Auditing 401s With CAATs - k - employee retirement plans, computer assisted audit tools

Internal Auditor, Oct, 2001 by Chris N. Bacon

Automated testing can help boost the effectiveness and efficiency of company savings plan audits.

MPLOYEE RETIREMENT savings plans, also commonly referred to as 401(k)s, often serve as the backbone of a company's benefits package. These plans can help an organization attract and retain staff, as well as enhance employee motivation and performance.

Because 401(k)s can play an important role in a firm's success, internal auditors are often charged with ensuring the effectiveness and efficiency of these plans. Auditors can help determine whether or not the company is properly executing its fiduciary responsibilities on behalf of the plan's participants and ensure that the company's regular contributions to the plan are properly calculated and applied.

Savings-plan systems can be highly automated and complex, are subject to various government and corporate requirements, and manage both company and employee funds. Due to this combination of factors, these systems are often ideal candidates for automated testing. The greatest difficulty, however, can be determining precisely which tests will best evaluate the health and functioning of the system.

At Northrop Grumman Corp., a global aerospace and defense company, our audit department has identified four specific aspects of the organization's 401(k) plan that are well-suited to automated reviews: adherence to the U.S. Internal Revenue Code (IRC) contribution requirements, compliance with the company's plan specifications, agreement of employee contributions with payroll deductions, and the reasonableness of growth in participants' accounts. Testing these areas with the aid of computer assisted audit tools (CAATs) helps us provide assurance to management that the company's 401(k) program is operating as intended and minimize risks to the company and its program participants.

IRC CONTRIBUTION REQUIREMENTS

Company 401(k) plans offer several advantages to participants. For example, many employers will match a portion of the participant's contribution and apply it toward the employee's account. In addition, contributions from both the participant and the company, as well as any earnings arising from those contributions, are made on a tax-deferred basis. Not only does this feature enable the account to grow at a higher rate, but when tax is eventually paid, the participant often falls into a lower tax bracket.

The substantial tax implications of 401(k)s have led to government-imposed regulations regarding plan contributions. To ensure that savings plans are not abused, the IRC dictates the following contribution limits.

* Pre-tax employee contributions are limited to a maximum of $10,500.

* Total contributions by the employee and company cannot exceed $35,000, or 25 percent of the employee's total compensation -- whichever is less.

* An employee's contributions can be based only on the first $170,000 of earnings in a calendar year.

Although appropriate edits in the company's savings-plan and payroll systems should exist to enforce these limits, using CAATs to examine appropriate year-end files can help auditors to determine whether or not the edits are functioning properly.

To ensure compliance with employee and total contribution limits, auditors should first obtain a data file containing all activity for the year from the savings-plan administrator. The file must contain the following year-to-date (YTD) information: deferred employee contributions, deferred company contributions, standard employee contributions, and standard company contributions. Auditors can then obtain YTD-compensation data from the company's year-end payroll file and merge this information with the YTD-contribution data to test for IRC compliance.

Auditors can also use CAATs to perform a partial compliance test to review employees' contributions in light of their overall earnings. One way to verify compliance with the IRC's requirement in this area is to calculate the maximum employee contribution for a participant who earns 5170,000, and then search the savings-plan file for instances where that amount has been exceeded.

IRC requirements will be raised from 2002 to 2006 as a result of congressional action aimed at improving 401(k) plans. Auditors should therefore check the latest IRC contribution limits before conducting a savings-plan audit.

PLAN SPECIFICATIONS

A company's 401(k) Summary Plan Description details the specific rules to be followed in administrating the savings plan. These rules typically cover such subjects as eligibility, contribution limits, company contribution match regimen, vesting, investment fund options, and valuing accounts. Auditors may want to include these items in their reviews, some of which may be facilitated by CAATs.

The accuracy of the company match, for example, should be considered for testing, as it represents a direct outflow of the company's funds. Because employees can change their contribution percentage on a daily, weekly, or monthly basis, using CAATs to evaluate YTD data would be impractical except for ensuring that the maximum company match amount has not been exceeded. Partial tests, however, can still be performed using data from one pay period.