SOC 1 for Payroll Providers

Why are people asking my payroll company for a SOC 1 report?

Payroll is one of the most commonly outsourced business functions, making SOC 1 necessary to ensure to clients that payments are made accurately and in a timely fashion to the necessary parties.

Penalties for failing to file or pay taxes, or other fees to governing bodies can be enormous, thus making third-party reporting necessary to showcase compliance.

Read more: 9 Critical Payroll Pain Points and What Payroll Professionals Should Do About Them

There are two main types of organizations that handle payroll that could need a SOC 1 report:

  1. Payroll Processing Company

Firms that perform payroll processing throughout the entire lifecycle see every function of the life cycle, from setting up clients into a system, obtaining and inputting payroll information, and facilitating the disbursements to employees.

  1. Third-party providers

Firms that perform payroll processing in various stages and handle information that could affect the payroll processing company and/or their clients. This could be third-party firms responsible for the printing of checks, the software that is used to process and administer payroll, as well as third parties who manage a payroll processor’s information technology managed services. Any business that has the ability to affect their clients’ internal controls over financial reporting will benefit by having an annual SOC 1 performed to provide their end users.

What does a SOC 1 report cover?

For payroll companies, a SOC 1 report predominantly focuses on IT areas and business processing controls. An independent assessor, such as A-LIGN, would look at the payroll process controls that are in place. This would include things like:

  • The secure, accurate, and complete implementation of new clients
  • Completion of payroll and tax statements, and other financial statements
  • Completion and accuracy of payroll information
  • Vendor management for subservice organizations

A-LIGN has an understanding of the different payroll applications that are in use in payroll firms and is able to leverage that knowledge to assess the controls the payroll company has in place as they relate to the use of their payroll application.

What triggers an organization to ask for a SOC 1 report?

Typically, when an organization requests that their client provides a SOC 1 report, it is because they are going through a financial statement audit. There is confusion amidst many companies that only publicly traded firms are required to undergo financial statement audits, however, businesses of any kind may be required to undergo these audits.

As a result, your business may be asked to provide these reports as a result of these audits.

How often do I have to do it?

If the business requesting that you complete a SOC 1 report is asking you for it as a result of a financial statement audit, it is likely that your business will be asked to report annually. However, some payroll clients are able to do it less frequently depending on their size.

Frequency depends on the maturity of your organization and the need expressed by clients.

Why is SOC 1 Necessary?

As we detail the need for SOC 1, we will refer to the payroll provider as ‘Payroll Provider Inc.’ and the company outsourcing their payroll needs as “Outsourcer Inc.”

Payroll providers are considered service organizations because they provide services for other businesses. Before a company engages with Payroll Provider Inc., it is important that Outsourcer Inc. understands how your organization works and how your business could affect their financial statements.

Payroll companies are responsible for handling large sums of both personal and financial information that requires protection. Because of this, it is necessary that Payroll Provider Inc. has the appropriate safeguards and processes to maintain compliance. By completing a SOC 1 audit, Outsourcer Inc. will be able to easily review the business and IT areas of Payroll Provider Inc. that could affect their financial statements. Outsourcer Inc.’s financial auditors can then review the report to understand how your operational controls could affect them.

A SOC 1 audit ultimately provides Outsourcer Inc. with the comfort that Payroll Provider Inc. will be able to conduct business in a reliable fashion and meet the expectations that Outsource Inc. sets. In addition, a SOC 1 audit provides Payroll Provider Inc. a competitive advantage by building trust and increasing profits through increasing operational effectiveness.

Preparing for SOC 1

If your business has never performed a SOC 1 audit before, A-LIGN recommends that you go through a readiness assessment. A readiness assessment allows your organization to observe potential areas of weakness and allows remediation before conducting an assessment. This ensures that your organization is prepared prior to the official engagement.

Read more: “Failed” Your SOC Examination? Here’s Why

Are you looking to find out more about a SOC 1 engagement? A-LIGN has extensive experience working with payroll providers and can serve as an advisor as you determine the security and audit needs of your business. Connect with a payroll compliance specialist today at or 1-888-702-5446.

Making the Switch from SSAE 16 to SSAE 18

When service organizations receive a SOC 1 examination, it is performed under the SSAE 16 or “Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization” standard.

In the Spring 2016, The AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of the SSAE 18 standard, “Concepts common to all Attestation Engagements”. This new standard replaces SSAE 16 for SOC 1 engagements and goes into effect for reports dated after May 1, 2017.

It is important to note that the SSAE 16 standard was specific to service organizations and the SSAE 18 is for all attestation engagements. This means that we can no longer refer to SOC 1 as an SSAE 16 examination and it will not be replaced by the term SSAE 18 examination. Instead, it will simply be referred to as the SOC 1.

Despite the potential for confusion related to the naming of the examinations and reports, the actual changes to what a service organization has to do to prepare for an examination is not extensive. Here are four changes that come with SSAE 18 that affect the SOC 1 examination.


  1. Vendor Management

The most significant change in the requirements that has to be met by a service organization is ensuring that its vendor management program for subservice providers (for example colocation facilities) is significantly robust.  SSAE 18 is requiring that service organizations implement processes that monitor the controls at subservice organizations. SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports.
  • Hold periodic discussions with the subservice organization.
  • Make regular site visits to the subservice organization.
  • Test controls at the subservice organization by members of the service organization’s internal audit function.
  • Review Type I or Type II reports on the subservice organization’s system.
  • Monitor external communications, such as customer complaints relevant to the services by the subservice organization.
  1. Risk Assessment

Another change in what will be required by SSAE 18 will be in the area of more specific requirements as opposed to the existing general considerations of risk via a risk assessment.  SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement. This, in turn, should lead to an improved linkage between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

  1. Complementary Subservice Organization Controls

SSAE 16 required that service organizations provide a listing of controls that should be performed by user organizations.

In order to recognize that more organizations are outsourcing key functions to their own set of subservice organizations, SSAE 18 introduces the concept of “Complementary Subservice Organization” controls. This concept establishes and defines the controls for which user entities must now assume in the design of the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of control objectives in the report. SSAE 18 provides more guidance around this area, and will hopefully lead to more consistent reporting across entities and practitioners.

  1. Written Assertion Requirement

The final change to the SOC 1 is the requirement, per SSAE 18, that the service auditor obtains a written assertion. This written assertion is the statement found within the SOC report wherein the service organization asserts that the system description provided is essentially true and complete. This statement has always been contained within the SOC 1 reporting document but the requirement that the service organization signs the document was optional. In practice, the majority of service organizations have already been signing this document, as a way to strengthen the credibility of the report. Accordingly, there will not be significant changes to what either the service auditor or service organization will have to do to meet this requirement.

It is important for you to understand these changes and how it will impact your organization before the standard goes into effect in May 2017. Our assessors can prepare you for this change and ensure you stay in compliance. Contact A-LIGN today for assistance at or 1-888-702-5446.

What are the differences between ISAE 3402 and SSAE 16?

The preferred reports for service organizations with direct impact on internal controls over financial reporting of their clients are the SSAE 16 (Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was issued by the Auditing Standards Board of the American Institute of Certified Public Accountants) and ISAE 3402 (International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board). While these reporting options were designed to aligned, there is a common misconception that an SSAE 16 examination and an ISAE 3402 examination are exactly the same. A careful review shows that there are actually nine key differences that make ISAE 3402 distinct from an SSAE 16.

The Differences Between ISAE 3402 and SSAE 16

  1. Intentional Acts by Service Organization Personnel

SSAE 16 requires the service auditor to investigate any noted deviations that could have been caused by an intentional act of service organization personnel. It also requires that the auditor receives written representation from service organization management detailing any actual, suspected or alleged intentional acts that could affect the fair presentation of management’s description of the system. An example of an intentional act could be something such as an employee committing fraud.

While both standards require the investigation of any deviation’s identified, the ISAE 3402 does not explicitly require auditors to obtain the written representations.


  1. Anomalies

An operating anomaly is something that deviates from the standard. ISAE 3402 contains a requirement that allows a service auditor to conclude that a deviation that is identified when testing a sample of the control can be considered an anomaly. This is because of the idea that when controls are sampled, they are not necessarily representative of the entire population from the samples drawn.

On the other hand, SSAE 16 treats all deviations in the same manner, rather than as an anomaly.

  1. Direct Assistance

SSAE 16 requires that the service auditor applies U.S. audit standards guidance when the service auditor uses members of the service organization’s internal audit function to provide direct assistance.

ISAE 3402, on the other hand, does not provide for use of the internal audit function for direct assistance.

  1. Subsequent Events

SSAE 16 requires that the auditor discloses any event that could be significant in order to prevent users from being misled. A subsequent event would be something that could change management’s assertion after the audit period has ended.  However, ISAE 3402 limits the types of subsequent events that would be disclosed in the service auditor’s report to only those that could have a significant effect on the service auditor’s report.

Following the release of the report, the SSAE 16 also requires the service auditor to adapt and apply the appropriate U.S. audit standards guidance if they become aware of conditions that existed at the report date and could have affected management’s assertion had the service auditor known about them.

  1. Statement Restricting Use of the Service Auditor’s Report

SSAE 16 requires that the service auditor’s report include a statement restricting the use of the report to management of the service organization, user entities, and user auditors.

ISAE 3402 requires that the service auditor’s report include a statement that indicates that the report is intended for the service organization, user entities, and user auditors, but does not require a statement restricting its use.

  1. Documentation Completion

ISAE 3402 requires that the service auditor assembles the appropriate documentation in an engagement file and complete assembly after the completion of the service auditor’s report.

SSAE 16 also requires this measure but has a 60-day timeline following the service auditor’s report release date.

  1. Engagement Acceptance and Continuance

SSAE 16 establishes that management acknowledges and accept the responsibility of providing the service auditor with written representations at the conclusion of the engagement.

ISAE 3402 does not require this acknowledgment.

  1. Disclaimer of Opinion

If the service provider does not provide the assessor with specific written representation, ISAE 3402 requires that the auditor disclaim an opinion after discussing the matter with management. If this were to occur, the auditor is required to take action.

SSAE 16 requires that the service auditor takes action as well in the same manner or by withdrawing from the engagement.  The SSAE 16 also contains certain incremental requirements when the auditor plans to disclaim an opinion.

  1. Elements of the Section 801 Report That Are Not Required in the ISAE 3402 Report

SSAE 16 contains certain requirements that are incremental to those in ISAE 3402. These requirements are as follows:

  • The identification of any information included in the documentation that is not covered by the service auditor’s report.
  • A reference to management’s assertion, and a statement that management is responsible for identifying any of the risks that threaten the achievement of the control objectives.
  • A statement that the examination included assessing the risks that management’s description of the service organization’s system is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives.
  • A statement that an examination engagement of this type also includes evaluating the overall presentation of management’s description of the service organization’s system and suitability of the control objectives stated in the description.

Reporting Options

While both SSAE 16 and ISAE 3402 are designed to accomplish the same goal in terms of reporting the establishment of effectively designed controls over financial reporting, some service organizations may need to provide reports to their clients (user entities) under each standard. Often this is driven by the need to perform services within and outside of the United States. For those service organizations, the U.S. based standard allows for SSAE 16 reporting to be performed in accordance with the ISAE 3402 standards, often referred to as a combined report.

When considering the reporting options that makes sense for your organization, it is important to work with an experienced assessor who can understand the unique needs of your company. A-LIGN has conducted more than 4,000 SOC 1, SOC 2 and ISAE 3402 reports and understands the challenges that each can present for an organization seeking a report. Contact us now to find out more about how A-LIGN can help at or call 888-702-5446.

How SOC Audits Can Help Save on Errors & Omissions Insurance

E/O Insurance As many companies look to reduce costs, one cost that continues to rise as the company grows is Errors and Omissions (E/O) insurance premiums. Both company liability and personal liability of the board of directors and owners is a topic that continues to be a focus of litigation. One of the ways a company can demonstrate they have sound controls over their control environment (which includes the tone at the top, board of directors’ participation, management oversight, etc) is to have a SOC audit conducted by a third-party auditing firm such as A-LIGN.  Continue reading “How SOC Audits Can Help Save on Errors & Omissions Insurance”

Why do my clients ask me for a SOC 1/SSAE 16 Report?

Let’s spend a few minutes getting back to basics. Why do your clients ask for a SOC 1/SSAE 16 report to be provided?  Your clients ask because their auditors probably asked for it.  So why do your auditors ask for this report?  The roots for SSAE 16 can be traced back to SAS 70 and even further to SAS 55.  The understanding of internal controls is a fundamental component of performing a financial audit.  I spent time early in my career in the financial audit department which helps me explain to companies why a SOC 1/SSAE 16 report would be applicable or not to the company.  In performing a financial audit, the auditor makes inquires of the company regarding their internal controls. Having an understanding of the internal control over financial reporting is a required component for the auditor to perform.  If a service has been outsourced to another company, the auditor is required to understand the internal controls. This is so that they can understand the internal controls and assess control risk accordingly. Continue reading “Why do my clients ask me for a SOC 1/SSAE 16 Report?”

SOC 2 – Not your prior year SAS 70

After a 20 year reign as the service auditor’s report, the SAS 70 was retired this summer with much fanfare. After being used to communicate the design, implementation and operating effectiveness of controls at every type of service organization imaginable, the AICPA published new standards that better align the type of service organization and service provided to the report used to communicate the design, implementation and operating effectiveness of controls to the user of the report. Continue reading “SOC 2 – Not your prior year SAS 70”