How SECURE 2.0 Is Changing 401(k) Audits in 2026

May 6, 2026

The SECURE 2.0 Act is no longer just “new legislation” sitting in the background. In this year’s 401(k) audit season, its operational impact is now showing up directly inside employee benefit plan audits.

What many plan sponsors are discovering this year is that SECURE 2.0 did not simply add new retirement plan features. It added new layers of compliance, payroll coordination, eligibility tracking, participant communication requirements, and documentation expectations.

And from an auditor’s perspective, many of the biggest issues we’re seeing are not traditional accounting problems. They are operational failures caused by disconnected payroll systems, inconsistent processes, incomplete plan administration, and poor communication between HR, payroll providers, TPAs, and recordkeepers.

For plan sponsors, this year’s audits are becoming a real-world test of whether their processes can support the complexity SECURE 2.0 introduced.

Why SECURE 2.0 Is Creating More Audit Complexity

The SECURE 2.0 Act introduced dozens of retirement plan changes with staggered effective dates. Some provisions are mandatory. Others are optional. Many require payroll system updates, plan document amendments, participant notices, and operational controls.

As auditors, we are now seeing increased attention around:

  • Roth catch-up contribution preparation
  • Enhanced catch-up limits for ages 60–63
  • Long-term part-time employee eligibility
  • Automatic enrollment requirements
  • Forfeiture account usage
  • Late remittance testing
  • Payroll coding accuracy
  • Cybersecurity and participant data controls
  • Operational consistency between plan documents and actual plan administration

The biggest theme of the 2026 audit season is this: Operational compliance is becoming just as important as financial accuracy.

Roth Catch-Up Contributions Are Driving New Payroll Risks

One of the largest SECURE 2.0 changes impacting 401(k) audits is the upcoming mandatory Roth catch-up contribution requirement for high earners.

Beginning in 2026, employees earning more than the IRS wage threshold in the prior year must make catch-up contributions as Roth contributions rather than pre-tax contributions. The IRS issued final regulations in 2025 confirming the implementation timeline and operational requirements.

While many sponsors know the rule is coming, auditors are already evaluating whether plans are operationally prepared. This includes reviewing:

  • Payroll coding accuracy
  • Roth source setup
  • W-2 wage threshold tracking
  • Catch-up contribution classification
  • Coordination between payroll and recordkeepers
  • Plan document consistency
  • Participant communication procedures

For plans that still do not offer Roth contribution functionality, the risk is even greater because affected employees may lose the ability to make catch-up contributions altogether if systems are not updated properly.

Enhanced Catch-Up Limits for Ages 60–63 Add Another Layer of Complexity

SECURE 2.0 also increased catch-up contribution limits for participants ages 60–63.

While this sounds straightforward, operationally it creates additional testing and monitoring requirements during audits. Auditors are reviewing whether:

  • Payroll systems correctly identify eligible age groups
  • Contribution limits are monitored accurately
  • Participants are receiving the correct limits
  • Excess deferrals are identified timely
  • Recordkeepers and payroll providers are aligned

Even small payroll coding errors can create compliance issues that surface during testing.

Long-Term Part-Time Employee Rules Continue to Create Audit Findings

Long-term part-time (LTPT) eligibility continues to be one of the biggest operational challenges for plan sponsors.

Under SECURE 2.0, more part-time employees are becoming eligible to participate in retirement plans due to reduced service requirements. For many sponsors, this has exposed weaknesses in:

  • Hour tracking
  • Eligibility monitoring
  • Employee classification
  • Enrollment timing
  • Communication procedures

Auditors are spending significant time reviewing whether eligible employees were admitted to the plan correctly and timely. This is especially important because failures involving excluded eligible employees can trigger correction requirements under IRS and DOL rules.

Automatic Enrollment Requirements Are Increasing Operational Pressure

Beginning in 2025, many newly established 401(k) and 403(b) plans became subject to mandatory automatic enrollment requirements under SECURE 2.0.

For affected plans, auditors are reviewing whether:

  • Eligible employees were automatically enrolled properly
  • Default contribution percentages were applied correctly
  • Annual escalation features are functioning
  • Opt-out elections are documented
  • Payroll deductions align with plan provisions
  • Required participant notices were distributed

Automatic enrollment sounds simple on paper, but operationally it requires strong coordination between HR, payroll, TPAs, and recordkeepers. Many of this year’s audit issues are emerging because systems were never fully aligned before implementation.

Late Remittance Testing Is Receiving Increased Scrutiny

Late remittance testing has always been an important audit area, but SECURE 2.0 has amplified attention on payroll process controls overall. Auditors are seeing more situations where:

  • Payroll files are transmitted inconsistently
  • Contribution deposits are delayed
  • Approval processes are unclear
  • Responsibility between departments is not clearly defined

Because retirement plans are becoming more operationally complex, weak payroll processes are standing out more during audits. For many sponsors, the audit is revealing that the real issue is not the accounting records — it is the underlying workflow.

Forfeiture Accounts and Plan Document Alignment Matter More Than Ever

The IRS and auditors are also paying closer attention to forfeiture account usage and whether plans are administering forfeitures according to plan terms and updated guidance. Auditors are increasingly testing:

  • Timing of forfeiture usage
  • Allocation methods
  • Expense applications
  • Plan document consistency
  • Whether forfeitures are accumulating improperly

This area often becomes problematic when operational practices evolve over time but plan documents are never updated accordingly.

SECURE 2.0 is forcing many sponsors to re-evaluate whether their operational practices actually match their governing documents.

Cybersecurity Is Becoming Part of the Audit Conversation

While cybersecurity is not technically a new SECURE 2.0 provision, the increased reliance on payroll integrations, participant portals, APIs, and automated data transfers has elevated cybersecurity discussions during employee benefit plan audits. Auditors are increasingly asking about:

  • Access controls
  • Payroll file transfer security
  • User permissions
  • Vendor oversight
  • Participant data protection
  • SOC reports
  • Multi-factor authentication

The retirement plan ecosystem is becoming more digital and interconnected, which means cybersecurity risks are becoming more relevant during audits.

What Plan Sponsors Should Be Doing Right Now

The biggest mistake plan sponsors can make is treating SECURE 2.0 as purely a legal or document amendment issue. The real risk is operational execution. Before your next audit, plan sponsors should evaluate:

  • Does payroll match plan provisions?
  • Are Roth sources configured correctly?
  • Are eligibility rules functioning properly?
  • Are contribution limits monitored accurately?
  • Are forfeitures administered consistently?
  • Are automatic enrollment procedures documented?
  • Are HR, payroll, TPAs, and recordkeepers aligned?
  • Are internal controls clearly defined?

The plans with the smoothest audits this year are typically the ones with strong processes, clear documentation, and proactive coordination between providers.

A 401(k) Auditor’s Final Thoughts on SECURE 2.0

SECURE 2.0 is fundamentally reshaping the employee benefit plan audit landscape.

The 2026 audit season is proving that retirement plan compliance is no longer just about numbers. It is about systems, workflows, controls, communication, and operational discipline.

Plan sponsors who proactively address these changes now will reduce compliance risk, minimize audit disruption, and create a smoother experience for both participants and auditors.

At PriceKubecka, we specialize in streamlined, year-round 401(k) audits designed to reduce disruption for plan sponsors while helping identify operational risks before they become major compliance issues.

Need help with this year’s EBP audit or evaluating your SECURE 2.0 compliance? Let’s connect.

Frequently Asked Questions

How is SECURE 2.0 affecting 401(k) audits in 2026?

SECURE 2.0 is increasing audit complexity by adding new operational and compliance requirements related to Roth catch-up contributions, automatic enrollment, long-term part-time employee eligibility, enhanced contribution limits, and payroll coordination.

What are 401(k) auditors focusing on most this year?

Auditors are heavily focused on payroll processes, participant eligibility tracking, contribution coding accuracy, late remittances, forfeiture usage, and whether plan operations match plan documents.

What is the biggest operational risk for plan sponsors?

The biggest risk is lack of coordination between payroll, HR, TPAs, and recordkeepers. Many audit findings now stem from operational breakdowns rather than accounting errors.

Does SECURE 2.0 impact automatic enrollment requirements?

Yes. Many newly established 401(k) and 403(b) plans are now required to implement automatic enrollment and automatic escalation features.

What makes PriceKubecka different from other 401(k) auditors?

PriceKubecka is among the top 1% of CPA firms nationally by 401(k) audit volume. Three key differentiators: (1) proprietary technology that automates 90% of the audit, (2) a flat-rate fee starting at $12,000 with no surprises, and (3) a comprehensive approach that reviews ALL payroll data rather than just a sample, catching errors other auditors miss.
