It’s essential for 401(k) plans to have strong controls to prevent fraud, inaccuracies and remain in compliance with federal agencies. Layering a variety of controls into your 401(k) plan processes provides an extra layer of security, but they should be reviewed periodically to ensure they’re still effective. Five common controls can help keep your 401(k) plan in compliance, but are these controls being employed fully and correctly? Kim Moore, Director and 401(k) practice leader, and Karen Hill, audit and assurance manager, were joined by Kristin Cortez, an audit and assurance supervisor with the firm, to discuss best practices and share actionable tips to help manage your internal controls.
Topics discussed in this episode include:
Episode resources:
Narrator
Welcome to the 401K audit CPA success show where we're 100% focused on helping companies across the United States prepare for their 401K audits. If you have 100 eligible participants in your 401K plan, then this podcast is for you.
Kim Moore
Welcome everyone to our 401K plan audit CPA audit Success Show Podcast for this month. I'm Kim Moore. I'm the audit director here at Anders. Just for those who may be joining us for the first time. We are a CPA firm located out of Saint Louis, but my team is actually virtual, so we work all over the country and we have clients all over the country. I'm joined today by Karen Hill, the manager on the team and we have a new team member that's joining us today, Kristin Cortez. Kristin's audit supervisor on our team. So welcome to both of you guys. Happy to have you here.
Today we are going to talk about something a little bit different than we've talked about before. This is something that's been coming up in a lot of our audits recently, so we, thought it would be a good topic to get out there for all of you guys and the topic is: key controls. Key controls are important in an audit, but they're also very important for a business and for a 401K plan.
I'm going to first start off by saying we're going to focus on 401K plans because obviously that's what we deal with primarily. But if you happen to be listening to this, key controls relate to any kind of business and they relate to any kind of audit. So a lot of what we're going to talk about in general would apply to any audit or any financial area that you might be dealing with. But we're going to focus specifically on 401K plans. And especially for when key planned, key controls or controls areas that we'd want to focus on. So just kind of keep that in the back of your mind as we move forward.
And lastly before I we kind of get started here, I wanted to throw out my e-mail address. The letter K. Then more so KMOORE at Anders with an S, anderscpa.com. Again, it's KMOORE at anderscpa.com. If you have any questions about what we're talking about today. If you're interested in learning more about Anders or more about our 401K plan audit process. If you have an idea for our future podcast, also don't hesitate to reach out to me and I'll get back to you and we can talk about whatever your question or your area of interest is. So with that, let's talk about key controls. Karen, you want to kind of first off, tell us what is a key control?
Karen Hill
Well, key control is an action that the personnel that the company personnel takes to in order to identify, detect or prevent an error in the plan’s financial statements, in this case it would be in the 401K plan. You have controls that are company. Like the, they're it either process based or the company based. There could be various different things and you will have more controls than what we consider key controls, but you know the only those that would prevent or detect the significant errors are considered key. So while you there's various levels, there are various things that you do in the process, in your transaction processing that might be considered a control. You said that the key controls are there. There's a few of them. And also. Oh, I'm sorry. Were you gonna?
Kim Moore
Oh, no, I just... Yeah, the other thing I was going to add in is that from a company standpoint or a process standpoint, as Karen said there could be thousands of controls actually within any given process or any given business. We're really focused from a financial statement perspective. And also because again we're 401K, so there's a lot of regulatory potential problems. There are regulations that a plan has to adhere to. So also from a compliance standpoint. So a lot of what we're going to talk about is going to either focus on the financial statements themselves, the disclosures and the finance statements or compliance type issue that we want to make sure gets covered. But just keep in mind that controls cover everything and so you could have controls around effectiveness of something and making sure something is efficient. Those wouldn't necessarily- they may be key controls too, and depending on how you're looking at things, but for our purposes, again, we're auditors. So we're really focused on the financial statements and again the compliance. So a lot of this stuff is going to be geared around that. If you're going to hear a theme here, it doesn't mean that all your controls would be focused that way though too. So just kind of want to clarify that.
Karen Hill
And the we're going to prob- more than likely that they're going to be related to the larger balances for the significant balances in your financial statements, which doesn't mean that you wouldn't have controls over the smaller balances, but they're not usually considered key.
Kim Moore
Right, right. So you know that I don't know if that depending on your background that may make a lot of sense, but again, it may not, you know be like. I don't understand, what are you talking about? So I thought I would just give some examples here of what could be considered a key control. Also understand that a key control is going to vary depending on whatever you're focused on, it's going to depend on the business. It's going to depend on how in our case, the 401(k) plan is set up. So, these wouldn't all apply there. Some are going to apply different ways. So there… Any plan that you look at it, it is going to be different so there- This is one thing where it's not the same in every case.
One good example: segregation of duties. That's a good control when you have more than one person involved in something from a fraud perspective. Which we always talk about if you've heard some of our podcasts, you hear us talk about fraud a lot, some fraud perspective. It's more difficult to perpetrate a fraud when there's multiple people involved because one person is going to see it. And so it's very difficult to cover it up. Now, we get into management override of controls and then it's a whole different story. But in general segregation of duties is good because it does help with the fraud risk element which we have to consider with financial statements. The other thing with segregation of duties. So it's always good to have more than one person involved in anything because the second person is looking at what the first person did so they're more likely to say, hey, wait a minute. What you said two and two or six. What? What's that? But it's also good, because we all want to take vacations. We might get sick, something might come up. There might be emergency. So if you've got more than one person involved too, it's also just good from a backup perspective to have a second person that that can jump in and take over, you know, if need be. So that's one example of a control.
Karen Hill
Yeah. And as an auditor, if you have one person that processes payroll and they're taking payroll with you, with them on to do on vacation as an auditor, that's going to give me pause, I'm going to say wait a minute. Why does nobody cover for this person when they go on vacation? And I mean, I've seen it. I've had in in the past with a 401K plan where they found out that the payroll person was committing fraud because she would not let anybody else cover for her when she was on vacation.
Kim Moore
Yeah, a lot of financial institutions require everybody to take vacations for that very reason. Just because they will uncover fraudulent activity when the person is gone and, I mean cares absolutely right. When somebody you see somebody that's holding on to something and they won't, they won't let somebody else be involved. That's there's usually something going on there it. May not be fraud, but there is usually something going on there.
A second key control that we use a lot, we see a lot and is a very good key control is authorization or approval. So that could be someone in your, you know, the trustee of your 401K plan reviewing all the distributions. So the participants made a request for a distribution and they're looking at it to verify that it's appropriate that they know that person is eligible to receive that distribution. They're not saying, well, who is this person? And they've never worked here. You know, obviously it would be another fraudulent type of transaction. So an authorization is a good control. Approval over something. So that might be just someone reviewing, a second review and they're saying, Yep, I've looked at this and I'm kind of signing off saying that's OK. Those are all really good controls. We have a lot of our key controls that we see on the 401K plan side and even in payroll, you'll see that. So authorization for pay raise, authorization for someone to work overtime, authorization for someone to receive a bonus. You know those kinds of things come up a lot. So another one, Kristin: reconciliations. Tell us just a little bit of what, what is a, what is a reconciliation?
Kristin Cortez
You know, a reconciliation is where somebody is going to go in and verify that the activity that happened actually agrees to the source documents and to the activity that has taken place, the financial activity. And for employee benefit plans, we're mainly looking to see that you know the deferral’s remitted, the loan repayment’s remitted. Actually agree to the payroll registers and we can trace those funds to the bank statements and to eventually the record keeper and determine that what was remitted, it was actually received by the plan and allocate it correctly to the participant accounts, so.
Kim Moore
Right. Yeah. And you know, reconciliations are important. You'll see those just in general in your company things. I mean, we're all familiar with the bank reconciliation, I think so you know, those are, they're we, they're kind of nothing. So they just go on and you happen and people don't really think about them but they are actually a good control because if something's going on. And a lot of times it's going to it's going to fall out in cash. So. So if you, if you're doing a regular bank recon and it's just pretty clean, then it doesn't, doesn't mean nothing's going on, but it's a good idea that that you know you don't have some things happening that you're that you're not familiar with.
Kristin Cortez
I'm sorry, they also help with finding, you know.
Kim Moore
No, no, go ahead.
Kristin Cortez
They also help with finding items that are missing, you know, missing deposits, missing deferrals, things like that.
Kim Moore
Mm-hmm. So yeah, and on the 401(k)side, it's. The Recons are good because you're taking money out of a participant's paycheck and ultimately sending that in to whoever your record keeper/custodian is into that employee’s participant account and you want to make sure that all of that money gets across. So a Recon would detect that I withdrew $1000 out of this week's pay. Well, but wait a minute. Over in the 401K plan, they've only got $800, you know? Wait, there's something wrong here. So. So recons are really good even with automated processes sometimes. You know, the system can glitch right in the middle of a send. And so something happens and it doesn't all get across. Doesn't happen a lot, but it does happen. Even in today's day and age, so recons are a really good control. They serve a lot of purposes. So it's another good one that we like to rely on.
Kristin Cortez
And I think they go well with segregation of duties. You really want somebody who's not performing payroll to actually reconcile payroll, you know?
Kim Moore
Right. Yeah, very good point. Yeah, that would be a problem and would kind of negate some of the benefits of the control if the same person's doing it.
Another one I like to point out, which doesn't come up anymore a lot, but it's physical security. So you know we, you know, in the old days when you cut paper checks, this was kind of a big deal. Who had control over the checks and were they just laying around because somebody grabbed a check. But, you know, physical security in today's world couldn't be over things like payroll or HR information. You still have paper HR files which a lot of companies still do. You know that's not something we would necessarily look at in the audit, but it is a very important control and it could be a key control just depending on what kind of information is maintained in those files? But again, you know you don't want people's personal information laying around and you don't even want it in an office with an unlocked file cabinet either cause just a you know, visitor could come in and start rifling through it.
Karen Hill
Or an unlocked office. You know the payroll person if they leave their office and their computer is on, and maybe they left the log in. You know they didn't log. Well.
Kim Moore
Right. Yeah. And you know you we see very much when you physically go to places, pay the payroll folks should be in an office. They shouldn't be just out in a cubicle out in the middle of the floor with everybody else. They should be segregated. And the other thing, Karen you bring a very good point, the physical security doesn't have to be physical as in a piece of paper. How are you securing your HR payroll files if they're electronic? I mean, are you just running the payroll report each pay period and you throw it out on the generic, you know, file structure that everybody has access to? Well, there's, you know, you got a problem because anybody could go in and look and see. Oh, Susie makes so much. You know, Susie does the same job I do, but Susie makes more money than me. So you know it, it can cause you all kinds of problems, HR files. Obviously there is very confidential information in those files. You wouldn't want those. To be just on your regular shared drive that everybody can see. So. So physical security can extend beyond just the physical pieces of paper, but security in general is just a very important control.
Talking about computers is one of the last examples here that I listed, which again, are controls people just forget about, but there are controls built into your automated systems, so things like an edit. You know you're working through your system and it knows it's supposed to be a date. It's probably coded with an edit, so if you start typing in letters, it's going to say I can't take that. That's, you know, I I'm expecting numbers in a date. It may expect a date in a certain format. So if you try to give it something else, you know and digits after a period, you know, like a number would be. It's gonna say I don't. I don't know what that is. So edits are really useful in the system. We kind of forget about them because. You know, we're all working on automated systems all day anymore, and they're just built in and you don't even, they're just there. You don't even think about them, but, but those actually are very good controls and very preventative controls. They're going to stop you from doing typos, you know before they get recorded. So. So those are just some examples of controls we're going to talk a little bit more about controls here, specific 41K plans in a minute.
So why are they important? Obviously they're important because they help prevent mistakes they help detect frauds that may be going on. For an audit, they're important because they help us as auditors know that that the processes are working fairly well. So we can look at the financial statements and the compliance activities are going on and make the assumption going in, as we're developing our procedures, that all of the financial statements, the compliance of that they're going to be correct. There's not. We're not starting from a point that we're assuming the finance limits are wrong. We can assume that they're 100% correct.
If we didn't have that baseline then we would have to do a whole lot more work. You know, our audits would cost a lot more. Probably none of us would be here because we'd be get, get sick of just doing the same one client for months because that's what, that's what it would take to do them. So it's just kind of a built in, process built into the audit process, but we want to make sure that that baseline is there. That way we can rely on that and then we're going to build our audit processes on top of that. So. Karen, do you want to walk us through? I'm an, I'm an auditor. I'm getting started in an audit. I did my basic planning, so I've planned out kind of the audit. How it's going to go? But what? How would I even get into this key control? How does that come into play?
Karen Hill
Well, first you would have to discuss the different processes with the client and determine how they go about doing the different things. How do they when somebody's hired, how do they enter them into the systems and what paperwork do they use? Just basically, everything that happens around the process and then you're going to determine what the key controls are.
So for example you want to make sure the demographic data is accurate going into the payroll system and the record keeping system, which would be higher date and birth date. So what do they use to put those into the system, and you can you support it? So then what you after you get your different controls you say, OK, well they filled out an I an I-9 and I'm going to put those dates in because that's the day to hire maybe it's not a 99 maybe they have new hire paperwork that they have all that information and that's what they use to put in well then. Then your auditor is going to, after they get, figure out what all the key controls are or your processes, then determine the key controls. They're going to come in and they're going to conduct a walkthrough of those controls. And what that means is they're going to take one transaction and they're going to go through the process and make sure that all of that was done accurately and that the control exists. And that might mean that they're gonna grab that I-9, and they're gonna check the dates on the I-9 and see if that agrees to what's in. In the record keeper system or one of your controls or surrounding payroll is that somebody does a review of the payroll. They're gonna ask to see the review, proof of the review of the payroll. Maybe somebody, maybe your distribution, somebody signs off on the distribution. So they're going to want to see that approval from the distribution request. So they're going to do a walkthrough and try to make sure that those key controls not only are they that, that, that they're actually in place, that somebody is actually doing them. And this is different from the test controls testing controls you're going to do usually at least 25 of them for a walk through. You're only gonna. You're only going to do one. But just want to make sure that the control is designed correctly and that it's in place.
Kim Moore
Yeah. And you know the if you go kind of back to the audit methodology, the whole point of this is that you know we get in, we understand from the client. Here's how things work. We're identifying those key controls. And then we want to make sure that they actually are operating the way that they've told us that they do as long as that all goes through and you know, they really- they are working the way that they were described. And we feel like, yeah, those are adequate controls to cover the major risk that that we've identified, that allows us then to kind of stop at that point to develop our standard testing procedures to our standard sampling and we move forward if for some reason we feel like there's not adequate control. The controls are- there are some controls, but they're just not designed very well, or they might have been designed well, but that's not really what's happening. You know, someone is supposed to approve something and sign off. And and we go pull our walk through and it's like well, wait a minute. Where's the sign off? “Ohh, you know. Well, the manager’s supposed to do that, but they've been busy and so they haven't been reviewing anything.” Well, now we can't rely on that control because it's not really occurring.
Or you might look at a reconciliation that Kristin talked about earlier and OK, great. They got this reconciliation. You go in and you look at the one and it's like, well, wait a minute. There's. You know. Two and two are 8 and then I subtracted 4 and you know, and you're like, well that this is even right? This isn't like in really doing the job of reconciliation. So at that point, then we would have to back up and say OK, we thought we knew the processes we thought we had these key controls, but in reality we really don't because they're not working. The way that they were designed or they're just not working at all, they're just not doing the control. So it really the these whole key controls, the walkthroughs, all of this is really important because it determines what processes we need to use in the audit and what sampling that we need to do in the audit.
One thing that that we have kind of talked about is materiality, materiality is a is a process that all auditors use. So any audit, doesn't have 401K, will have a materiality calculation. And I got to go through all the details of it. But basically the the auditor is looking at whatever the entity is that they're auditing in this case a 401(k) plan, we use the net plan asset balance. So what was the ending assets? The ending investments in the plan as of the end the year, subtracting out any amounts that are that are due to be paid out and then we're kind of looking at that from a total perspective and you know if I have $20 million in assets, am I going to worry about a dollar mistake? Probably not. You know, that's we don't want to design our procedures to try to find a dollar because that audit would take a long time and would cost a lot of money for the client. And it's unnecessary. You know, the readers of the financial statements don't care that it's a dollar off. Now, do they care that it's $1,000,000 off probably. So that's really what I guess I don't wanna get into all the details of the calculations and there's different, there's different types of materiality not gonna get into all the details, but the materiality comes into play here because we're not gonna go chase processes that are below that level of materiality. It could be wrong, that the number that there could be wrong. But not to the extent that it's above that calculation that we did.
Same thing with the key controls. We're not going to go chase key controls in an area that's you know not going to generate an error that's large. So the materiality plays into this as well. And we also will look at that, the key controls and the and the walk through and so it may not be quite working the way it's designed. But again that materiality will factor into it what is that impact and does that cause us concern that those higher level errors wouldn't be either prevented or detected? It kind of all fits together if you think if you think about it, so, So, materiality does play in. So if your if your auditor seems to be digging really deep, you might want to be asking them about their materiality, calculation and just how did they determine what level of items that they need to look at cause that's where that comes from.
So, now we're going to talk a little bit and we've, we've. Kind of hit. A couple of these already, but some areas for 401K plans that are really important and where we typically see key controls. Karen, you talked about the demographic data, but you want to talk a little bit about compensation because I think that's an area where we've talked before, we tend to see errors and-
Karen Hill
Yeah, compensation definitely is where we tend to see the most issues in conducting the audit. And we just want to make sure that the compensation, I mean when you when you we get into our testing, we're looking to make sure the proper types of compensation are used. But first of all, you want to make sure that the calculation is accurate and that includes looking at if there's a pay rate increase or somebody's hired. And they had, you know, what they were hired at just to make sure that information that's authorized that was put into the payroll system correctly. And it goes to time cards as well, because you're going, if somebody is an hourly employee, you want to make sure that the time that they are that they work, that they're paid for. And if there's overtime involved, that that's calculated correctly, so it it goes into the controls around making sure that the payroll is calculated correctly, it's processed correctly. So that you don't have to go back and correct a lot of errors. And since that is the bulk of that, payroll is so important to our testing. That is a really important thing for us to get a handle on as far as controls.
Kristin Cortez
And I think- can I say something?
Kim Moore
Sure! Absolutely, go ahead!
Kristin Cortez
I think it's a good, it's a good time to remind auditors that, you know, this is where I think materiality doesn't really play a big role because if you're looking at the participant data information and the compensation, you know you find it, even if it's just a typo, it might just be a typo. They transpose the numbers and when they were entering the new rate. Well, that has a snowball effect throughout the year and those deferrals in that comp will be off and that's where you know, materiality doesn't play a role like you need to be able to fix that and have the team fix that.
Karen Hill
Right, right. Right, right.
Kim Moore
Yeah, absolutely. That's where the compliance element of it comes in. So I always tell people, you know, if I withhold $50 from you out of your payroll and I don't you know, I don't put it into your account. Does $50 on a $20 million plan matter? No. Probably not, but to that individual, does the $50 matter? Yeah, probably it probably does. So. So, yeah. So Kristin, you're absolutely right, the the materiality… when you're looking from a compliance and a participant level…
Karen Hill
Yes.
Kim Moore
…Is very a different calculation. Now we might say materiality at a participant level for $0.50. We're not gonna. We're not gonna chase it. Cause that could be rounding. But we use personally here at the firm we use a dollar.
Karen Hill
Yes and I and I have had instances where I'm questioning and somebody over, “Well, wait a minute. I calculated it. It's this and you actually… This is what you withheld and it's off by three dollars. I'm like, well, that can't be material,” like well. Something's off here and that goes into what I kind of alluded to a little bit earlier is the definition of compensation that's actually used for the deferrals. You want to make sure that if, like we've seen instances where overtime was excluded but it's not supposed to be excluded, but they they didn't include it or bonuses. Bonuses is a big one. Where they they mess up. Either they are calculating the deferrals on the bonuses and they're not supposed to, or vice versa. They're not supposed to and they and they do calculate on it and when you get into some of these fringe benefits that most of them don't allow, but then you have group term life.
Kim Moore
It can get very complicated.
Karen Hill
Yes!
Kim Moore
The other thing you have to remember too, is that we're kind of looking at things at for the area we're talking about at two different levels. So we're looking at it for our individual, in this case, a walkthrough of one participant, looking into that one participant. But we're also looking at it from a a systematized standpoint, so. If you are excluding bonuses if you. If you're just saying I mistakenly thought I could exclude bonuses from deferrals, even though if I looked at my planned document, it doesn't allow me to exclude them. But I thought it was OK to exclude them and maybe I talked to the people, you know, just in the hall. And they said, “oh, yeah, I'm getting this bonus. And by the way, don't take anything out of it. You know, you gotta take taxes, but don't take anything else out.” You're like, well, yeah. You know, I'm gonna. I'm gonna do a nice thing and I'm just. I'm gonna make sure I shut that off so that they don't. They're those deferrals coming out of it. You know, that's a problem. And it's gonna happen for everybody. The same thing if you're. If you set your system which believe it or not, we've actually seen where systems are set so sick days or vacation days or overtime don't get deferred on, you know, got set by mistake that was not intended to be that way, but it just by mistake got set that way where everybody that takes a vacation now. That pay, which is just regular pay, it's just coded as vacation, is now not gonna have deferrals. And so yeah, for that one person, it's important. And but maybe it's 50 bucks or something. But when you start multiplying that across the entire population of a whole year of everybody taking vacation... You know that that can end up being pretty big number and pretty big error. So. So those are the other… and that's really the point of the walk through is so that we're making sure that it's set up properly. Yes, we're going to come back and we're going to, we're going to do our testing and we're going to. Just a bigger number of participants, but it does give us comfort that we know that the system is set up right and we shouldn't be seeing that across the board. If we're. Seeing an error like that in the one walk through, then we're not going to spend a whole lot of time in the testing there going into it because. We already know it's probably going to be wrong for everybody. Because that's just how systems work.
Well, I'm going to hit on another just couple issues here are items that we've been seeing a lot in our audits recently. One of the areas that we look at is overall monitoring oversight, review of the plan, not on an individual transaction level, but overall in general. So usually companies will have maybe a once a year, sometimes it's twice a year, sometimes it's quarterly meeting with an investment advisor and they'll look at the investments in the plan. They'll also do reviews of other things. They'll talk about new options that are out there for planned documents. Maybe we want to consider those or maybe we don't. They'll talk about any kind of problems that they've had or you know how are we thinking about our providers. Are they giving us the service we need, or should we maybe do an an RFP out to see if there's other options out there? Those are very important meetings for your plan, not only from a key control standpoint, but just in general that's overseeing the actions that are happening for your plan. And as we've talked in other podcasts, there are a lot of class action lawsuits right now going on actually with 401K plans around fees being charged, believe it or not, usage of forfeitures by employers, it's not going to go into big detail about forfeitures, but some things that you would think are kind of obscure. But they're multi million dollar lawsuits against companies. So having these meetings, but the important thing is that you're documenting them, and that's what we've not been seeing. Most of our clients have some kind of meeting, can be more often or less often. You can have a lot of people in the meeting, can have fewer people in the meeting. They can talk about different kinds of things at the at these meetings.
But we're seeing a lot of, you know, we have the meetings. Well did anybody take any notes? No. Do you have an agenda copy of what you talked about? No. Didn't keep it. Can you tell me when it happened? Yeah. No, I don't know. We didn't keep track of that. So as an auditor, now I'm coming in. You're telling me all this happens, but I've got no proof that it happened. So for me I have to basically say it didn't happen because I can't see that it happened. I can't. That's part of what I'm doing here is verifying that things are happening that are supposed to be happening and I can't see that now because there's no documentation. So. We've been actually recommending a lot this year of documents with meeting minutes, document with just handwritten notes. Take out an agenda and make some notes on it of who's there. When did you have it? And here's what. We talked about no actions necessary.
Karen Hill
Send an e-mail, send an e-mail following up what you talk.
Kim Moore
Well, yeah, this does not need to be some big formal, “Oh, we need to go hire a stenographer or something. Yeah. You know, and and Kristin, I know she's been doing a lot with AI here. So you can use your AI to just record the meeting and let it make the notes. There's a lot of different options going on here. You know, that you can take advantage of.
Kim Moore
But doing nothing is not a good idea. It it's it bad from an audit standpoint, but from just a business and a fiduciary standpoint, if something were to come up and someone's questioning your oversight of the plan, the fact that you don't have any documentation of anything that you're doing, it's not gonna serve you very well if you end up in a in a courtroom or in some type of litigation, which is happening, believe it or not. More and more and more and more on 401K plans.
The other one I wanted to mention was review of payroll. We've been seeing a lot of that as well. You know your company, I'm sure, has some kind of payroll process that you use regardless of what payroll system you're using and how often you're running payroll and what kinds of payroll entries. You probably have some kind of of procedures in place. They may be documented, they may not. You may have a checklist of things that the person is supposed to review prior to actually executing the payroll run, but what we're looking for is some kind of review approval authorization talked about that at the beginning of the podcast. Again, doesn't have to be a big formal, I've got a big log I sign off on. If you want to do that, that's great. But again, send an e-mail and say hey Yep, checked. It’s good to go. Or, you know, just have a piece of paper that you're writing down. Yep. So and so approved it. There's various ways you can do it and we find that a. Lot of companies do have reviews. But they're just not documenting anything.
Karen Hill
If you send usually send an e-mail, make sure that you keep the e-mail somewhere, just put it into a fold or somewhere that says payroll approval. Because your auditor may ask to see.
Kim Moore
Yeah, we've, we've been doing a lot of that this past year, so. OK, well I think we've pretty much covered our topic today. I'm going to try to wrap this up. You know, we've kind of talked about key controls. We've talked about why they're important. We've given you some good examples. We could be here all day talking about full list of key controls and full examples. So obviously we just hit some important ones for a 401K plan, there's obviously a lot of others and your plan may have some different key controls which would be totally appropriate. So just because we didn't talk about them doesn't mean they wouldn't be important for your plan.
You know, from an audit standpoint, your auditor should be looking at that and should be doing walkthroughs and documenting. If they're not, I'd ask them. Why not? Because that's a problem in the audit if they're not doing that, you know it's a fair question for you to ask your auditor what key controls. They have in the work papers, ask them to see the work paper. That is not out of line for you to be asking for that and, you know, ask what they found. Because if they're finding things aren't working right, they should be sharing that information with you. And that gives you the opportunity to make some corrections, because ultimately you're responsible for the plan and to make sure that everything operates the way that it's supposed to, regardless of whether there's an audit or not. And so, you know, if you have an audit, that's a good opportunity for you to ask the auditor, what are they thinking, what are they seeing? Is there anything that you could do? There we always, we've done podcasts about kind of best practices for 401(k)s. So you might want to go back and check out that podcast because that will give you some examples of things that if you're looking to improve the controls in your, in your plans, that will give you some good areas to consider. So check out some of those past podcasts, if you're interested. With that, I think we're going to wrap up today's podcast. Karen. Kristin, any last thoughts you wanna share with our listeners?
Kristin Cortez
Well, I just wanted to say that, you know, as an auditor, doing the walkthrough helps me to educate my client when we come up with exceptions and differences. And sometimes it's just, they don't know, you know, you, I mean, it goes back to you don't know what you don't know. And so when we perform those walkthroughs and we find the exceptions and the errors, it allows us to help educate our clients. You know, so I think I think it's a very good idea to make sure that your auditor is performing walkthroughs to help you identify the key controls that maybe aren't strong in your company.
Karen Hill
Yes, yes. And maybe they'll do the walkthroughs and they won't find any issues and they'll tell you that your controls are you have good controls and theyre operating effectively.
Kim Moore
And that's good information. Yeah. I mean, that isn't that isn't a nothing. That's good information for you to have.
Karen Hill
Yes.
Kim Moore
So it also you know we and we've talked about this in other podcasts as well. You have a fiduciary responsibility to your plan and to your participants especially and you know again if you don't know what I'm talking about, check out some of those previous podcasts as we talked about that a lot in our in our podcast. But it's very important and you can be personally liable for things that go wrong in the plan that impact participants, especially if it's willing going wrong if you if you're doing something you shouldn't be doing and it's and. It's causing there. But even if it's just you didn't know it, but you didn't have proper controls in place to prevent it or detect it. That could also cause you problems and it can be very expensive and can even involve jail time. Doesn't happen a lot, but the DOL does go after people that are responsible for these plans and are doing things that they shouldn't be. So you do have a responsibility. It's important that you understand what that responsibility is and that you keep up on what's going on with your plan and the key controls is a good area for you to focus your time on to make sure that you're that you're addressing all of those things that you should be.
With that, we're gonna wrap it up. I'm going to throw my e-mail address out here one last time. It's the letter K. Then more so KMORE at Andrews with an sc-pa.com. If this topic piqued your interest and you'd like to talk more about it, or you'd just like to talk about Anders 41K audits. Just e-mail me and we can set up a time to chat. Thank you for listening. And we'll catch you next month on the 401K audit CPA Success Show podcast. Thanks for listening.
Narrator
Enjoy this podcast? Visit ourwebsite@anderscpa.com slash 401K to get more tips and strategies for achieving 401K audit success. We're here to be a resource with ever changing rules and regulations.