June 17, 2015 - When we are not reading about cyberattacks and information security breaches, occupational fraud and employee fraud are stealing the headlines (pun intended).
While many organizations pay close attention to those who have access to payroll software and records, one associated area that is often overlooked is employee benefit plans. Similar to payroll, employee benefit plan records can contain a wealth of sensitive data, such as compensation information and social security numbers, but many plan sponsors pay scant attention to who has access to these records and what they can do with them. A recent criminal case in California highlights what can go wrong if access to employee benefit plan records is not monitored closely.
On May 26, 2015, the former owner of a company was convicted of two counts of grand theft and sentenced to six months in prison and five years of probation as part of a plea bargain. The crime? He exploited his access to his company’s 401(k) plan records to manipulate four employees’ account information in order to improperly distribute over $43,000 from these accounts to himself. The larger crime? Ineffective or missing fraud policy.
Is your plan vulnerable?
As a matter of convenience, many plan sponsors give one or a handful of employees full access to revise employee benefit plan records, but often there is no review of the changes these employees make to those records. This could easily allow a fraud such as the one described above to go undetected, particularly if changes are made to the accounts of former employees who no longer regularly monitor their accounts and no longer have contact with the plan’s management.
Consider your fiduciary responsibility
Beyond raising your ire at the audacity of employee fraud, your thoughts should also turn to how you personally could be affected if you are a fiduciary of a plan. Such a fraud could create significant liability for the plan’s fiduciaries, even if they themselves are victims of the fraud. Fiduciaries of a benefit plan can be held personally liable to restore any losses to the plan. It is important to remember, as well, that fiduciary status is based on functions performed for the plan, not just a person’s title. All plans are required to have a named fiduciary; however, in many cases, other members of the plan sponsor’s management who exercise discretion or control over the plan are considered to be fiduciaries as well. Watch our video series on plan fiduciary responsibility.
Where to turn to for guidance
Whether the plan with which you are associated is with a public company, private company or not-for-profit, be sure you understand your responsibilities as a fiduciary and whether your plan has controls and processes in place to protect the plan and its fiduciaries. For more information, please contact Brendan Brady, a member of our Employee Benefits Plan Team, at firstname.lastname@example.org about protecting your plan, Chad O’Connell about your fiduciary responsibility, or William Prohn about Information Security.
About the Author
Brendan P. Brady CPA
Brendan is responsible for managing client engagements, team scheduling, training and development. He leads general and specialized audits as well as internal control projects, and is one of the leaders of the Firm’s employee benefit plan audit practice. He uses his experience to offer management advice and suggestions for improving operational efficiency by obtaining a thorough understanding of a business, not just from the controller’s standpoint, but from management’s and the operational side.