Fiduciaries of a plan have a great deal of responsibility when it comes to oversight and operation of a qualified employee benefit plan. Consequences of a failure to comply with the requirements can range from fines to imprisonment, depending upon the severity of the breach. The current pandemic can make it challenging to ensure your plan is still operating as required. One of the most common challenges is a more remote working environment, which brings cybersecurity concerns as well as difficulties in ensuring that controls, such as key reviews of reports and transactions, continue to operate. The following is a checklist to help plan sponsors and other fiduciaries stay on track:
- Educate employees on new cybersecurity concerns, including remaining diligent when receiving suspicious emails, especially those that ask for sensitive information like log-in credentials. Employees should also ensure they are using secure networks for their VPN connections to prevent unauthorized attempts to hack into personnel and company networks. A review of the entity’s policies and update reminders may be necessary to address new remote workforce concerns.
- Monitor service providers and confirm that transactions are continuing to be processed according to the plan’s provisions and participant instructions and that they have their own cybersecurity policies in place for any remote employees.
- Monitor the control environment to make sure the same processes and controls continue to operate, including key controls like secondary reviews of reports and approvals when required. Key controls may include enrolling newly eligible employees, entering deferrals into the payroll system timely, and reviews and approvals over distributions/loans since activity may increase. This includes timely submission to the trust of deferral withholdings.
- Confirm that amendments to the plan, including those related to the CARES Act, are communicated and accepted if they make sense for the company and the status of the workforce.
- Fiduciary meetings should still be held to review investments and any other plan concerns, including required notices, even if virtually.
- Implement additional controls where needed, which may include:
  - further payroll reviews to identify eligible employees and status changes, which could occur quickly and in large volumes for laid-off or furloughed employees
  - additional reviews of reports where errors could occur easily with remote working or increased volume of transactions (e.g. terminations – don’t forget to consider correctly removing access to systems and network)
  - monitoring of transactions continuing to be processed timely, such as remittance of contributions and computation of employer contributions
  - monitoring of systems to watch for any attempted breaches.
Some additional resources as published by the AICPA’s Employee Benefit Plan Audit Quality Center include plan advisories that cover the importance of internal controls, which includes a listing of controls for the plan sponsor to consider, as well as a guide as to how to effectively monitor outsourced functions such as recordkeeping.