When it comes to maintaining an effective 401(k) savings program for employees, systematic audits of the plan are essential.
A common reason for an audit is to minimize the financial risk associated with annual tax-filing obligations. However, as certain issues, like financial wellness and cybersecurity, have grown more prominent, the scope of an audit has widened to provide a more complete view of a plan’s overall health and value.
Many CFOs approach a retirement plan audit from a pure expense perspective, and as the head of finance and risk for the retirement division of a large workplace plan provider, I can understand why. But there are broader aspects to consider, including how well a plan improves outcomes for its participants, how financially healthy employees are, and how the plan measures up as a tool for attracting and retaining talent.
It’s important for a company’s top financial executive to recognize how these elements fit into a comprehensive cost-benefit analysis in order to maximize the value of the retirement plan and protect against downside risk. Here is a brief look at several key areas of focus.
From a pure compliance perspective, many large employers with a retirement plan are required to conduct an annual audit. The Department of Labor governs qualified employee benefit plans and (with a few exceptions) an audit is mandatory for those with 100 or more eligible participants as part of the “Form 5500” tax return filing obligation. This review must be done by an independent third party.
Beyond satisfying the employer’s regulatory duties, this annual process is meant to keep the financial integrity of the retirement plan and its assets in check, making sure the plan is well-managed and that funds will be available for participants.
Having a prudent, structured process and hiring an independent, qualified public accountant for this audit are important duties of the plan administrator. Another role of the audit is to flag potential problems and suggest ways for the plan to improve its controls and operations.
In order to mitigate risk, the plan sponsor must make sure compensation is calculated properly and that contributions are accounted for to avoid a shortfall in employee deferrals, investment earnings, and employer matching. It is important for plan administrators to adhere to the provisions in their plan documents.
Also, employees must receive adequate information and education about the plan and their investment options. In this respect, an audit can help document how the sponsor is encouraging participation and savings. A regular cadence of education and communication campaigns is a way to make sure this happens, as well as passing along information about fees and costs in a transparent manner to all participants.
Many checklists and resources exist today, including those from the IRS, to help sponsors address these tactical, risk-mitigation aspects of an audit. A plan’s governing board may want to consider appointing an oversight committee that is well-versed on the plan and industry regulations and can dedicate sufficient time, expertise, and attention to overseeing the plan’s administration.
While a technology and cybersecurity audit was once a smart cautionary measure, it is now one of the most vital aspects of assessing a plan. Sponsors want to know how their service providers will handle technology disruptions and how IT environments will protect against fraud, cyber-threats, and unauthorized access.
Plan administrators should understand their provider’s capabilities, as well as their own plan’s policy for creating a secure environment that protects employee retirement assets and financial information.
Due diligence in this area is initially done during the request-for-proposal process and prior to entering a relationship with a new plan provider. But it shouldn’t stop there; technology, security, and cyber risk capabilities must be reviewed on a regular basis with the provider.
During a service review, it’s not uncommon for a sponsor to send the provider a questionnaire to address items such as general IT controls, business resilience, and cyber-preparedness. Many clients will want their provider to supply a multi-year overview of its “security roadmap” and outline its plan for addressing significant security challenges.
Audits should uncover specific details such as the type of encryption tactics a provider employs, whether it has multi-factor authentication, and the various business continuity and issues management response processes the provider has to protect against cyber incidents.
Finally, it’s important for a plan sponsor to be aware of how its retirement provider works with third-party vendors. That is imperative across all markets, but it is especially relevant for large employers that have complex and sophisticated arrangements with multiple vendors.
Some business relationships can involve multiple parties with technologies and services that connect, so part of the audit process will involve examining not only the plan provider, but the security at each touch point.
Most CFOs gravitate towards keeping the costs associated with the company’s 401(k) plan as low as possible. However, it’s arguably more important to frame the cost-benefit analysis in terms of the total “value” the plan is delivering, and whether it’s meeting the company’s objectives.
Viewed through that lens, an audit can help determine if employees are on track to retire on their terms — with sufficient replacement income — and at a standard retirement age.
If there are disconnects with those goals, a sponsor should know what its provider offers to help increase participation, savings rates, and average replacement income ratios, and whether it has tools and resources that advance broader financial wellness. This includes support for certain sub-groups such as special needs populations.
It is important to know whether your provider can engage and serve participants through the many different channels they want to be reached — face to face, over the phone, online, and through the latest digital and mobile applications that personalize the savings experience. You might also ask whether the provider has a way to track engagement and understand how to tailor solutions to meet a company’s unique needs.
A proactive approach to this type of audit may require a “check-up” to evaluate and advance the overall health of the plan. This includes looking at factors such as how the plan is designed. For example, does it automatically enroll new employees or step up their savings on an annual basis?
A regular check-up can also help sponsors review the composition of the plan’s participant base and whether it’s offering best-in-class diversified investment options such as target-date funds, bonds, equities or index funds, managed accounts, and advisory services. If any savings gaps are identified, the plan may consider a re-enrollment strategy that targets all participants or certain groups.
The growing use of data analytics and the field of behavioral science are allowing plan sponsors to look at metrics that track the digital engagement levels of participants – something that was unavailable before.
This information can lead to adopting solutions that “nudge” people to save more. Research from Voya’s Behavioral Finance Institute for Innovation found that increasing default savings rates from typical levels of 3% up to between 7% and 10% did not lower the enrollment rate. This suggests that employers can push the envelope with their automatic enrollment rates to help increase retirement income levels without decreasing employee participation.
There is no question that regular audits of a retirement plan serve a much broader purpose today and can lead to benefits that both mitigate an employer’s risk and enhance the health of the plan.
When viewed by a CFO in a bigger picture, this can translate to lower financial liability and a more satisfied workforce that saves more and is able to retire on time, creating less drain on company benefits.
Frank O’Neill is CFO and chief risk officer for retirement at Voya Financial.