Uncategorized

ERISA Plan Audit: The Large Plan Threshold, the SOC 1 Reliance, Form 5500 Schedule H

An ERISA plan audit is the independent financial statement audit a large employee benefit plan must attach to its Form 5500. The trigger is participant count, and a 2023 Department of Labor change rewrote how that count works. For many 401(k) plans, the new counting method pushed them below the threshold and out of the audit requirement entirely.

Key takeaways

  • An ERISA plan audit is generally required when an employee benefit plan is a “large plan,” meaning it has 100 or more participants at the beginning of the plan year, under the DOL Form 5500 rules and ERISA section 103(a)(3)(A).
  • Effective for plan years beginning on or after January 1, 2023, the DOL changed the count for defined contribution plans to participants with account balances, not merely those eligible, which dropped many plans below 100 (DOL final rule, 88 FR 11793).
  • The 80-to-120 participant rule lets a plan that filed as a small plan continue filing as small until it exceeds 120 participants, smoothing the transition into audit status.
  • SAS 136 reshaped plan audits and replaced the old “limited scope audit” with the ERISA Section 103(a)(3)(C) audit, in which the auditor does not test certified investment information but still reports on it.
  • The audit attaches to Form 5500 Schedule H, and the return is due seven months after plan year-end, with a 2.5-month extension available on Form 5558.

What is an ERISA plan audit?

An ERISA plan audit is an audit of the financial statements of an employee benefit plan, performed by an independent CPA and required under the Employee Retirement Income Security Act of 1974. Section 103(a)(3)(A) of ERISA requires the administrator of a plan to engage an independent qualified public accountant to audit the plan’s financial statements and attach the auditor’s report to the plan’s annual return, Form 5500.

The audit covers the plan itself, not the sponsoring employer. The plan is a separate legal entity with its own financial statements: a statement of net assets available for benefits and a statement of changes in those net assets. The auditor tests participant data, contributions, benefit payments, investment activity, and the plan’s compliance with its own document and with the tax-qualification rules that keep the plan’s earnings tax-deferred.

This is a financial statement audit, distinct from a review or compilation. For the broader framing of those service levels, see audit versus review versus compilation. A plan audit is one of the more specialized engagements in public accounting, governed by its own standard and its own peer review focus, because errors flow directly to the retirement savings of plan participants. Our accounting learning hub gathers the related employee-benefit and audit topics for readers who want the surrounding context.

The stakes explain the scrutiny. A plan audit protects participants who have no practical way to verify that their contributions were deposited, that their account balances are correct, or that distributions were paid only to eligible participants. The Department of Labor’s Employee Benefits Security Administration, not the SEC or the PCAOB, oversees the quality of these audits, and it has historically found that audits performed by firms with very few plan clients show higher deficiency rates than those performed by firms with established benefit-plan practices. That finding shaped both the move to SAS 136 and the peer review emphasis on benefit-plan engagements.

Who needs one

The dividing line is the large plan versus small plan distinction. A small plan, generally one with fewer than 100 participants at the beginning of the plan year, files the Form 5500-SF or Form 5500 with Schedule I and is usually exempt from the audit requirement. A large plan, with 100 or more participants, files Form 5500 with Schedule H and must attach an independent auditor’s report.

What counts as a “participant” is where the 2023 change lands. Historically, a defined contribution plan such as a 401(k) counted every eligible employee, even those who never enrolled and held no account balance. Under the DOL final rule published at 88 FR 11793, effective for plan years beginning on or after January 1, 2023, a defined contribution plan counts only participants with an account balance at the beginning of the plan year. An eligible employee who never contributed and has no balance no longer counts toward the 100.

The practical effect was large. Plans with many eligible but non-participating employees, common in industries with high turnover or low enrollment, saw their participant counts fall. Many plans that had been large plans, carrying an annual audit, dropped below 100 and became small plans exempt from the audit. The change did not alter the threshold number; it changed who gets counted. The question of when a 401(k) plan needs an audit now turns on account balances first.

The 80-to-120 participant rule cushions the transition. Under it, a plan that filed its prior Form 5500 as a small plan may continue to file as a small plan, avoiding the audit, as long as the participant count stays at 120 or fewer. Only when the plan exceeds 120 must it file as a large plan and obtain the audit. The rule prevents a plan from bouncing in and out of audit status as its headcount drifts around 100.

How it works: the mechanics

The plan administrator engages the auditor and prepares the plan’s financial statements. The auditor’s work centers on a handful of areas: participant eligibility and contributions, benefit payments and distributions, investment existence and valuation, participant data accuracy, and the plan’s compliance with its governing document and the Internal Revenue Code’s qualification rules.

A defining feature of plan audits is reliance on the recordkeeper. Most 401(k) plans use a third-party recordkeeper and a custodian or trustee that holds the investments. The auditor does not re-audit the entire investment platform of a large recordkeeper. Instead, the auditor obtains a SOC 1 report on the recordkeeper’s controls. A SOC 1 report, issued under SSAE 18, describes the service organization’s controls over financial reporting and tests their operating effectiveness, allowing the plan auditor to rely on those controls rather than testing them directly at the source. The concept parallels other service-organization assurance work; for the related framework, see the SOC 2 audit, noting that plan audits specifically rely on SOC 1, the financial-reporting variant.

The certification mechanism drives the scope. ERISA section 103(a)(3)(C) lets a plan limit the audit when a qualified institution (a bank or insurance carrier) certifies the completeness and accuracy of the investment information it holds. Under SAS 136, this is now called an “ERISA Section 103(a)(3)(C) audit.” The auditor does not audit the certified investment information but does audit everything else and reports specifically on whether the certified information agrees to the certification. This replaced the older “limited scope audit,” which produced a disclaimer of opinion that confused users.

SAS 136, “Forming an Opinion and Reporting on Financial Statements of Employee Benefit Plans Subject to ERISA,” took effect for plan years ending on or after December 15, 2021. It restructured the auditor’s report, added required procedures around plan provisions and prohibited transactions, mandated specific communications about the section 103(a)(3)(C) election, and required the auditor to obtain a substantially complete draft Form 5500 before dating the report.

The audited financial statements attach to Form 5500 Schedule H, the financial schedule large plans file. Schedule H reports plan assets, liabilities, income, expenses, and transactions, and includes supplemental schedules such as the schedule of assets held and the schedule of reportable transactions.

Thresholds and the counting change

Item Rule Source
Large plan threshold 100 or more participants at beginning of plan year DOL Form 5500 rules; ERISA 103(a)(3)(A)
Participant count (DC plans), 2023 onward Participants with an account balance only DOL final rule, 88 FR 11793
Participant count, pre-2023 All eligible employees, balance or not Prior DOL counting method
80-to-120 rule Prior small-plan filer may stay small until count exceeds 120 Form 5500 instructions
Audit standard SAS 136, effective plan years ending on/after Dec 15, 2021 AICPA ASB
Form 5500 due date Last day of 7th month after plan year-end (July 31 for calendar plans) DOL/IRS Form 5500 instructions
Extension 2.5 months via Form 5558 (to October 15 for calendar plans) IRS Form 5558

Worked example

Assume Cedar Mill Manufacturing sponsors a calendar-year 401(k) plan. At January 1, 2025, the plan has 145 eligible employees. Under the pre-2023 method, all 145 would count, making it a large plan needing an audit. Under the current rule, only participants with an account balance count. Of the 145 eligible employees, 78 have account balances; the remaining 67 are eligible but never enrolled and hold no balance.

The count is therefore 78, below the 100-participant threshold. Cedar Mill’s plan is a small plan for 2025 and is not required to obtain an audit. It files Form 5500-SF or Form 5500 with Schedule I and no auditor’s report.

Now suppose enrollment campaigns succeed and, at January 1, 2026, 108 participants have account balances. The plan now exceeds 100. But the 80-to-120 rule asks how the plan filed last year. Because Cedar Mill filed as a small plan for 2025 and the 2026 count of 108 is 120 or fewer, it may continue to file as a small plan for 2026 and again avoid the audit. Only if the balance count climbs above 120 in a future year, or if the plan had filed as large in the prior year, would the audit become mandatory and Schedule H with an attached auditor’s report would be required.

Recent changes 2024 to 2026

The dominant change is the 2023 participant-counting rule for defined contribution plans, finalized at 88 FR 11793 and effective for plan years beginning on or after January 1, 2023. By moving from “eligible” to “account balance” counting, it reduced the number of plans required to be audited. The full effect showed up in the 2023 Form 5500 filing cycle and continues into 2025 and 2026 filings, with many former large plans now filing as small.

SAS 136 remains the governing audit standard, fully effective and reflected in current peer review and Department of Labor enforcement focus. The Department of Labor has continued to scrutinize plan audit quality after its earlier studies found deficiencies in a meaningful share of plan audits, and the section 103(a)(3)(C) reporting model under SAS 136 was designed in part to respond to those concerns.

Form 5500 itself continues to evolve under the SECURE 2.0 Act of 2022, including changes that affect how multiple-employer plans and pooled employer plans report and count participants. Plan administrators should confirm the current year’s Form 5500 instructions, because the counting rules for grouped arrangements differ from those for a single-employer plan.

Common pitfalls

Frequently asked questions

When does a 401(k) plan need an audit?
Generally when it is a large plan, meaning 100 or more participants at the start of the plan year. Since 2023, a defined contribution plan counts only participants with an account balance, so plans with many non-enrolled eligible employees may fall below the threshold.
How did the 2023 rule change the count?
It changed the count for defined contribution plans from all eligible employees to only those with an account balance, under the DOL final rule at 88 FR 11793, effective for plan years beginning on or after January 1, 2023. This dropped many plans below 100 participants.
What is the 80-to-120 rule?
A plan that filed its prior Form 5500 as a small plan may continue to file as a small plan, and skip the audit, as long as its participant count does not exceed 120. It prevents plans from flipping in and out of audit status near 100.
What is an ERISA Section 103(a)(3)(C) audit?
An audit in which a qualified bank or insurance carrier certifies the plan’s investment information, and the auditor does not audit that certified information but reports on whether it agrees to the certification. SAS 136 renamed and restructured what was formerly the “limited scope audit.”
Why does the auditor use a SOC 1 report?
Most plans use a third-party recordkeeper. The auditor obtains a SOC 1 report on the recordkeeper’s controls over financial reporting, issued under SSAE 18, to rely on those controls rather than testing them at the source.
When is the audit due?
The audit attaches to Form 5500, which is due the last day of the seventh month after plan year-end (July 31 for a calendar-year plan), with a 2.5-month extension to October 15 available on Form 5558.
Which Form 5500 schedule carries the audit?
Schedule H, the financial schedule large plans file. Small plans use Schedule I or Form 5500-SF and do not attach an auditor’s report.
Does a small plan ever need an audit?
Usually not, but a small plan that holds non-qualifying assets above a threshold without a fidelity bond or qualifying institution custody can lose the small-plan audit waiver and need an audit. The general rule is that small plans are exempt.

Bottom line

The ERISA plan audit is triggered by participant count, and the 2023 DOL switch to counting only participants with account balances took many 401(k) plans out of audit range. Where an audit is required, SAS 136 governs the report, the section 103(a)(3)(C) election limits scope around certified investments, and the work relies on the recordkeeper’s SOC 1 report before attaching to Form 5500 Schedule H.

Sources and methodology

This article relies on primary sources: the Employee Retirement Income Security Act of 1974, particularly section 103(a)(3)(A) and (C); the Department of Labor final rule changing defined contribution participant counting, published at 88 FR 11793 (February 2023); the DOL and IRS Form 5500 and Schedule H instructions and the 80-to-120 participant rule; AICPA Statement on Auditing Standards No. 136; SSAE 18 governing SOC 1 reports; Form 5558 extension procedures; and the SECURE 2.0 Act of 2022. Thresholds and effective dates reflect rules in force for 2025 and 2026 plan-year filings.