Your First 401(k) Audit: Complete Guide
Your 401(k) plan just crossed 100 eligible participants, and someone told you that means you need an audit. They're right. If this is your first time, the process might seem intimidating — but it doesn't have to be. This guide walks you through everything you need to know, from choosing an auditor to what happens after the report is issued.
Why Your Plan Needs an Audit
The Department of Labor requires plans with 100 or more eligible participants at the beginning of the plan year to have an independent audit. This is known as a limited-scope audit under ERISA Section 103(a)(3)(C). The purpose is straightforward: verify that the plan is being administered correctly and that participant assets are protected.
The audit report gets filed alongside your Form 5500, which is your plan's annual return to the DOL and IRS. Without it, your filing is incomplete — and incomplete filings can trigger penalties and unwanted attention from regulators.
If you're not sure whether you've hit the threshold, keep in mind that the count is based on eligible participants, not just those actively contributing. That distinction catches many plan sponsors off guard.
Step 1 — Choose the Right Auditor
Not all CPA firms are created equal when it comes to retirement plan audits. A firm that's great at tax returns or financial statement audits may have little experience with the specific requirements of ERISA and SAS 136. Choosing the wrong firm often means a longer, more painful process — and sometimes a deficient audit that creates more problems than it solves.
Here's what to look for:
- AICPA EBPAQC membership — This is the gold standard for employee benefit plan audit quality. Member firms commit to rigorous quality standards and ongoing training specific to retirement plan audits.
- Specialization in retirement plans — Ask how many EBP audits the firm performs each year. Ideally, it's a significant portion of their practice, not a side business.
- Fixed-fee pricing — Hourly billing creates unpredictability. A firm that quotes a fixed fee has enough experience to scope the engagement accurately.
- Clear timeline commitments — Ask when the audit will start, how long fieldwork takes, and when you can expect the final report. Vague answers are a red flag.
- References from similar-sized plans — A firm that audits 10,000-participant plans may not be the right fit for a 150-participant plan, and vice versa.
Step 2 — Understand the Timeline
A typical 401(k) audit takes 4 to 8 weeks from kickoff to final report. Understanding the general flow helps you plan ahead and avoid bottlenecks.
- Week 1 — Engagement letter signed
- Week 1-2 — Document request sent by the auditor
- Week 2-4 — You gather and submit documents
- Week 3-6 — Fieldwork and testing by the audit team
- Week 6-7 — Draft report sent for your review
- Week 7-8 — Final report issued
The most important takeaway: start early. Ideally, you should engage an auditor 4 to 6 months before your Form 5500 filing deadline. For calendar-year plans, that means starting the process in the spring. Waiting until summer creates unnecessary pressure and limits your options if issues arise.
Step 3 — Gather Your Documents
Your auditor will send a document request list early in the engagement. Having these materials organized and ready is the single biggest thing you can do to keep the audit on schedule. Here are the most commonly requested items:
- Plan document and all amendments
- Summary Plan Description (SPD)
- Trust or custodial account statements — quarterly and annual
- Payroll records and W-2 data for the plan year
- Participant census data (dates of birth, hire, termination, hours worked)
- Employee and employer contribution records
- Distribution and loan records
- Board minutes or plan committee meeting notes
- Prior year audit report, if applicable
If your recordkeeper or TPA can provide many of these items, coordinate with them early. The faster documents are submitted, the faster the audit moves.
Step 4 — Know What the Auditor Tests
Understanding what the auditor examines helps remove the mystery from the process. The audit isn't adversarial — the goal is to verify that your plan is operating in accordance with its governing documents and applicable regulations.
Key testing areas include:
- Participant eligibility — Are the right people enrolled in the plan? Were employees offered participation when they became eligible?
- Contribution accuracy — Are employee deferrals and employer matches calculated correctly based on the plan formula?
- Contribution timeliness — Are employee deferrals deposited within the DOL's guidelines? Late deposits are one of the most common findings.
- Distributions and loans — Do they follow the terms of the plan document? Were required withholdings applied?
- Investment allocation and valuation — Are assets properly valued and allocated to participant accounts?
The auditor selects a sample of participants and transactions to test. They're looking for systematic issues, not trying to catch isolated mistakes. If something is off, it usually points to a process that needs fixing — not a reason to panic.
Step 5 — Review the Draft Report
Before the final report is issued, you'll receive a draft for your review. Take this step seriously. Read the report carefully and discuss any findings with your auditor.
If the auditor identifies issues — such as late contributions, eligibility errors, or operational failures — it's not the end of the world. Many problems can be corrected through the IRS's Employee Plans Compliance Resolution System (EPCRS) or the DOL's Voluntary Fiduciary Correction Program (VFCP). These programs exist specifically to help plan sponsors fix mistakes and bring their plans back into compliance.
A good auditor won't just point out problems — they'll explain what the findings mean, how significant they are, and what your options are for correcting them. If your auditor can't do that in plain language, that's a sign you may have the wrong firm.
Step 6 — File Your Form 5500
The audit report is attached to your Form 5500 as a required schedule. The filing deadline for calendar-year plans is July 31, but most plan sponsors file for an automatic extension, pushing the deadline to October 15.
Late filings can result in penalties from both the DOL and the IRS. The DOL can assess penalties of up to $250 per day for late filings, with no maximum cap. The IRS penalty is $250 per day, up to $150,000. These aren't theoretical — the DOL actively pursues late filers. Make sure your filing is on time.
Common First-Audit Mistakes to Avoid
After working with hundreds of plan sponsors through their first audit, certain patterns emerge. Here are the mistakes we see most often:
- Starting too late. Engaging an auditor in August for a July 31 deadline (or even October 15 with an extension) leaves almost no room for issues. Start in the spring.
- Choosing the cheapest auditor instead of the most qualified. A low bid from a firm that doesn't specialize in retirement plans often results in more work for you, a longer timeline, and sometimes a deficient audit that needs to be redone.
- Not designating a single point of contact. When the auditor has to chase multiple people for different documents, things fall through the cracks. Assign one person to be the liaison.
- Failing to gather documents promptly. The audit can't move forward without your documents. Every week of delay on your end pushes the timeline back.
- Not reviewing the draft report carefully. The draft is your opportunity to ask questions, clarify facts, and understand any findings before the report becomes final.