Top 401(k) Compliance Risks That Don’t Show Up in Audits
Most organizations assume that if their plan passes its annual audit, they’re in good shape. After all, the numbers tie out. The financial statements are accurate. The auditor didn’t flag anything major.
But here’s the uncomfortable truth: an audit is not the same thing as compliance.
Independent auditors focus on financial materiality — whether the plan’s financial statements are fairly presented. Regulators like the U.S. Department of Labor (DOL) and the Internal Revenue Service (IRS) focus on something very different: fiduciary behavior and operational precision.
And in that world, even small errors can become expensive problems.
If you’re an HR leader, CFO, or committee member responsible for plan oversight, it’s time to understand the compliance risks that don’t always show up in audits — but absolutely show up in enforcement actions.
Whether your plan is subject to an audit or not, let’s walk through the most common blind spots, why they happen, and what you can do to reduce your exposure…
Contribution Timing: The “Hidden” Late Deposit Problem
You may already know employee deferrals must be deposited “as soon as administratively feasible.”
Many organizations operate under an informal rule of thumb — deposit within a week or two and you’re fine.
Here’s what often gets missed: the DOL looks at your fastest deposit.
If you were able to remit contributions within two days in March, but it took seven days in June, regulators may view that five-day difference as a prohibited transaction — essentially an interest-free loan from participants to the company.
Auditors often scan for major delays. Regulators can scrutinize every single payroll.
The result?
Lost earnings calculations. Excise taxes. Additional filings. Corrective action.
What to do:
Aim for consistency. If you can fund quickly, build your internal processes to fund quickly every payroll. Document your process and monitor it regularly.
Compensation Definitions: A Small Payroll Code with Big Consequences
This is one of the most common operational failures under the Employee Retirement Income Security Act of 1974 (ERISA).
Your plan document defines compensation in a very specific way. It might say W-2 wages. It might include bonuses. It might exclude certain fringe benefits.
Meanwhile, your payroll system is running on its own configuration, sometimes set years ago. If the payroll system excludes compensation that your plan document says must be included, you have an operational failure, even if the missed amount is small.
What happens when:
A new sign-on bonus is added?
A special allowance is created?
A commission code isn’t linked to 401(k) withholding?
You switch payroll systems?
Auditors test a limited sample. Subtle coding issues can easily go undetected.
What to do:
Conduct an annual compensation review. Compare your plan document’s definition line by line with your payroll setup. Always repeat this exercise after adding new pay types or changing systems.
Missing Participants and Uncashed Checks
When employees terminate, many plans issue distribution checks. But if the check is sent to an outdated address and goes uncashed, the responsibility doesn’t end there.
The DOL considers uncashed checks to still be plan assets. Fiduciaries have an ongoing duty to locate missing participants.
If regulators discover years’ worth of stale checks and no documented search process, it can be treated as a breach of fiduciary duty.
Auditors may confirm that funds left the trust. Regulators want to know whether the participant actually received their money.
This has become a growing enforcement focus.
What to do:
Establish and document a missing participant policy that includes:
Certified mail attempts
Email outreach
Beneficiary contact
Locator services
Clear documentation of each step
Small-balance cash-outs help, but they don’t eliminate fiduciary responsibility.
“Reasonable” Fees: The Ongoing Fiduciary Duty
Plan sponsors have a legal obligation to ensure fees are reasonable for the services provided. That is not a question of whether the fees are disclosed correctly. It means they are competitive and appropriate relative to the market.
Audits confirm that fees on statements are accurate; however, they do not determine whether those fees are excessive.
If your organization hasn’t benchmarked fees or conducted a Request for Proposal (RFP) in the last three to five years, you may be exposed.
In enforcement actions and litigation, “we didn’t realize the fees were high” is not a defense.
What to do:
Implement a documented fee benchmarking process. Review service models, revenue sharing arrangements, and advisor compensation. Keep minutes that reflect active oversight.
Automatic Enrollment and Escalation Failures
Automatic enrollment and annual escalation features are powerful plan design tools. But they also introduce operational risk.
If your plan automatically increases deferrals by 1% annually and your system fails to apply that increase to a subset of employees, you’ve created a “failure to follow plan terms.”
Auditors often verify that the current deferral percentage matches the current election. They rarely audit whether escalation occurred precisely according to schedule over time.
Even small groups of affected participants can require corrective employer contributions.
What to do:
Run periodic reports comparing:
Hire dates
Enrollment dates
Current deferral rates
Required escalation schedules
Confirm the system logic matches your plan document.
Audit vs. Regulatory Reality
Here’s the core difference:
An audit asks:
Are the financial statements accurate?
Regulators ask:
Did you follow your plan document precisely?
Did you act prudently as a fiduciary?
Did you operate the plan in participants’ best interest — every payroll, every year?
Those are very different standards.
An Audit Is Not a Clean Bill of Fiduciary Health
Compliance isn’t just about avoiding findings. It’s about active governance.
Strong fiduciary oversight means:
Reviewing payroll integration annually
Monitoring deposit timing
Confirming eligibility and escalation accuracy
Benchmarking fees
Maintaining a documented missing participant process
Keeping detailed committee minutes
If you’re not sure when these items were last reviewed — or whether they were reviewed at all — that’s your signal.
Retirement plans have become more complex. Regulatory scrutiny has increased, and litigation risk is real. But with the right oversight structure in place, these risks are manageable.
The key is understanding where audits stop and fiduciary responsibility begins.
Time for a second look at your plan operations? At Retirement Planology, we partner with employers who want more than a clean audit — they want confidence that their plan is being run correctly, consistently, and prudently.
If you’re unsure about your deposit timing, haven’t reviewed your compensation definitions lately, don’t have a missing participant process in place, or haven’t benchmarked fees in several years, now is the time to act. If any of the risks discussed in this article feel uncomfortably familiar, let’s talk!