The Last 401(k) Audit Checklist You'll Ever Need

January 12, 2017 By Dustin Wood

As an employer with a 401k plan, you may have wondered at some point:

  • What is a 401k audit?

  • What does a 401k audit entail?

  • Are 401k audits necessary?

The checklist below has been developed to aid in identifying basic information and documentation that is required as part of an ERISA Audit. Often, plan administrators (employers) are unfamiliar with what a 401(k) plan audit entails and what information needs to be gathered and provided to facilitate the audit.

The checklist isn’t meant to be a comprehensive list, but rather a tool for identifying, locating, and providing information commonly requested for 401(k) plan audits. Not all plans are alike and some of the items may not be applicable to your specific plan.

While many items would need to be provided on an annual basis, there are also items that would only need to be provided for an initial audit engagement unless they are amended or updated, such as plan documents, amendments, or an IRS determination letter.

The majority of the information listed in the checklist can be provided to us by the third-party administrator and custodian of the plan’s investments. We will also request from the plan administrator (employer) selected copies of reports generated from its HR and Payroll department as it relates to the 401(k) plan participants. These reports can be scanned and emailed, mailed, or faxed to us.

The checklist is divided into sections as follows:

The essence of a 401(k) plan audit is understanding the documents and agreements the plan has in place and examining whether plan operations conform and comply with those documents and agreements. Items in this area of the checklist are typically provided by the 401(k) plan administrator (employer).

The most time-sensitive item tends to be, particularly for initial audits, the granting of access and setting up login information for our audit team to access the custodian’s plan sponsor website to obtain plan reports and participant information for the audit. Failure to provide us with access to that information in a timely manner is a common reason for delays in commencing and consequently completing an audit.

A common audit finding related to plan documents and definitions involves properly understanding and applying the definition of compensation as it is applied to participant and employer contributions. Plan administrators should be careful to understand the definition of compensation in their plan documents and comply with the provisions of the documents in calculating and allocating contributions to participant accounts.

Financial Reporting Information

Items in this area are most commonly provided by the plan’s third-party administrator and custodian of plan assets. The items typically include:

1) An audit package with year-end reports for plan records.

2) A certification letter from the custodian or trustee, which allows the scope of audit procedures in the investments area to be reduced if a bank or insurance company has certified that the year-end reports are complete and accurate.

3) A draft of Form 5500, which should be reviewed by the plan administrator and is compared to the financial statements for the audit.

4) Plan compliance testing results (which are discussed in further detail in the Compliance Testing Documentation section below).

5) Plan activity subsequent to the end of the plan year to identify any significant items occurring after year-end that would impact the plan year being audited.

Plan Internal Controls

Many of the internal control processes and procedures relevant to 401(k) plan operations are performed by service providers who have an auditor assess and test their controls and issue a report that can be obtained and used by the plan auditor in their work (the report is known as a SOC 1 or SSAE 16 report). This report can reduce the amount of testing related to those controls that need to be performed by the plan auditor if they believe they can rely on the information provided by the auditor of the service provider.

Even with that information, as part of the plan audit, we will obtain an understanding of the plan’s internal controls related to payroll and plan operations and perform walkthroughs of the controls to determine whether or not they are operating effectively.

Participant Account Balances

This information can often be obtained by accessing participant account information online through the custodian’s plan sponsor website using the access information requested in the Financial Reporting Information section.

Cash and Investments

This information is typically provided by the third-party administrator and custodian who maintain the plan records for investments, participant accounts, and participant loans (if allowed by plan documents).

As noted in the Financial Reporting Information section above, many plans use custodians who provide a certification letter stating that the investment information is both complete and accurate, which allows more limited audit testing specifically in the investments area.

Contributions, Rollovers, and Forfeitures

Documents in this area are prepared and provided by the plan administrator (employer) and third-party administrator and custodian. 

Contribution information is provided to facilitate the comparison of participant contributions to amounts per payroll forms (W-3 and W-2) and payroll summary reports.  Employer contributions are also recalculated to determine whether they appear to have been calculated in accordance with the provisions in the plan documents. 

To make the process simpler and minimize the risk of errors in federal income tax withholding, we have created a short guide. The guide will provide you with all the necessary information to fill out a Form W-4 (Employee's Withholding Certificate) correctly.

Information is also prepared and provided by the plan administrator (employer) so the audit team can assess whether participant contributions were remitted to the plan timely. This is a common area for an audit finding, particularly in initial audits, as many companies are not familiar with the requirements for timely remittance of participant contributions.

For large plans that are subject to audits (100 participants or more at the beginning of the plan year), there is no safe harbor rule. (Small plans, which have fewer than 100 participants at the beginning of the plan year, do have a safe harbor rule of seven business days.) Instead, once a pattern has been established for the ability to segregate participant amounts from the employer’s general assets and remit them to the plan, that pattern must be applied consistently to avoid delinquent remittance(s).

If instances of delinquent remittance(s) are noted during the audit, they are identified in the financial statements and a supplementary schedule as well as on Form 5500 for the plan. It is also recommended that a correction be calculated and remitted for earnings lost by participants due to the delinquent remittance(s).

If the plan allows and has received rollover contributions, a report is obtained from the third-party administrator or custodian showing details for the rollover contributions during the plan year. As part of the audit, the plan documents are read to determine whether rollover contributions are allowed by the plan and whether they appear to have been properly applied to participant balances.

Forfeiture account details are also provided by the third-party administrator or custodian including the beginning balance, amounts forfeited by participants during the plan year, the amount applied to reduce employer contributions, and/or plan administrative expenses (depending on what is allowed by the plan documents), and the ending balance of the account.

A common suggestion we provide to clients in this area is to use/apply available forfeiture amounts when possible. The IRS has increased scrutiny for plans that have significant forfeiture balances and continue to make employer contributions, which are deducted from the company’s income tax return, when forfeiture balances could have been applied to reduce the contributions.

Benefits Payable and Expenses 

The majority of this information would be prepared and provided by the third-party administrator and custodian and would provide details about amounts paid out by the plan in the form of distributions and plan administrative expenses.

We often discover issues in auditing this area due to incorrect vesting information being provided to the third-party administrator. The custodian and the plan administrator (employer) should carefully review plan provisions within their plan documents, and vesting percentages of participants, to avoid errors in distribution calculations, which the third-party administrator or custodian typically performs.

Compliance Testing Documentation

This information is prepared and provided by the third-party administrator or custodian of plan assets and identifies whether required compliance testing has been performed and if the plan passed the testing or failed and made corrections as necessary.

The compliance testing would typically be performed prior to the commencement of the audit and any failed tests and potential corrections should be discussed by the third-party administrator or custodian with the plan administrator and remedied as soon as feasible.


The above list of items required to successfully audit a 401(k) plan is provided in an effort to furnish a helpful resource to you in the planning of your audit.
