Internal Controls Best Practices By Jennifer Downs, CPA Benefit Audit Group, LLC

(1)

Internal Controls – Best Practices

By Jennifer Downs, CPA

(2)

Internal control consists of:

• Entity level controls ‐ these controls relate to the

overall control environment and can potentially

influence the design and operating effectiveness

of other controls.

–

IT and general computer controls – these controls

relate to the way transactions are initiated,

authorized, recorded, processed, and reported.

–

Activity level controls – these controls relate to the

financial close and reporting process and the

processing of transactions for each significant

transaction class.

(3)

Internal Controls

• Audit relevance – The overriding criterion for the

understanding of internal control is that it be

sufficient to assess the risk of material

misstatement of the financial statements due to

error or fraud and to design the nature, timing,

and extent of further audit procedures.

• Audit effect ‐

–

Increased sample sizes and participant data required

–

Increased inquiries

–

Increased deficiencies noted in management

correspondence

(4)

Entity Level Controls

• Do you have a plan document and is it up to date?

• Who are “those charged with governance”?

• Is there a retirement/benefit plan committee overseeing the plan?

• Who are the parties in interest relative to the plan?

• Does a code of conduct or ethics policy exist?

• Are there human resource policies and procedures that demonstrate its

commitment to integrity, ethical behavior, and competence and are they

clearly communicated to employees?

• Is there a risk assessment policy in place?

• Do you know what kinds of fraud could be committed against your plan?

• Is your plan in compliance with all laws and regulations?

• Is appropriate attention given to internal controls and does management

correct any known weaknesses in internal controls on a timely basis?

(5)

Entity Level Controls – Best Practices

• _{All those involved need to know the provisions of the plan document.}

–

If you are not sure of a provision – inquire.

–

And do not sign amendments unless you understand the implications.

• Identify those charged with governance and maintain a list of all parties in

interest. Regularly review and update where needed.

• Coordinate a retirement/benefit plan committee and have it meet at least

annually.

–

Discuss significant items affecting the plan.

–

Document discussions in minutes

• Develop policies to be rolled out to employees. Regularly review and update

where needed.

• Review the processes surrounding the plan to determine where fraud or errors

could occur.

• Review your service providers and utilize them to assist with compliance.

• Institute internal control recommendations by your auditors.

• Perform a self‐audit.

(6)

General Computer Controls

• _{What computer applications does your plan use?}

• _{What plan developed spreadsheets are used and 1) are}

they password protected and, 2) are there logical

controls built in to protect their integrity?

• Are there appropriate data backup and recovery

processes in place?

• _{Are the physical security and access to programs and}

data appropriately controlled to prevent unauthorized

use, disclosure, modification, damage or loss of data?

• _{For internally developed software, are program}

changes and development appropriately managed?

(7)

General Computer Controls –

Best Practices

• Evaluate your computer applications.

• Determine proper use of passwords and access to

source code.

• Ensure data backup and recovery processes in

place.

• For service organizations used, ensure computer

controls addressed in SOC 1/SSAE 16 reports.

• Ensure process in place for changes in personnel.

(8)

Activity Level Controls

• Eligibility determination and enrollment process

• Contribution calculation and remittance process

• Rollover contribution process

• Loan initiation and remittance process

• Distribution (including hardships) process

• Investment management process

• Plan expenses process

• SOC 1/SSAE 16 review process

(9)

Activity Level Controls – Best Practices

• _{Eligibility determination and enrollment process}

–

Know the process and identify areas where eligible

employees could be excluded or ineligible employees be

included.

• _{Deferral calculation and remittance process}

–

How are the deferrals calculated?

• If automated, what is process for manual checks?

–

What is the definition of compensation for deferral

calculations?

–

Is the same person overseeing the calculation and

remittance process?

• If so, is the work reviewed?

–

Are your deposits being made timely?

(10)

Activity Level Controls – Best Practices

• Employer match or discretionary contribution

calculation and remittance process

–

How are the contribution(s) calculated?

• If automated, what is process for manual checks?

–

What is the definition of compensation for each

contribution calculation?

–

Are there different eligibility requirements for match

vs discretionary? If so, how monitored?

–

Is the same person overseeing the calculation(s) and

remittance process?

• If so, is the work reviewed?

(11)

Activity Level Controls – Best Practices

• _{Rollover contribution process}

–

Who is monitoring this process?

–

Are only amounts from other qualified plans permitted to

be rolled over?

• _{Loan initiation and remittance process}

–

How is the loan repayment entered/stopped in payroll?

–

Is the same person overseeing the repayment and

remittance process?

• If so, is the work reviewed?

–

Is loan policy being adhered to?

–

Who is monitoring deemed loans?

–

Are your deposits being made timely?

(12)

Activity Level Controls – Best Practices

• _{Distribution process}

–

Who approves and what types of distributions

require approval?

–

Is the person approving also able to make address

changes?

–

Do you know the hardship rules and are they

being properly adhered to?

• What is process for ceasing deferrals after a hardship

taken and restarting them six months later?

–

Are vesting schedules properly adhered to?

(13)

Activity Level Controls – Best Practices

• Investment management process

–

Do you understand your investments and how they

are valued?

–

Do you have an investment policy statement (IPS)?

–

How often does your plan’s investment advisor meet

to review your investments and adherence to the IPS?

–

Do you have all pertinent contracts for investments in

your plan?

–

What are the commitments and/or restrictions that

have been placed on your plan’s investments?

(14)

Activity Level Controls – Best Practices

• Plan expenses process

–

For expenses paid directly out of plan assets, are

there proper segregation of duties?

–

Are expenses in accordance with service

agreements?

–

Do you utilize an ERISA budget account and is the

balance of this account included in plan assets?

(15)

Effect on Internal Controls

• Consider internal controls when there has

been a change

–

Changes in personnel

–

Changes in payroll systems

–

Mergers/Spin offs

–

Changes in vesting schedules

–

Changes in plan document

(16)

References Materials

• See Various DOL Publications ‐ http://www.dol.gov/ebsa/fiduciaryeducation.html – Understanding Retirement Plan Fees And Expenses This booklet will help retirement plan sponsors better understand and evaluate their plan's fees and expenses. While the focus is on fees and expenses involved with 401(k) plans, many of the principles discussed in the booklet also will have application to all types of retirement plans. – 401(k) Plan Fee Disclosure Tool A form developed by banking, insurance and mutual fund trade groups to provide employers with a way to collect and compare investment fees and administrative costs of competing providers of plan services, now available in MS Word format. This form was not developed by the Department and was not designed to ensure compliance with the Department's regulations on service provider fee disclosure to plans or plan fee disclosure to 401(k) plan participants and beneficiaries. – Selecting An Auditor For Your Employee Benefit Plan Federal law requires employee benefit plans with 100 or more participants to have an audit as part of their obligation to file the Form 5500. This booklet will assist plan administrators in selecting an auditor and reviewing the audit work and report. – Selecting And Monitoring Pension Consultants ‐ Tips For Plan Fiduciaries ERISA requires that fiduciaries of employee benefit plans administer and manage their plans prudently and in the interest of the plan’s participants and beneficiaries. In carrying out these responsibilities, plan fiduciaries often rely heavily on pension consultants and other professionals for help. Findings included in a report by the SEC released in May 2005, however, raise serious questions concerning whether some pension consultants are fully disclosing potential conflicts of interest that may affect the objectivity of the advice they are providing to their pension plan clients. – Tips For Selecting And Monitoring Service Providers For Your Employee Benefit Plan Business owners are responsible for ensuring that their 401(k) plans comply with Federal law and rely on other professionals to assist them with their plan duties. Selecting a service provider is one of the most important responsibilities of a plan sponsor.

– Target Date Retirement Funds ‐ Tips for ERISA Plan Fiduciaries ‐ Target date retirement funds (also called target date funds or TDFs) have become an increasingly popular investment option in 401(k) plans and similar employee‐directed retirement plans. EBSA prepared the following general guidance to assist plan fiduciaries in selecting and monitoring TDFs and other investment options in 401(k) and similar participant‐directed individual account plans. – Reporting and Disclosure Guide for Employee Benefit Plans This guide is intended to be used as a quick reference tool for certain basic reporting and disclosure requirements under ERISA. • See IRS Fix‐It Guides ‐ http://www.irs.gov/Retirement‐Plans/Plan‐Sponsor/Fix‐It‐Guides‐Common‐Problems‐Real‐Solutions

(17)