In this Q&A HR and payroll compliance experts Ewa Tworzydlo and David Smiton discuss some of the major issues they see customers experience with compliance. They take a look at what can be done to solve these issues.
Q: What does compliance mean in relation to HR and payroll?
David Smiton (DS): Well first and foremost compliance means ensuring HR services and payroll are accurate and delivered on time.
Making sure data is up to date is a core part of remaining compliant due to data privacy laws.
However, this can be a major challenge for HR departments with new people joining and leaving companies on a daily basis. This is in addition to the frequent need to make changes to HR data due to personal life changes.
Not to mention the fact that in a multi-national company, different countries have different data protection laws so being compliant can be difficult for companies without the right type of support.
Q. What are some of the major compliance issues you have seen some of our clients’ experience?
Ewa Tworzydlo (ET): To David’s point our client’s key issue around compliance is ensuring that data is accurately and securely processed and complies with the relevant local legislation.
We see ourselves as an additional line of support for our customers. If companies are not aware of changes in Personal Identifiable Information, it is not only a risk that the data is inaccurate, but it can become a legal issue.
However, many companies are now aware of the importance of keeping their data accurate and secure. This in part has been driven by the requirements of the General Data Protection Regulation (GDPR) in Europe, and we see more and more companies globally implementing GDPR, which is perceived as the ‘Gold standard’ for data laws.
When companies are audited, they need to demonstrate the security and integrity of the data they are processing.
Q. How do Service Organization Control (SOC) reports help with compliance?
DS: For our clients, we support them to ensure their data remains secure, accurate and available to those who are authorized to access the data. For their own audit purposes many companies demand Service Organization Controls (SOC) reports, as evidence of independent testing of the control environment. This provides additional assurance to our customers.
ET: The Sarbanes-Oxley Act, introduced in 2002 in the US, required companies to provide evidence of independent auditors checking the system of internal controls.
There are three SOC reporting options, which the American Institute of Certified Public Accountants (AICPA) designed; SOC 1 looks at controls relevant to financial reporting (in our case related to payroll operations and associated IT controls). SOC 2 looks at the security and availability of systems, and SOC 3 which is a shortened version of the SOC 2 report.
More and more companies are demanding SOC 2 reports as they require more in-depth information about security and governance controls so that they can have confidence in the integrity and security of their payroll.
We provide SOC 1 and SOC 2 type 2 audit reports for a period of 9 months and in near future will be looking to extend their coverage to 12 months.
Q: How has COVID-19 impacted compliance for companies?
DS: Since the COVID-19 pandemic we have seen that remaining compliant has got even more complicated. With countries implementing different furlough schemes, we have seen a 90% increase in payroll changes since March 2020.
That quantity of changes can cause massive headaches for payroll teams if they have to manage payroll in-house.
It has meant that companies are increasingly looking for support to help them manage an ever increasing complex environment.
Q. How do companies reduce the risk of being non-compliant?
ET: Many companies are very well aware of the compliance risks. This is mainly, since the introduction of GDPR regulations in Europe. This compels organizations to ensure their data is secure and compliant.
More and more countries are starting to implement or already have implemented their own versions of the GDPR. For example; Brazil, Thailand, Chile and of course the California Consumer Privacy Act (CCPA) in the USA. Each has followed the EU’s lead with their own data privacy legislation akin to GDPR.
Companies need to make sure that they adhere to these regional and also local regulations. It can be difficult to do this in-house if you operate in a number of countries. We advise companies that they should outsource this process to help ensure they reduce their risk of non-compliance.
DS: EU regulations have helped to standardize data privacy, but countries still do have variations. Although one would think legislation like GDPR helps companies remain compliant there are still unique country variations that have to be adhered to.
A prime example is the saga that is Brexit. The UK government has stated it is their intention that the UK will introduce GDPR into law as the ‘UK GDPR’. But there may be further developments in the future.
Q. What are some of the consequences for companies that underestimate the importance of being compliant?
ET: Some of the major consequences are financial. If a company is found to be in breach of GDPR, they can be liable to pay a fine of up to 4% of global revenue. So, this is a major motivation for companies to optimize their data policies and security.
We can raise the flag if we see there is a danger of a company being non-compliant. This enables action to be taken before it becomes a bigger issue.
DS: Another side of this is the loss of reputation. If company is found to be non-compliant and/or breached GDPR then it can have a massive impact on their brand reputation.
There are a number of companies who have suffered from data breaches. This has affected their reputation for securing data. Ultimately, consumers are wary about sharing data with companies that have a poor reputation for looking after their data.
It’s not only a financial impact from a purely cost perspective.
Q. Finally, alongside payroll compliance, how do we support our clients with IT risks raised by their IT departments?
ET: Implementing a new system always poses a risk. Contracts we have with clients usually contain a detailed description of the security measures required. It is expected they will be introduced into every new system.
For most of our clients we are required to deliver SOC 1 reports. They contain auditor’s opinion and results of controls’ effectiveness provided also for wide range of general IT controls.
An example of a control area is payroll processing or data entry. But we also have four different control objectives relating to IT. These are; access management, change management, interfaces monitoring, data backup and replication (including physical security). They are all included at a high level in the customer contracts. We can go into greater depth with the client’s IT department when requested.
Lastly, our security team review any new contract. They verify whether there is any need for additional security controls or if we already satisfy the customer’s security requirements with the existing security measures.