Service Organization Control (SOC) Reporting for PEOs

SOC reporting will help your PEO gain a competitive advantage by validating the efficiency and effectiveness of your internal controls, identifying areas of improvement, and improving financial reporting integrity.

Why is SOC 1 Reporting important?

PEOs should regularly assess and address risks faced by customers related to financial reporting, compliance with laws/regulations, and efficiency and effectiveness of operations.
A clean SOC 1 report, issued by an independent third-party CPA firm during an audit process, is evidence that the PEO is evaluating and reporting on operational controls related to security, availability, processing integrity, confidentiality, and privacy.

Auditors evaluate the infrastructure, software, people, procedures, and data to perform the attestation. The suitability of the design of certain internal controls is tested in the SOC 1 Type 1 Examination, which asserts that the PEO's systems and services are compliant with SOC 1 standards as of a specified date (e.g., August 4, 2018). The SOC 1 Type 2 Examination reviews the operating effectiveness of the internal controls defined in “Type 1” over a specified period of at least six months.

There are many benefits to going through the process and obtaining the SOC 1 Attestation. For some companies, the Attestation contributes to improvements in customer service quality and consistency. Others experience increased confidence in the function, efficiency, and performance of internal controls, an expanded pool of potential new clients that require the report (like public companies), and increased credibility of their services. Together, these impacts can lead to increased client retention, profitability, and productivity for a PEO.

What Should PEOs Consider?

Definition of the Scope

Define the system, products/services, and locations under review. For example, the audit may only include one location and the payroll processing system. Third-party service providers, or subservice organizations, may also be excluded from the scope of the report. Expected uses of the report should determine the appropriate scope parameters.

Control Objectives

Control objectives identify the desired result or purpose of implementing control activities and address risks related to security, availability, processing integrity, confidentiality, and privacy. The CPA firm performing the audit may help build control objectives that are commonly used for your service or industry; however, management is ultimately responsible for the definition of control objectives and related controls.

Control Activities

Control activities include management’s policies and procedures that help ensure the PEO’s control objectives are in place and consistently achieved.

Standard Operating Procedures (SOP)

Standard Operating Procedures (SOPs) are the policies and procedures that are designed to standardize processes, mitigate risks and define the company’s control points. The SOPs are reviewed as a control activity for each control area to understand the process, systems, policies and personnel involved.

