SOC 1 for Payroll Providers
Why are people asking my payroll company for a SOC 1 report?
Payroll is one of the most commonly outsourced business functions, making SOC 1 necessary to ensure to clients that payments are made accurately and in a timely fashion to the necessary parties.
Penalties for failing to file or pay taxes, or other fees to governing bodies can be enormous, thus making third-party reporting necessary to showcase compliance.
There are two main types of organizations that handle payroll that could need a SOC 1 report:
- Payroll Processing Company
Firms that perform payroll processing throughout the entire lifecycle see every function of the life cycle, from setting up clients into a system, obtaining and inputting payroll information, and facilitating the disbursements to employees.
- Third-party providers
Firms that perform payroll processing in various stages and handle information that could affect the payroll processing company and/or their clients. This could be third-party firms responsible for the printing of checks, the software that is used to process and administer payroll, as well as third parties who manage a payroll processor’s information technology managed services. Any business that has the ability to affect their clients’ internal controls over financial reporting will benefit by having an annual SOC 1 performed to provide their end users.
What does a SOC 1 report cover?
For payroll companies, a SOC 1 report predominantly focuses on IT areas and business processing controls. An independent assessor, such as A-LIGN, would look at the payroll process controls that are in place. This would include things like:
- The secure, accurate, and complete implementation of new clients
- Completion of payroll and tax statements, and other financial statements
- Completion and accuracy of payroll information
- Vendor management for subservice organizations
A-LIGN has an understanding of the different payroll applications that are in use in payroll firms and is able to leverage that knowledge to assess the controls the payroll company has in place as they relate to the use of their payroll application.
What triggers an organization to ask for a SOC 1 report?
Typically, when an organization requests that their client provides a SOC 1 report, it is because they are going through a financial statement audit. There is confusion amidst many companies that only publicly traded firms are required to undergo financial statement audits, however, businesses of any kind may be required to undergo these audits.
As a result, your business may be asked to provide these reports as a result of these audits.
How often do I have to do it?
If the business requesting that you complete a SOC 1 report is asking you for it as a result of a financial statement audit, it is likely that your business will be asked to report annually. However, some payroll clients are able to do it less frequently depending on their size.
Frequency depends on the maturity of your organization and the need expressed by clients.
Why is SOC 1 Necessary?
As we detail the need for SOC 1, we will refer to the payroll provider as ‘Payroll Provider Inc.’ and the company outsourcing their payroll needs as “Outsourcer Inc.”
Payroll providers are considered service organizations because they provide services for other businesses. Before a company engages with Payroll Provider Inc., it is important that Outsourcer Inc. understands how your organization works and how your business could affect their financial statements.
Payroll companies are responsible for handling large sums of both personal and financial information that requires protection. Because of this, it is necessary that Payroll Provider Inc. has the appropriate safeguards and processes to maintain compliance. By completing a SOC 1 audit, Outsourcer Inc. will be able to easily review the business and IT areas of Payroll Provider Inc. that could affect their financial statements. Outsourcer Inc.’s financial auditors can then review the report to understand how your operational controls could affect them.
A SOC 1 audit ultimately provides Outsourcer Inc. with the comfort that Payroll Provider Inc. will be able to conduct business in a reliable fashion and meet the expectations that Outsource Inc. sets. In addition, a SOC 1 audit provides Payroll Provider Inc. a competitive advantage by building trust and increasing profits through increasing operational effectiveness.
Preparing for SOC 1
If your business has never performed a SOC 1 audit before, A-LIGN recommends that you go through a readiness assessment. A readiness assessment allows your organization to observe potential areas of weakness and allows remediation before conducting an assessment. This ensures that your organization is prepared prior to the official engagement.
Are you looking to find out more about a SOC 1 engagement? A-LIGN has extensive experience working with payroll providers and can serve as an advisor as you determine the security and audit needs of your business. Connect with a payroll compliance specialist today at firstname.lastname@example.org or 1-888-702-5446.