Protect your Payroll and Ask for a Service Audit Report
Payroll can be an administrative nightmare if done in-house, especially for smaller companies. In addition to keeping up with employee withholdings and benefits enrollment, you must file state and federal payroll tax returns and follow union reporting requirements. Outside service companies that specialize in payroll administration can help you manage all of the details and minimize mistakes. Payroll providers can also handle expense reimbursement for employees and provide other services.
When payroll is outsourced, however, your company could be exposed to identity theft and other fraud risks if the service provider lacks sufficient internal controls. For example, sensitive electronic personal data could be hacked from your network and sold on the Dark Net — or old-fashioned paper files could be stolen and used to commit fraud.
Audits of payroll companies
Fortunately, CPAs offer two types of reports that provide assurance on whether an outside payroll provider’s controls over paper and electronic records are adequate.
Type I Audits. This level of assurance expresses an opinion as to whether controls are properly designed.
Type II Audits. Here, the auditor goes a step further and expresses an opinion on whether the controls are operating effectively.
When performing these attestation engagements, Statement on Standards for Attestation Engagements (SSAE) No. 18 requires:
- The payroll company’s management to provide a written assertion about the fairness of the presentation of the description of the organization’s control objectives and related controls and the suitability of their design; and for a Type II audit, the operating effectiveness of those control objectives and related controls,
- The auditor’s opinion in a Type II audit regarding description and suitability to cover a period consistent with the auditor’s tests of operating effectiveness, rather than being as of a specified date, and
- Auditors to identify in the audit report any tests of control objectives and related controls conducted by internal auditors.
Further, auditors are prohibited from using evidence on the satisfactory operation of controls in prior periods as a basis for a reduction in testing in the current period, even if it’s supplemented with evidence obtained during the current period.
When an audit is complete, the service auditor typically will issue a report to the payroll company.
As the customer of the service provider, it is then up to you to obtain a copy of the audit report from the payroll provider and distribute it to your financial statement auditors as evidence of internal controls.
Outsourcing with confidence
Your financial statement auditors are required to consider the internal control environment for any services you outsource, including payroll, customer service, benefits administration and IT functions. Most service providers obtain service audit reports. If yours doesn’t, you might need to request permission for your CPA to contact and visit the payroll provider to plan their financial statement audit.
The best advice we can offer is: Don’t go it alone. Contact Robert Smolko, CPA, Ciuni & Panichi, Inc. audit partner, at 216-831-7171 or firstname.lastname@example.org for sound advice when making decisions about your business.
You may also be interested in: