The Trigger: Understanding Your Audit Requirements
The Department of Labor's Employee Benefits Security Administration (EBSA) mandates that "large" employee benefit plans undergo an annual independent financial statement audit performed by a qualified Certified Public Accountant (CPA).
The Shift in Participant Counting Methodology for Defined Contribution Plans
Historically, determining if you were a "large" plan depended on the number of eligible employees, which often penalized companies with generous eligibility but low participation. For plan years beginning on or after January 1, 2023, the DOL instituted a critical methodology change:
- The New Rule: Only participants with an account balance at the beginning of the plan year are counted toward the 100-participant threshold.
- Who is Included: This revised count includes actively contributing employees, as well as separated, deceased, or retired employees whose assets remain in the plan.
The 80-120 Rule
The transition between filing a Form 5500-SF (Small Form, no audit required) and a standard Form 5500 (Large Form, audit required) is governed by the 80-120 rule. If your plan filed a Short Form 5500 in the preceding year, it remains exempt from the audit requirement until the participant count strictly exceeds 120 on the first day of the current plan year. Conversely, if your plan was previously classified as a large plan and has already been subject to an audit requirement, it may continue filing as a large plan until the participant count falls below 80 — meaning a plan between 80 and 120 participants is not required to switch filing status in either direction.
If you filed a 5500-SF last year and have fewer than 121 participants at the start of the current year, you may still qualify for the small plan exemption, even if you cross the 100-participant mark during the year.
The Audit Process and Timeline
A first-time plan audit can induce organizational anxiety, primarily because the auditor will typically need to review historical records going back several years to establish accurate opening balances. This means you should retain and be prepared to produce recordkeeper and payroll files from prior plan years.
The audited financial statements must be attached to your Form 5500, which is due on the last day of the seventh month after the plan year ends (e.g., July 31 for a calendar year plan), though an extension can push this to October 15.
The Three Phases of Your Audit
Your audit firm will provide a detailed document request list through the Atlura platform well in advance of fieldwork. The audit team works directly with your Recordkeeper and Third-Party Administrator (TPA) to aggregate data, and can add them directly to the Atlura platform as well.
An initial planning call with your HR, Payroll, and Finance teams allows auditors to document your internal controls and assess fraud risk areas. Following this, the auditor selects a sample of participants and tests their individual transactions against your legal plan document. The actual testing and sampling phase duration will vary based on plan size, complexity, and the completeness of your submitted documents.
The auditor issues the final auditor's report along with the final financial statements and a Governance Letter. The Governance Letter outlines internal control and operational deficiencies uncovered and provides actionable recommendations for improvement. Some findings may also be communicated verbally during the course of the engagement.
The Audit Prep Checklist
Efficient preparation starts with document readiness. To ensure a frictionless audit, begin gathering these documents in your centralized fiduciary file long before the auditor requests them.
Top Operational Frictions and Fiduciary Pitfalls
Your auditor will communicate findings related to operational defects directly to you as the plan sponsor. Based on DOL enforcement data and standard audit findings, plan sponsors should proactively monitor these high-risk areas:
The single most frequently penalized misstep. ERISA mandates that participant contributions be deposited into the plan as soon as they can reasonably be segregated from general corporate assets. Manual human intervention in payroll processing is the primary vector for these remittance failures.
Discrepancies in applying the definition of compensation — such as inadvertently including or excluding bonuses, commissions, and overtime contrary to the legal plan document — are among the most common audit findings.
Millions of dollars sit in uncashed checks issued from retirement plans. You remain a fiduciary for funds left behind by missing or unresponsive terminated employees and must document a robust search process to avoid DOL scrutiny.
A massive wave of aggressive class-action litigation has recently emerged regarding how employers use forfeitures of non-vested contributions. Plaintiffs are arguing that using these funds to offset employer contributions, rather than paying plan administrative fees, violates fiduciary duties. Your auditor will heavily scrutinize your forfeiture balances.
One of the most common governance gaps among smaller plans is the absence of a dedicated retirement or investment committee. Without a formal committee structure, plan sponsors often lack documented evidence that fiduciary responsibilities — such as investment menu reviews, fee benchmarking, and plan amendment approvals — are being performed and recorded. Auditors and the DOL expect to see consistent, written documentation of these oversight activities.
The SECURE 2.0 Act introduces significant mandatory amendments that auditors will probe during fieldwork — including mandatory automatic enrollment for new plans, expanded coverage for long-term part-time employees, and updated catch-up contribution requirements for highly compensated earners. Unlike the operational issues above, these are not errors a sponsor has made, but areas where your plan's current administration must be verified against the applicable effective dates and your plan document amendments.
Technological Transformation: The Atlura Platform
The sheer volume of sensitive data, strict regulatory timelines, and the multitude of disparate stakeholders involved in an ERISA audit (Sponsor, Advisor, TPA, Recordkeeper, CPA) create an environment highly susceptible to communication breakdowns and data loss.
Traditional workflows relying on encrypted emails, fragmented Excel spreadsheets, and disparate file-sharing portals invariably lead to miscommunication, lost documents, and heightened "audit fatigue." The industry is rapidly shifting toward collaborative technological ecosystems like the Atlura platform to streamline this burden.
A collaborative platform architecture replaces static PDF checklists with dynamic, interactive project management workflows. Within the Atlura environment, the auditor's extensive Request List is digitized into a tracked, highly visible dashboard. As you upload executed plan documents, payroll information, and complex census data, the platform automatically routes the documentation to the relevant stakeholder for immediate review.
The platform eliminates the silos between your internal HR/Finance departments, your financial advisor, and your external TPA. If an auditor flags a missing trust report or needs clarity on a payroll integration, your advisor can monitor the portal in real time and intervene to procure the necessary data without bottlenecking the sponsor.
Atlura serves as a secure document exchange hub for the duration of your audit engagement — not a permanent fiduciary file. Your audit team will download and retain the documents needed for the audit file, then purge the platform once the engagement is complete. Plan sponsors should maintain their own complete fiduciary records, including committee minutes, fee benchmarking reports, and investment policies, in their own secure repository.