For a plan sponsor, the first 401(k) audit can feel like an administrative mountain — and even the tenth doesn’t always get easier. Approached with a structured process and a clear understanding of Department of Labor (DOL) expectations, however, the audit becomes less of a burden and more of a tool for fiduciary protection. At Caron Bletzer, we’ve found that transparency into the audit process is the single most effective way to cut the anxiety that comes with signing off on complex plan financials.
Understanding Your 401(k) Audit Requirement
Before getting into the mechanics, it’s worth understanding why this process exists. The Employee Retirement Income Security Act of 1974 (ERISA) was designed to protect the interests of employee benefit plan participants. The threshold that determines whether a plan needs an independent audit is best thought of as the 80-120 participant rule.
Generally, a plan with 100 or more participants with account balances at the beginning of the plan year is classified as a “large plan” and must file audited financial statements with its Form 5500. The 80-120 rule gives sponsors near that threshold a measure of stability: if your plan filed in one category (small or large) in the prior year, you can generally continue in the same category as long as your participant count stays between 80 and 120. The category only changes once the count exceeds 120 (moving you up to large) or drops below 80 (moving you down to small).
It’s also worth noting that for plan years beginning on or after January 1, 2023, the DOL formally moved to counting participants with account balances rather than all eligible employees. Some sponsors who were historically large filers may now qualify as small plans under the updated method, and vice versa, so the threshold should be re-evaluated every plan year.
Missing audit and filing requirements is costly. The DOL can assess penalties under ERISA §502(c)(2) of more than $2,700 per day, with no cap — a figure that is adjusted annually for inflation. The IRS separately imposes penalties under IRC §6652(e) of $250 per day, up to $150,000 per plan year per return, for late or deficient filings. Engaging a firm that specializes in Employee Benefit Plan Audits is one of the most direct ways to ensure compliance is handled by professionals who work in ERISA every day.
Your 401(k) Audit Timeline: Staying Ahead of the Curve
Timing is everything in ERISA compliance. A typical audit follows a well-defined lifecycle, and knowing the rhythm helps prevent the last-minute rush that overwhelms many HR and finance teams.
- Q4 — Preparation: Review internal controls, refresh vendor contact lists, and gather preliminary data.
- January to March — Data Collection: Once the plan year closes, the auditor requests reports from the recordkeeper and TPA.
- April to June — Fieldwork: Auditors test contributions, distributions, participant data, and investment activity.
- July to September — Finalization: The audit report is drafted, reviewed by the plan sponsor, and attached to the Form 5500 filing.
A proactive approach prevents the October scramble to track down missing files before the extended filing deadline. Working with a team that follows a transparent, well-defined audit process year over year significantly reduces delays, especially once the auditors are familiar with your plan structure and recordkeeping systems.
Key Items for Your 401(k) Audit Checklist
To streamline the experience, we’ve outlined the items most plan sponsors should have ready before the auditor’s first request. This isn’t the complete request list — it’s the set of items that, when assembled early, eliminates the biggest sources of back-and-forth.
1. Plan Documents and Amendments
The foundation of the audit is the plan document itself. Provide the most current executed version, all amendments, the adoption agreement (if applicable), and the latest Summary Plan Description (SPD). Auditors use these to verify that the plan is being operated in accordance with its written terms — a common area of DOL scrutiny.
2. Financial Reporting
Most of the financial data behind the audit comes directly from the custodian or recordkeeper. Under our audit standards, we obtain trust reports, participant-level reports, and the qualifying institution certification of investments and investment income (for ERISA Section 103(a)(3)(C) engagements, known as “limited-scope” audits prior to SAS 136) straight from the source, typically through read-only website access that you grant the audit team.
Our team also typically drafts your plan’s financial statements as part of the engagement, which is why specialized Defined Contribution Plan Audits add so much value on the financial reporting side — the firm preparing the statements understands every nuance of how the data was tested.
3. Participant Data and Testing
This is where the bulk of the testing occurs. Be ready to provide:
- Payroll records showing gross compensation, hours worked, and employee deferrals.
- Evidence of timely remittance of employee contributions (and any corrective action taken for late deposits).
- Documentation for distributions, including hardship withdrawals, in-service distributions, and loan activity.
- Census data for all eligible employees — not just those currently participating in the plan.
Why Specialization Matters for Your Plan
A common misstep is assuming a generalist tax CPA is the right choice for a benefit plan audit. ERISA is a highly technical niche, and a generalist firm may not have the dedicated team or deep specialization needed to catch subtle compliance issues before they grow into plan qualification issues or costly operational corrections.
Firms focused exclusively on retirement plan audits — predominantly Defined Contribution Plan Audits, along with Defined Benefit Plan Audits, ESOP, and 403(b) engagements — deliver greater cost predictability and a faster, more efficient process. Proprietary technology platforms like Atlura™ further reduce the administrative friction and billing volatility often associated with generalist CPA practices.
Managing a 401(k) audit is a fiduciary act. Plan sponsors have a legal obligation to act in the best interest of participants and beneficiaries, and selecting an auditor who truly understands IRS and DOL regulations is a meaningful piece of meeting that obligation.
Your Key Steps to a Stress-Free Audit
Beyond the checklist, several strategic habits make the audit run smoothly year after year.
Open Communication With Stakeholders
The auditor, TPA, and recordkeeper need to work as one team. Granting the auditor direct, read-only access to the recordkeeping portal eliminates dozens of document requests routed through HR. That level of coordination is the hallmark of a practical, no-fluff ERISA engagement.
Reviewing Internal Controls
The DOL is increasingly focused on plan governance — how vendors are selected and monitored, how payroll accuracy is verified, and how operational adherence to the plan document is documented. Sponsors that also manage Non-Retirement Benefit Plan Audits benefit even more from a strong control environment, since the same governance discipline carries across the broader benefits package.
Addressing Prior Year Findings
If the prior audit produced management letter comments or operational findings, the first thing the current auditor will look for is evidence of remediation. Unresolved prior-year issues are a major red flag for regulators and can lead to plan qualification issues that are far more expensive to fix after the fact.
Expanded Focus: Specialized Audit Types You May Need
The broad term “401(k) audit” often encompasses several variations, depending on plan structure and regulatory framework.
- Form 11-K Audits: SEC-registered plans require an additional layer of rigor and PCAOB compliance for the audit firm.
- 403(b) Plan Audits: Nonprofit, healthcare, and education plans have unique contribution structures and historical compliance challenges that differ from standard 401(k) plans.
- ESOP Audits: Employee Stock Ownership Plans carry complex valuation requirements and specific ERISA testing that generalist auditors frequently overlook.
Each of these benefits from a niche-firm approach that avoids the rework and inefficiency typical of generalist practices.
The Role of Technology in Your Modern Audit
The days of mailing paper files or emailing unencrypted spreadsheets of participant data should be behind every plan sponsor. Modern 401(k) audits run on secure technology platforms that automate document collection, request tracking, and workflow management.
Platforms like Atlura™ provide real-time visibility into audit progress, so the sponsor is never left wondering where their filing stands. They also protect participant Personally Identifiable Information (PII) at a level that meets the expectations of any modern CFO or HR director.
Pairing strong technology with a consistent engagement team — the same auditors working your plan year after year — compounds the efficiency gains. There is no need to re-explain your payroll system or plan history every January.
Strategic Geographic Considerations for Your Plan
While the 401(k) audit is a federal requirement, plan-sponsor concentration varies by region. Employers in high-growth hubs such as California, Texas, and the Northeast (including NY, MA, and NH) often face a denser competitive market for mid-to-large employer talent and for high-quality plan administration services.
Selecting an audit firm with national reach ensures that, regardless of where the headquarters sits, the auditor understands localized operational nuances while maintaining a consistent ERISA-compliance perspective across the organization.
Meeting Your Final Deadline
As the final 401(k) audit requirements come together, attention shifts to the Form 5500. For calendar-year plans, the initial filing deadline is July 31, with a 2½-month extension available via Form 5558, pushing the deadline to October 15.
“Waiting until October” is not a strategy. The objective should be a clean audit opinion well before the final deadline, leaving real time for fiduciary review. A rushed audit is where mistakes happen — and in ERISA, mistakes are expensive.
If an upcoming audit feels rushed, or if there’s any concern that the current auditor doesn’t fully understand the plan, a second opinion from a firm that specializes exclusively in ERISA audits can quickly identify gaps, streamline the process, and rebuild confidence.
Moving Toward Compliance and Peace of Mind
A 401(k) audit doesn’t have to be a source of dread. With a clear checklist, a well-understood timeline, and a firm that specializes exclusively in ERISA, a compliance requirement becomes a routine, transparent annual exercise.
The ultimate goal is a clean audit, an on-time filing, and the peace of mind that comes from knowing the plan is protected. Whether you’re a first-time filer or a seasoned HR director, the fundamentals don’t change: preparation, communication, and specialization.
FAQs
Generally, a plan with 100 or more participants who hold an actual account balance on the first day of the plan year is classified as a large plan and must meet ERISA 401(k) audit requirements. The 80-120 rule gives sponsors near the threshold flexibility to remain in the same filing category as the prior year, as long as participant counts stay between 80 and 120.
The DOL can assess penalties under ERISA §502(c)(2) of more than $2,700 per day, adjusted annually for inflation, with no maximum. The IRS can separately impose penalties of $250 per day, up to $150,000 per plan year per return, for late or deficient Form 5500 filings.
Timelines vary with plan complexity, but core fieldwork and testing typically run from April through June, with finalization wrapping up before the October filing deadline.
They may be licensed to do so, but generalist CPA firms often lack the ERISA-specific depth needed to navigate DOL scrutiny efficiently. A specialist firm typically delivers a faster, more thorough process with fewer surprises.
An ERISA Section 103(a)(3)(C) audit (previously called a “limited-scope” audit) allows the auditor to rely on a qualifying institution’s certification of investments and investment income, while still performing required procedures over other plan operations. A full-scope audit requires detailed testing of those investments and investment income in addition to standard operational testing.
Caron Bletzer provides transparent pricing with clear cost expectations defined at the start of the engagement. If the scope of work shifts significantly because of issues we couldn’t reasonably anticipate, we discuss any adjustments with you openly before additional work is performed — no surprise invoices. A streamlined process and proprietary technology like Atlura™ help keep most engagements firmly within their original scope.


