
DWC_Precision14_final


  1. 1. PRECISION: Expert Guidance and Creative Solutions for Retirement Professionals, VOL 2 2014. A DWC ERISA CONSULTANTS PUBLICATION. An Rose Employee By Any Other Name; Plan Documents: More Like Guidelines or Actual Rules?; Doing M&A The Right Way; Accidents Will Happen; Sometimes Simple Isn’t; Control Yourself: Plan Compliance and Internal Controls; Bad Things Happen. How To Be Prepared.; Don’t Be The Next Target for a Data Breach
  2. 2. A DWC ERISA CONSULTANTS PUBLICATION 2014 FROM THE EDITORS TABLE OF CONTENTS Security is a word that means many things to many people. To an investment professional, it might refer to a stock or mutual fund. To a nervous parent of a teenager, it might mean driving a really safe vehicle. To the technologically astute, it could be safeguarding sensitive data. To someone contributing to their 401(k) plan, it could most certainly refer to saving enough for a comfortable retirement. What do all of these have in common? Maybe many things, but the one that jumped out at us is that they all require proactivity. Business moves at a hectic pace, and it is really easy to fall into approaching our day-to-day activities reactively. Sometimes, that is just the nature of the beast, but being proactive means getting in front of issues before they become problems. And, preventing problems leads to enhanced security, whether it is protecting data or establishing internal controls to ensure greater plan compliance. This year’s edition of PRECISION Magazine is all about being proactive. We are pleased to bring you articles from our team of internal experts as well as guest authors who know the value of leading the process rather than reacting to it. The good news is that whether the situation calls for advance planning or knowledgeable reaction, you’ve come to the right place. Keith Clark, Doug Hoefer and Adam Pozek Partners, DWC ERISA Consultants, LLC 2. Don’t Be The Next Target for a Data Breach Adam C. Pozek, ERPA, QPA, QPFC 5. An Rose Employee By Any Other Name Szilvia Frazier, ERPA, QPA Cindy Banta, QKA 9. Plan Documents: More Like Guidelines or Actual Rules? Adam C. Pozek, ERPA, QPA, QPFC 11. Doing M&A The Right Way Amy E. Ouellette, CFP® , ERPA, QPA 14. Accidents Will Happen Joni L. Jennings, ERPA, CPC 18. Sometimes Simple Isn’t Doug Hoefer 21. Control Yourself: Plan Compliance and Internal Controls Ilene H. Ferenczy, Esq. 24. Bad Things Happen. How To Be Prepared. 
Rick Alpern
  3. 3. A DWC ERISA CONSULTANTS PUBLICATION 2014 2. Don’t Be The Next Target for a Data Breach By Adam C. Pozek, ERPA, QPA, QPFC The TJX Companies, Target and AT&T are just three of the big names to have been victims of massive data breaches in which sensitive personal and financial information was compromised. Although it might seem that large companies are the only potential victims, the risk is shared by any organization that houses or transmits such information. If you think about it, the data necessary for ongoing administration of employee benefit plans is enough to make an identity thief’s mouth water – names, social security numbers, birth dates, addresses – pretty much everything except mother’s maiden name, favorite pet and name of first grade teacher. With the rapid evolution of technology and the sophistication of the bad guys who wish to exploit it to their advantage, it is increasingly critical that we take steps to prevent them. Rules of the Road All but three states have enacted laws restricting when and how sensitive information can be electronically stored and transmitted, even for employers dealing with employee information. If you do business in Europe, the EU has enacted the Directive on Privacy and Electronic Communications. In some of the strictest states, there are monetary penalties imposed on any party that does not take affirmative steps to protect certain information. For example in Massachusetts, sending unencrypted personal information over the internet can result in civil penalties of up to $5,000 per violation. That means e-mailing an employee census file for 10 employees without some form of password protection or encryption could result in hefty fines even if there is no actual theft of the data. 
In addition, both the SEC and FINRA have standards that investment professionals must follow to protect client records, and the SEC’s Office of Compliance Inspections and Examinations recently announced that it will begin examining broker-dealers and registered investment advisors with an eye on cybersecurity governance. Protect Yourself and Your Data While there are plenty of high tech methods of protecting your data, there are some simple and inexpensive steps you can also take. Create a Data Usage Policy For starters, create a company policy that describes how sensitive information can and cannot be used and by whom. This can be as simple as indicating that all personal information is to be held in the strictest of confidence at all times or as robust as breaking down the entire who, what, why, when and where. Note that data can be stolen in very low tech ways such as dumpster diving on trash day. So do not overlook something as obvious as requiring discarded hard copies to be shredded rather than just tossed in the trash can. Once the policy is in place, be sure to communicate it to all employees. Consider including it in your employee handbook or otherwise making it a condition of employment, similar to other company policies and procedures. Highlighting it creates awareness at all levels of the organization and can make data security a part of the company culture. Have a Rhyme and Reason for Data Accessibility Start by asking whether all employees need to access all information all the time in order to effectively do their jobs. If not, consider restricting their system permissions to only that data or those systems they
  4. 4. A DWC ERISA CONSULTANTS PUBLICATION 2014 3. Don’t Be The Next Target for a Data Breach ... continued need. This could be determined by employee, title, job classification, location, etc. It is also critical to review and understand how various systems handle passwords. At a bare minimum, a password should be required to access all systems that contain sensitive information. However, many systems include settings that can easily enhance security by: •• Preventing common, easily-guessed passwords such as “1234” or even “password”; •• Setting passwords to expire at regular intervals such as every 90 days; •• Prohibiting previously used passwords or those that are too similar to either the company name or an individual’s user ID; and •• Requiring passwords to be a certain length or include certain types of characters such as upper and lower case letters, numbers and/or punctuation marks. Assess the risks and burdens of these different options to determine which, if any of them, make sense for you. Evaluate Data Transmission Methods When transmitting sensitive information over the internet, try to use secure portals to upload or download information in lieu of e-mailing it. For example, our client portal employs leading edge password protection and encryption to ensure our clients’ connections to our system are secure and direct. That means employee census files are uploaded directly to our secure site and not transferred over the unprotected internet. Many professional firms and service providers that work with protected information have similar portals. If a secure connection is not available, files should, at a minimum, be password protected prior to transmission via e-mail or other means. Even the most ubiquitous desktop applications (Microsoft Office, Adobe Acrobat, etc.) allow this functionality with only a couple of additional clicks when saving files. Of course, the recipient will need the password in order to open the file, but be sure you send it via a follow up e-mail or alternative means rather than including it in the message that contains the protected file. After all, sending both the file and the password in the same message does not offer much protection if it gets hacked. Still another option is to implement logic on your e-mail server that automatically encrypts outbound messages that include sensitive information. Many e-mail setups, including cloud-based Microsoft Exchange services, offer this functionality at a nominal additional cost, and most include a setting designed to detect and encrypt strings of numbers that follow conventional formats such as social security numbers, credit card numbers, etc. Even if a user forgets to take precautions with the data, the server will do it for them.
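The server-side check described in the article (detecting strings of numbers that follow conventional formats such as social security and credit card numbers, then encrypting the message) can be sketched as follows. This is an added example, not part of the original article or of any mail product's code; the function names, the `encrypt`/`send` labels and the sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "ssn" or "card"
    masked: str  # only the last four digits survive, so the finding is safe to log


# SSN: 3-2-4 digits, with a consistent separator (hyphen, space or none).
# The lookarounds stop the pattern from matching inside a longer digit run.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
# Card number: 13 to 19 digits, optionally grouped with single spaces or hyphens.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues (area 000, 666, 9xx; group 00; serial 0000)."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def scan_message(text: str) -> list:
    """Return masked findings for SSN-like and card-like numbers, in message order."""
    hits = []        # (start offset, Finding)
    card_spans = []  # spans already classified as card numbers
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            card_spans.append(m.span())
            hits.append((m.start(), Finding("card", "*" * (len(digits) - 4) + digits[-4:])))
    for m in SSN_RE.finditer(text):
        inside_card = any(s <= m.start() < e for s, e in card_spans)
        if not inside_card and ssn_plausible(m.group(1), m.group(3), m.group(4)):
            hits.append((m.start(), Finding("ssn", "***-**-" + m.group(4))))
    return [f for _, f in sorted(hits, key=lambda h: h[0])]


def outbound_action(text: str) -> str:
    """Hypothetical gateway decision: encrypt anything that carries a finding."""
    return "encrypt" if scan_message(text) else "send"


# Constructed sample messages (no real personal data).
SAMPLES = [
    "Census attached. J. Doe SSN 123-45-6789, DOB 01/02/1970.",
    "Please charge card 4111 1111 1111 1111 for the filing fee.",
    "Invoice 1234 5678 9012 3456 is overdue; call 555-867-5309.",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(outbound_action(msg), scan_message(msg))
```

The third sample shows why format matching alone is not enough: a 16-digit invoice number fails the Luhn check and a phone number does not fit the 3-2-4 grouping, so the message is not flagged.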
  5. 5. A DWC ERISA CONSULTANTS PUBLICATION 2014 4. Remember Mobile For all of the aforementioned reasons, do not forget to consider how mobile devices factor into the equation. Some high profile data breaches have occurred when employees took unprotected laptops on business trips only to have them stolen. If employees can access sensitive data from their laptops, tablets and/or smartphones, make sure: •• Those devices are password protected; •• Mobile access is limited to only the data the employee would be able to see while in the office; and •• You can remotely erase the device if lost/stolen or at least disable/reset that user’s login information. All are important considerations as today’s notion of “the workplace” is much broader than it once was. Work With Professionals Data security is a big deal. In the same way that you work with professionals for other critical yet complex business needs, it is also important to work with data security professionals. That might mean making sure your internal IT staff has the necessary training and experience to address your data security needs or hiring an outside consultant to evaluate your systems. If you are located or do business in a state with particularly strict laws, this might mean hiring an attorney to review your policies and procedures to ensure you are in compliance. If you do not have the expertise yourself, work with someone who does. Select Partners That Take Data Security Seriously Even if you have taken the necessary security measures, you could still be vulnerable if your business partners have not. There is a saying that a chain is only as strong as its weakest link, and the same is true with the data transmission chain. Anyone with whom you share sensitive information should have systems and procedures in place designed to ensure its protection. If you are unsure about a current or prospective partner’s data-protection policies, ask them. 
Conclusion We are not data security experts, but we have worked with outside professionals and implemented procedures to provide secure transmission and protect the sensitive information in our possession. Although technology creates an ongoing game of cat-and-mouse between those who wish to misappropriate data and those who wish to protect it, following the steps described in this article can be a great start to making sure your data does not have a target on it. Adam is a nationally known writer and speaker and 20+ year veteran of the pension consulting business. He is a partner at DWC ERISA Consultants, where he works with businesses of all sizes and industries from across the country.
  6. 6. A DWC ERISA CONSULTANTS PUBLICATION 2014 5. An Rose Employee By Any Other Name By Szilvia Frazier, ERPA, QPA and Cindy Banta, QKA As companies adapt to an ever-changing business environment, it sometimes calls for the use of different types of work arrangements. Some may rely on more part-time workers, while others may choose to work with independent contractors. Regardless of the reason for using them, alternative work arrangements present some unique challenges when it comes to employee benefit plans. Employee or Not? This seems like such a simple question but it can become complicated quickly. Making an accurate determination is critical for several reasons. •• Exclusive benefit rule: This rule requires retirement plans to be maintained exclusively for the benefit of the sponsoring company’s employees. As a result, the plan cannot be extended to anyone who is not legally an employee of the company. •• Plan design: There is quite a bit of flexibility in designing plans to include/exclude certain groups of employees, but in order to take full advantage of that flexibility, it is important to first have a solid understanding of which workers are part of the mix. •• Nondiscrimination: Properly classifying workers is an important first step to ensuring that a plan is in compliance, provides the promised benefits and does so in a manner that does not discriminate in favor of Highly Compensated Employees (“HCEs”) – generally those who own more than 5% of the company or who have annual compensation exceeding $115,000 (indexed for inflation). Making the Determination It is generally up to each employer to ensure its workers are properly classified. While it is not quite as simple as whether the worker’s pay is reported on a Form 1099 versus a W-2, the IRS has provided guidance for companies to consider. The so-called “Twenty Factor Test” (found in Revenue Ruling 87-41) focuses largely on whether the company has the right to control the worker. 
As a general rule, the following factors suggest that the company has that right, and is likely in an employer/employee relationship if: The worker … •• Is required to comply with instructions regarding when/where/how to work; •• Performs services at the company’s place of business;
  7. 7. A DWC ERISA CONSULTANTS PUBLICATION 2014 6. •• Must submit regular or written reports; and •• Is in a continuing relationship with the company. The company … •• Has the ability to hire, supervise or terminate the worker; •• Provides tools, materials and/or equipment for the worker to use in performing services; and •• Pays/reimburses business expenses such as for travel, etc. Conversely, the following factors tend to support a determination that the worker is an independent contractor and not an employee if: The worker … •• Has a significant investment in facilities, equipment, etc. that are used for performing services; •• Realizes a profit or loss; •• Provides similar services for more than one firm at a time; and •• Makes services available to the general public. Each determination is based on all the relevant facts and circumstances, and there is no single factor or combination of factors that will always lead to one decision or the other. Leased Employees Many people think of “leased employee” as a generic term that refers to any worker that comes from some sort of staffing agency; however, the law includes a very specific and lengthy definition. Although a true Leased Employee is, by definition, a common law employee of the leasing organization, he/she may also be treated as an employee of the company for which he/she performs services if all of the following conditions are met: •• The recipient company pays a fee for the services of the individual; •• The worker has performed services for at least one year on a substantially full-time basis (at least 1,500 hours in a 12-month period); and •• The recipient company has primary direction over the services rendered by the worker. Self-Employed Individuals For qualified plan purposes, a self-employed individual is considered an employee, and may participate in the company’s plan. Such individuals include sole proprietors, partners of a partnership, or the sole shareholder of a corporation. 
Other Classifications Other Than Full-Time This is a broad group that may include subcategories such as temps, part-timers, seasonal employees, interns and per diem employees. What they all have in common is that they are still employees regardless of how many hours they work. That means they must be provided benefits on the same basis as other employees once they meet the plan’s specified eligibility requirements. More on that later. After deciding who is or is not an employee, it is important to consider other types of classifications that come into play.
  8. 8. A DWC ERISA CONSULTANTS PUBLICATION 20147. Miscellaneous There are any number of other categories that companies might use to classify their employees. Some may be driven by extraneous factors – union members, non-resident aliens, etc. – while others may be the result of a particular company’s internal structure – front office staff, factory floor workers, senior managers, students, the owner’s children, etc. As we will see in the next section, it is important for companies that use different classifications to describe them with some precision and apply the categorization consistently. For example, if a company employs students and wants to treat them differently as a group, the company should define whether the “student” group applies to all students or just those enrolled full-time in an undergraduate program or whatever other variations that may be appropriate. Plan Design Now that we have identified who the employees are and determined how they are classified, let’s consider how those categories can be used to customize the plan design. In other words, who is covered by the plan and who can be excluded or treated differently from the others? Eligibility According to the law, the strictest eligibility provisions that a 401(k) plan can utilize are attainment of age 21 and completion of one year of service (defined as 12 months in which an employee works at least 1,000 hours). The plan can be more generous but not more restrictive, and a plan can use different provisions for different groups of employees. If a company has high turnover in the first year, sticking to the maximum requirements might make sense. If a company wants to enroll new employees right away, requiring only one month of service might be the way to go. Perhaps a combination – one month of service for salaried employees and one year of service for hourly employees. There is an important point to keep in mind, however. Once in place, the provisions must be applied consistently. 
This can present challenges in plans that use more generous requirements. Consider a company that employs all full-time employees and has a one month eligibility requirement. Fast forward a couple years, and the company hires summer interns and part-time employees. Based on the one month requirement, those interns and part-timers join the plan a month after they are hired. Employee Exclusions An employer may further restrict participation by excluding named groups of employees as long as the exclusion is based on some job characteristic other than the amount of work performed. For example, a plan cannot broadly exclude part-time or seasonal employees, because a part-time employee may, in fact, work 1,000 hours in a 12 month period, causing the exclusion to violate the eligibility rules described above. However, if all seasonal employees happen to clean swimming pools, then pool cleaners could be excluded, because the exclusion is based on the type (not the amount) of work. This is where precision matters. Let us return to the “student” example. It is perfectly acceptable for a plan to be written to exclude students as a broad category, but being overbroad could result in the unintended consequence of the company CEO being kicked out of the plan when he or she decides to go back to school to earn an MBA. Nondiscrimination As noted above, retirement plans cannot An Rose Employee By Any Other Name … continued
  9. 9. A DWC ERISA CONSULTANTS PUBLICATION 2014 8. discriminate in favor of HCEs. And of course, there cannot be a rule without a test to go with it. That test is called the minimum coverage test, and there are two variations – the ratio percentage test (“RPT”) and the average benefits test (“ABT”). The RPT is a head count test and looks only at the number of people covered by the plan. Without getting too far into the weeds, as long as a plan covers at least 70% of a company’s non-HCEs, it satisfies the RPT. In other words, the plan can exclude up to 30% of the non-HCEs and still pass the test. The ABT considers the amount of benefits each person receives and can sometimes be used to prove the plan is nondiscriminatory even if the RPT fails. Conclusion As you can see, proper employee classification should be carefully considered in relation to your retirement plan. Proactive planning in the beginning and being mindful of changes to workforce demographics can prevent unintended consequences down the road. When dealing with alternative work arrangements or excluding employee classes from your plan, it is best to work with knowledgeable experts who can guide you through the process. As consultants with DWC ERISA Consultants, Szilvia and Cindy bring many years of experience in working with businesses of all sizes in varying industries. They both enjoy being able to communicate complex subject matter in a way that resonates with their clients.
  10. 10. A DWC ERISA CONSULTANTS PUBLICATION 20149. Spend any amount of time dealing with retirement plans, and sooner or later the plan document will become a topic of conversation…maybe not an overly exciting topic, but an important one nonetheless. The law requires retirement plans to have, maintain and follow their written plan documents. Any time an employer takes an action that is not consistent with provisions in the document, the IRS considers it an operational failure, and that is not a good thing. Seems pretty straight-forward, right? Guess again. From time to time, the question of intent is brought into the mix. Sometimes, outside notes or other documentation are consulted as possible justification to do something contrary to the plan documents. Several years ago, the United States Supreme Court actually addressed this in its Kennedy v. Plan Administrator for DuPont Savings and Investment Plan opinion. Although every case is based on its unique facts, SCOTUS was clear that plan documents must be followed no matter what anyone’s intention may or may not have been. This issue comes up outside the courtroom as well. We once worked with a small employer whose plan was audited by the IRS. It turns out that for several years, investment gains were allocated in a manner that did not agree with the plan document provisions...clearly an operational failure. But the result was that the employees got too much as a result of the error, and the owner of the company got short-changed. You are probably thinking there was no harm to the employees, so the IRS could not have possibly cared. While a logical conclusion outside the retirement plan world, it is incorrect in this context. The auditor required correction and assessed a mid-five-figure penalty against the employer. 
Believe it or not, the reason for this article is not to attempt to scare you into following your plan document - although I guess that would not necessarily be a bad result – the following the document part, not the scaring part. The reason is that with some careful, proactive review, the plan document can be your friend as well as an important part of your internal controls that ensure plan compliance. [See “Control Yourself: Plan Compliance and Internal Controls” on page 21.] Even though intentions don’t matter (at least not to the Supreme Court or the IRS) once the document is written, a collaborative discussion about those intentions ahead of time allows the plan document to be written so that it reflects the company’s goals and objectives for the plan. Do you want to exclude certain classes of employees from participating in the plan? Proper preparation of the plan document can probably make that happen, while less attention to those details could result in the unintended inclusion of certain employees. [See “An Rose Plan Documents: More Like Guidelines or Actual Rules? By Adam C. Pozek, ERPA, QPA, QPFC “… ERISA forecloses any justification for enquiries into expressions of intent, in favor of the virtues of adhering to an uncomplicated rule. Less certain rules could force plan administrators to examine numerous external documents purporting to be waivers and draw them into litigation like this ...”
  11. 11. A DWC ERISA CONSULTANTS PUBLICATION 2014 10. Employee By Any Other Name” on page 5.] How about making sure that profit sharing contributions are calculated only on base salary and not bonus or giving that group of key employees you just hired vesting credit for service with their previous company? Yep. Careful document drafting can accommodate those also. And these are only a few of many examples. What if company goals or workforce demographics change? Are you stuck abiding by a now outdated plan document? The answer is a resounding “Yes.” That is until you amend your plan document to reflect the changes. Although some provisions can only be changed prospectively (sometimes not until the start of the next year), there are very few provisions that cannot be changed by adopting a formal written amendment. It is a good idea to discuss the specifics of the change, including the motivation behind it, with someone who is knowledgeable about plan design and plan documents to make sure the proposed change is the most efficient means of accomplishing the goal. There might also be other related provisions or potential unintended consequences that should be addressed at the same time. For example, if a company wants to amend its plan to allow Roth 401(k) contributions, they likely also want to amend the loan and distribution provisions so that Roth and pre-tax deferrals are treated the same. The good news is that there is no time like the present to review your plan document. From now through April 2016, almost all 401(k) and other defined contribution plans are required to completely rewrite their documents (a process known as a restatement) to incorporate language from previous law changes. Unlike the pirate’s code, the plan document really is more like actual rules and not just guidelines. 
This mandatory restatement is a great opportunity to lift the hood on your plan, keep what you like and change what needs to be updated to ensure it continues to meet your goals and provide valuable benefits for you and your employees. Adam is a nationally known writer and speaker and 20+ year veteran of the pension consulting business. He is a partner at DWC ERISA Consultants, where he works with businesses of all sizes and industries from across the country. CHEAPTECHTOOL#30 Postmates (www.PostMates.com) It’s a busy time of year; you’re working late at the office for the eighth night in a row; and you’re getting really tired of all the local fast food joints that deliver. Just check in with Postmates on your iOS or Android device to place an order from any restaurant in town, and the service will send someone to pick it up and deliver it right to your door. Maybe you’re stuck in your hotel room without a rental car when your computer battery dies – not just runs out of juice, but completely dies. Postmates will send someone to the local electronics store to get you a new one and bring it to your hotel. Any restaurant or store … you name it. Deliveries are usually made in under an hour. The app itself is free, but there is a minimum delivery fee of $5 with the actual charge based on the distance. Think of it as the personal assistant version of Uber. Postmates is currently available in 10 cities across the country and is rapidly expanding into new markets.
  12. 12. A DWC ERISA CONSULTANTS PUBLICATION 201411. Doing M&A The Right Way By Amy E. Ouellette, CFP® , ERPA, QPA Congratulations! You’re buying (or selling) a company! Call your lawyer; call your accountant; call your … Third Party Administrator? With all the hullabaloo surrounding this kind of transaction, the 401(k) plan is often overlooked until well after the fact, which can leave the parties facing some unintended and often unpleasant issues to resolve. Background Before going any further, we should clarify a few terms that will be used in this article. Any reference to “plans” or “retirement plans” generally refers to 401(k) plans specifically. Although many of the same concepts apply to other types of plans, there are also some variations. Second, when we talk about a “transaction,” we are referring to the actual purchase or sale of the business. Last but not least, references to a “stock” transaction assume at least an 80% transference of ownership. There are additional nuances that are beyond the scope of this article when the percentage transferred is below that threshold. Now, back to the article. If you are the seller and also sponsor a plan, the transaction often determines what, if any, ongoing plan responsibilities you have and how the participants are impacted. The driving force behind these impacts is the type of acquisition – stock or asset – so we will start by reviewing the difference between the two. The First Critical Question – Stock or Asset? Acquiring a company via a stock purchase means that the buyer is purchasing the ownership of the entity from the seller. The purchased company remains intact through the transaction but has a new owner(s). Everything owned by the company is now owned by the buyer, and any employees are usually treated as employees of the buyer, either directly or indirectly. If the buyer keeps that entity open and running, it is a separate but related employer (shared ownership but a separate taxable entity). 
Think of it as buying a house along with the furniture and all the contents. An asset sale, on the other hand, leaves the seller as the owner of the company and transfers only certain things of value that the seller’s company owned, such as equipment, property (e.g. physical, intellectual), client lists, etc. The seller may eventually shut down the business entirely, but the sale itself does not determine that end result. Employees of the seller can be, but are not automatically, hired by the acquiring entity; however, if/when the buyer does hire them, they are considered new employees. Think of an asset sale as buying the furniture out of a house and leaving the current owner with the house itself. The Asset Sale – A Seller’s Perspective What do these differences mean when it comes to the retirement plans? Let us consider the seller first, since the type of sale impacts the options more immediately. Since the seller retains ownership of the company in an asset sale, the seller retains responsibility for the 401(k) plan. As part of the transaction, there may be an agreement for the buyer to assume the plan (via plan amendment) or agree to accept assets via a trustee-to-trustee transfer (via a separate “spin-off” agreement). However, since doing so would result in the buyer likely also assuming the associated risks and liabilities, our experience is that this is a less common outcome. Think audit risk, participant-lawsuit risk, unavailable-historical-records risk and just general skeletons-in-the-closet risk. If that doesn’t make you shudder … Assuming the 401(k) plan is not transferred in the sale, the seller may choose to continue sponsoring it;
  13. 13. A DWC ERISA CONSULTANTS PUBLICATION 2014 12. however, it is recommended that they contact their plan consultant to discuss the potential for a partial plan termination if at least 20% of their participating workforce leaves as part of the sale. The seller may also opt to terminate the plan entirely if the goal is to close the business or if there is no further interest in making contributions for any remaining employees. Regardless of the choice, it is the seller’s responsibility to take the appropriate steps. The Stock Sale – A Buyer’s Perspective Since the buyer inherits everything in a stock sale, they must ascertain whether the seller has a plan, because it can impact their responsibilities and/or the timing of the transaction. If the buyer does not want to assume the seller’s plan, the seller must, at minimum, execute a resolution to terminate the plan prior to the sale. This is especially important if the buyer already has its own plan and doesn’t wish to juggle a second one. If the seller does not terminate the plan prior to the sale, not only does the buyer assume responsibility, but they lose the ability to terminate the plan since they have what is considered a “successor plan” (see http://www. DWCconsultants.com/PlanTermination.php for more information). If the buyer does inherit the seller’s plan, either intentionally or accidentally, there are generally three options going forward. •• Freeze the acquired plan – requires full maintenance of the plan, including the accounts, documents, annual Form 5500 filing, etc. 
but prohibits any further contributions; •• Merge the acquired plan into the buyer’s plan – requires: (a) a close comparison of the provisions of each plan to determine if any changes are needed to accommodate protected benefits and (b) separate accounting of the merged sources; or •• Separately maintain the acquired plan – requires aggregation for certain compliance tests each year, and depending on demographics, amending the plans to more closely mirror one another. What Happens To The Employees? Again, it depends on the type of acquisition. In an asset sale, employees that leave the seller and go to work for the buyer are considered new employees of the buyer. Service with the seller is generally not automatically recognized, which can cause some PR challenges. If the buyer wishes to count past service with the seller for eligibility, vesting and/or allocation purposes, they must amend their plan to specifically recognize it. Otherwise, the employees “brought over” are treated the same as any “Average Joe” hired off the street. In a stock sale, the buyer is essentially taking over the seller’s entire business, including the employees who are still at their same desk, doing the same work. In other words, the buyer cannot treat these ‘acquired’ employees as new hires when it comes to the 401(k) plan. Rather, as of the date of the purchase, the buyer must recognize the employees’ service from their original hire dates with the seller (i.e. the newly acquired company) for all plan purposes such as eligibility, vesting and allocations. There is no amendment to “undo” this service recognition. So it is important for the buyer to understand any compliance and/or financial implications that may result. In or Out? It is important for the buyer to consider whether the acquired entity (via stock transaction) will be maintained as a separate company or be merged into the buyer’s. 
In other words, will the acquired employees continue to work directly for the acquired company (as a subsidiary of the buyer) or be
  14. 14. A DWC ERISA CONSULTANTS PUBLICATION 201413. “transferred” to the buyer itself. This is important, because the employees of related companies (e.g. subsidiaries) are generally not permitted to join the buyer’s plan until a separate joinder or participation agreement is signed. However, they must still be considered as “non-benefitting” employees when performing annual compliance testing. As a general rule, if this non-benefitting group is comprised of more than 30% of the employees (across all related companies), there could very likely be a testing problem. As a result, if the buyer wants to allow acquired employees to join the plan, they should make arrangements to sign the joinder/participation agreement in advance of the enrollment date. If, on the other hand, the buyer does not wish to provide retirement benefits to these employees, it is critical to project whether that exclusion will cause testing problems for its plan. Note that self-destruction is usually not a risk the moment the sale goes through. There is a transition period that is often available that runs through the end of the year following the year of the transaction so that buyers have time to conduct the necessary analysis and make an informed decision as to how they will proceed. However, that analysis takes time, so waiting until the end of the transition period is not recommended. Conclusion It can be exhausting to consider all of the possible twists and turns as you venture down the M&A rabbit hole. So before signing on the dotted line and potentially backing yourself into a corner, do not be afraid to pick up the phone and give us a call. We can help you gather the important facts to make sure your 401(k) and M&A are handled the right way. For over a decade, Amy has worked in the financial consulting industry. She is a Principal and Team Leader at DWC ERISA Consultants. Amy is active with ASPPA (American Society of Pension Professionals & Actuaries). 
She was awarded their Academic Achievement Award in 2010 and currently serves on their Government Affairs subcommittee on 401(k) plans. She also sits on the Board of Directors of the ASPPA Benefits Council of the Great Northwest. BUYER’SPLANSELLER’SPLAN Acquired employees may participate Via amendment/participation agreement if under separate taxable entity; Yes, if a direct employee of the buyer/plan sponsor Yes, if hired as a new employee of the buyer’s company Service is recognized for: Eligibility, Vesting, Allocations Required Optional (via plan amendment) Plan Sponsorship (responsibility for maintaining plan) Transfers to buyer Retained by seller Plan Termination (timing) Prior to sale date; OR plan may be frozen and/or merged but not terminated if buyer maintains its own plan At any time; seller may continue to operate plan or terminate ASSET SALESTOCK SALE Doing M&A The Right Way ... continued

Accidents Will Happen
By Joni L. Jennings, ERPA, CPC

If you are a music fan, you may be familiar with the Elvis Costello song “Accidents Will Happen.” While Elvis certainly didn’t have 401(k) plans in mind when he wrote that song, he certainly could have. The user’s guide for retirement plans consists of tens of thousands of pages of laws and regulations, many of which make about as much sense as Sanskrit. With so many moving parts, it is usually a question of “when” not “if” an accident will happen despite the best of intentions.

Maybe you forgot to sign the required plan amendment a few years ago; maybe you didn’t realize that buying that new company requires changes to your plan document; maybe you lost track of time and didn’t let that new hire start contributing to the plan on time. While these errors may seem inconsequential, the IRS does not usually look at it that way. No matter how innocent the mistake might be, uncured accidents can come back to haunt you. Never fear, EPCRS is here.

Overview of EPCRS

The IRS created EPCRS, or the Employee Plans Compliance Resolution System, in 1991 to provide plan sponsors with a mechanism to fix mistakes. Since then, EPCRS has seen more than 30,000 corrections, and Congress has even taken notice, instructing the IRS to expand the program so that more companies can take advantage of it.

Before diving into the deep end, let us take a look at some of the general principles. First and foremost, the program is designed to un-do the error … in other words, to place participants in the position they would have been in had the error never occurred. For example, the correction may involve making additional contributions to the plan, reversing improper distributions or some combination of these and other steps.

Components of EPCRS

EPCRS is divided into three sub-programs – SCP, VCP and Audit CAP. Since Audit CAP focuses on correcting errors once the IRS has already discovered them, we will focus on the other two.

Self Correction Program (“SCP”)

The ever-so-creatively-named Self Correction Program allows a company to correct a mistake on its own without asking the IRS for approval. An operational failure, or a failure to operate a plan strictly in accordance with plan documents, is the only type that can be corrected under SCP, and availability depends in part on the significance of the failure and the timing of the correction. Keep in mind that an operational failure occurs even if the operation is more generous than what the plan document requires. [See “Plan Documents: More Like Guidelines or Actual Rules?” on page 9.]

Any operational failure can be corrected under SCP within two years of occurrence, and insignificant failures have an unlimited correction window and can even be self-corrected under audit. Of course, “significant” is one of those terms that lawyers like because the meaning is so subjective. In recognition of the ambiguity, the IRS does provide a list of factors to be considered when making that determination including the number of participants involved, the amount of contributions/plan assets involved, the number of years the failure occurred and why it occurred.

Although IRS approval is not required as part of SCP, it is important to keep documentation of the corrections that have been made so that it is easy to demonstrate all was handled properly if the plan is ever audited and the agent wants to see proof.

Voluntary Correction Program (“VCP”)

Showing just as much creativity in naming, VCP is for the voluntary correction of failures that are not eligible for SCP. Specifically, it is used to correct significant operational failures that are more than two years old as well as the other three types of failures:

• Plan Document Failure: The plan document is missing something it should contain or includes language that it is not allowed to contain. Usually occurs when a plan sponsor does not timely update a plan document after a change in the law.
• Employer Eligibility Failure: A company sponsors a plan it is not allowed to sponsor, e.g. a for-profit company with a 403(b) plan.
• Demographic Failure: The plan fails certain annual nondiscrimination tests, such as the minimum coverage test, and does not correct within the timeframe permitted by IRS rules.

What also makes VCP different is that the correction and supporting documentation must be submitted to the IRS for review and approval. There are specific forms, documents, etc. that must accompany the application, and the IRS does charge a fee for the review. The fee is based on the number of plan participants and is far less expensive than any penalties they would likely assess if the uncorrected failure is discovered during an audit. Depending on the complexity of the failure/correction and the IRS’ current workload, the review process can take 6 to 12 months to complete and results in the IRS issuing a formal “Compliance Statement” documenting their approval.

Number of Participants: Fee
20 or fewer: $750
21 to 50: $1,000
51 to 100: $2,500
101 to 500: $5,000
501 to 1,000: $8,000
1,001 to 5,000: $15,000
5,001 to 10,000: $20,000
Over 10,000: $25,000

General Comments about Corrections

The IRS Revenue Procedure that spells out the EPCRS program includes some sample corrections for common errors but also allows for the use of customized correction methods as long as they are reasonable and in good faith. Again, the IRS provides some factors for consideration. Here are a few of them:

• Correction must be complete. In other words, if the failure spans multiple years, all years must be corrected.
• Corrections should generally keep assets in the plan.
• When dealing with a nondiscrimination failure, corrections should generally provide additional benefits to non-highly compensated employees.
• Corrections should be based on the plan terms, contribution limits, etc. at the time the failure occurred.

In certain circumstances, the correction of an operational failure may be made by retroactively amending the plan document so that it matches actual operation; however, the availability of this method is very limited and almost always requires IRS approval under VCP rather than self-correction via SCP.

The IRS also tends to be more accepting of situations in which the plan sponsor had controls in place designed to prevent the failure but something slipped through the cracks. [See “Control Yourself: Plan Compliance and Internal Controls” on page 21.]

Sample Corrections

Not allowing an eligible employee to make 401(k) contributions

It is not an uncommon occurrence for a company to lose track of exactly when a new employee becomes eligible for the plan and forget to enroll them on time. Since the plan document spells out when employees become eligible, this is an operational failure. Fortunately, it is one that can be easily remedied through four easy steps:

1. Determine how much the employee would have contributed.
2. Make a company contribution generally equal to half that amount.
3. Make a company match contribution equal to whatever match the employee would have received.
4. Adjust items 2 and 3 for missed investment gains and deposit that amount.

Unless you are psychic, you may be wondering how you are supposed to know how much the employee would have contributed. It is usually based on the average amount contributed by the group (either non-HCE or HCE) of which the employee is a part; however, for some plan designs such as safe harbor plans, it might be a fixed 3% of pay.

If this failure is corrected within two years or it impacts a small enough number of participants, correction can be made through SCP. Again, documentation is critical and should include identification of the failure, calculation of the corrective amounts and proof the contributions were deposited.

Not timely starting loan payments when a participant takes a loan

Participant loans fall under the jurisdiction of both the IRS and the Department of Labor, and correcting a loan failure under EPCRS gets you off the hook with both agencies. That two-for-one sounds like a good deal, right? Well, sort of. Unfortunately, since the DOL is not fond of self-correction, loan failures require formal approval via a VCP application.

The correction is as simple as re-amortizing the loan from the discovery of the failure through the end of the 5-year period (based on the original loan date), including accrued interest and beginning payments based on that new schedule. All of the supporting documentation, including the old and new amortization schedules, should be included along with the VCP application.

That might seem like a lot of time and expense to simply get the loan back on track; however, since failure to make timely payments (no matter whose fault it may be) causes a loan to be treated as a taxable distribution, correction via VCP is the only way to avoid the negative tax consequences and added plan recordkeeping requirements that result from a so-called deemed distribution.

Conclusion

EPCRS is a very useful tool when it comes to correcting plan failures. Its continued growth and evolution show the IRS’ commitment to encouraging compliance first and enforcement second. With that said, this program like all those thousands of other pages of rules can be complex, so it is important to work with experienced professionals to go through this process. When you do, however, you can change your tune from “Accidents Will Happen” to “[EPCRS gives you] Shelter from the Storm.”

With over 20 years in the pension consulting trenches, Joni brings a wealth of experience to her role as Principal and Team Leader at DWC ERISA Consultants. As a long-time volunteer for ASPPA (the American Society of Pension Professionals and Actuaries), she has served on the Government Affairs Committee and Conferences Committee, and she currently sits on the Board of Directors of the ASPPA Benefits Council of Atlanta.

CHEAP TECH TOOL #21
Microsoft Office 365 (office.microsoft.com)

Sure, Apple has taken huge strides to expand from its niche in creative industries into broader business use, but Microsoft Office is still the 800-pound gorilla when it comes to business applications for word processing, spreadsheets and presentations. But at upwards of $400 per installation for the full suite, it gets really expensive to keep the whole company on the most current version, especially when considering that some users have both a desktop and a laptop, each of which requires its own $400 installation.

That was then; this is now. Enter Office 365 – a subscription-based program that includes up to five installations per user for as little as $12.50 per user per month. Not only that, but the subscription also ensures the software is always up to date without having to write a big upgrade check each time a new version is released.

But wait, there’s more. Each user can also install the mobile versions of Word, Excel, etc. on their smartphones or tablets at no extra charge. It also includes applications for secure instant messaging and web conferencing. Each subscription level includes enterprise-level e-mail functionality, hosted on Microsoft’s servers, so you do not need dedicated IT staff to keep your e-mail up and running. If you need additional features, the $22 per user per month package includes increased storage capacity, e-mail archiving and automatic encryption of outbound e-mails containing sensitive information.

Also thrown into the mix is an application called Yammer, which is almost like an internal Facebook-type social media site just for your company. You can use it as a simple intranet or open it up for full-blown inter-company collaboration.

Sometimes Simple Isn’t
By Doug Hoefer

One of the most frequent phone calls we receive – whether from a small business owner or an advisor working with one – starts something like this … “I [or my client] want to set up a retirement plan, but it has to be simple and the lowest cost possible.” What could be a better fit than a plan that has the word “simple” in its name? Sometimes, that is a great place to start. Other times, however, “simple” really isn’t.

Background

In addition to the 401(k) plan, Congress created several other types of retirement plans that are intended to be easy for small businesses to set up and maintain. They are the Simplified Employee Pension (“SEP”) and the Savings Incentive Match Plan for Employees or “SIMPLE” (how many hours did Congressional staffers sit around trying to come up with that name?). The SIMPLE comes in two flavors – the SIMPLE IRA and the SIMPLE 401(k). Although all three of these options require minimal documentation, no annual testing and limited (if any) ongoing government filings, each imposes limitations that often lead to a regular 401(k) plan being an equally cost-effective option.

What’s The Difference and Does It Matter?

There are some significant differences that set these plans apart from one another. Even if one of the “simple” variety is a good fit now, it is a good idea to keep the differences in mind as needs change.

Size Is Important

Employers of any size can implement SEPs and 401(k) plans; however, SIMPLE plans are only available for companies with 100 or fewer employees with at least $5,000 in compensation during the immediately preceding calendar year.

Exclusive Plan

A SIMPLE plan must be the only plan an employer maintains in a given calendar year. This most often comes into play when a company decides to transition from a SIMPLE to a regular 401(k) plan. Such a transition can only occur at the beginning of a subsequent year, and employers must generally provide the employees with advance notification of the discontinuance of the SIMPLE. So if you or your client are considering a transition, you will generally want to get started no later than October 1st to prepare for the upcoming year.

There is no similar requirement that applies to SEPs and 401(k) plans, so employers can maintain multiple plans or transition from one type to another without concern for the “exclusive plan” requirement.

Eligibility

401(k) plans and SIMPLE 401(k) plans are allowed to have eligibility requirements as strict as attainment of age 21 and completion of one year of service. For this purpose, a year of service is a 12-consecutive-month period in which an employee works at least 1,000 hours.

By contrast, neither SEPs nor SIMPLE IRAs can limit eligibility the same way. In a SIMPLE IRA, the maximum is to limit eligibility to those employees who have earned at least $5,000 in compensation in the two prior years and are expected to again in the current year. SEPs can limit plan coverage to those employees who have earned at least $550 in compensation in at least three of the last five years. There is no ability to exclude short service employees – interns, etc. – if they meet these requirements.

Employee Deferrals

Unless adopted prior to 1997, salary deferrals are not allowed in SEPs. Both SIMPLEs and 401(k) plans allow deferrals, but there are some critical differences. First, a 401(k) plan allows deferrals up to $23,000 per year ($17,500 plus an additional $5,500 for those age 50 or older). A SIMPLE, on the other hand, caps deferrals at $14,500 ($12,000 plus $2,500) … a whopping $8,500 less. For a business owner who wishes to maximize his or her deferrals, the tax savings alone can more than offset any additional cost of having a regular 401(k) plan.

Another important difference is that SIMPLE plans do not allow Roth deferrals, which could limit the plan’s utility as an estate planning tool.

Employer Matching Contributions

SIMPLE plans carry a mandatory company contribution, which can be either a match or profit sharing contribution. If the match is chosen, the mandatory formula is 100% of the first 3% deferred. No additional matching contributions are permitted.

A 401(k) plan can include a discretionary matching feature, meaning the company can decide from year to year whether to make a match and, if so, how much. Companies that prefer to “buy their way” out of certain 401(k) compliance tests can agree to a fixed safe harbor matching formula of 100% of the first 3% deferred plus 50% of the next 2% deferred.

SEPs do not allow matching contributions.

Employer Profit Sharing Contributions

Employers that elect the profit sharing option for their SIMPLE plans must contribute 2% of compensation for each eligible employee. No additional profit sharing contributions are permitted.

SEPs and 401(k) plans allow discretionary profit sharing contributions of up to 25% of pay in total and no more than $51,000 per employee. Again, that discretion provides business owners with flexibility as to if/how much they wish to contribute. As an alternative to the two-tiered match safe harbor (previously described), a 401(k) plan can make a safe harbor profit sharing contribution equal to 3% of pay.

With a SEP, each employee must receive a uniform contribution (as a percentage of pay). So, if the owner contributes 10% of pay for him or herself, each employee must also receive 10% of pay. In a 401(k) plan, there is much greater flexibility to provide larger contributions to those who earn more than the taxable wage base (referred to as Social Security Integration) or target contributions based on job classification, e.g. owners and non-owners.

Vesting

A 401(k) plan can impose a vesting schedule of up to six years on employer contributions (other than safe harbor contributions); however, both SIMPLEs and SEPs require employees to be immediately vested in all company contributions.

Loans and In-service Withdrawals

Neither SEPs nor SIMPLEs allow participant loans like 401(k) plans do.

If a participant takes an in-service withdrawal from a 401(k) plan prior to age 59 ½, it is subject to regular income tax as well as a 10% early withdrawal penalty. SEP distributions are taxed similarly to distributions from a regular IRA, and those rules generally resemble the 401(k) rules. For a SIMPLE, however, if withdrawals are made within the first two years of participation, the 10% penalty is increased to 25%!

Plan Documents

All of these plan types require some form of documentation of the plan and its provisions. For SEPs and SIMPLEs that truly keep it simple – little (if any) creativity in plan design, no related companies or complex ownership structures, etc. – the IRS has forms (allegedly DIY) that can be used.

• Form 5305-SEP
• Form 5304-SIMPLE – allows each eligible employee to select his or her own financial institution. The obvious downside is that in a 10 employee company, the plan sponsor could effectively have to send contributions to 10 different custodians each pay period.
• Form 5305-SIMPLE – the employer selects a single financial institution for all plan accounts.

A 401(k) plan or a SEP/SIMPLE that cannot use the IRS form must use a more traditional plan document, which can follow an IRS pre-approved format such as a prototype or be individually customized. Many mutual fund families and other financial institutions offer DIY prototypes which may look straightforward on the surface; however, given the importance of the plan document, we recommend working with someone with expertise in that area. [See “Plan Documents: More Like Guidelines or Actual Rules?” on page 9.]

Annual Compliance Testing

SEPs and SIMPLE IRAs are not required to go through the battery of annual compliance tests. However, as we have described in this article, there are plenty of rules that must be monitored to ensure ongoing compliance. SIMPLE 401(k) plans are required to satisfy the minimum coverage test but are exempt from most of the other tests normally associated with retirement plans.

A traditional 401(k) plan must comply with a series of tests to ensure enough of the rank and file employees are receiving adequate benefits, but given the added flexibility of plan design, the testing can be a trade-off that is well worth it.

Government Reporting

Similar to annual testing, neither the SEP nor the SIMPLE IRA is required to file a Form 5500 each year, whereas both the SIMPLE 401(k) and the “regular” 401(k) must do so. In addition, they must file Form 8955-SSA to report former employees with remaining balances in the plan.

Conclusion

SEPs and SIMPLEs can be extremely effective tools for meeting the retirement plan needs of small businesses, but they can be far from simple. Given the flexibility in plan design – from initial eligibility to targeting company contributions to key individuals – a full-blown 401(k) plan can often provide benefits to the business owner and employee alike that far surpass the additional cost that may come with it.

The bottom line is that since “simple” sometimes isn’t, it is of critical importance to work with experts who understand the ins and outs, can help you articulate your plan-related objectives and analyze the options to ensure you have the best plan to meet your needs. Where do you find such an expert? Simple! Just give us a call.

As a co-founder at DWC ERISA Consultants, Doug uses his industry expertise and collaborative approach to help clients and investment professionals design optional plans. As a provider/vendor specialist, he is able to guide clients through their many options to arrive at solutions that best meet their needs.
  22. 22. A DWC ERISA CONSULTANTS PUBLICATION 201421. Control Yourself: Plan Compliance and Internal Controls By Ilene H. Ferenczy, Esq. The phrase “internal controls” is one I’ve heard throughout my 26-year marriage to an internal auditor. (I was never quite sure what it meant, but I knew he was always looking for them!) Lately, however, I’m hearing those words used more and more in connection with retirement plans. In fact, IRS representatives are talking about internal controls as a means of encouraging compliance by plan sponsors with the law and regulations relating to their plans. Those who commonly work with retirement plans recognize that there are myriad rules with which to comply, many of which are completely counterintuitive. Owners of companies that sponsor retirement plans are rarely specialists in this arcane area of the law, but are concentrating on being doctors and manufacturers and service companies and the like. Even HR people can give only so much attention to the retirement plan while juggling health insurance, payroll, workers’ compensation and discrimination policies. When there is so much to know and do and so little time to devote to the process, the only way to make sure that things are done right is to set up guidelines and follow them. To that end, IRS speakers to the retirement plan community emphasize how important internal controls can be. Not only can they ensure that you are doing what is needed, but the IRS looks upon a company that has controls and experiences an error despite those controls differently than a company that does not put that much thought into how the plan operates. To err is human, the IRS believes, but such an error can be more easily excused if it happened despite your best efforts. 
Companies with internal controls are deemed to have a “culture of compliance.” As a result, companies with good internal controls are likely to find that the IRS is more lenient when an error is discovered on audit than it is with companies that play it more loosely. So, what kinds of things can a company do to have good internal controls? Here are some suggestions: •• Have a listing of responsible parties and service providers for the plan. These may include several people, such as: -- Plan administrator -- Third party plan administrator (TPA) -- Financial advisor -- Fundholder/recordkeeper -- Attorney You may want to outline who is responsible for which kinds of issues, to assist your staff or your future HR director to know who does what. (By the way, do you know what each of these entities does? If not, perhaps you need a list of what needs to be done and who is responsible for each item.) Internal controls are those functions and systems maintained by the plan sponsor to ensure that the plan operates properly. These may include procedures and checklists, systems for quality review, policies, lines of authority … basically anything you do to keep the trains running on time.
  23. 23. A DWC ERISA CONSULTANTS PUBLICATION 2014 22. •• Make sure that all plan documents are kept together and easily locatable. This includes the legal document (usually an adoption agreement (the check-the-box part) and a basic plan document (the boilerplate part)), any amendments, the summary plan description and summaries of material modifications, and the various procedures adopted with the plan documents. Sometimes, having a chart of plan provisions and where they are found in the document is helpful to give easy access of information. However, make sure not to rely too heavily on the chart; the plan document is what controls. By the way, you are required to share these documents with a participant who asks to see them. So having them in one spot also helps you comply with this obligation. •• Have written procedures for what you do, so that people can act in your absence (and the next generation of people fulfilling your role will know what to do). For example, you may need procedures for determining the amount to deposit each payroll period, how to transmit the deposit to the trust (along with necessary documentation), the deadline for the deposit, and how to transmit all of this information to the recordkeeper. This can help you make sure that deferral deposits and loan payments are handled correctly. •• Speaking of loan payments, know your loan procedures. For example, have a worksheet for determining the maximum loan amount (if it is done in-house) or a procedure for sending the TPA the information it needs to process the loan. The plan is required to have a formal loan procedure outlining how you evaluate and approve or disapprove loans, how you determine the interest rate, how loan payments must be remitted, and when the loan is considered to be in default; do you know where yours is? •• QDRO procedures are also required for all plans. These can help you understand what you need to do when a proposed QDRO is received. 
If you send them on to a service provider for review, such as your TPA or attorney, what do you need to send to them to get the review process started?

•• Have a retirement plan “phone tree.” This will help the people in your organization know who to call when there is a question on the plan, and the order in which they should be contacted. Perhaps your tree might be:
-- If you have a question and cannot find the answer in the plan or our procedures, call the VP of HR.
-- If the VP can’t answer, call the TPA.
-- If the TPA can’t answer, call the attorney.
This enables the people in your organization to take action more quickly and understand when it is appropriate to call the service providers. If permission is needed at one of the steps, let them know that.

•• Have a list of deadlines relating to the plan and calendar them. When are deposits due? When is the employer contribution due? When are Forms 5500 due? When does the accountant need information about the plan deduction? And so on …

•• Should you have Plan governance documents? Plan governance documents are terrific if your company is large enough that you have more than one person in the company involved with the plan. Handling things with a prudent procedure is basic to showing you are a good fiduciary. Having the procedure in place is the first step. Knowing who is responsible for what activities ensures that the right people are making the right decisions in the right way. Be careful, however, to make sure that you follow the governance documents if you have
them. Having a procedure and failing to follow it can be evidence that you do not have good internal controls.

All of this can be summed up by: know what you need to do and how to do it. Internal controls ensure that things are handled properly. And, if you are doing things right, you are much less likely to get your plan into trouble if and when the government comes calling.

Ilene Ferenczy is a partner in the Ferenczy Benefits Law Center, a boutique firm specializing in employee benefits law and working with plan sponsors and service providers. She is the author of numerous books including Employee Benefits in Mergers and Acquisitions, the co-editor-in-chief of the Journal of Pension Benefits with DWC’s Adam Pozek and has worked with many providers to update their service agreements to comply with the DOL’s fee disclosure regulations. To learn more about Ilene and her firm, visit www.FerenczyLaw.com.

CHEAP TECH TOOL #52
Key Ring (www.KeyRingApp.com)

It seems like just about every store, service, etc. has a loyalty program that comes with its own shiny card. Just looking at the airlines, hotel chains and rental car companies you might use for business travel, you probably need to carry an extra wallet. Throw in grocery stores, fast food joints and other retailers, and it’s time to carry around one of those contraptions the Vegas dealers use that holds five decks of cards. Key Ring makes that all go away.

Available for both iOS and Android, this free app allows you to enter all your loyalty cards using your device’s camera. With many loyalty programs pre-loaded, simply snap a photo of the barcode on your card, and it is instantly saved to your account. Did I mention that the app will then alert you when any of the stored vendors offer coupons, specials, discounts, etc.? Want to take advantage of one of those coupons?
Just tap the screen to instantly add the item to a shopping list.

One of the features that sets Key Ring apart from other similar apps is the ability to sync to other devices or share individual cards with other people. So, set up your cards one time and have them securely sync to your online account and to any of your other mobile devices. Get a new phone? No problem. Just download the app, sign in to your Key Ring account and all your cards appear. Have a single gas rewards card that you share among your family? No problem. Just select “Share Card” and enter the recipient e-mail address to share it with your spouse, kids, etc.

Key Ring boasts the highest levels of encryption, so if you are comfortable doing that sort of thing, you can also add your credit cards, driver’s license, insurance card, etc. which can be a life-saver if you lose or forget your wallet.
Bad Things Happen. How To Be Prepared.
By Rick Alpern

We see it every day. The news is continually buzzing about the most recent data breach or public relations scandal. Target, P.F. Chang’s and Michaels have recently had significant data breaches. And in my backyard (Boston), the entire country is getting a front row seat watching a PR nightmare featuring two cousins battling for control of a local supermarket chain. One side has been incredibly savvy when it comes to spinning their message to the public. The other side has been dreadful.

Whether it is a breach of your digital assets or just a good old PR disaster, you would be well-served by having a response team and communications plan in place that you can activate should something bad go down. The tough part is that every scenario is different, and it is impossible to anticipate all of them. However, below are some steps you can take in advance and after a situation arises.

While putting together your plan, keep in mind one of my favorite problem-solving sayings: Some assembly required. There is no one way to handle a PR hiccup. There are so many factors involved that the final action steps can’t be properly assembled until you know exactly what you are dealing with.

Planning For the Problem

The best time to prepare for a data breach or PR snafu is when you do not have one. As busy as you are right now, perhaps you can set aside an hour or two over the next month and begin to put a team and plan in place that can be activated should a problem occur. This kind of proactive planning will save you time and likely prevent you from making costly missteps that could make a bad situation even worse.

•• Assemble a Crisis Management team. Meet with them. Explain the purpose of the team and ask for their input as to what they think should be done in the event of a scandal or breach. People are smart and like to be asked.
Their ideas will foster a more cohesive team and yield a better plan than if it was simply dictated to them.

•• So who makes “The Team?” It really depends on the talent you have. “Some assembly required,” right? Here are some likely choices.
-- Marketing - You want someone in these meetings who is always thinking about your customers … what this crisis means to them. And, your Marketing person should instinctively own that portion of the crisis. If not, tell him/her to. Also, your Marketing person should be thinking about all of the different ways you may want to communicate the solutions that are determined.
-- Head of IT - If the problem is a security breach or web-related, you will need to have a broad understanding of the problem and all of your operating systems. Your head of IT should be able to provide the broad picture of your computer and online infrastructure. If you are a small business, you might want to ask the person who is the most proficient with your computers.
-- Webmaster - Many breaches involve or are perceived to involve company websites. Having this person on the team is smart. Your Webmaster will likely have the whole view of your website and how the site is built from your customer’s point of view.
-- Web Developer - Again, if the crisis is data related, you will want to have access to the developers who built your databases or coded your site. They are a different breed than Heads of IT or Webmasters. These are the folks who
handwrite code, line by line. Not always the best communicators, but often the ones who COMPLETELY understand how a site functions. And since it is often the databases that are breached, you want to make sure you know the specific code writers for your database(s).
-- Media Contact - This might be you, the business owner. However, it does not have to be. But it should be someone who is comfortable and articulate in answering questions and gifted in explaining things in a simple way.
-- An Outside Agency - You may want to bring your PR or Marketing agency contact in for this. Having an outsider’s perspective can be really helpful. Usually this person already has experience in crisis management. And, having an outsider’s point of view can help to positively challenge internal thinking, which is not always accurate.
-- An Executive Assistant - Have someone in the meeting who is writing down EVERYTHING and can recap the meeting. Particularly, this person should highlight the next steps, responsibilities and any great ideas or language that comes out of the meeting.

When The Crisis Happens

Again, “some assembly required.” Every situation will be different. But here are a few things to do/keep in mind when a crisis is discovered.

•• Time is a factor. If it is a data breach that is discovered by just one client, you have to assume there may be others. Solving this situation must move to the top of your to-do list.

•• Pull together “The Team” and start implementing your procedures.
-- Define the problem. In layman’s terms be able to explain what happened, when it happened, how it happened and what you are doing about it. Get this typed up and handed out to the team. Everyone needs to be saying the same thing and approaching the challenge the same way.
-- If there is not one clear, obvious solution, tap the group to brainstorm options. Accept all ideas until they stop flowing.
Then, with the team’s input, eliminate the weaker solutions until you have mixed down the ideas into a solid plan.
-- Assign responsibilities. Don’t try to do everything yourself. Trust your people to do their jobs.

•• Start getting out in front of things.
-- Communicate to all internal stakeholders what has happened and what the plan is to fix it. Your people will deeply appreciate that you thought to communicate with them first.
-- If it is an issue that affects a small number of people/clients, Pick. Up. The. Phone. Don’t email bad news if you don’t have to. At the agency we like to say, “Nothing takes the place of showing up.” This is especially true when the news you need to deliver is bad.
-- If the problem affects a large group of people/clients, you need to develop a notification plan. Treat it almost like a media plan. Figure out all of your touchpoints and determine which ones you use to notify people and clients. If there is a small core of clients who account for a significant portion of your revenue, call them in addition to the notification plan.

•• Remember to keep the message simple. Do not get too technical. Most people glaze over when too much information is shared. They just want to know what you have already crystallized: What is the problem? How did it happen? And, what are you doing to fix it? There will be time to explain how you will keep it from happening again.

•• If you need to go before the media to explain the situation, try to do the following.
-- The president or CEO should be the spokesperson for the company. In situations like this, people want to know the top person is involved and cares enough to be a part of the solution.
-- If the president is not comfortable explaining the situation, he/she should definitely open up the press conference and hand it off to those who can eloquently address the problem.
-- Rehearse. Rehearse. Rehearse. Have your team pepper the spokesperson with tough questions. Craft short responses. And then, rehearse some more.
-- Be ready for highly technical questions. And when I say be ready, I mean have your most knowledgeable person about the problem there to be able to explain anything you cannot.

•• Be sincere and empathetic.
-- You must demonstrate that you care and understand the problem you have caused. Fail to do this, and the hole you are trying to dig out of will get deeper.

•• Make your clients whole. How you do this really depends on the problem and severity. Do you offer something free? Not charge for a service for a specific time? Hard to know because every situation is different.
Just don’t lose sight of the fact that you caused a problem and good customer service dictates you do something to make things right.

•• Follow up incessantly. Don’t disappear after your initial notification. Your clients will want to know that you are working on the solution. They also might need to vent. Continued follow up will allow both things to happen.

To Management, the news of a PR crisis is the equivalent of a well-placed punch to the gut. It drops you to your knees, takes your breath away and leaves you a little woozy. But you need to prepare for this moment. Between bad judgment, hackers, human error, etc., there are all sorts of ways PR nightmares can happen. The cliché of, “not if it will happen, but when it will happen” should be embraced. And, as you know, there is no cookie-cutter solution that makes the problem go away. You really have to strap in and confidently lead your team through the gauntlet. Ask a lot of questions, lean on your team for support and always stay focused on doing the right thing.

For 30 years, Rick has worked in the advertising, sales and marketing fields and currently serves as President of Single Source Marketing in Danvers, Massachusetts. He is an avid believer in asking questions and listening to clients in order to achieve the best results. Visit SingleSourceMarketing.com for more information.
The rulebook for our industry consists of laws and regulations. In other words, it is public domain, available to anyone who wants to learn it. That means book knowledge is not enough. We have to be able to explain and apply it in a practical manner. Every member of the DWC team is encouraged to think beyond the conventional wisdom and put themselves in their clients’ shoes.

Since the IRS and Department of Labor are involved, following regulations is of critical importance, but the strategy for doing so must be considered in the context of the day-to-day business environment. What works for one client will not necessarily work for another. Having solid knowledge of the rules while keeping in mind business realities allows every DWC team member to be a strategic business partner to their clients rather than simply another service provider.

Understanding the mechanics is just the beginning.

DWCConsultants.com
651.204.2600
