SSAE 16 Type 1 and Type 2 reporting for payroll providers and check processing companies have a close relationship indeed, as many organizations outsource these critical and material functions to service organizations who provide the following services:
• Traditional payroll processing ,which includes the entire lifecycle of the processing platform itself, such as setting up new clients into a specified system, obtaining recurring payroll data, and then facilitating the disbursement of funds (both electronically and hard copy checks) to designated employees within a given company.
• Third-party provider of printing and mailing hard-copy checks, and related documentation.
• All other "subservice organizations" that perform critical services for the actual primary service organization (i.e., the payroll company).
If you're a payroll and/or check processing company or some other type of service organization providing critical services to the payroll industry as a whole (or to another organization within the payroll industry), then SSAE 16 Type 1 and Type 2 reporting will surely become a requirement. And when the regulatory compliance auditors come knocking at your doorstep, take notice of these three critical points you need to know about SSAE 16 and Payroll and Check Processing Companies:
1. SSAE 16 is the perfect reporting tool for payroll and check processing companies. SSAE 16 Type 1 and Type 2 reports are geared towards service organizations who have a direct nexus/relationship with a concept known as "ICFR"; Internal Control over Financial Reporting. Simply stated, if you as a service organization are handling, processing, facilitating, calculating, recording client financial data (or any other type of activity with financial data) that could impact the financial statement reporting of your clients, then an SSAE 16 report is a must have. Though the AICPA launched the new Service Organization Control (SOC) framework, which allows for three (3) different reporting options (SOC 1, SOC 2, and SOC 3), a SOC 1 report (which uses the SSAE 16 professional standard) is without question the preferred choice of reporting for payroll and check processing companies
2. Developing control objectives that reflect your business process is critical. Along with general I.T. controls and other supporting general controls, payroll and check processing companies must also report on their specific business process controls. For example, if you are a traditional payroll company providing services that include the entire payroll lifecycle, then you'll want to have control objectives (and related control tests) that reflect this in an SSAE 16 Type 2 report. A number of specific business process areas that come to mind would be the following:
• New client setup and on-boarding of all critical data and the subsequent validity, accuracy and completeness of the data, much of which is considered Personally Identifiable Information (PII).
• Validity, accuracy and completion of all data calculations and related batch processing related to the actual payroll information for all clients.
• Tax issues, such as preparing and filing quarterly and/or annual payroll reports and tax statements, calculations, withholding, reconciliation and escrow services.
• As applicable, Flexible Spending Account (FSA) administration, Health Reimbursement Account (HRA) administration, and 401K administration.
• COBRA administration and related termination of individuals from payroll services.
• Vendor management and other necessary due-diligence procedures for "subservice organizations".
3. Identifying "subservice organizations" is a must in this industry. Many traditional payroll processing companies, while they handle a large part of the entire payroll lifecycle, still find themselves outsourcing critical functions, such as check printing and mailing, or possibly even a technology provider for network security. Its vitally important that payroll processing companies identify all subservice organizations, their applicable roles, and if they should be included within the scope of the SSAE 16 audit for the primary service organization, or undertake their own respective SSAE 16 Type 1 and/or Type 2 assessment. Learn more about NDB's complimentary SOC 1 Policy Packets and SOC 2 Policy Packets. They truly make a big difference in helping service organizations save thousands of dollars on SOC compliance.
Contact NDB Accountants today and learn about our competitive, fixed-fee SSAE 16 engagements and our expertise in the payroll industry. Contact Charles Denyer at 1-800-277-5415, ext. 705 or Christopher G. Nickell at 1-800-277-5415, ext. 706.