By Avani Desai
Today’s business environment is compliance heavy, under continuous scrutiny, and intertwined with customer and legislative requirements. Companies must demonstrate compliance with a myriad of standards, laws, and regulations, such as the SSAE 16 examination (SOC 1), SOC 2/3 examinations, ISO certification, FedRAMP assessment, and hundreds more, across all areas of governance and programs.
As a human resource or payroll service provider, or a provider of any workforce management solution, you must reassure customers about the security and integrity of the data they store within your environment. Being able to give customers a level of comfort around their financial, corporate, and personal information is the foundation of information security compliance and can be a significant differentiator from competitors.
The compliance method highlighted here is the SSAE 16 examination, whose deliverable is a Service Organization Control 1 (SOC 1) report. The SOC 1 report is a widely accepted third-party attestation report designed specifically for service organizations; SSAE 16 is the AICPA standard, and ISAE 3402 is its international counterpart. A SOC 1 report gives service organizations and their customers an independent auditor’s opinion on whether the organization’s controls are suitably designed (and, for a Type 2 report, operating effectively) to meet the control objectives management has specified. SOC 1 examinations are performed when the provider’s services are relevant to its customers’ internal control over financial reporting. For human resource and payroll service providers, the report would cover both information technology controls and transactional controls, for example controls intended to ensure that payroll records are complete and accurate when they feed account balances.
There are two types of SOC 1 reports, and the service organization is responsible for specifying whether a Type 1 or a Type 2 examination will be performed. A Type 1 SOC 1 examination is performed when management requires a report on the fairness of presentation of the service organization’s description of its system and on the suitability of the design of its controls as of a specified date. A Type 2 SOC 1 examination is performed when management requires a report on the fairness of presentation of the description and on both the suitability of the design and the operating effectiveness of controls over a period of time, typically six to twelve months. Because only a Type 2 report includes the auditor’s tests of operating effectiveness and their results, customers’ financial statement auditors generally require a Type 2 report in order to rely on it.
Service providers going through the examination process for the first time may opt to perform a readiness assessment, which simulates a SOC 1 examination. The readiness assessment identifies, for each applicable control objective, the controls believed to be in place and operating effectively, and flags relevant controls that are either not in place or are in place but judged to be ineffective, so that gaps can be remediated before the actual examination period begins.
Your company may go down the path of a SOC 1 report because of a customer request or a contractual requirement; however, don’t let that obscure the several key benefits of obtaining the report:
- Build trust and confidence with current and potential customers
- Attain independent, third party assessment of controls
- Provide a single examination to fulfill multiple customer requests
- Obtain confirmation that controls in place are as management expects
- Increase market share
We have seen requests for human resource and payroll service providers to obtain a SOC 1 report increase with the heightened awareness of outsourcing risks, internal controls, data security incidents, regulatory compliance, and contractual obligations. Corporate governance boards and even shareholders want to see third-party assurance over companies’ outsourced operations because of the inherent risk of outsourcing business functions. The most efficient way to give comfort to customers is to provide a third-party assurance report. As such, many organizations have found it worthwhile to complete a SOC 1 examination before customers require it.
About Avani Desai:
Avani Desai is the Chief Marketing & Communications Officer at BrightLine CPA & Associates, Inc. (BrightLine). Avani has over 10 years of experience in IT Risk Management, Compliance, and Privacy. BrightLine is a leading provider of attestation and compliance services and is the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body and a FedRAMP 3PAO.