Employee Benefit Plan Audit: What Mid-Market Employers Need to Know

Most mid-market HR Directors find out their benefit plan requires an annual audit the hard way — when a new CFO reviews the compliance calendar and discovers it was missed, or when the DOL sends a notice. The penalties are real: daily fines for late Form 5500 filings, potential plan disqualification, and personal fiduciary liability for plan administrators who failed to act.

The audit requirement under ERISA isn’t complex, but it’s easy to miss at the 100-participant threshold — the exact inflection point where most mid-market companies cross. Here’s what you need to know, when it applies, and how to make sure your program is managed correctly.

When Does Your Benefit Plan Require an ERISA Audit?

The general rule is straightforward: benefit plans with 100 or more participants with account balances on the first day of the plan year must file Form 5500 with audited financial statements attached. This applies to 401(k) plans, 403(b) plans, defined benefit pension plans, and health and welfare plans that are funded through a VEBA trust or similar arrangement.

A critical change took effect for 2023 Form 5500 filings. Previously, the participant count included everyone eligible to participate — even employees who had not enrolled. Under the new methodology, the count is based only on participants with account balances. For plans with significant eligible-but-not-participating populations, this may push you below the 100-participant threshold and eliminate the audit requirement. Contact your plan administrator or benefits broker to verify your current participant count under the new methodology before assuming your prior-year audit obligation continues.

Key thresholds and rules to understand:

• 100+ participants with balances — “large plan” status, full Form 5500 required with audited financial statements attached
• Fewer than 100 participants — “small plan” status, Form 5500-SF eligible, no audit required
• The 80–120 rule — if your plan was classified as large in the prior year and your participant count drops to between 80 and 120, you may continue filing as a large plan without being required to switch classification. Most plan administrators choose small-plan status when available to eliminate the audit expense.
• New plans — plans in existence for seven months or fewer can generally defer the audit requirement until the following year
• Welfare plans (health, dental, disability) — audit requirements apply only if the plan is funded through a trust; insured welfare plans paid from general employer assets typically do not require an audit

What the Audit Actually Covers

An employee benefit plan audit is an independent review of the plan’s financial statements conducted by a qualified CPA. It produces an auditor’s opinion on whether the plan’s financial information is presented fairly and in compliance with ERISA and DOL requirements. That opinion gets attached to your Form 5500 filing.

The audit covers several distinct areas that plan sponsors need to coordinate for:

• Financial statement accuracy — plan assets, liabilities, and net assets are fairly reported
• Contribution testing — employer and employee contributions were properly calculated and deposited within required timeframes
• Benefit payment compliance — distributions were made in accordance with plan terms and participant eligibility
• Participant data accuracy — eligibility rules were correctly applied; participants were properly included or excluded
• Prohibited transaction review — any transactions flagged under ERISA’s prohibited transaction rules are identified and disclosed
• Internal control evaluation — the auditor assesses the plan’s internal controls and provides recommendations for improvement

There are two audit types under ERISA. A full-scope audit tests all areas including investments. A Section 103(a)(3)(C) audit — previously called a “limited scope” audit — permits the auditor to exclude investment testing if a qualified institution (bank, insurance company, or similar regulated entity) certifies the completeness and accuracy of investment information. Most plans elect the 103(a)(3)(C) option because it reduces audit scope and cost while still meeting the ERISA requirement.

Deadlines and Penalties You Can’t Afford to Miss

The Form 5500 filing deadline for calendar-year plans is July 31. An extension of 2.5 months — to October 15 — is available by filing Form 5558 before the original deadline. The audit must be complete before the Form 5500 is filed, which means the practical deadline for engaging an auditor is several months earlier, particularly for plans that haven’t been audited before.

Missing the deadline is expensive. The IRS assesses a penalty of $250 per day, up to $150,000 per filing year. The DOL has a separate penalty authority up to $1,100 per day with no cap. For a plan that misses the July 31 deadline without an extension and doesn’t file until December, you’re looking at potential penalties that materially exceed the cost of the audit itself.

The timeline that works for a calendar-year plan:

• January–February — confirm participant count and audit requirement; engage auditor if required
• February–April — gather plan documents, participant data, contribution records, and investment statements for auditor
• April–June — auditor fieldwork; respond to auditor requests for documentation
• June–July 15 — receive auditor’s draft report; review and finalize
• July 31 — Form 5500 filed electronically via EFAST2 with auditor’s report attached
• October 15 — extended deadline if Form 5558 was filed before July 31

How to Select a Qualified Benefit Plan Auditor

Auditor selection is a fiduciary responsibility under ERISA. The DOL’s Employee Benefits Security Administration has studied audit quality and found deficiencies in 70% of audits completed by CPA firms handling only one or two ERISA engagements annually. That’s not a minor quality variation — it’s a systematic failure driven by firms that lack the specialized knowledge ERISA audits require.

The American Institute of Certified Public Accountants (AICPA) maintains an Employee Benefit Plan Audit Quality Center (EBPAQC) whose member firms are required to designate an audit partner with firm-wide responsibility for ERISA quality, conduct annual internal inspections, and maintain current training across all engagement staff. Member firms perform at materially lower deficiency rates than non-members. Ask any prospective auditor whether they are EBPAQC members — and verify it.

What to evaluate when selecting a plan auditor:

• ERISA audit volume — how many employee benefit plan audits does the firm complete annually? Firms with fewer than 10 ERISA engagements per year should be treated with caution for a large plan audit.
• EBPAQC membership — verify at aicpa.org/EBPAQC; non-membership isn’t disqualifying, but membership is a quality signal
• Industry experience — auditors familiar with your plan type (401(k), defined benefit, health and welfare) will complete the engagement more efficiently and identify issues that generalist auditors miss
• References from similar plans — ask for references from plans in your size range and plan type; a firm that primarily audits large defined benefit plans may not be the right fit for a 200-participant 401(k)
• Peer review status — ask whether the firm’s ERISA audit work has been peer-reviewed and request the results

What Plan Sponsors Need to Prepare

The audit process requires cooperation from HR, finance, legal, and your plan’s recordkeeper. Starting preparation early reduces audit cost — auditors bill by the hour, and disorganized documentation adds time. Here’s what you’ll need to have ready:

• Plan documents — the plan document itself, any amendments, and the adoption agreement for pre-approved plans
• Participant data — complete and accurate census data including eligibility dates, contribution elections, vesting status, and beneficiary designations
• Contribution records — documentation of all employer and employee contributions with deposit dates; late deposits are the single most common DOL deficiency finding
• Distribution records — all benefit payments made during the year with supporting documentation of participant eligibility and plan terms
• Investment statements — certified statements from your plan’s trustee or custodian if electing the 103(a)(3)(C) limited scope option
• Prior year Form 5500 — the auditor will use this as a baseline for the current year engagement

How Your Benefits Broker Should Be Supporting Audit Coordination

A full-service benefits broker is not an ERISA auditor — that’s the CPA firm’s job. But your broker should be managing the compliance calendar that keeps your audit on track, coordinating between your HR team and the auditor, and flagging any plan operation issues identified during the year that the auditor will need to know about.

Our licensed advisors at Hotaling maintain a compliance calendar for every mid-market client that tracks Form 5500 deadlines, audit timelines, ACA reporting obligations, COBRA notice requirements, and ERISA plan document review cycles. That calendar is built into the advisory relationship — not something you have to ask for separately at renewal time.

What your broker should be doing on the audit front:

• Confirming your participant count annually and alerting you to threshold changes after the 2023 Form 5500 rule change
• Maintaining a recommended auditor list and facilitating the engagement if you don’t have an existing relationship
• Providing plan documentation to the auditor as requested — carriers and TPA relationships are managed through the broker
• Reviewing the auditor’s management letter for plan operation issues that require plan design or administrative corrections
• Tracking the Form 5500 deadline and extension filing if needed

Frequently Asked Questions