SSAE 18 and Payroll and Check Processing Companies | Type 1 and Type 2 Reporting
SSAE 18 Type 1 and Type 2 reporting is closely tied to payroll providers and check processing companies. Many organizations outsource these material functions to service organizations that provide traditional payroll processing (including the entire lifecycle of the processing platform itself), printing and mailing of hard-copy checks, and multiple other critical services.
If you are a payroll and/or check processing company, or any other type of service organization providing critical services to the payroll industry as a whole, then SSAE 18 Type 1 and Type 2 reporting should be on your radar.
When the regulatory compliance auditors come knocking at your doorstep, take notice of these three critical points you need to know about SSAE 18 and Payroll and Check Processing Companies:
1. SSAE 18 is the perfect reporting tool for payroll and check processing companies. SSAE 18 Type 1 and Type 2 reports are directed towards service organizations that have a direct relationship with ICFR, Internal Control over Financial Reporting. More specifically, if your service organization handles, processes, facilitates, calculates or records client financial data that could impact the financial statement reporting of your clients, then an SSAE 18 report is a must-have.
Though the AICPA launched the new Service Organization Control (SOC) framework, which allows for three (3) different reporting options (SOC 1, SOC 2, and SOC 3), a SOC 1 report (which uses the SSAE 18 professional standard) is the preferred choice of reporting for these types of companies.
2. Developing control objectives that reflect your business process is critical. In addition to general I.T. controls, payroll and check processing companies must also report on their specific business process controls. For example, if you are a traditional payroll company providing services that include the entire payroll lifecycle, then you will want to have control objectives that reflect this in an SSAE 18 Type 2 report. A few examples include:
- New client setup/on-boarding of all critical data, as well as the subsequent validity, accuracy and completeness of the data, much of which is considered Personally Identifiable Information (PII).
- Validity, accuracy and completion of all data calculations and batch processing related to the actual payroll information for all clients.
- Tax issues, such as preparing and filing quarterly and/or annual payroll reports and tax statements, calculations, withholding, reconciliation and escrow services.
- As applicable, Flexible Spending Account (FSA) administration, Health Reimbursement Account (HRA) administration, and 401K administration.
- COBRA administration and related termination of individuals from payroll services.
- Vendor management and other necessary due-diligence procedures for "subservice organizations".
3. Identifying "subservice organizations" is critical in this industry. Many traditional payroll processing companies, while they handle a large part of the entire payroll lifecycle, still outsource critical functions such as check printing/mailing, or possibly even use a technology provider for network security. It is vitally important that payroll processing companies identify all subservice organizations and their applicable roles, and determine whether they should be included within the scope of the SSAE 18 audit for the primary service organization or undertake their own respective SSAE 18 Type 1 and/or Type 2 assessment.
4. Documentation is Essential. Remember that policies and procedures, and other forms of documentation, are necessary for becoming SOC 2 compliant. How necessary? Enough so that companies often hire us, or another firm, to write their documentation. In the world of regulatory compliance, policies and procedures are incredibly important because they show auditors you have formalized processes for essentially everything you do.
Get busy writing those policies and procedures, or reach out to us as we provide complimentary templates to all our valued clients throughout North America and Europe. Let’s face it, no one really likes authoring policy documents, and it’s why we offer our templates to our valued clients.
5. Other Operational Measures are Necessary. Have you performed a risk assessment lately, and documented the results? How about putting in place a comprehensive security awareness training program for all employees? Do you have a documented incident response plan in place, and has it been tested? These are just a few of the “operational” areas that could very well come under testing for SOC 1 SSAE 18 compliance. We say “could” because unlike SOC 2, which has a prescriptive set of criteria-based tests, SOC 1 has a much more flexible framework. Talk to your auditors to determine what they believe is the best scope for your SOC 1 SSAE 18 assessment.