Blog

By Mark Olsen, Managing Director at PlanPILOT

For retirement and benefit plan sponsors, a Department of Labor (DOL) audit is normally not a welcomed event. Audits, though, are designed to make sure plans such as 401(k)s, 403(b)s, and pension programs are administered properly and comply with ERISA and tax rules. 

Under ERISA, the DOL enforces fiduciary and reporting standards. Every covered plan must file an annual Form 5500, and plans of 100 or more participants must include an independent audit as part of their policies and procedures.

At PlanPILOT, “plan governance” is a core service we deliver to our plan sponsor clients. In our view, having a well-designed program with efficient documentation procedures and fiduciary training can help mitigate and avoid issues with ERISA regulations and auditors. 

Let’s take a look at how sponsors can plan and prepare for the inevitable audit examination.

Prepare to Succeed 

Plan sponsors should first establish robust internal controls and proactively organize comprehensive documentation. The best approach is to maintain compliance with ERISA regulations ahead of time and have a systematic, audit-ready recordkeeping system in place. 

Internal Preparation

Effective internal preparation focuses on ongoing compliance and organization, not just a last-minute scramble. 

• Designate a point of contact: Appoint one primary internal contact to manage all communications and document requests.
• Engage legal counsel and advisors: Consider engaging experienced ERISA legal counsel and experienced plan consultants. Consultants can assist in documentation preparation and advise on audit procedures and responses while attorneys can provide guidance, representation, and help maintain attorney-client privilege.
• Conduct self-audits: Periodically review plan operations against plan documents and regulatory requirements to identify and correct issues proactively. Utilize plan consultants and use periodic “mock audits” to test the program’s procedures and documentation.
• Establish strong internal controls: Implement and document clear policies and procedures for all plan activities, including eligibility, contributions, distributions, and loans.
• Document fiduciary meetings: Maintain detailed minutes of all board and/or administrative committee meetings where plan decisions (e.g., investment choices, fee reviews, service provider selection) are discussed and approved.
• Ensure proper bonding: Annually verify and document that all individuals who handle plan funds or property are covered by an adequate ERISA fidelity bond (typically at least 10% of the funds handled, with a minimum of $1,000 and generally a maximum of $500,000 unless the plan holds employer securities).
• Communicate with service providers: Confirm that third-party administrators (TPAs), recordkeepers, and other vendors can readily provide their records or a SOC 1 report upon request. 

Keep Essential Documentation

The DOL typically sends an initial letter outlining the required documentation. Having these items organized and readily accessible helps streamline the process. 

• Plan Legal Documents
  • Executed Plan Document and all amendments
  • Summary Plan Description (SPD) and any Summaries of Material Modification (SMMs)
  • Current IRS determination or opinion letter
  • Trust Agreement
• Financial and Operational Records
  • Prior years’ Form 5500 filings, including all associated schedules (e.g., Schedule H/I, Schedule A, Schedule C) and the independent auditor’s report (if applicable)
  • Plan financial statements, general ledgers, account statements, and ledgers
  • Payroll records and employee census data (list of all employees, including hire dates, compensation, and demographics)
  • Detailed records of contributions remitted to the trust, by pay period, with proof of timely deposit
  • Documentation of participant activity (enrollment forms, loan agreements, distribution paperwork)
• Service Provider and Compliance Documentation

• • All contracts and service agreements with plan providers (TPAs, investment managers, etc.), including fee schedules and compensation details
  • The plan’s Investment Policy Statement (IPS) and documentation of adherence to a prudent process for selecting and monitoring investments
  • Results of non-discrimination testing (ADP/ACP, top-heavy, coverage)
  • Proof of the plan’s fidelity bond and fiduciary liability insurance policies 

By proactively preparing this documentation and establishing clear internal procedures, plan sponsors can navigate a DOL audit efficiently and demonstrate a strong commitment to their fiduciary responsibilities.

When the Audit Notification Arrives

An audit of your retirement plan typically involves a thorough, multi-stage review of your plan’s compliance with the ERISA regulations, focusing heavily on documentation, fiduciary practices, and participant interactions. The process can take weeks to several months, depending on the complexity of the plan and any issues found. 

The Audit Process: Step-by-Step

1. Initial Contact: You will receive a formal letter from the DOL’s Employee Benefits Security Administration (EBSA) notifying you of the audit and requesting a comprehensive list of documents to be submitted by a certain date.
2. Document Submission & Review: You must gather and provide extensive documentation, including plan documents and amendments, Form 5500 filings, payroll records, participant communications (e.g., Summary Plan Descriptions), and records of fiduciary meetings. An auditor will review these records and may request additional information.
3. On-Site or Virtual Interviews: The investigator may conduct interviews with plan fiduciaries, administrators, and potentially even participant-employees to verify that actual operations match the plan’s written documents and legal requirements.
4. Findings & Resolution
   1. No Violations: You will receive a formal closing letter stating the investigation is complete.
   2. Violations Found: EBSA will issue a letter detailing the violations and asking plan officials to voluntarily correct them. This may involve using programs like the Voluntary Fiduciary Correction Program (VFCP) to correct certain fiduciary breaches.
5. Penalties and Closing: After corrections are made and any penalties are paid, EBSA will issue a final closing letter. If plan sponsors refuse to cooperate or if the violations are severe (e.g., fraud), the case can be referred for litigation. 

Key Areas of Focus

Auditors will primarily focus on:

• Timeliness of contributions: Ensuring employee deferrals and loan repayments are deposited into the plan’s trust as soon as administratively possible (but no later than the 15th business day of the following month)
• Fiduciary oversight: Verifying plan fiduciaries are acting in the best interest of participants by prudently selecting and monitoring investments, ensuring reasonable fees, and documenting all decisions
• Compliance with plan documents: Confirming that the plan’s operations (e.g., eligibility, vesting, distributions) strictly adhere to the terms outlined in the official plan document
• Reporting and disclosure: Checking that all required filings (Form 5500) were complete and timely, and all required participant notices were distributed 

What to Do Initially

Your best initial response would be to cooperate promptly: respond to information requests quickly and professionally. As mentioned, designate a single point of contact to streamline communication with the investigator. Consult with your experienced legal counsel and plan consultant to help navigate the process.

Are You Prepared for a Visit From the DOL?

No one likes to learn they have been selected for a DOL audit, but knowing your plan is well-designed, compliant with ERISA regulations, and operating smoothly can provide confidence and assurance that the result of the audit will likely be a “No Violation” closing letter. 

At PlanPILOT, we’re creating the standard for client experience. Independent and impartial by design, we apply our skill to every facet of plan development, governance, and implementation to help you enjoy meaningful results. Our client partnerships are built on trust, communication, and responsibility—cornerstones of a healthy, prosperous relationship. We’re committed to providing objective guidance, informed innovation, and an integrated approach tailored to your unique objectives.

Our team of seasoned professionals upholds the highest professional standards, so every strategy we recommend aims to support both your organization and the participants who depend on it.

Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.

About Mark

Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.

By Mark Olsen, Managing Director at PlanPILOT

While October is recognized as Cybersecurity Awareness Month, the topic deserves attention year-round. For retirement plan sponsors, creating and maintaining an incident response plan is a critical fiduciary responsibility. It involves developing procedures for handling breaches, learning from real-world examples, and training internal teams and committee members on cybersecurity awareness. 

At PlanPILOT, we are all too aware of the havoc a cybersecurity breach can cause to operations and participant confidence. Implementing a sound and effective plan to combat cyberattacks and preserve sensitive participant and plan information can not only boost employee morale and confidence, but also demonstrate fiduciary responsibility as a plan sponsor.

Let’s take a look at how such a Cybersecurity Response Plan might be implemented.

Steps for Creating and Maintaining an Incident Response Plan

According to the Department of Labor (DOL) and cybersecurity experts, a robust incident response plan (IRP) follows these steps: 

1. Preparation

• Create a formal cybersecurity program: Document your policies and establish a clear plan. Require senior management and response teams to review and clearly understand these policies and procedures. Have the “manual” readily available for review and retrieval when requested in an audit.
• Conduct risk assessments: Annually identify and address vulnerabilities in your IT systems, including those of third-party vendors. Work with IT consultants who have up-to-date knowledge of ever-changing cyber threats and breach techniques.
• Establish an incident response team: Define roles, responsibilities, and authority levels for a dedicated team (also known as a Computer Security Incident Response Team, or CSIRT) that can act swiftly.
• Identify and categorize incidents: Define what constitutes a cybersecurity incident for your organization based on severity and potential impact.
• Define communication protocols: Create procedures for internal and external communication with stakeholders, including participants, regulators, and legal counsel. Some P&C insurers will require inclusion in communications if claims for breaches are part of covered risks. 

2. Detection and analysis

• Monitor systems: Use monitoring tools and alert systems to detect potential security incidents. Schedule and document regular testing of such systems.
• Validate potential threats: Thoroughly investigate and confirm whether a detected event is a real security incident. 

3. Containment, eradication, and recovery

• Contain the breach: Implement response protocols to quickly isolate affected systems and limit the exposure of data.
• Engage experts: Bring in cybersecurity and forensics professionals to help remediate the breach.
• Remove the threat: Eradicate the root cause of the incident, such as malware or unauthorized access, and patch vulnerabilities.
• Recover and restore: Restore systems from clean backups and resume normal operations as quickly as possible.

4. Post-incident activities

• Conduct a blameless retrospective: Document the full incident timeline and analyze the effectiveness of the response.
• Update the plan: Learn from the incident to improve the IRP and overall security posture. Revise the plan annually or after any significant organizational change.
• Document and report: Create detailed incident reports for legal and regulatory purposes.

Examples of Breaches and Lessons Learned

Recent breaches targeting retirement plans and associated third-party vendors offer valuable lessons for plan sponsors. 

• JP Morgan Chase data breach (2024): A software flaw exposed the personal information of over 451,000 retirement plan participants for an extended period. JP Morgan Chase is not only one of the world’s largest banks, but also a financial powerhouse, subject to scrutiny and cybersecurity regulations in banking and securities trading.
  • Lesson: Vulnerabilities in systems and third-party software can lead to data breaches even without a direct cyberattack. Regular, thorough security reviews of all software are essential.

• MOVEit cyberattack (2023): Vulnerabilities in a third-party file transfer tool led to breaches at several public pension systems and major recordkeepers, affecting millions of individuals.
  • Lesson: Third-party vendors are a major source of risk. Plan sponsors must conduct strict due diligence on all vendors and maintain robust security controls.

• Account takeovers: Criminals are increasingly aware that retirement plans are a valuable target. They use stolen participant data to take out unapproved loans or redirect funds.
  • Lesson: Encourage participants to use strong, unique passwords and multi-factor authentication. Plan sponsors should also invest in modern fraud surveillance systems. 

Training Internal Teams and Committee Members

Effective training can significantly reduce the risk of a breach and improve a plan’s response. The training should be tailored to the audience and provided regularly. 

• Regular awareness training: Educate all staff on how to recognize phishing emails, social engineering tactics, and other common threats.
• Phishing simulations: Conduct regular phishing tests to measure employee vulnerability and reinforce lessons learned from training.
• Data handling protocols: Train employees on how to securely handle sensitive data, use corporate devices, and access plan information.
• Breach action plan: Train teams on their specific roles within the incident response plan, including detection, containment, and notification procedures.
• Best practices: Promote strong passwords, use of multi-factor authentication, and vigilance against suspicious communications. 

For Retirement Plan Committee Members

• Understand fiduciary duty: Train committee members on their fiduciary responsibility for protecting plan assets and participant data.
• Address key risks: Educate the committee on the specific cybersecurity risks facing the plan, including third-party vendor risks and account takeovers.
• Review and approve policies: Train committee members on how to evaluate and approve the plan’s cybersecurity policies and incident response procedures.
• Discuss vendor controls: Review Service Organization Control (SOC) reports and other security audits from recordkeepers and other vendors.
• Conduct tabletop exercises: Simulate a breach scenario with the committee to test the incident response plan and evaluate decision-making under pressure. 

In today’s fast-changing world of technology, cybersecurity and guarding against attacks on company IT systems is not only critical to protecting company information and operations, but an essential part of robust fiduciary responsibilities for retirement plan sponsors.

Plan sponsors interested in upgrading or implementing a cybersecurity protection and response plan would be wise to work with qualified benefit consultants who can offer customized plan design tailored to company objectives and resources as well as a good match with participant goals and demographics.

Is Your Company Retirement Plan Protected Against Cyberattacks?

Are you ready to upgrade to a new standard for your benefit planning and company retirement plan? Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.

About Mark

Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.

By Mark Olsen, Managing Director at PlanPILOT

For many years, employer-sponsored defined contribution retirement plans have relied on target-date funds (TDFs) as a core investment option. In many cases, these funds also serve as the plan’s Qualified Default Investment Alternative (QDIA), the investment automatically assigned to new participants who have not selected their own holdings.

For employers who sponsor defined contribution retirement plans for their employees, TDFs offer numerous advantages to both the company and the employee participants. These include:

• Simplicity in choice and application: Target-date funds offer a simple, understandable, and automated choice for participants. Since the allocation is age or retirement-based, the funds are designed to adjust to lower risk over time in tandem as the participant approaches their designated retirement age. TDF investment and their popularity have grown over the years and have helped to increase plan participation.
• A prudent QDIA holding: As the default choice for new participants, TDFs have helped millions of participants get started with saving for retirement, helping these employees overcome investing anxiety and decision paralysis. For employers, TDFs are viewed favorably by regulators when assessing a plan sponsor’s prudence and oversight.

The Rise of Managed Accounts

While TDFs remain overwhelmingly popular, demand has grown for more personalized options that include greater asset and sector diversification, customization, and the ability to incorporate more individualized data points than the rather limited scope of a selected retirement timeline. 

Managed accounts are portfolios supervised by professional investment managers who direct the asset allocation based not only on retirement age, but also other material financial factors (such as expected pension income or other assets) that target-date funds don’t consider.

One potential fatal flaw of target-date funds is the one-size-fits-all approach that fails to consider relevant investment criteria like the participant’s risk tolerance or investment experience. With managed accounts, portfolios may be tailored to account for these variables among participants, as well as whether accounts are sufficiently large enough to prudently accommodate wider diversification and alternative assets.

In essence, including managed accounts in a plan may allow for similar types of personalized investment advice that may be found with traditional financial advisors but in a more scalable and cost-efficient manner. Depending upon the composition of the participant demographic (for example, a high percentage of higher-balance accounts with older, experienced employees with more complex personal financial situations), managed accounts may serve as a favorable option for those seeking a more sophisticated solution to achieving their retirement savings objectives.

Pros of Managed Accounts

In addition to the ability to develop a highly personalized strategy, managed accounts offer several other advantages:

• Comprehensive advice: Plans may include an advice component that allows participants to interact with a financial advisor, something still highly desired among older participants. This feature can help to alleviate investor anxiety and emotionally based investment decisions, as well as provide clarity and objectivity.
• Flexible investment management: Today’s investors are well aware of the many alternatives to traditional stocks and bonds and increasing their interest and further participation may require the ability to diversify their investments with such alternatives. In addition, the ability to periodically rebalance or adjust allocations based on market conditions may also be desirable features.

Cons of Managed Accounts

Managed accounts do come with drawbacks, however, that ought to be considered in plan design or upgrades:

• Higher cost: Of course, with more features and services comes greater expense, especially for those with higher account balances if fees are percentage-based.
• Participant engagement: One feature of TDFs is the general “hands-off” nature of the investment. Managed accounts, on the other hand, require the participant to, well, participate, by providing additional personal financial information, preferences, and objectives, etc., to fully realize the benefit. Many could fail to do so.
• Increased plan sponsor fiduciary responsibility: Increased fees and complexity means employer sponsors need to exercise thoughtful care, due diligence, and document decision-making when implementing a managed account feature within their plan. Doing so could help avoid future adverse issues with regulators, auditors, and dissatisfied participants.

In summary, even if implemented as a hybrid solution with TDFs, managed accounts offer a flexible alternative investment solution for those participants desiring a more sophisticated, personalized approach to retirement savings and investment within their employer-sponsored plan. 

Plan sponsors interested in upgrading their plan or implementing a new one would be wise to work with qualified benefit consultants who can offer customized plan design tailored to company objectives and resources as well as a good match with participant goals and demographics.

Are You Maximizing the Potential and Cost Efficiency of Your Benefits Program? Talk With Us.

Are you ready to upgrade to a new standard for your benefit planning and company retirement plan? Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.

About Mark

Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.

By Mark Olsen, Managing Director at PlanPILOT

There’s little doubt that company culture and workplace benefits are undergoing a profound evolution today. As younger generations become a greater part of the workforce, companies will need to adjust and adapt their benefit programs to their needs if they want to retain young talent.

One area that PlanPILOT first examines for clients in this regard is the company-sponsored retirement savings plan. Younger workers may feel more pressure to depend upon their own savings and investments to secure a financial future instead of Social Security. In addition, many features may be added that address their own particular needs (such as paying down student loan debt) and their values (such as socially-based investments).

Here are recommendations that may appeal to younger workers.

Make Saving for Retirement Easier

While younger workers may be quicker with technology and have a head start on investing than their parents did at the same age, they still may need assistance in getting started and navigating the ever-changing investment world. Consider implementing these tools:

• Auto-enrollment: Even small payroll deferrals can help get a retirement account started and build confidence that regular contributions and compounding can work. Get younger eligible workers started, especially if you can also provide a matching contribution.
• Matching contributions: Don’t be stingy with the employer match. A 6% salary matching contribution sounds a whole lot better than 3%, even to a younger person.
• Financial wellness and investing education: Help younger workers make sense of a changing investment world with interactive web-based educational tutorials, webinars and videos. Bring in financial experts who can not only discuss investing, but other relevant topics, such as debt management or a first home purchase.
• Implement student loan match programs: Younger workers face a dilemma in whether to contribute to their retirement accounts or pay down student loans and forgo the employer match. To make the choice easier, the SECURE Act 2.0 allows for employers to make matching contributions based upon the worker’s student loan repayments instead of payroll deferrals to their retirement account. The worker gets the best of both choices.

Enhance the Plan’s Investment Menu

Limited choices of fee-heavy insurance-based mutual funds are financial dinosaurs in the retirement plan space. Make sure your plan offers modern features to attract young workers’ attention.

• Offer a Roth Option: Younger workers may not need the annual income tax deduction as much as they want tax-free retirement resources. Include a Roth 401(k) feature to allow this choice. SECURE 2.0 also allows employees to designate their employer match and nonelective contributions to a Roth contribution within their account.
• Include index-based investments: Actively managed mutual funds are still the predominant type of investment holdings within retirement plans, but low-expense index-based funds and “exchange-traded funds” (ETFs) are growing in popularity. Younger workers are well aware of these advantages and may prefer index funds.
• Consider adding socially responsible investment choices: Today’s younger generation may be more socially and environmentally aware and want their investments to reflect their values. Environmental, social, and governance (ESG) investments consider factors such as environmental and societal impact when choosing holdings—something younger people consider important. 
• Increase the “menu” of investment choices: A major complaint about older plans is the limited choice of investment options, particularly in the fixed-income space. Make sure your plan includes a reasonable variety, perhaps with some alternative asset classes that may help with diversification objectives.
• Include target-date retirement funds: Target-date funds (especially as a default investment choice) allow a one-choice solution for those inexperienced with investing and may reduce enrollment anxiety. These funds provide wide diversification and a time horizon-based allocation that adjusts to a more balanced or conservative selection as the participant gets closer to their anticipated retirement age.

Implement Technology Tools and Features

Today’s younger workers live in a technology-based world. It’s how they communicate with each other and organize their lives, particularly through their smartphone. Any aspect that cannot be accessed or managed via their phone will be a hindrance to them.

• Your retirement plan should be tech-friendly: Plan features need to include an “app” for quick retrieval with a thumb press and access via a user/password app as well.
• Easy to find and read statements or change investment choices: As Steve Jobs demanded with his 3-click rule for Apple products, make sure participants can find what they want in their account easily.
• Include video tutorials or education materials: Younger participants embrace TikTok not only for entertainment, but to access and share information. Capitalize on this by including instructional or other types of videos to disseminate information or help them learn how to best utilize their retirement plan benefits.

In conclusion, by understanding the needs and preferences among younger workers, employers can demonstrate their commitment to their satisfaction by offering relevant features and enhancements to encourage retirement plan participation and retain young talent. Plan sponsors can also help fulfill their fiduciary obligation for proper oversight and management of their retirement plan and be confident they’re not missing important deficiencies that could hamper their plan’s effectiveness with their young workers.

We Can Analyze Your Plan and Improve It

Are you ready to upgrade to a new standard for your benefit planning and company retirement plan? Reach out to us at (312) 973-4913 or send an email to mark.olsen@PlanPILOT.com to learn more about how we can customize our services and your plan to fit your unique needs.

About Mark

Mark Olsen is the managing director at PlanPILOT, an independent retirement plan consulting firm headquartered in Chicago. PlanPILOT delivers comprehensive retirement plan advisory services to 401(k), 403(b), and 457 plan sponsors. His specialties include plan governance, investment searches, investment monitoring, and plan oversight. Mark is recognized as a leader in the industry and speaks at national conferences, including those organized by Pensions & Investments, and CUPA-HR.