This article was updated on Oct. 12, 2018.
Organizations must have processes in place for monitoring the compliance of outsourced payroll. Payroll vendors offer services intended to keep customers compliant with the myriad applicable regulations, but the ultimate responsibility for compliance remains with the organization paying the workers.
Outsourcing payroll may seem risky precisely because those compliance risks stay on the organization's shoulders. In practice, well-established payroll vendors usually already operate mature, controlled compliance processes designed to keep their customers compliant, and these are often stronger than anything a hiring firm could build for itself. Finance leaders should not rely entirely on a vendor's processes, however robust they are. Coupled with the customer's own internal controls, though, vendor processes can increase financial leadership's confidence that the organization remains in compliance with employment and tax laws, financial control standards, and data protection and privacy rules.
Legal requirements for payroll processes are extensive. Numerous federal laws regulate different aspects of payroll, including the Fair Labor Standards Act, the Federal Insurance Contributions Act and the Federal Unemployment Tax Act. For publicly traded companies, the Sarbanes-Oxley Act (SOX) adds requirements for internal controls over financial reporting, which cover payroll. In addition to federal law, state laws govern payroll processes and can be, and often are, more protective of employees than the federal baseline.
To confirm that an outsourced payroll vendor remains in compliance with these and other legal requirements, financial leadership should, at a minimum, require vendors to answer the following questions:
- What processes do you have in place to keep up with regulatory changes?
- How do you ensure continued compliance with the regulatory environment?
- How often do you audit your processes?
- How often, and in what form, do you send customers audit reports for monitoring compliance efforts?
Answers to these questions should be obtained at least once a year so that you can independently assess that vendor's compliance rather than relying on its assurances alone.
Financial Controls, Data Protection and Privacy
Finance leaders should also consider both the vendor's internal financial controls and the data security and privacy risks of outsourcing payroll. Payroll data is among the most sensitive data an organization holds, combining personal, tax and bank account details, and, as with any data stored digitally, there is a risk that unauthorized individuals gain access to it. That risk is especially important to weigh when the data is held and processed by an outside payroll vendor.
There are independent ways to verify that an outsourced payroll vendor maintains both kinds of controls. The System and Organization Controls 1 (SOC 1) report addresses controls over financial reporting, and the SOC 2 report addresses security and privacy.
SOC 1 Report
A SOC 1 report is an independent auditor's report on the controls at a service organization that are relevant to its customers' internal control over financial reporting. A CFO uses this report to help monitor whether a payroll vendor has sufficient financial controls in place. Financial leadership should request a copy of the vendor's current SOC 1 report and continue to receive copies each time it is updated. When reviewing it, check whether it is a Type I report (control design at a point in time) or a Type II report (operating effectiveness over a period, which gives stronger assurance), read any exceptions the auditor noted, and pay attention to the complementary user entity controls, the controls the report assumes the customer itself operates.
SOC 2 Audit
Another way for customers to evaluate whether security controls are in place is to require a payroll vendor to undergo SOC 2 audits. SOC reports are attestation reports issued by an independent CPA firm under AICPA standards on the controls at third-party service providers, in this case payroll services. A SOC 2 audit evaluates security and privacy measures against the AICPA Trust Services Criteria and provides assurance that the vendor meets one or more of five criteria: security, availability, processing integrity, confidentiality and privacy. Security is always in scope; the other four are included only if the vendor chooses, so confirm that the categories you care about (for payroll, typically confidentiality and privacy as well as security) are actually covered by the report you receive.
A payroll vendor's assurance that it has processes in place to remain compliant with applicable laws and standards does not mean the job is done. Finance leaders cannot abdicate responsibility to even the most reputable payroll vendor, because non-compliance harms the organization, not the vendor. By asking the right questions, reviewing the audit reports and holding vendors accountable for their compliance processes and audits, financial leadership can add layers of assurance that payroll remains compliant while still realizing the benefits of working with an outsourced vendor.