When IRS examiners check retirement plans, they often find a lack of sufficient internal controls. Even if an IRS audit finds no other problems, the consequences for inadequate retirement plan internal controls can be severe. At worst, hackers could steal the organization’s plan assets. Such a scenario could bring not only financial damage to a company and its plan participants, but also the possibility of plan disqualification.

The IRS’ Retirement Plan Inspection Process

According to the IRS, plan sponsors often fall short with their internal controls because they may not always be clear on their obligations versus those of their service providers. Although hiring a service provider can help a company maintain compliance, the provider does not completely absolve sponsors of their responsibility to keep their plan in good standing with the IRS.

If a plan audit uncovers inadequate internal controls, then the plan can become ineligible to use the IRS’s self-correction program (SCP). In addition, when an IRS auditor determines that internal controls are weak, the auditor will conduct a more detailed audit than would otherwise have occurred. If that investigation reveals any errors, then the lack of adequate internal controls weakens the sponsor’s leverage to negotiate a favorable audit closing agreement with the IRS, such as a less-burdensome penalty to resolve the case.

Components of Retirement Plan Internal Controls 

The AICPA’s Employee Benefit Plan Audit Quality Center defines internal controls as “a process affected by plan management and other personnel charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting. A plan’s policies, procedures, organizational design and physical barriers are all part of the internal controls process.”

The following are key components of a comprehensive internal control system:

Segregation of duties. This control includes the way companies process, pay, and account for their invoices and receivables. According to the AICPA, this segregation “is based on shared responsibilities of a key process that disperses the critical functions of that process to more than one person or department. Without this separation in key processes, fraud and error risks are far less manageable.”


Segregation of duties is a natural starting point for businesses implementing internal controls. Learn more about why segregation of duties is fundamental to an internal controls system.

Reporting and reconciliation of plan assets, contributions, and distributions. This control includes ensuring the accuracy of participant benefit statements and asset valuation and the proper bonding of plan assets. Plans must reconcile cash disbursement records and match individual participant records to data reported by the asset custodian. Finally, organizations should ensure the timeliness and accuracy of required regulatory filings and the proper recording of investment transactions, income, and expenses.

Oversight of outsourced functions. Organizations should review the performance of their service providers against their service agreements and determine the causes of any deviations. In addition, review service providers’ own internal control procedures. Those are compiled in standardized reporting formats under SOC 1 and SOC 2 reports. The former covers the service provider’s financial controls, whereas the latter addresses controls pertinent to operations and compliance. You can hire an independent auditor to review outsourced services. But as with any other outsourced service, a system must be in place to vet that auditor.

The Key to Driving Internal Control

When reviewing internal control for their plans or the controls of a service provider, companies should be certain that:

  • participant enrollment is consistent with plan documents,
  • contributions satisfy required amounts and are within regulatory limits, and
  • employer and employee contributions to employee accounts are made on a timely basis.

In addition, they should do the following:

  • Review hardship withdrawal requests for compliance with regulatory standards prior to disbursement.
  • Implement and follow a documented process for approving participant loans and ensuring that payments are being made according to amortization schedules.
  • Maintain records of correspondence with current and former participants. Periodically compare signatures on endorsed checks to original signatures on file.
  • Establish a system in place for locating former participants with residual account balances who fall out of touch with the company.

Maintaing Your Retirement Plan Internal Controls

Periodic maintenance is so important for your retirement plan internal controls. Effective internal controls and annual reviews can help prevent costly mistakes that can jeopardize your plan’s tax-favored status. Contact CRI if your organization’s internal controls could use a tune-up.