Peer reviews and Department of Labor inspections of 401(k) audits can be challenging for CPA firms, especially small and midsized firms. Auditors often find themselves facing questions about their methods, documentation, and procedures, with feedback ranging from legitimate findings to subjective preferences. 

Knowing how to distinguish between what is required by standards and what is opinion is crucial for auditors to confidently navigate these reviews and inspections.

Before diving into some real-world examples, it’s important to emphasize that understanding the standards governing 401(k) audits is non-negotiable. Compliance risks in auditing employee benefit plans can have serious consequences for CPA firms, including heavy fines, reputational damage, and, in extreme cases, the loss of a firm’s license to practice. 

BillionPhotos.com – stock.adobe.

These risks underscore why it’s vital for firms to fully understand the nature of any findings they face and the reasons behind them. To effectively defend against a reviewer’s findings, auditors must not only be familiar with the standards but also be able to reference them during reviews. Having a deep understanding of the standards empowers CPA firms to push back when necessary and confidently challenge findings that are based on subjective opinions rather than clear requirements.

The fine line between standards and opinion

A good example of this confusion is the issue of audit documentation for Form 5500 filings. As part of the audit procedures, the auditor must obtain and read the draft Form 5500 to identify material inconsistencies, if any, with the audited ERISA plan financial statements. However, nowhere in the codified standards does it say that a final copy must be maintained in the audit binder when management agrees to make the requested changes. 

Consider this real-world situation: As part of an audit, “Sam” reviewed the draft Form 5500, and identified material inconsistencies that needed to be corrected. Both management and the service provider agreed, and the changes were made to Form 5500 so no material inconsistencies remained. 

However, the changes were made on October 15, and Sam did not place the final draft in the audit binder, leaving only the original draft in the documentation. A peer reviewer dinged Sam’s firm, claiming that a final copy should have been in the binder.

What’s the standard? The standard is to review the draft Form 5500 to ensure that it is substantially complete and doesn’t contain material inconsistencies, which is exactly what they did. If Sam’s CPA firm had familiarized themselves with the standards — in this case, AU-C Section 703, “Considerations Relating to Form 5500 Filing” — they could have confidently pushed back against the peer reviewer. Instead, they accepted the penalty, not because of a legitimate issue, but because the auditor didn’t know the standard well enough to defend his position.

Key takeaway: If you’re facing findings, always refer to the specific standards. If the standards don’t explicitly require what the reviewer is claiming, it’s a subjective opinion, not a matter of compliance. Don’t be afraid to push back when necessary.

You don’t get points for extra credit

Confusion doesn’t always start at the peer review level. It can happen before the audit is submitted, among your own audit team. A good example of this involves whether auditors are required to verify the census data used for plan compliance tests, such as discrimination testing.

A compliance officer at a CPA firm wanted her audit team to verify the accuracy of the census data used in compliance testing. One of her auditors pushed back, pointing out that nowhere in the standards does it say auditors must reperform compliance tests or verify census data. 

Instead AU-C 703, Section .A31 only requires auditors to confirm that a plan’s TPA has performed the relevant IRC compliance tests, and whether any failures were identified and corrected. The auditor is only responsible for ensuring that the plan performed the required tests and passed, not for redoing the tests themselves.

What’s the lesson? Auditors are often pressured to perform steps that aren’t required by the standards. In this case, verifying the census data might seem like thorough auditing. How else would you know they passed correctly if you didn’t also know the census data was accurate? But it’s not required. As long as the compliance testing has been performed and reviewed by management, the standard is satisfied. Double-checking the compliance testing only adds unnecessary time to what is already a laborious audit process.

Key takeaway: Understand what is required by the standards and what is simply “nice to do.” Over-auditing isn’t necessary and can lead to inefficiencies. Know where to draw the line between what’s required and what’s not.

What you don’t know can hurt you

Another area of confusion arises when it comes to testing benefit payments and distributions in defined contribution plans. The AICPA Auditing and Accounting Guide for Employment Benefit Plans provides several acceptable methods for testing participant benefit distributions and withdrawals. Some methods make sense in today’s digital age — others, not so much. 

A DOL agent reviewing a 401(k) audit claimed the audit was deficient because the firm didn’t use cancelled checks to test benefit payments. However, the auditor had used an alternative method: comparing the payee’s name on electronic funds transfers to participant records, which is a satisfactory method explicitly mentioned in the AICPA Guide (Chapter 5, “Auditing Considerations for DC Plans”). The DOL agent argued that without the cancelled checks, the benefit payments couldn’t be fully tested.

What’s the lesson? The AICPA Guide lists several methods for testing benefit payments, including comparing EFT records. Cancelled checks, while still a valid testing approach, are no longer commonly returned by banks, making it an impractical method in today’s world. By pushing back with reference to the audit guide, the auditor successfully convinced the DOL agent that their approach was compliant, even though it wasn’t the method the agent preferred.

Key takeaway: Know the multiple methods allowed by the audit guide for testing benefit payments. If a peer reviewer or inspector prefers a method that’s not required by the guide, don’t hesitate to defend your choice of an alternative method.

Practical tips for navigating peer reviews and DOL inspections

While peer reviews and DOL inspections can seem intimidating, you can protect yourself and your firm by taking a few simple steps:
1. Know the standards: This can’t be emphasized enough. If you’re uncertain about a finding, look it up. Knowing the codified standards allows you to differentiate between subjective opinion and objective requirements.
2. Be ready to push back: Not all findings are grounded in standards. Some reflect personal preferences or common practices that aren’t required. Always ask for clarification on where the requirement is codified before accepting a finding.
3. Document, document, document: Proper documentation is key. Whether it’s the Form 5500 review or compliance testing, maintain thorough records. This doesn’t mean you need to over-audit, but it does mean you need clear evidence of compliance with the required steps.
4. Use the AICPA Audit Guide: This resource is invaluable for addressing many of the grey areas in 401(k) audits. Refer to the guide when determining which procedures to follow, especially in areas like benefit distributions where there are multiple testing methods.
5. Seek clarification on ambiguities: When faced with a finding that you’re unsure about, consult with the AICPA’s audit guide or the standards. Engage in a constructive dialogue with peer reviewers or DOL inspectors to clarify what’s required versus what’s a matter of personal preference.
Navigating a peer review or DOL inspection of your 401(k) audit can be complex, but it doesn’t have to be daunting. The key to success lies in your understanding of the standards, knowing when to push back against subjective opinions, and using the right resources to support your audit process. 

As demonstrated in the examples above, a strong grasp of the ASC and the AICPA’s audit guide can be the determining factor between a successful audit review and one that results in costly penalties or even a failed inspection. Stay informed, stay prepared, and always ensure your practices align with the written standards — not subjective opinions.