Scale your CPA & accounting firm with elite offshore talent trusted by 1,000+ firms.
Thank you for your interest. Our due diligence checklist will be shared with you within 48 hours.
Employee benefit plan (EBP) audits are a required service for plan sponsors, but for CPA firms performing fewer than five per year, the compliance risks, training costs, and DOL scrutiny may outweigh the rewards. This blog breaks down the real pros and cons of maintaining an EBP audit practice at low volume, explores how SAS No. 136 has raised the stakes since 2021, and helps small to mid-sized CPA firms decide whether to keep, refer, or outsource this service entirely.
Under the Employee Retirement Income Security Act of 1974 (ERISA), most retirement plans - 401(k)s, defined benefit pensions, profit-sharing plans - with 100 or more participants carrying account balances at the start of the plan year must file a Form 5500 with the DOL annually. That filing, for large plans, requires an independent audit by a CPA.
The audit exists to protect employees. It confirms that plan assets are accurately accounted for, contributions and distributions are properly handled, and the sponsor is meeting its fiduciary duties to participants.
What has changed significantly over the past decade is how demanding these audits have become to execute correctly - and what happens when they fall short.
In November 2023, the DOL's Employee Benefits Security Administration (EBSA) released its fourth Audit Quality Study, covering 2020 plan year filings. The headline finding was encouraging on the surface - an overall 30% major deficiency rate, down from 39% in 2015.
Look closer, though, and the picture for low-volume firms is sobering:
The DOL's conclusion, consistent across all four studies it has conducted since 1997, is clear: volume is a proxy for quality in EBP audit work. The fewer you do, the higher the risk of a deficient filing.
The table below summarizes deficiency rates by firm size from the 2023 DOL Audit Quality Study:
| Audits/Year | Deficiency Rate | Plans at Risk | Benchmark |
|---|---|---|---|
| 1-2 | 70% | High | DOL Study 2023 |
| 3-5 | 51.7% | Elevated | DOL Study 2023 |
| 6-24 | 50.1% | Elevated | DOL Study 2023 |
| 25-99 | 25% | Moderate | DOL Study 2023 |
| 100+ | 17% | Lower | DOL Study 2023 |
Source: DOL EBSA Audit Quality Study, November 2023. Journal of Accountancy, December 2023.
To be fair, there are real reasons CPA firms have kept EBP audits on their service menu - especially as their clients grow. Here is an honest look at those reasons.
When a client's workforce grows past 100 participants with plan balances, their first call is typically to their existing CPA. Offering EBP audit services lets you capture that work rather than referring it elsewhere. For firms trying to be full-service, the logic is straightforward: keep the work in-house, deepen the relationship, reduce the risk of losing the client to a competitor.
The challenge is whether your team can stay current enough on EBP-specific standards to do the work properly - and what happens to the relationship if they do not.
EBP audit season runs roughly from May through October, after the April 15 tax deadline and well ahead of year-end. For firms looking to smooth out revenue across the calendar year, this timing has obvious appeal. Idle senior staff can be directed toward audit work without pulling resources from tax season.
That said, an efficient EBP audit performed by a prepared team should not consume more than a month of work per engagement. If it is taking significantly longer, that is often a sign of documentation gaps or staff unfamiliarity - both of which drive up cost without driving up the bill.
The number of CPA firms performing EBP audits dropped from 7,330 in 2011 to 4,300 by 2020 - a 41% reduction. As standards tighten and smaller firms exit, there is a theoretical case for the firms that remain to capture more work.
The practical qualification: this opportunity only benefits firms already performing high volumes of audits. Firms doing fewer than 25 audits per year still had a combined major deficiency rate of 55% in the 2023 DOL study. Fewer competitors does not help if your work is still likely to be flagged.
Source: CLA, New DOL Audit Quality Study Shows EBP Audit Experience Matters, March 2024.
Want to Keep Your EBP Clients Without Doing the Audits Yourself?
We partner with CPA and accounting firms to handle EBP audit delivery — you stay the client's primary advisor, we take care of the work.
Here is where the math gets harder for low-volume practices. The cons are not theoretical - they are documented, financially material, and increasingly difficult to manage without dedicated infrastructure.
The DOL does not grade low-volume firms on a curve. A deficient Form 5500 filing triggers the same penalty exposure regardless of how many audits your firm performs annually.
Current penalty levels as of 2025:
The Delinquent Filer Voluntary Compliance Program (DFVCP) can reduce penalties for firms that self-correct before DOL contact, but it does not eliminate them. And once your firm has submitted a deficient audit on behalf of a client, the conversation about penalties is one you will be having with that client - not the DOL.
Effective for plan year 2021 filings, the AICPA's Statement on Auditing Standards No. 136 introduced significant new requirements across every phase of an EBP audit:
For firms doing three audits a year, SAS No. 136 means more work per engagement, more documentation requirements, and more areas where a misstep creates liability. The standard was designed to improve quality across the board; for low-volume practices, it also widened the gap between what the DOL expects and what a generalist team can reliably deliver.
Continuing education for EBP audit professionals is intensive and expensive. AICPA Employee Benefit Plan Audit Quality Center membership - which firms need to demonstrate credible practice standards - carries its own training and compliance obligations.
For a firm doing two or three audits a year, the cost-per-engagement math rarely works:
This is not a critique of capability. It is a basic cost structure problem. The training investment is fixed; the audit volume is not large enough to spread it.
Most plan sponsors view EBP audits as a mandatory cost - a 'necessary evil' in the words of many practitioners. They shop primarily on price, not quality, because they often cannot distinguish between audit providers until something goes wrong.
This creates a structural problem for low-volume firms:
The competitive landscape has shifted. EBP audits were once a reliable niche for smaller firms precisely because larger firms avoided them. That is no longer the case.
The 2023 DOL study found that a favorable peer review rating does not correlate reliably with EBP audit quality. Many deficient audits came from firms with clean peer reviews. The DOL noted this explicitly and has referred seven deficient engagements from the study to the AICPA Professional Ethics Division for possible disciplinary action.
This is significant: a clean peer review is not a reliable defense if the DOL reviews your EBP work directly. Low-volume firms should not assume that passing their most recent peer review means their EBP audits would hold up under DOL scrutiny.
Automation has entered nearly every corner of public accounting, and EBP audit workflows are no exception. Platforms can speed up data collection, flag compliance anomalies in participant data, and reduce the time spent on documentation prep.
For high-volume practices, these tools are genuine productivity multipliers. For firms doing three or four EBP audits a year, they do not solve the underlying problem.
Here is why technology alone is not enough for low-volume EBP practices:
Automation is a productivity multiplier for teams that already have the knowledge. For teams that do not, it can create a false sense of security.
The most common objection to referring or outsourcing EBP audits is the fear of losing the client relationship. In practice, that fear is directly addressable. The more relevant question is what protecting the client actually requires.
The most common objection to referring or outsourcing EBP audits is the fear of losing the client relationship. In practice, that fear is addressable. The more relevant question is what protecting the client actually requires.
A firm performing two or three EBP audits a year is not primarily in the EBP audit business. It is in the client relationship business, and those clients happen to need an EBP audit. The question worth asking: is retaining the audit work the same as retaining the client?
It does not have to be. Several structured arrangements allow CPA firms to serve those clients well while offloading the engagement risk:
The referring firm directs the EBP audit engagement to a specialized partner. The partner handles delivery end-to-end under their own brand. The referring firm:
The referring firm maintains the client-facing relationship and brand experience. The specialized partner handles execution behind the scenes. The client receives an EBP audit that appears to come from their existing firm, while the work is performed by a team doing this at scale.
For solo practitioners or smaller firms looking to build an audit practice rather than exit it, a growth partnership provides end-to-end operational infrastructure - staffing, workflows, quality controls - without requiring the firm to build it from scratch. This is the right path for firms that genuinely want EBP audit volume to become a core part of their practice.
In each case, the client receives better work. The referring firm keeps the relationship. The compliance risk sits with a team that handles this at scale - not a generalist rotating through one EBP engagement a year.
For CPA firms serving clients who happen to grow into the EBP audit requirement, partnering for Audit Support Services is increasingly the smarter business decision. It is not a concession—it is a recognition that specialized work belongs with specialized teams.
MYCPE ONE works with CPA and accounting firms across the U.S. and Canada on exactly this. Three structured models are available depending on where your firm sits:
We have been working with CPA and accounting firms across the U.S. and Canada for over 10 years. Today, 200+ firms partner with us, supported by 3,000+ professionals across 40+ offices in two countries and 10,000+ clients served across that network. That scale is what makes consistent, review-ready EBP audit delivery possible - the same institutional knowledge the DOL’s own data shows only comes with volume.
Looking to Refer EBP Audits to a Firm That Handles Them at Scale?
MYCPE ONE works with 200+ CPA firms across the U.S. and Canada. Referral, white-label, or growth partnership — we fit around how your firm works.
EBP audits are high-stakes compliance work. The DOL has studied this sector four times since 1997 and reached the same conclusion each time: low-volume practices produce the most deficiencies. The 2023 data is more specific than ever - 70% of firms doing one or two audits a year submit filings with major deficiencies.
The honest question for any CPA firm doing fewer than five EBP audits a year is not whether you can do this work. It is whether you can do it well enough to hold up under DOL review, year after year, under SAS No. 136, as standards keep tightening and penalty levels keep rising.
Keeping the work without the volume or infrastructure is a reputational risk dressed up as client service. Structuring it differently - through referral, white-label, or growth partnership - is how strong advisory firms protect their clients and protect themselves.
Most professionals and AICPA guidance suggest fewer than five per year creates a difficult cost-benefit equation. Firms should aim for 10 or more annually to justify the infrastructure. Below that threshold, structured referral or white-label arrangements are typically the sounder professional decision.
The DOL can reject the Form 5500 filing and assess penalties of up to $2,739 per day (2025 rate) until a compliant filing is submitted. Deficient engagements may also be referred to the AICPA Professional Ethics Division, which can impact licensure.
No. Automated EBP audit tools speed up data collection and flag anomalies, but they do not replace the judgment required to interpret findings correctly under SAS No. 136 and ERISA. For low-volume teams, automation can create a false sense of security.
The AICPA Employee Benefit Plan Audit Quality Center is a membership body that sets quality benchmarks for EBP audit practices. The 2023 DOL study found EBPAQC member firms had significantly lower deficiency rates than non-members.
Frame it as a quality upgrade, not a handoff. Explain that EBP audits require a dedicated team performing this work at high volume, and that you are ensuring they receive audit services from a practice built specifically for this. In a white-label model, the client may not need to know the work is executed by a partner at all.
For calendar-year plans, July 31. An extension using Form 5558 pushes the deadline to October 15. Late filings without an approved extension carry the same penalty exposure as non-filing.
Christopher is the Director of Client Relations and Business Development at MYCPE ONE, a leader known for his energy and people-first approach. Chris leads from the front mentoring teams, driving growth, and building lasting client relationships. With over a decade of experience in sales, coaching, and business strategy, he has helped 5,000 CPAs nationwide overcome challenges and discover new opportunities. Chris is a familiar presence at major accounting conferences, representing MYCPE ONE and shaping meaningful industry partnerships. Passionate about leadership and professional growth, he continues to inspire teams and professionals to reach their highest potential.
How to Scale CAAS (Client Accounting & Advisory Service) + VCFO with Offshoring!
How To Scale CFO And Advisory Services With Offshoring
Bursting myths around Offshoring for an Accounting firm
Nonprofit and Single Audits: Is the Compliance Burden Worth It for Your Firm?
Christopher Rivera
