Picture this: you’re reviewing your 401(k) plan records in March and realize your participant count just crossed 100 for the first time at the start of the year. Now you’re staring at an employee benefit plan audit requirement you’ve never dealt with before, with a Form 5500 deadline on the calendar and no clear sense of where to begin. This scenario plays out every year for growing businesses, and the confusion it creates is completely understandable. An employee benefit plan audit isn’t like your standard financial statement audit, the rules around when it’s required, what it covers, and how to prepare for it are specific enough that getting them wrong carries real consequences.
This article walks you through the full picture: the thresholds that trigger the requirement, which plan types are covered, what auditors actually test, how the process unfolds over three to four months, and what you can do right now to make the experience less disruptive. At DMG Worldwide, we work with plan sponsors navigating this requirement for the first time and those tightening up their compliance before the next filing cycle. Consider it a practical framework so you’re not scrambling when the document request arrives.
When Your Plan Triggers an Employee Benefit Plan Audit Requirement
ERISA and Department of Labor regulations require most employee benefit plans to file an annual Form 5500. For large plans, that filing must include an independent audit from a qualified CPA. The question most plan sponsors ask first is straightforward: do we actually qualify as a large plan?
The 100-Participant Rule and What Counts
A plan is generally classified as large, and therefore subject to an employee benefit plan audit, when it has 100 or more participants at the start of the plan year. The critical detail is how “participants” are counted under rules that took effect for 2023 filings and remain in place for 2026: only participants with account balances on the first day of the plan year are included. Employees who are eligible to participate but have never contributed, and therefore carry a zero balance, are excluded. For plans previously sitting right at the threshold, this change moved some of them back below 100 and eliminated the audit requirement entirely.
The 80, 120 Buffer Zone
There’s a protection built into the rules for plans whose participant counts fluctuate around the 100 mark. If your plan filed as a small plan in the prior year, you can continue to do so as long as your participant count stays below 121 at the start of the current plan year. This 80, 120 buffer means a plan with, say, 112 participants this year doesn’t automatically trigger a new audit obligation if it previously qualified as small. Once the count hits 121, however, the exemption disappears and the audit requirement becomes mandatory regardless of prior filing history.
Consequences of Missing the Threshold
Failing to recognize the audit requirement and omitting the audit report from your Form 5500 creates compounding problems. The DOL can reject the filing outright, and late or incomplete filings carry civil penalties of up to $2,670 per day under DOL and IRS enforcement guidance, a figure that has increased over time with inflation adjustments. Beyond the financial penalties, plan fiduciaries face exposure for breach of their duties under ERISA. The DOL treats a missing or deficient audit report as a serious compliance failure, not a technicality.
Which Types of Benefit Plans Must Be Audited
Not every benefit plan follows identical rules, and knowing where your specific plan falls eliminates a lot of unnecessary anxiety.
Retirement Plans (401(k), 403(b), Defined Benefit)
Defined contribution plans, including 401(k) and 403(b) arrangements, and defined benefit pension plans are all subject to the 100-participant audit threshold once crossed. Audit testing in these plans concentrates on several core areas: eligibility determinations, contribution accuracy, vesting calculations, loan balances, and hardship distributions. Auditors are checking whether what actually happened in the plan matches both the plan document and ERISA requirements.
Health and Welfare Plans: A Higher Bar for Audit
Most health and welfare plans, including medical, dental, and disability coverage, are not subject to the same audit requirement. The determining factor is how the plan is funded. If the plan is trust-funded, meaning participant contributions are held in a separate trust rather than flowing through the employer’s general assets, it may be subject to audit when the 100-participant threshold is met. Fully insured plans paid from general employer assets are generally exempt from the audit requirement, though funding structure and how benefits are bundled on Form 5500 reporting can affect that status. This distinction removes audit exposure for most small employers sponsoring standard group health coverage, but confirming your plan’s specific status with a qualified ERISA CPA is the safest approach.
Plans That Are Commonly Exempt
Several categories of plans fall outside ERISA’s audit requirements entirely. Government plans and church plans are statutory exemptions. Unfunded excess benefit plans and certain fully insured welfare plans are also commonly excluded, though exemption for welfare plans depends on funding structure and Form 5500 reporting obligations, some bundled arrangements can still trigger Schedule H requirements. If you’re unsure where your plan lands, a review of the plan documents alongside a qualified ERISA CPA will give you a definitive answer rather than a guess. Knowing which documents to bring to that conversation, your plan agreement, adoption records, and most recent Form 5500, gets you to a clear answer faster.
Employee Benefit Plan Audit: What Auditors Look for and Where Most Plans Get Flagged
Understanding what auditors actually test, and where plans consistently fail, gives you a diagnostic tool before the audit begins. The DOL’s 2023 Audit Quality Study (published by EBSA) identified clear patterns in where deficiencies cluster, and plan sponsors who know these patterns can address them proactively. For the original study and DOL materials, see the Department of Labor’s reporting on the audit quality study DOL’s Audit Quality Study.
Contribution Timeliness and Accuracy
Late deposits of participant deferrals represent the single most common finding across employee benefit plan audits. ERISA requires that employee deferrals be remitted to the plan trust as soon as administratively feasible after each payroll cycle, and auditors test this rigorously. Even a gap of a few days can be classified as a prohibited transaction, which triggers correction requirements and potential excise taxes under IRS rules, with remediation typically available through the DOL’s Delinquent Filer Voluntary Compliance Program or IRS correction procedures. Employers who process payroll and then hold deferrals in operating accounts before transferring them to the plan are particularly vulnerable to this finding.
Employee Census Data and Enrollment Records
Inaccurate census data is the starting point for a cascade of audit problems. Incorrect hire dates, wrong compensation figures, and outdated termination records all create errors that flow through eligibility testing, vesting calculations, and contribution accuracy. Auditors begin most of their procedures with the census, so errors there multiply quickly. Missing enrollment forms and unsigned opt-out documentation are also flagged consistently, particularly in companies that grew quickly and never formalized their recordkeeping from the start.
Plan Document Compliance and Nondiscrimination Testing
Auditors compare what the plan document says against what the plan actually did during the year. Incorrect matching contribution formulas, vesting schedules that don’t match the document’s terms, and failures in ADP/ACP nondiscrimination testing are all recurring findings. A plan that was amended several years ago but whose operational processes were never updated to reflect the new terms is a common source of these compliance gaps.
The Audit Timeline and What Each Phase Involves
A benefit plan audit runs approximately three to four months from engagement to final report issuance, though complexity, plan sponsor responsiveness, and SOC 1 availability can extend that window. Most plan sponsors underestimate how early the process needs to start, and delays in the early phases push everything back toward the filing deadline.
Phase 1: Engagement and Document Gathering (Months 1, 2)
For calendar-year plans with a July 31 Form 5500 deadline (or October 15 with a Form 5558 extension), the engagement should start six to nine months before that date, meaning initial conversations in October or November of the plan year. That timing matters because early planning reduces the last-minute scramble and gives your team time to resolve any recordkeeping gaps before fieldwork begins. Early steps include signing the engagement letter, receiving the auditor’s document request list, and gathering plan records. One task that trips up many first-time plan sponsors: requesting SOC 1 reports from the plan’s recordkeeper and custodian. These reports can take several weeks to obtain, four to six weeks is common based on typical provider timelines, and the audit can’t proceed effectively without them.
Phase 2: Fieldwork and Testing (Months 3, 4)
The auditor moves into transaction testing, internal controls review, and plan record examination once the documentation package is submitted. This phase requires active participation from the plan sponsor. Responding to follow-up information requests within two to three business days keeps the process on schedule and controls costs. Delayed responses are the most common reason audits run over budget and over schedule.
Phase 3: Report Issuance and Form 5500 Filing
The auditor prepares draft financial statements for plan sponsor review, incorporates any final corrections, and issues the audit report. That report is then attached to the Form 5500 as part of Schedule H and filed electronically via EFAST2. Missing the July 31 deadline without filing for an extension creates the penalty exposure described earlier, so the filing calendar needs to be tracked closely throughout the engagement.
Preparing Your Employee Benefit Plan Audit Documentation
The quality of your documentation before the auditor arrives determines how smoothly the audit runs. A disorganized or incomplete package slows fieldwork, increases costs, and surfaces findings that could have been addressed internally. Use the sections below as a practical benefit plan audit checklist to guide your preparation.
Plan Documents and Financial Records
The baseline documentation includes the plan document and all amendments, the adoption agreement, investment statements for the plan year, prior Form 5500 filings, and the Summary Annual Report. Auditors use these as the reference point against which everything else is tested. If amendments have been made but not formally adopted, that gap will surface during fieldwork.
Participant Data and Contribution Records
Clean census data means accurate hire and termination dates, correct compensation definitions as defined by the plan document, complete contribution history, current loan balances, approved hardship withdrawal documentation, and accurate vesting schedules. The most important step here is reconciling this data before the auditor requests it. Errors discovered during fieldwork take longer to resolve than errors caught and corrected in advance.
SOC 1 Reports and Third-Party Provider Documentation
A SOC 1 Type II report is an independent controls report issued by the plan’s recordkeeper or custodian covering a defined period, typically six to twelve months. Under ERISA Section 103(a)(3)(C) and AICPA audit guidance, a limited-scope audit allows the auditor to rely on these reports to assess the reliability of data coming from the service provider. This reliance reduces the scope of direct testing required. Request these reports from your service providers at the very start of the engagement. Waiting until the auditor asks for them adds weeks to the timeline. For a practical explainer of what a SOC 1 Type II report covers, see this overview on SOC 1 Type II reports SOC 1 Type II report.
Why Auditor Experience Changes Your Outcome Significantly
Plan sponsors often treat auditor selection as a procurement exercise. It shouldn’t be. The DOL’s 2023 Audit Quality Study shows directly that auditor experience with benefit plans determines audit quality, and a deficient audit report creates secondary risk for the plan sponsor entirely separate from the plan’s own compliance standing.
What the DOL’s Audit Quality Data Actually Shows
The 2023 DOL Audit Quality Study (EBSA) found that CPA firms performing one to two benefit plan audits per year had a 70% major deficiency rate. Firms performing the highest volume of plan audits had deficiency rates in the range of 12 to 19 percent. That gap is not a matter of effort or intent, it reflects the specialized knowledge required to audit these plans correctly. A deficient audit report attached to a Form 5500 can trigger a DOL investigation of the plan itself, making auditor quality a direct risk factor for the plan sponsor. For additional commentary and analysis on the DOL’s findings, see this summary of the DOL EBP audit quality report findings DOL EBP audit quality report findings.
What to Look for When Evaluating an Audit Firm
When selecting an auditor, the evaluation should focus on ERISA-specific experience, annual volume of employee benefit plan audits performed, EBPAQC (Employee Benefit Plan Audit Quality Center) membership through the AICPA, and familiarity with your specific plan type. EBPAQC membership requires firms to maintain documented quality control policies, conduct annual internal inspections of their benefit plan audit work, and submit to AICPA oversight. EBPAQC membership is a meaningful signal of commitment to the specialized standards this work requires.
How DMG Worldwide Approaches Benefit Plan Audit Engagements
At DMG Worldwide, our approach to employee benefit plan audit engagements goes beyond completing procedures and issuing a report. We review the plan’s documentation, contribution processes, and operational history before fieldwork begins and identify gaps that could become findings before the audit is formally underway. For plan sponsors navigating this requirement for the first time, that proactive review makes a measurable difference in the outcome. Our team understands both the technical ERISA requirements and the operational realities of small-to-mid-size businesses, and we bring both to every engagement. If you want to understand where your plan stands before the audit clock starts ticking, a free initial consultation is a practical first step. Learn more about our team on the admin, DMG Worldwide Inc page.
Getting Ahead of Your Next Filing Cycle
The core takeaways here are worth keeping close. The 100-participant threshold, measured by participants with account balances on day one of the plan year, triggers a mandatory employee benefit plan audit under ERISA. The 80, 120 buffer zone provides protection for plans that filed as small in prior years, but once a plan crosses 121 participants, there’s no carve-out. The most common audit findings, late contribution deposits, inaccurate census data, and plan document compliance failures, are all preventable with consistent, proactive recordkeeping. The audit process runs three to four months from engagement to filing, which means preparation needs to start well before most plan sponsors realize it.
Auditor selection matters as much as the quality of the plan’s own records. A firm with deep, specialized experience in ERISA plan audits produces a more reliable report and identifies issues before they become DOL findings. The deficiency rate data by firm volume makes that point clearly, and it’s a factor plan sponsors shouldn’t overlook when making the selection.
If your plan is approaching the 100-participant mark, or if you’ve already crossed it and want to understand what your first employee benefit plan audit will involve, reach out to DMG Worldwide for a free consultation. We’ll assess where your plan stands, identify any documentation or operational gaps that need to be addressed, and give you a clear picture of what to expect before the auditor’s document request arrives. Get started at dmgcpas.com.
