NDNB is North America’s leading provider of SOC 1 SSAE 18 audit reports for payroll companies. Our personnel have extensive experience auditing payroll companies as far back as 1997 with the original (now retired) SAS 70 auditing standard. Simply stated – we understand the internal operations of payroll companies and can provide an incredibly detailed, yet efficient audit process from beginning to end.
Payroll companies conduct sensitive transactions, store highly confidential personal information, dispense large amount of payroll weekly, and much more. Because of this, the controls surrounding such activities must be regularly assessed for client and regulator reporting, which is exactly what a well-executed SOC 1 SSAE 18 report does.
Note: SOC 2 is NOT a proper auditing mechanism for payroll companies as it cannot adequately assess and test the ICFR concept – Internal Controls Relating to Financial Reporting. Because of this, payroll companies are advised to stay away from SOC 2 reporting as the main compliance assessment.
SOC 1 SSAE 18 Payroll Reporting – What You Need to Know
Begin with a Scoping & Readiness Assessment: New to the world of regulatory compliance – especially SOC 1 SSAE 18 reporting – then a scoping & readiness assessment should be considered an absolute must. The benefits of such an assessment? Many, indeed, such as the following:
- Validation of audit scope in terms of information systems, personnel, third-party vendors (i.e., subservice organizations), physical locations, and more
- Identification of internal control gaps, such as security and technical gaps, along with documentation gaps – information security processes and procedures.
Identify ICFR Component & Relevant Control Objectives: Payroll processing companies perform highly sensitive transactions for their customer, thus testing for controls relating to the ICFR concept is a must. ICFR stands for “Internal Controls Over Financial Reporting”, so here are some excellent examples of control objectives to consider for SOC 1 SSAE 18 reporting:
- (New Client Setup) Controls provide reasonable assurance that new clients are set up in a valid, accurate, and complete manner for all aspects of payroll processing.
- (Authorization of Transactions) Controls provide reasonable assurance that all payroll transactions originate from authorized sources.
- (Payroll Processing) Controls provide reasonable assurance that all aspects of the actual payroll processing activities are conducted in a valid, accurate, and complete manner.
- (Recording of Activities) Controls provide reasonable assurance that all payroll transactions are recorded in a valid, accurate, and complete manner.
- (Processing of Payroll Disbursements) Controls provide reasonable assurance that all payroll transactions are processed and ultimately disbursed according to schedules as agreed upon, with any noted deviations documented and approved as necessary.
- (Documentation) Controls provide reasonable assurance that all relevant documents (both hard-copy and electronic copy) are produced and distributed in a valid, accurate, and complete manner.
- (ACH Payments) Controls provide reasonable assurance that ACH payments to all intended recipients are conducted in a valid, accurate, and complete manner.
- (Payroll and Tax) Controls provide reasonable assurance that all payroll and tax accounts are setup and established, fees are accurate, and that the relevant quarterly and annual payments and filings are made by authorized personnel.
Identify ITGC Controls and Develop Relevant Control Objectives: Information Technology General Controls – commonly known as ITGC – are also critical to assess for SOC 1 SSAE 18 reporting for payroll processors, so consider testing for the following from a scope perspective:
- (Change Management): Controls provide reasonable assurance that changes to existing systems and the implementation of new systems as well as any internal company-wide changes, are authorized, tested, approved, properly implemented, and documented.
- (Logical Access): Controls provide reasonable assurance that access to all information systems (Network Devices, Operating Systems, Applications, and Databases) and other components that require authentication and authorization activities is limited to those who are authorized, and access rights are commensurate with user roles and responsibilities within the organization.
- (Network Security): Controls provide reasonable assurance that formalized network policies and procedures are in place, secure data transmission protocols are utilized, and information systems are appropriately hardened, configured, and monitored as needed for ensuring a secure environment.
- (Data Backup): Controls provide reasonable assurance that data files are backed up in a timely and complete manner, backup logs are generated for appropriate review, and critical system maintenance activities are undertaken on a regular basis.
Undertake all Necessary Remediation: What are the two biggest remediation items when it comes to payroll processing companies for SOC 1 SSAE 18 compliance? (1). Documentation. (2). Security and Technical controls. As for documentation, payroll companies need to have in place well-written processes and procedures for both their specific business functions (i.e., the payroll lifecycle, from beginning to end), and for general I.T. controls (i.e., access control, change control, data backup, etc.). This can take time, but’s it got to be done.
As for security and technical controls, many times payroll processors will find a deficiency within their information systems that needs to be corrected. For example, passwords need to be stronger, firewalls need configuration files to be re-written, and more. This also requires time in the context of having to utilize internal I.T. resources to correct these issues. NDNB luckily provides an in-depth baseline InfoSec best practice sheet that can be used for essential hardening of systems. It’s complimentary to each one of your SOC 1 SSAE 18 payroll processing clients.
Engage in Continuous Monitoring: Becoming SOC 1 SSAE 18 compliant for payroll companies is just the beginning in terms of regulatory compliance. Sure, it’s a great accomplishment, but you need to know that annual compliance is the new norm, which means continuous monitoring of one’s internal control environment is must. Specifically, it’s about ensuring that your controls are assessed on a regular basis, with changes made to ensure the continued operating effectiveness of those controls.
Companies change, business lines change – it’s the nature of the business world – and because of this, you need a structured, disciplined process for regularly monitoring your internal controls. Find a true internal “champion”, somebody who will take the time to regularly assess internal controls relating to all aspects of payroll processing. That certain “champion” will need to develop a checklist based off of the SOC 1 SSAE 18 audit, as this also helps ensure that obtaining a “clean”, unqualified opinion on annual audits is achievable. Who wants to receive and adverse opinion on their annual SOC 1 SSAE 18 report – not your business – hence the reason for continuous monitoring.
NDNB is North America’s Leading Provider of SOC Audits