an audit completed and filed with fifty five hundred. Those are two separate rules. They carry two separate fines. So if you don't file anything then you're leaving open both potential fines, or at least, if you file the fifty five hundred, you've stopped the fine on the one hand.
Jamie Nau: So you’ll pay the fine on the audit side, but not on the five hundred side. But when you refile it you'll just pay that additional fine.
Kim Moore: Correct. Right. And there are different programs on both the Department of Labor side and the IRS side for various failures or mistakes that people encounter. Both regulatory agencies understand this is complicated. We all make mistakes. So they have different programs that you can go into. There's how to hold your hand up as a voluntary correction program ,and say, hey I made a mistake I didn't file this on time, and that will also help lessen your fine if you get into those programs. So there are options available to people.
Jamie Nau: Great. Well I think you provided a lot of great information and I appreciate you coming on. We are out of time but we're going to meet in a couple of weeks and I think at that time let's talk about the remote audit process, and talk about what it's like to work with a remote firm. I think that would be great.
Kim Moore: Yeah I would enjoy doing that. I think the listeners would really enjoy hearing our different approach.
Jamie Nau: Got it. Awesome. Well, thank you very much for joining us.
Want to listen to more Summit CPA podcasts?