
NONPROFIT MANAGEMENT: Giving retirement-plan compliance the attention it deserves

By Gerald J. Archibald


“My best days in retirement are when I give back to the community.”— Anonymous

Stock markets have continued to hit all-time highs throughout the pandemic since the lows of the original sell-off on March 23, 2020. We see that 401(k) and 403(b) retirement-account values have increased significantly for almost all participating employees and retirees, as the S&P 500 Index has risen by about 95 percent since those lows.

One of the many reasons for stock-market valuation increases is the continued growth in stock-market investments by employees through their retirement plans, including 401(k) and 403(b) plans. Beyond the expanding number of retirement-account millionaires, more than 55 percent of Americans now hold investments, either individually or through their retirement plans.

As an auditor and business advisor, the foregoing fact pattern reminded me of an article that I published back in 2013 that focused on mitigating risk by having employers implement both required and reasonable policies and procedures to reduce the probability of government regulatory penalties. 

Retirement-plan compliance continues to be a priority area for audit by both the Department of Labor and the IRS. Recent data shows that with the stock market at record highs, based partially on $10 trillion-plus of pandemic stimulus funds coupled with our economy as the “best of the worst on the globe”, U.S. retirement assets are at $35 trillion and represent 32 percent of all financial household assets. As a nonprofit organization and employer, you most likely have a 403(b), 401(k), or defined-contribution plan. Defined-benefit plans have fallen out of favor for various reasons, and now cover only 7 percent of American employees, primarily employed by government and organizations with collective bargaining units. There are currently about 600,000 401(k) plans in the U.S., covering about 60 million active participants and millions of former employees and retirees. 

Retirement-plan compliance is an area that does not always receive an appropriate amount of monitoring from the employer’s perspective. Regulatory compliance with Department of Labor (DOL) and IRS regulations should be of particular importance to the retirement-plan trustees. If you need proof, consider the following daily penalties that can be assessed by the DOL or IRS for regulatory violations.

If you pay attention to the following Top 10 list, you will most likely be able to avoid penalties for failure to exercise proper governance and due diligence on your retirement plan(s).

1) Our accounting firm serves as auditors for more than 500 retirement plans. That places us in the Top 20 CPA firms in the U.S. with specialization in auditing retirement plans. As a result, we know firsthand about best practices, as well as issues and concerns facing employers as plan sponsors. The first cardinal rule is to be sure that you call a professional accountant or attorney with extensive expertise in retirement-plan compliance. 

2) The trustees of your retirement plan, your board, and/or audit/finance committee should meet at least once each year with your retirement plan's independent auditors. The retirement-plan trustees have primary responsibility for regulatory compliance, but the agency board also has responsibility for the protection of employee retirement-plan assets.

3) Your independent auditor should also provide a letter of recommendations regarding any internal-control improvements and regulatory-compliance matters, as necessary. For example, the independent auditor should be testing that employee contributions to the plan are being properly deposited within the applicable safe-harbor period (e.g., 15 days) or as required by regulation.

4) An ongoing challenge for all retirement-plan employer sponsors is maintaining compliance with all investment-related fee disclosures that are required to be provided to plan participants. The regulations in this area can be found in IRS Code Section 404.

5) To comply with the Section 404 regulations, retirement-plan fiduciaries must discharge their duties for the plan prudently and solely in the interest of participants and beneficiaries. At a minimum, this requires disclosure of specific plan-related information (e.g.: administrative expenses) and investment-related information (e.g.: investment fees and expenses).

6) Plan fiduciaries should be aware of the following:

a. Simply receiving and passing on disclosures isn’t enough; due diligence must be conducted and documented.

b. Using existing service providers to conduct due diligence involves inherent conflicts of interest and should be avoided. 

c. Benchmarking fees and expenses alone is generally not adequate to determine reasonableness.

d. Plan sponsors subject to these Section 404 regulations that have not issued an RFP in more than three years should do so.

7) Plan sponsors, and many retirement-plan advisors, are not able to properly manage Section 404 disclosure requirements due primarily to the complexity of fee arrangements and lack of appropriate expertise. 

8) In 2018, the IRS published a 401(k)-plan checklist, which is designed to help plan sponsors find, fix, and avoid costly mistakes. Additional information can be found at 

9) In April 2021, the Department of Labor issued a cybersecurity notice. Information can be found at This notice provides guidance for plan sponsors in the following areas:

a. Tips for monitoring service-provider cybersecurity practices and activities

b. Cybersecurity best practices for plan fiduciaries (plan sponsors)

c. Online security tips for plan participants and beneficiaries

10) Finally, if you are one of the dwindling number of employers that sponsor a defined-benefit retirement plan, please review it to determine whether the plan is sustainable and affordable for your organization. In the past 25 years, the number of employees covered by a defined-benefit plan has declined from 62 percent to less than 7 percent. This is primarily due to the relative lack of predictability (e.g., mortality rates, investment return, historically low interest rates, compensation increases, and turnover rates) in comparison to the discretionary flexibility that exists in defined-contribution plans (e.g., 401(k), 403(b), etc.).

In addition, the IRS publishes examples of some of the most common errors made, together with appropriate correction methods. This can be found at The DOL also has an informational webpage related to its Voluntary Fiduciary Correction Program at 

The bottom line is that retirement-plan compliance must be incorporated into your organization's risk-mitigation policies and procedures.

Gerald J. Archibald, CPA, is a partner in charge of the management advisory services at The Bonadio Group. Contact him at
