The Setting Every Community Up for Retirement Enhancement (SECURE) Act was first introduced in 2019 as a law that made it easier for Americans to save for retirement. Phase 2 of SECURE, while adding 90 new provisions to the original, introduces significant operational and compliance changes in retirement plans.
The new rules, effective under the SECURE 2.0 2026 changes, have led to increased pressure on auditors, materially affecting audit scope, risk assessment, and documentation standards, all in a bid to minimize enforcement risk related to operational compliance under existing DOL and IRS oversight frameworks.
This blog provides an overview of key SECURE 2.0 provisions effective through 2026 and how auditors can move from routine compliance reviews to high-judgment, control-intensive engagements.
Key Changes to SECURE 2.0
Audit considerations for the SECURE 2.0 provisions in effect require auditors to make sure employee benefit programs comply with significant requirements. These relate to the payroll treatment of employee contributions and to the documentation of retirement plans. The following changes increase the amount of oversight each audit will receive from regulatory authorities:
Roth Mandatory Catch-Up Contributions
Under SECURE 2.0, individuals aged 50 or above will be permitted to treat all of their catch-up contributions as Roth (after-tax) if their FICA wages for the year preceding the year they turn 50 exceed $150,000, adjusted for inflation. Effective January 1, 2026, qualifying employees under SECURE 2.0 will no longer be able to make pre-tax catch-up contributions to their 401(k)s.
From an auditing perspective, this new rule creates additional risk of operational noncompliance related to how payroll systems are set up, how participant compensation is tested, and how contributions are classified. Auditors should ensure that payroll and recordkeeping systems properly identify affected participants (by using prior-year wages), consistently apply the Roth designation, and prevent high-income employees from making pre-tax catch-up contributions.
Enhanced (“Super”) Catch-Up Contributions
With regard to applicable defined contribution plans, the catch-up contribution limit for participants who will turn 60, 61, 62, or 63 by the end of the plan year will be increased from the current maximum to a maximum amount of $10,000, or up to 150 percent of the standard maximum limit (indexed). These increases may occur at a later date than what was originally proposed.
For the SECURE 2.0 2026 changes, the possible increase may be greater than $10,000, depending upon the inflation adjustment made to the standard maximum contribution limit of $8,000 for that year. The IRS has provided transition relief that will allow additional time to make changes to payroll systems and recordkeeping. (SECURE 2.0)
Auditors should determine whether the plan administrator accurately applies these higher limits, which became effective in 2025, and restricts eligibility for enhanced contributions to those who qualify within the specific plan year. Audit procedures should test participant age information, contributions that exceed the allowable enhanced limit for each plan year, and the control processes that verify enhanced catch-up contributions do not exceed allowable enhanced limits.
Plan Amendment Deadlines
Many SECURE 2.0 provisions take effect now and permit reasonable, good-faith compliance during interim periods until 31 December 2026. All qualified plans, except for certain government and collectively bargained plans, which may have later deadlines, must also have tax-qualified amendments in place in order to remain tax-qualified. Failure to adopt plan amendments on time can result in plan qualification issues, as well as increase the risk of the plans being deemed non-compliant by the DOL or the IRS.
Auditors should evaluate whether management has set forth an amendment timeline and determine whether there is a draft or signed version of the plan amendments provided. Finally, auditors must determine whether plan operations during the interim periods meet the “reasonable, good-faith” compliance requirement.
How Should Auditors Prepare for SECURE 2.0
SECURE 2.0 brings real operational changes to retirement plans. Auditors who wait until year-end to address them will find themselves behind. Provisions phase in over multiple years and do not apply uniformly across plan types, so preparation has to start well before fieldwork.
1. Know Which Provision Applies to Each Client
The first step is understanding which provisions affect which plans. Teams should sit down with management early, review any plan amendments, and confirm whether payroll systems and third-party administrators have actually made the required updates, not just whether they intend to. The areas most likely to require attention are automatic enrollment requirements, Roth catch-up rules for higher earners, the expanded catch-up limits for participants between ages 60 and 63, student loan matching contributions, updated RMD age thresholds, and hardship withdrawal self-certification procedures.
2. Revisit Risk Assessments
Most of the risk introduced by SECURE 2.0 is operational, not presentational. The concern is whether systems are correctly identifying eligible participants, applying the right contribution limits, and classifying deferrals properly. Where processes run through automation, IT general controls and interface controls deserve a closer look than they may have received in prior years.
3. Go Deeper on Internal Controls
Control evaluation needs more substance this cycle. That means asking how management tracks payroll system changes, how income thresholds are verified for Roth catch-up purposes, what oversight exists for student loan matching certifications, and whether hardship withdrawals go through any post-approval review. For plans that rely on third-party administrators, auditors need to carefully work through SOC 1 reports and confirm that plan sponsors are actually carrying out their complementary responsibilities, not just that those responsibilities are described on paper.
4. Update Audit Programs and Get in Front of Clients
Standard workpapers will likely need new steps to cover age-based eligibility testing, escalation percentage verification, and payroll-to-plan reconciliation. More importantly, client conversations should happen early. Many plan sponsors are still working through what SECURE 2.0 requires of them operationally, and some have not fully connected the regulatory changes to their internal processes. Identifying gaps before year-end is far less disruptive than finding them during fieldwork.
5. Keep Documentation Tight
Regulatory scrutiny around benefit plan audits is not going away. Risk assessments, control testing conclusions, and management representations should all be documented in a way that clearly supports the conclusions reached, not just checks a box.
Conclusion
As the regulatory and professional environment continually evolves, auditors must remain flexible in their approach to employee benefit plan audits and should always be informed about new standards, how to interpret any new requirements that are being issued, and how to incorporate any new developments into both the audit plan and the audit itself.
Auditors need to use their professional judgment and exercise flexibility with regard to evolving regulatory and professional risks, the increasing complexity of business operations, and the potential need to modify the methodologies used to perform audits on employee benefit plans and to deliver reliable assurance to the participants.
By thinking ahead and proactively modifying the way that they perform audits on employee benefit plans, auditors will continue to provide an effective audit that meets the requirements identified by various sources of external review and oversight.