Employee Benefit Plan Risk Management Tips and Best Practices

Duncan B. Will, CPA/ABV/CFF, CFE, CAMICO – March 12, 2026
Employee Benefit Plan Risk Management Tips and Best Practices

There are a number of risk management tactics that CPAs can use when working with plan sponsors on employee benefit plans. Consider these risk management tips:

1. Confirm EFAST2 Verification

After filing employee benefit plan reports, auditors should log into the Employee Retirement Income Security Act (ERISA) Filing Acceptance System 2 (EFAST2) to confirm that the correct audit report is visible and that no attachments have been blocked or removed.

EFAST2, the U.S. Department of Labor (DOL)’s mandatory electronic filing system for employee benefit plan reports, automatically screens Form 5500 attachments for personally identifiable information (PII) and the presence of participant-level data such as participant names or Social Security numbers. The existence of such PII can cause the system to block attachments, including the auditor’s report. If the audit report is “scrubbed” and consequently not visible in EFAST2, the Employee Benefits Security Administration (EBSA) may believe the audit report was not filed.

2. Discuss Deficient versus Delinquent Filings

Inform the plan sponsor of the deficient versus delinquent filing issue and the potential consequences, advise the plan sponsor that deficient filing offers a 45-day grace period from the imposition of penalties on delinquent filings, and obtain the plan sponsor’s written consent of their decision as to whether to submit a deficient or delinquent filing.

Plan sponsors and their auditors often encounter difficulties making it challenging to timely file complete and accurate employee benefit plan reports. When faced with this issue, a debate may ensue whether it is preferable to submit a deficient filing or to delinquently file.

  • A deficient filing occurs when a Form 5500 is submitted which contains errors or omissions, such as missing or incomplete required information. Deficient filings are granted a 45-day penalty-free correction period to timely cure the deficiencies. Penalties are only assessed if the filing is not corrected within the prescribed 45-day correction window.
  • A delinquent filing occurs when no Form 5500 is filed at all, resulting in immediate exposure to penalties without the benefit of the 45-day grace period. Delinquent filings generally carry higher penalty exposure than deficient filings and often trigger additional enforcement action.

The EBSA consistently emphasizes the importance of filing timely and as accurately as possible, noting that deficient filings are treated more favorably than late filings.

Penalties imposed on Form 5500 filing failures have changed. The long-standing $50,000 penalty cap no longer exists. Instead, civil penalties now accrue on a per-day basis beginning the day after the original filing due date. The $50,000 penalty was often threatened but was typically waived. The DOL and IRS may not be as lenient with the current civil penalties. As a result, short delays or unresolved deficiencies could lead to substantial cumulative exposure for plan sponsors, for which the plan auditor may be blamed.

Penalty notices frequently alarm plan sponsors, even though the DOL may reduce penalties when deficiencies are timely corrected or resolved through available compliance programs. Auditors should explain that penalty notices are part of a statutory framework and not necessarily indicative of final liability.

3. Act on Penalty Notices

Auditors should encourage prompt, measured responses to DOL correspondence, rather than delay or not act. Early engagement, timely corrections and — when appropriate — use of voluntary compliance programs can materially reduce penalty exposure. Focusing on remediation rather than reacting to headline penalty numbers is critical to achieving an efficient and favorable resolution.

4. Consider the DFVC Program

Typically, it’s best to encourage the plan sponsor to engage qualified ERISA legal counsel for advice regarding the Delinquent Filer Voluntary Compliance (DFVC) program. Or one may contact the Office of the Chief Accountant (OCA) for assistance with technical or procedural questions regarding the program.

Via the DFVC, plan sponsors have a valuable opportunity to resolve late Form 5500 filings with substantially reduced penalties. The program is not available after the DOL concludes that a plan is delinquent in its filings. A key advantage of the program is the ability to bundle delinquent plan years into a single submission, minimizing cumulative penalties. Jennifer Warner is EBSA’s DFVC Program Coordinator. She may be reached at 202-693-8388.

Participation in the DFVC Program requires full and timely compliance. Program submissions must be accurate and remit the required DFVC penalty payment. Filings submitted without payment don’t qualify for program relief. If both steps aren’t met, the submission won’t qualify for DFVC protection and could be subject to full statutory penalties.

DOL Correspondence

Auditors should emphasize to plan administrators the need to prioritize timely and well-documented responses to all DOL correspondence, as response deadlines accelerate and escalate rapidly. Notices of Rejection have a 45-day correction window to remedy identified deficiencies. More serious correspondence, such as a Notice of Intent to Assess a Penalty or a Notice of Determination, require action within 30 days, indicative of the matter having moved beyond routine compliance review.

Failure to respond timely and appropriately to a Notice of Intent to Assess a Penalty or a subsequent Notice of Determination greatly increases enforcement risk. Unresolved issues at these stages may transition into formal civil penalty proceedings, and opportunities for informal resolution diminish significantly.

The DOL encourages and welcomes proactive communication. Early outreach often prevents misunderstandings from escalating into enforcement actions. Auditors should not hesitate to contact the DOL with questions regarding notices, correction procedures or compliance expectations. Timely engagement can be a mitigating factor and is among the most effective risk management strategies in resolving DOL concerns.

Follow this timeline for responding to DOL correspondence:

  • General inquiries: Respond promptly
  • Notice of Rejection: Respond within 45 days
  • Notice of Intent to Assess a Penalty: Respond within 30 days
  • Notice of Determination: Respond within 30 days

DOL Audit Inspections

Special attention should be paid to a consent form accompanying document requests from the OCA. The OCA document requests include a request for the CPA to consent to the release of the CPA’s audit workpapers to other authorities. Many CPAs, believing they are required to sign the consent or not aware of its implications, have signed the consent. However, it’s best to not sign the consent. If signed, this consent would permit the DOL to forward the auditor’s workpapers to state licensing boards, the National Association of State Boards of Accountancy (NASBA), the American Institute of CPAs (AICPA) and/or the Public Company Accounting Oversight Board (PCAOB). CPAs voluntarily accommodating this request would waive their rights to inspect or approve the workpapers submitted in advance of being alerted to any preliminary DOL findings or the release of the workpapers.

EBSA representatives have stated that providing or withholding the requested consent has no impact on DOL audits. Therefore, there is no advantage and potentially significant disadvantages to providing this consent. Instead, practitioners are encouraged to express their appreciation for the constructive feedback the EBSA inspection may provide but respectfully decline to sign the consent before having an opportunity to consider and discuss the OCA inspection results.

Loss Prevention Advice

When the DOL selects your audit workpapers for inspection, it’s best to do the following:

  1. Don’t sign the CONSENT FOR DISTRIBUTION OF INFORMATION included within the DOL document request materials.
  2. Have a qualified auditor unrelated to the engagement and experienced in employee benefit plan audits assess whether he/she:
    • understands the nature, timing and extent of procedures performed
    • understands the results of the procedures performed and the evidence obtained
    • understands the conclusions reached on significant matters
    • is able to agree or reconcile the accounting records with the audited financial statements. [AU-C 230 requirement]
  3. When deemed necessary, add contemporaneously dated explanations to the workpapers to meet AICPA’s (AU-C 230) audit documentation requirements.
  4. Consider stamping each page of your workpapers “CONFIDENTIAL.” Doing so reinforces the confidential nature of the workpapers and that consent has not been granted to disseminate the workpapers beyond the OCA.
  5. Take care to provide the DOL with all audit documentation within the initial submission of audit workpapers. Many auditors have omitted workpapers thought not to be needed only to receive a critical response indicating their workpapers didn’t meet U.S. generally accepted auditing standards (GAAS). This isn’t a case where “less is more.”
  6. Consider obtaining a power of attorney from the plan sponsor so that preliminary DOL audit correspondence is sent directly to the CPA firm. The use of a POA expedites the inspection process and reduces the likelihood that OCA preliminary findings (frequently the result of difficulty identifying the location of audit work performed) unnecessarily distress the plan sponsor. However, do not use the IRS Power of Attorney Form 2848. Instead, use a general POA.
  7. Seek expert advice before sending a written response to the DOL inspection findings. Argumentative/disrespectful communications often prompt disagreeable/harsh responses. So, even when frustrated, control your urge to voice your frustration. Follow these guidelines for written responses to the DOL:
    • Be respectful.
    • Express an appreciation for the DOL’s constructive feedback.
    • Indicate steps your firm will take to improve future EBP audits.
    • Inform the DOL representative of where in the previously provided audit workpapers the representative will be able to locate the audit evidence thought to have been lacking.

    Common DOL Findings

       

      CPAs performing or interested in performing pension plan audits should consider the EBSA’s November 2023 Audit Quality Study and should acquire and utilize the AICPA’s authoritative Employee Benefit Plans: Audit and Accounting Guide (updated as of Aug. 1, 2025) and the Audit Risk Alert, Employee Benefit Plans Industry Developments — 2019, their most recent alert addressing employee benefit plan engagements.

Duncan B. Will

Duncan B. Will

Duncan B. Will, CPA, ABV, CFF, CFE, is a loss prevention manager and accounting and auditing specialist with CAMICO, leveraging more than 40 years of experience in accounting, including public accounting, forensic accounting, consulting and audit and tax compliance.

 

Related content

article image
ARTICLE

How Nonprofits Can Benefit from Outsourced Accounting

 March 10, 2026
article image
ARTICLE

Accounting for Construction Companies: 2026 Tax and Finance Strategies

 March 9, 2026
article image
ARTICLE

AI Investing and the CPA: A Seismic Shift and the AI Gold Rush

 March 9, 2026
article image
ARTICLE

Understanding the Ups and Downs of CFO Decision-Making

 March 9, 2026
Related Pages: Accounting & Auditing Knowledge Hub | Business Management Knowledge Hub | Financial Planning and Wealth Management Knowledge Hub | NJCPA Business & Industry Professionals Interest Group | Auditing Knowledge Hub | The Changing Role of the CFO/Finance Director


 

Related events

March 12, 2026
Controller/CFO Update: Hot Topics Facing Today's Financial Professional
March 12, 2026
Virtual Chapter
2026 New Jersey Business Update and Outlook
March 12, 2026
Big Picture Mega-Trends, Big Data, and World We Now Face
March 13, 2026
Advanced Audits of 401(k) Plans: Best Practices and Current Developments
FIRST
    LAST