You’re probably in one of two situations right now. Your company is growing fast and someone just realized the retirement plan may be nearing the point where an audit becomes mandatory. Or you already know an audit is coming, and the bigger worry is not the audit itself. It’s whether your payroll files, eligibility records, remittance timing, and plan documents will all agree once an auditor starts testing them.
That anxiety is justified, but it’s also manageable. A 401k audit isn’t just a compliance event for large plans. It’s a forced review of whether the plan is operating the way you think it is. And that matters even if your plan is still below the threshold that requires an audit, because smaller plans face the same operational risks. Common problems such as late contributions and incorrect compensation definitions show up across all plan sizes, including plans that don’t need a mandatory audit, as noted in this 401(k) compliance FAQ for employers.
The practical mistake many plan sponsors make is treating audit readiness as a year-end document chase. In practice, most painful findings start much earlier. They usually begin where payroll, HR, and the plan administrator stop speaking the same language.
Your Guide to Navigating a 401k Plan Audit
If your headcount is rising, your audit risk may be rising with it. That’s often when HR gets pulled into a problem that feels accounting-heavy, legal-adjacent, and operationally messy all at once. The good news is that 401k plan audits are far less intimidating when you stop viewing them as a one-time event and start treating them as a test of routine plan administration.
A useful way to frame the audit is this. It’s a health check on the plan, your internal controls, and the data flowing between payroll, HR, the recordkeeper, and your third-party administrator. If those systems are aligned, the audit tends to be orderly. If they aren’t, the audit exposes the cracks quickly.
Three practical truths matter early:
- The audit isn’t mainly about catching fraud: In many companies, the harder problem is ordinary process failure. Eligibility isn’t tracked correctly. Payroll codes don’t match plan definitions. Contribution timing isn’t monitored.
- The filing is only one piece: Form 5500 matters, but auditors also test whether the plan operated according to the governing documents and ERISA requirements.
- Exemption doesn’t mean safety: Plans below the mandatory audit threshold can still carry the same operational errors and corrective burden.
Practical rule: The best time to prepare for a 401k audit is while processing payroll, not after receiving the auditor’s request list.
HR leaders usually don’t need to become ERISA technicians. They do need a clean operating model. That means knowing who owns eligibility, who reviews payroll feeds before contributions post, who reconciles census data, and where plan documents live.
When those answers are vague, the audit becomes expensive in staff time even before the invoice arrives.
What Exactly Is a 401k Plan Audit
A 401k plan audit is an independent examination of the plan’s financial statements and selected operations by an Independent Qualified Public Accountant, often called an IQPA. It is a financial inspection. The auditor isn’t there to redesign your plan. The auditor is there to determine whether the plan’s reporting is accurate and whether administration appears consistent with the plan documents and applicable rules.

If you want a broader framing of how review functions work inside organizations, this practical guide to internal audit is a useful companion. It helps explain why testing controls and validating records isn’t bureaucratic busywork. It’s how companies catch process weakness before it becomes a regulatory problem.
What the auditor is actually reviewing
Auditors typically request a mix of documents, data extracts, and process explanations. That often includes plan documents, amendments, trust statements, payroll records, participant census data, contribution reports, loan activity, distributions, and evidence supporting Form 5500 reporting.
They also test whether transactions were handled properly. For example, they may review whether employee deferrals were remitted on time, whether compensation used for contributions matched the plan’s definition, and whether eligible employees entered the plan when they should have.
If you need a refresher on the legal framework behind many of these duties, this ERISA overview is a solid starting point.
Why the audit matters beyond the filing
The audit protects more than a form. It protects fiduciaries, because it creates an independent record of whether plan reporting and operations hold together under scrutiny. That’s especially important when the company has grown quickly, changed payroll systems, switched TPAs, or merged entities.
A smooth audit usually reflects disciplined year-round administration. A rough audit usually reveals that basic controls were never clearly assigned.
The strongest teams don’t wait for the auditor to identify contradictions. They reconcile payroll to plan activity throughout the year, keep amendments organized, and document who approved key administrative steps.
That discipline matters because many audit problems look technical on paper, but operationally they’re simple. Someone used the wrong payroll code. Someone forgot to update eligibility logic. Someone assumed the TPA was checking data that no one checked.
Understanding the Triggers for a 401k Audit
The trigger for mandatory 401k plan audits is often described too casually. People say, “Once you hit 100 employees, you need an audit.” That’s close enough to create confusion and far enough from the rule to create expensive mistakes.
The actual test turns on plan participant counts used for Form 5500 filing status, not your overall company headcount.

How participant counts now work
Under current rules described in this guide to 401(k) 5500 audit rule changes, a 2023 DOL rule change redefined a “large plan” by counting only participants with account balances. Previously, a plan with 95 active employees and 35 eligible former employees would have triggered an audit. Under the new rule, that plan will often remain a small plan, with estimated audit fee savings of $8,000 to $30,000 annually.
That change matters for fast-growing companies that have turnover, acquisitions, or long tails of former employees still sitting in the plan. It also means participant counting is now more operational than many sponsors realize. If terminated participants still carry balances at year-end, they can continue affecting future audit status.
In practice, HR and finance should review participant count trends before the start of the next plan year, not after year-end cleanup.
The 80 to 120 rule in practice
The other rule that trips people up is the 80-120 participant rule. According to Watkins Ross on 401(k) audit requirements, a plan that filed as small in the prior year can continue filing as small, and avoid an audit, as long as it has fewer than 121 participants on the first day of the plan year. Once a plan has filed as large, it must continue to do so as long as it has at least 100 participants.
That creates a planning window, but only if you apply the rule correctly.
A simple way to think about it:
- Prior year filed as small: You may stay small until the count reaches 121.
- Prior year filed as large: You generally stay large while the count remains at 100 or more.
- Borderline plans need active monitoring: A slight shift in balances, distributions, or participant cleanup can affect status.
Why growing companies get surprised
The plans that get caught off guard usually don’t have a bad intent problem. They have a timing problem. No one checked the participant count early enough. No one understood how terminated employees with balances affected the result. Or the company assumed the TPA would tell them when an audit was coming, even though the sponsor still owns the filing obligation.
Don’t forecast audit status from employee headcount alone. Use plan participant data, balance status, and prior filing status together.
The cleanest operating habit is a recurring census review with HR, payroll, and the TPA. That’s where audit forecasting becomes predictable instead of reactive.
The Audit Process Timeline and Expected Costs
Most audit stress comes from uncertainty. Teams don’t know what the auditor will ask for, how long fieldwork will last, or whether they’ve chosen the right firm. The underlying process is more predictable than it seems if you break it into phases and assign owners early.

What the process usually looks like
A typical 401k audit unfolds in a sequence that HR and finance can manage well if the work is staged.
- Select the auditor early: Don’t wait until filing season. You want time to evaluate benefit plan experience, request sample deliverables, and coordinate calendars with your TPA and recordkeeper.
- Receive the initial request list: The auditor sends a prepared-by-client list. This usually includes plan documents, census data, trust reports, payroll support, contribution detail, loan and distribution reports, and prior year filings.
- Fieldwork and testing: The auditor tests samples, traces transactions, reviews reconciliations, and asks follow-up questions. Poor documentation and inconsistent payroll coding often become apparent at this stage.
- Discuss findings: Not every finding means disaster. Some issues require correction, some require added support, and some require process changes for the next year.
- Finalize the report and filing support: The audit report is issued for inclusion with the Form 5500 package.
If filing timing is part of your concern, this overview of the Form 5500 filing deadline is worth keeping handy for internal planning.
What drives audit fees
Audit cost depends on complexity, not just size. A cleaner plan can cost less to audit than a smaller but poorly administered plan. According to the materials cited earlier, audits often range from $10,000 to $30,000 annually for plans in scope, and another source notes costs averaging $8,000 to $12,000 for plans under $50M in assets, with some audits reaching $18,000+, depending on complexity and scope.
What usually affects fees:
- Plan complexity: Loans, distributions, corrections, and unusual transaction types create more testing.
- Record quality: Organized reports from the recordkeeper and TPA reduce back-and-forth.
- Internal controls: Documented processes lower the time spent proving what happened.
- Responsiveness: Delayed answers often mean expanded fieldwork.
Why cheap audit selection often backfires
Trying to save money with a lightly experienced auditor is a classic false economy. A DOL study summarized by Lillie & Company found that firms performing only 1 to 2 benefit plan audits per year had a 76% deficiency rate, compared with 12% for firms conducting 100 or more.
That gap should change how you buy audit services. Lowest fee should not be the first filter. Relevant volume, current ERISA plan experience, and a clear request process matter more.
A specialist often costs less in total organizational effort, even when the engagement fee is higher.
The practical trade-off is simple. Pay a little more for a firm that knows benefit plan audits, or pay later in staff disruption, corrections, and increased regulatory risk.
Common Audit Findings and How to Avoid Them
The most common audit findings rarely start as dramatic failures. They start as ordinary administrative drift. A payroll code was mapped incorrectly. Eligibility was interpreted one way by HR and another way by the TPA. Deferrals were held a little too long before remittance. By the time an auditor reviews the file, the issue looks like a compliance problem because it is one.
Where findings usually come from
One of the clearest examples is participant data. Assurance Dimensions’ summary of frequent 401(k) plan audit deficiencies notes that deficiencies in participant data, including use of incorrect compensation definitions from payroll systems, appear in 15.6% of audits. That’s the most useful lens for many employers. The root cause often isn’t fraud. It’s a systems and process disconnect between payroll, HR, and plan administration.
That’s why “be more organized” is not enough. If the source data is wrong, better folders won’t fix the audit.
Common 401(k) Audit Findings and Penalties
| Common Finding | Typical Root Cause | Potential Penalty / Correction |
|---|---|---|
| Late remittance of employee deferrals | Payroll funds withheld on time but not transmitted promptly to the plan | May require correction, additional contributions, and prohibited transaction reporting |
| Incorrect compensation used for deferrals or match | Payroll earnings codes don’t align with the compensation definition in the plan document | Misallocated contributions, testing failures, and corrective contributions |
| Missed eligibility entry | HR onboarding, payroll setup, and TPA eligibility files don’t match | Missed deferral opportunity corrections and plan operational fixes |
| Incomplete loan or distribution support | Recordkeeping reports exist, but approval trails or supporting records are scattered | Extra audit scrutiny, delayed completion, and possible corrective action |
| Weak document control | Amendments, adoption agreement, SPD, or opinions are stored across email, shared drives, and vendor portals | Filing delays, incomplete support, and avoidable findings |
A related protection that often gets confused with the audit requirement is the ERISA bond requirement. It serves a different purpose, but sponsors should still make sure it’s in place and current.
What actually works
The teams that reduce findings usually do a handful of things consistently:
- Map payroll codes to plan definitions: Don’t assume gross pay equals eligible compensation.
- Review eligibility monthly: Especially after rapid hiring, entity changes, or payroll migrations.
- Reconcile census files before year-end: If birth dates, hire dates, status changes, and termination dates are inconsistent, the audit will surface it.
- Assign one data owner: Someone must own the final participant file sent to the TPA and auditor.
- Document exceptions: If something unusual happened, write it down while people still remember it.
Most “documentation problems” begin as process design problems. Fix the handoff, and the paperwork usually fixes itself.
Many growing companies need to mature. They don’t need more heroics. They need fewer manual touchpoints and clearer system rules.
A Step-by-Step 401k Audit Preparation Checklist
Audit preparation gets easier when you treat it like a controlled project instead of an emergency response. The checklist below is built for the HR manager or finance lead who has to coordinate payroll, the recordkeeper, the TPA, and the audit firm without losing a month to email archaeology.

Ninety days before fieldwork
Start with the items that determine whether the rest of the process will be smooth.
- Confirm audit status: Verify participant count and prior filing status so you know whether an audit is required for the year.
- Select the IQPA: Choose a firm with demonstrated employee benefit plan audit experience, not just general audit capability.
- Create a document folder: Centralize the adoption agreement, amendments, SPD, service agreements, trust statements, prior year audit report if applicable, and prior Form 5500 support.
- Align your vendors: Tell payroll, the TPA, recordkeeper, and internal finance team when fieldwork is expected and what support they’ll need to deliver.
Thirty days before fieldwork
This is the heavy-lift phase. It’s where most companies either stabilize the audit or make it harder.
- Reconcile payroll to contributions: Check that employee deferrals and employer contributions agree to payroll records and plan reports.
- Review compensation definitions: Validate that excluded and included earnings categories match the plan document, not assumptions from payroll setup.
- Test eligibility and entry dates: Pull a sample of new hires, rehires, and terminated employees. Make sure actual plan entry followed the document.
- Prepare census data carefully: Hire date, birth date, status, termination date, compensation, ownership status, and year-end balance fields must be internally consistent.
Keep one version of the census file. Once multiple departments start editing separate copies, audit prep slows down fast.
During fieldwork and before finalization
Once the auditor starts testing, speed and consistency matter more than volume.
- Answer from source documents: Don’t respond from memory if the plan document or payroll report can answer the question directly.
- Track open items in one log: A shared tracker avoids duplicate work and missed follow-ups.
- Escalate discrepancies early: If payroll and TPA reports don’t match, don’t wait for the auditor to discover the difference.
- Document corrections: If you identify an issue, record what happened, what was corrected, and whether process changes are needed for the next year.
- Review the draft carefully: The management team should understand findings before the report is finalized.
A well-run audit prep cycle isn’t glamorous. It’s disciplined. The best sign that you’re ready is simple: your records tell the same story no matter which system the auditor starts with.
How Benely Streamlines Audit Readiness and Compliance
A fast-growing HR team usually feels the problem in August, not at year-end. An auditor asks for support on eligibility, compensation, and deferral timing, and the answer sits across payroll exports, email approvals, and TPA files that do not match cleanly.
Benely works best when the goal is not last-minute document gathering, but cleaner administration all year. It gives HR, payroll, and benefits teams one operating system for employee changes, plan-related records, and ownership of recurring tasks. That matters because audit readiness improves when the same employee event is recorded once and carried through correctly, instead of being rekeyed across separate systems.
Why a connected platform changes the work
Teams do not reduce audit risk by working harder in Q4. They reduce it by setting up fewer opportunities for records to drift apart during the year.
Used well, Benely helps companies:
- Keep employee records in one place: Hire dates, status changes, terminations, and other core data stay easier to verify across HR and benefits workflows.
- Reduce manual handoffs: Fewer spreadsheet transfers means fewer chances to introduce errors before data reaches the TPA or auditor.
- Maintain cleaner documentation: Plan materials, amendments, notices, and supporting records are easier to retrieve when requests come in.
- Clarify accountability: HR, payroll, finance, and outside partners can see who owns each step and what still needs review.
For teams that want an external framework to support internal controls, this comprehensive checklist for auditors is a useful reference. It covers the kind of document discipline and review habits that make fieldwork less disruptive.
What good audit readiness looks like in practice
The practical benefit is control over the process.
Instead of rebuilding support after the auditor sends a request list, the team is already working from organized records, current employee data, and a clearer chain of responsibility. Audit prep still takes effort. But the effort shifts toward review and exception handling, not reconstruction.
Benely does not remove the need for oversight. No platform does. HR still needs to confirm payroll settings match the plan document, review exceptions, and coordinate with the TPA and auditor. The trade-off is straightforward. An integrated system reduces avoidable mismatch risk, but only if the company uses it with defined ownership and routine checks.
That is what reliable compliance looks like in practice. Fewer surprises, faster support retrieval, and fewer audit issues created by disconnected systems.
Frequently Asked Questions About 401k Audits
What is a limited-scope audit and is my plan eligible
Some large plans may qualify for a 103(a)(3)(C) audit, which is a lower-burden option in certain circumstances when qualified investment information is properly certified. Eligibility depends on plan structure and custodial arrangements, so sponsors should confirm the fit with their auditor and ERISA counsel before assuming this approach is available.
What happens if we fail our 401k audit
An audit usually doesn’t produce a simple pass-fail outcome in the way people expect. More often, the auditor identifies findings, missing support, or operational issues that require correction, additional disclosure, or process changes. Often, the cost is the time and disruption required to reconstruct records and fix underlying errors.
How do I choose an IQPA
Start with employee benefit plan experience, not general firm reputation alone. Ask how many benefit plan audits the firm performs, who will staff the engagement, what their request list looks like, and how they handle common sponsor-side problems such as census inconsistencies and payroll reconciliation issues. You want a firm that can identify risks clearly without turning every issue into a fire drill.
Can the audit be done remotely
Yes, many audits can be performed largely remotely if your records are organized and accessible. Secure document sharing, clean exports from payroll and the recordkeeper, and one internal coordinator make remote fieldwork much easier. Remote doesn’t mean informal, though. Auditors still need complete support and timely responses.
If our participant count fluctuates, when do we actually need the audit
The rule that matters most for borderline plans is the prior filing status combined with the first-day participant count. As noted earlier in the article, the 80-120 participant rule allows a plan that filed as small in the prior year to stay small, and avoid an audit, until it reaches 121 participants on the first day of the plan year. But once a plan has filed as large, it generally stays large while it has at least 100 participants.
Borderline plans shouldn’t guess. They should document the count method, preserve the supporting census, and confirm filing status before deadlines start closing in.
Should a small plan ever prepare like it’s going to be audited anyway
Yes. That’s often the smartest approach. Even if a plan is exempt from the mandatory audit requirement, the same categories of administrative mistakes can still create correction work, participant issues, and fiduciary exposure. Small plans benefit from the same controls: documented eligibility rules, clean payroll mapping, timely remittances, and organized plan records.
If your team wants fewer surprises during 401k plan audits, cleaner payroll-to-benefits coordination, and a more reliable compliance workflow, explore Benely. It’s a practical next step for companies that want audit readiness to be part of normal operations, not a yearly scramble.



