SOC 1 Compliance Considerations for Global Payroll Owners of Multinational Businesses

The outsourcing of non-core services has been a popular business model since the early 1990s. It can help a business remain focused on what it does best, and it can offload work to a firm that has more experience with the task, more scale, and a better understanding of associated regulatory compliance. Moreover, it is usually good for the bottom line; outsourcing to service organizations can save a business significant time and money. Many businesses use service organizations for complicated functions such as payroll processing.

When you outsource to a service organization, however, how can you trust that the methods they use to conduct your business are consistently accurate and compliant? You want to avoid serious risks – one of the biggest being the security of your employees’ personal information. The service organization must have the right controls, policies, and procedures to safeguard personally identifiable information (PII) and ensure that every report you receive is accurate. A SOC 1 report can help you become comfortable with your chosen vendor’s capabilities in this regard.

The Basics of SOC 1 Compliance

A SOC 1, formerly known as a System and Organization Controls report, is part of the Statement on Standards for Attestation Engagements (SSAE) 16, which is itself an auditing standard for service organizations. While SSAE 16 is an American standard, it mirrors the more international ISAE 3402. Both standards supersede the earlier, popular standard known as SAS 70. A SOC 1 report is the end product of an audit by a qualified independent CPA. (In May of this year SSAE 18 was issued as an update to SSAE 16. Some of the updates affecting SOC 1 are noted below.)

Note that the SOC 1 report is exclusively for “service organizations.” According to the American Institute of Certified Public Accountants (AICPA), a service organization is defined as “The entity (or segment of an entity) that provides services to a user organization that are part of the user organization’s information system.” Here are some examples of service organizations under this definition:

• Software as a Service (SaaS) providers
• Credit card processing
• Payroll processing
• Medical billing

A SOC 1 report conveys the information that you and your CPA need to know about a service organization’s policies, procedures, and other necessary information about how they handle your financial information. In other words, it’s a report that describes whether the service organization is actually doing what they profess to with your financial information and employee data.

Competitive service organizations that wish to differentiate themselves will proactively undergo a SOC 1 audit annually, so they can share the results with their current and prospective clients. The frequency is a further reason to rest easy in their SOC 1 compliance, since it shows overall initiative.

According to AT-C Section 320, the objective of a SOC 1 report is to produce an attestation by the auditor that:

• The service organization’s own description of their system is true to what is actually taking place
• The controls for the service organization’s systems will accomplish the control objectives if the systems operate effectively

There are two kinds of SOC 1 reports, type 1 and type 2. A type 1 report is a snapshot of the service organization’s controls at a single point in time. It reports on the fairness of the service organization’s own description of their processes and describes whether their own controls are suitably designed to achieve the control objectives.

Type 2 reports on the same material, but it looks at the controls over a period of time. This report not only describes the controls in place, but it also monitors their effectiveness through the reporting period, which can be no less than 6 months in duration. Typically, a type 2 report covers 12 months.

The Parts of a SOC 1 Report

On May 1st, 2017 the AICPA put into effect new guidance for SOC 1 reports, stating that a SOC 1 report should have three parts:

  1. The management of the service organization writes a description of their system and controls
  2. The management writes an assertion that the description is a fair representation of the actual system in place and that the controls are designed to meet their respective control objectives
  3. The service auditor writes a report that issues an opinion on the above two items. For type 2 reports, the contents must also include a description of the auditor’s tests of the controls and the results of those tests over the given period of time.

Why Ask for a SOC 1 Report?

When you are evaluating service organizations, a SOC 1 report can be a value-added independent opinion that offers peace of mind. Not only does it confirm that the service organization is actually doing what they say they are; it also indicates that they have a “controls culture” that is more likely to keep pace with the fast-changing world. Ask potential service organizations to provide a current SOC 1 report. Your financial information and financial reporting are key aspects of your business, and you don’t want to trust them with just anyone.

If you have any questions for us on compliance or payroll around the globe, please feel free to contact our team. We are here to help!


This article is for informational purposes only. It is not intended to constitute legal advice.

