What to Expect During The 401(k) or 403(b) Audit Process

If your company sponsors a 401(k) or 403(b) plan, you may be required to undergo an Employee Benefit Plan (EBP) audit. Understanding what to expect can help you prepare, ensure compliance, and make the audit process as smooth as possible. Sensiba’s dedicated professionals can help your company navigate each step of the audit smoothly and efficiently.

Employee Benefit Plan (EBP) Audits: Requirements and Compliance

An EBP audit is a specialized examination of a retirement plan’s financial statements and operations. Mandated by the Department of Labor (DOL) and the Employee Retirement Income Security Act (ERISA), these audits protect both employees and employers by ensuring plan administrators fulfill their fiduciary responsibilities.

The Audit Threshold: Large vs. Small Plans

The requirement for a third-party audit is determined by the number of participants with account balances at the beginning of the plan year.

  • Large Plans (100+ Participant balances): Generally required to attach an Auditor’s Report to their Form 5500 filing.
  • Small Plans (<100 Participant balances): Typically eligible to file Form 5500-SF (Short Form), which has fewer schedules and disclosure requirements.

The 80–120 Participant Rule

To prevent plans near the 100-participant balances threshold from frequently switching between “large” and “small” filing statuses, the DOL and ERISA implemented the 80–120 Rule:

  1. Maintaining Small Status: A plan can continue to file as a “small plan” (no audit required) until it reaches 121 participant balances.
  2. Maintaining Large Status: Conversely, a plan that filed as a “large plan” in the previous year can continue to do so until the participant balance count drops below 100.

For more on how these rules have evolved, see our guide: Regulatory Changes Streamline Form 5500 Audits.

First Audit vs. Continuing Audits

While most plans aim to avoid audits to reduce costs, some administrators choose to maintain “large plan” status for transparency. It is important to understand the difference in workload between the two:

Audit Type | Requirements & Scope
First-Year Audit | High Burden. Auditors must perform a “double audit” (including opening data and historical documents) to verify initial balances.
Continuing Audit | Lower Burden. The process is streamlined because opening balances were verified in the prior year’s audit.

The Audit Process: Step by Step

The typical 401(k) or 403(b) audit process may vary based on factors such as the audit firm, plan details, and the personnel involved. The overview below highlights common steps in EBP audits.

1. Planning & Engagement

The process begins with an initial meeting with the audit firm to confirm the audit scope and plan the initial timeline. This step may also include signing an engagement letter documenting the scope, applicable fees, and other important details. The auditor will also provide a list of data requests.

Sensiba Tip: Designate one internal contact to coordinate audit requests across multiple departments and third-party providers.

2. Document Gathering

You’ll need to provide signed copies of all plan documents, current trust statements (and any previous years, if available), payroll reports for the plan year, and SOC 1 reports (System and Organization Controls) from all third-party service providers utilized by the plan. Reconciliations between payroll reports and plan accounting records must be both documented and provided to the audit team early to prevent delays.

3. Testing & Fieldwork

Auditors test participant eligibility, contributions, distributions, loans, rollovers, and investment accuracy. Common data sampling and participant-level testing require plan administrators to provide evidentiary support for the multiple transactions selected for testing.

Our Approach: We apply a risk-based approach to minimize the number of requests for audit evidence. We also leverage automated testing to improve efficiency.

4. Review & Reporting

Near the conclusion of the engagement, auditors will verify that the draft financial statements tie out to a draft copy of Form 5500. Auditors will also request written acknowledgement of certain representations applicable to the audit and testing results, as well as provide recommendations for improvements to the plan’s internal control environment, if any.

5. Final Deliverables & Filing Form 5500

Once the audit report is issued, Form 5500 needs to be filed with the audited financials attached.

Reminder: Form 5500 is due seven months after the plan’s year-end, typically July 31 for calendar-year plans, with the option to extend 2 ½ months.

After determining whether a plan audit is required, management will need to assess the type of audit the plan requires by determining whether a qualified institution under DOL rules and regulations has issued a certification of the plan’s assets. With a certification, the plan will qualify for what has historically been called a limited-scope audit. Lacking such certifications will require a full-scope audit.

The name change took effect in 2021 and primarily affects the auditor’s presentation, with no significant impact on plan administrators. Your plan’s third-party custodian should be able to advise on the certification status of the plan’s assets. Reach out to your representative to confirm that the provider is a qualified institution and has issued a signed certification for the plan assets in the year of the audit. 

Typical Audit Timeline

Many 401(k) and 403(b) audit timelines follow the framework outlined below. Common bottlenecks that can delay filing include late or incomplete responses to audit requests, such as plan-year census data, and delays with custodians. Early preparation is key to anticipating and avoiding these bottlenecks.

  • January – February: Data gathering
  • March – May: Fieldwork
  • June – July: Reporting and filing

How Sensiba Ensures a Smooth Process

Our dedicated EBP audit team streamlines all audit data requests via secure file portals and collaborates closely with third-party administrators and custodians to deliver quality audit products on time. We provide guidance on best practices to help you stay compliant, confident, and prepared for the future.

While a 401(k) or 403(b) audit may seem overwhelming, Sensiba is confident that a little bit of guidance and dedication can drive positive changes for any employee benefit plan audit.

Connect with a Sensiba Auditor to learn how we can bring clarity and compliance to your plan.
