
Think Your EBP Plan is Audit Ready? Check These 7 Areas First

Oct 15, 2025 | Audit, Business, Featured, News

Contributors: Gosia Kanda, abip CPA, Jesse Spence, abip CPA, Mona Fathinejad, abip CPA, and Robert Massa, Prime Capital.

For HR professionals and C-Suite executives, managing an ERISA retirement plan is more than just a routine administrative task; it’s a fiduciary responsibility that demands precision, coordination, and compliance with ever-evolving regulations. Navigating the complexities of ERISA plan compliance is a critical responsibility for plan sponsors, yet many organizations struggle to meet the rigorous standards set by the Department of Labor (DOL) and the Employee Retirement Income Security Act (ERISA). From plan document and eligibility oversights to late contributions and data errors, even seemingly minor missteps can lead to costly corrections, audit deficiencies, and potential regulatory scrutiny. As retirement plans continue to evolve under new legislation like the SECURE 2.0 Act and the ever-increasing need for improved cybersecurity, staying ahead of compliance challenges is more important than ever.

In this blog, we aim to highlight some of the most common 401(k) compliance issues uncovered during audits, providing practical insights and best practices to help employers and plan sponsors strengthen their internal controls, enhance data accuracy, and fulfill their fiduciary responsibilities. Whether you’re managing a large plan or overseeing a small business retirement offering, understanding these pitfalls and implementing prudent best practices to avoid or mitigate them can make a significant difference in your plan’s long-term success and demonstrate your commitment to fiduciary excellence and integrity.

1. Certification Gaps: The Foundation of a 103(a)(3)(C) Audit

The trustee or custodian certification is the cornerstone of an ERISA Section 103(a)(3)(C) audit, yet it remains one of the most misunderstood components. The DOL allows auditors to rely on a valid certification for certain plan assets, but only when it comes from a qualified institution—such as a bank, trust company, or similar regulated entity—and covers all plan assets and investment information for the year under audit. Common compliance failures include certifications issued by nonqualified service providers, unsigned or undated letters, or certifications that do not specify the covered period. These gaps can invalidate the auditor’s ability to limit testing, potentially converting the engagement into a full-scope audit. Plan management must also remember that certification does not relieve fiduciary responsibility; management remains accountable for determining that the certification meets ERISA requirements and for ensuring accuracy of non-certified components like contributions, loans, and distributions. A best practice is to request and review the certification early in the audit process, confirm the issuer’s qualifications, and maintain documentation of the review. Early verification saves significant time and mitigates the risk of an audit deficiency or regulatory finding.

2. Delayed Remittances: A Costly and Common DOL Finding

Timely remittance of participant contributions remains one of the most frequent, and avoidable, ERISA compliance failures. The DOL requires that employee deferrals and loan repayments be transferred to the plan as soon as administratively feasible, typically within a few business days of payroll. Many employers incorrectly assume that they have until the 15th business day of the following month, but that deadline applies only in rare cases where earlier remittance is genuinely impossible. Late deposits are treated as prohibited loans from the plan to the employer and can be corrected under the Voluntary Fiduciary Correction Program (VFCP) with lost earnings calculated and remitted. The issue often arises from inadequate internal coordination between payroll, human resources, and accounting teams, or from a lack of written procedures for contribution processing. To reduce risk, employers should benchmark remittance timing against each pay cycle, document any exceptions, and periodically test their remittance process. Implementing automated payroll integrations with the recordkeeper can also help ensure compliance. Consistent, documented procedures not only protect the plan’s participants but also demonstrate fiduciary diligence in the event of an audit or DOL review. 

3. Participant Data and Eligibility Errors: Small Details, Big Impact

Accurate participant data is the backbone of a compliant retirement plan, yet it remains one of the most error-prone areas uncovered during ERISA audits. Even small inaccuracies, such as incorrect hire or termination dates, missing birthdates, or misclassified compensation, can cause significant misstatements in participant allocations, employer match calculations, and vesting determinations. One of the most common findings involves employers failing to apply the plan’s defined compensation correctly, often excluding bonuses, overtime, or other pay codes that the plan document includes. These operational errors can lead to contribution shortfalls, correction costs, and potential plan disqualification if left unaddressed. To prevent issues, sponsors should perform an annual census reconciliation between payroll, HR, and recordkeeper systems before audit fieldwork begins. Employers should also review eligibility tracking processes, especially for part-time or rehired employees, to ensure they align with the plan document. Maintaining clear audit trails, documenting corrections, and providing training to HR and payroll staff are vital steps. Ultimately, accurate and reconciled participant data not only ensures audit readiness but also builds trust with plan participants, regulators, and auditors alike.

4. Internal Control Weaknesses: The Hidden Risk Beneath Compliance

Even when a plan appears compliant on the surface, weak internal controls can expose sponsors to significant fiduciary and operational risks. Auditors frequently identify deficiencies such as a lack of segregation of duties, inadequate reconciliations between payroll, recordkeeper, and custodian reports, or missing review of service organization (SOC 1 Type 2) reports. These weaknesses often occur in smaller organizations where a single employee manages multiple functions, from payroll processing to contribution submissions, creating opportunities for error or misappropriation. Without documented oversight, management may not detect discrepancies until well after they occur. Strengthening controls doesn’t necessarily mean hiring additional staff; it often starts with establishing documented review procedures, periodic reconciliations, and formal approval checklists. Plan sponsors should ensure all service providers supply current SOC 1 Type 2 reports and that management reviews the complementary user entity controls noted within them. Regular internal reviews and cross-checks among payroll, HR, and accounting teams further reinforce data integrity. By fostering a culture of control awareness and accountability, sponsors can significantly reduce audit findings, enhance financial accuracy, and demonstrate their commitment to fiduciary best practices under ERISA.

5. Delayed or Missed Auto Enrollment: SECURE 2.0 Provision for New Plans

One of the provisions of the SECURE 2.0 Act aimed at enhancing plan administration is the auto enrollment feature, which is required for new plans and optional for existing plans. If set up properly, it can greatly improve the timely onboarding of new hires and increase plan participation. Unless an employee specifically opts out of the plan, the goal is to enroll all eligible newly hired employees at a specified deferral percentage, with a potential annual increase, as provided in the plan document. For the auto enrollment feature to work effectively, all newly hired employees need to be properly onboarded within the recordkeeping system, since most often the initial employee deferrals are set up on the recordkeeper’s systems and then transmitted to the employer for entry into payroll. A common 360-degree integration between the payroll and recordkeeping systems can streamline this process from the beginning and reduce the human errors that often stem from manual inputs. Any missed or delayed enrollments require plan sponsors to calculate and deposit corrective contributions for the affected participants, including Qualified Nonelective Contributions (QNEC) for each missed deferral opportunity, together with any missed employer match and related lost earnings. Such corrections create unnecessary administrative burden and may lead to employee complaints and dissatisfaction. Periodic reconciliations of new hire records against the recordkeeping data help identify any missed participants in a timely manner and ensure new employees are properly onboarded within the plan.

6. Segregation of Duties: Common Issue for Smaller Companies

Our audits of smaller companies’ employee benefit plans often reveal a lack of segregation of duties between plan operations and the plan fiduciary. A simple control, separating the various functions of the benefits department, is often missing because those functions are held in the hands of the same person. This is usually the case for plans of small size; however, any lack of segregation of duties increases fraud risk related to financial statement misstatement, misappropriation of assets, or both. It is the responsibility of management and those charged with governance to evaluate the cost and benefit of mitigating the risk that results from a lack of segregation of duties. Both need to continuously oversee the plan and monitor its activities. Proper arrangements with an outsourced administrator can alleviate some of those risks and help ensure that sufficient controls are in place and that the plan continues to operate in accordance with its provisions.

7. Mandatory Distributions: Overlooking Terminated Participants

To reduce the administrative burden of maintaining terminated participant accounts, mandatory distributions are a common plan provision that aims at liquidating any open balances below a specified threshold. During our audits, we frequently identify participant accounts at year end that belong to employees who have been terminated and whose account balances are equal to or less than that threshold. We find that there is a lack of control in place to ensure that mandatory distributions are processed timely following severance of employment for participants with such balances, pursuant to the plan provisions. Plan management should consult with its service provider to develop a control to periodically (at least annually) review the accounts of terminated employees and process such mandatory distributions. In the case of missing participants, plan fiduciaries must be able to demonstrate compliance with the DOL’s missing participants guidance regarding the efforts made to locate missing participants or the distribution options selected for the benefit of missing participants. The DOL guidance can be found here.

HR professionals and C-Suite executives play a pivotal role in maintaining the integrity of their organization’s ERISA retirement plan. By proactively addressing common compliance challenges, such as delayed remittances, data errors, and weak internal controls, leaders can reduce audit risk, avoid costly corrections, and build trust with plan participants and regulators.

Establishing clear procedures, leveraging automation, and conducting regular reconciliations are not just best practices; they’re essential tools for demonstrating fiduciary diligence. With thoughtful oversight and cross-functional collaboration, organizations can ensure their retirement plans operate smoothly, remain compliant, and support long-term financial wellness for their employees.