You might not have thought much about the risks to your 401(k) plan that the pandemic has specifically created. The standard risks are still out there, and you may be finding it difficult to spend time on the general controls for your plan. However, now is not the time to slack off on monitoring, oversight, and good standard controls for your plan. Due to the pandemic, more employees are working from home, and they may not have the robust IT controls they would have if working from their office PC. In addition, many are without work, which increases the risk of litigation against the plan and could increase the number of cyber-security attackers looking for an easy dollar by taking it from your plan. Here are some good general controls to have in place to help protect you from these risks:
- Check those with administrative access to the plan (you may need to work with your service provider for this). Remove any access that is not required. Verify that the level of access for each ID is appropriate, and adjust as necessary. Ensure passwords to plan websites are changed approximately every 90 days. Discuss with those who have access the need for strong passwords, and the requirement not to leave written-down passwords out where everyone can see them, especially while working from home.
- For online access, make sure everyone who actually needs access has a unique ID and password. No sharing of IDs!
- Implement dual authentication whenever possible. This requires the user to enter a code that is sent to their cellphone or e-mail account to verify they are the actual individual using the ID. It adds a layer of security that may thwart an attack against your plan.
- Ensure someone is monitoring the general activity occurring in your plan. Look for unusual or large transactions, especially disbursements or loans. Verify you have different individuals reconciling your payroll bank account, performing the payroll, and handling the plan contributions. Review the reconciliations periodically to look for variances or uncleared items that stay outstanding.
- Encourage your participants to review their own 401(k) accounts. Give them a contact if they notice anything unexpected on their plan statements.
- Review your plan governance. Who is responsible for periodically reviewing investment performance and the fees charged? These are the two areas that are most often the target of litigation against the plan. Make sure you also document these reviews to provide support in case of a lawsuit. Take any action that is recommended from these reviews.
- Education about fiduciary duties is especially important in these challenging times. If you have had turnover in the personnel responsible for plan administration, monitoring or oversight, make sure the individuals new to their responsibilities receive training on their duties. Initially, have someone review the transactions they complete to ensure the individuals fully understand what is required. If no one is available in-house for this training, consider outside options, such as online courses or documentation that may be available from your service providers. A little extra expense in this area now may avoid large fines and penalties later on if it is ignored.
We know everyone is busy and these are challenging times. However, lack of focus on the above areas in your 401(k) plan administration can be very costly. Take a little time now to ensure your plan remains protected and compliant.
It’s vital that you hire a trusted auditor when it’s time for your plan's audit. At Summit CPA, we specialize in retirement plan audits. We have the ability to offer assistance entirely off-site with little or no distraction to your daily office routine. We also offer flat-fee pricing so there are no surprises on your bill when the job is complete. For assistance contact our office at (866) 497-9761 to schedule an appointment.