Any discussion with global payroll professionals will eventually result in the words “compliance” or “due diligence” entering the conversation. You may ask why that is the case and whose role it is to hold the “reins” of compliance and due diligence?
In larger organizations, the Chief Executive Officer would have the ultimate responsibility for, and oversight of, compliance, ensuring adherence to laws, regulations, rules, and operational stability in each country. In turn, CEOs usually delegate some of that responsibility to other management staff. There is a good reason for compliance being at the forefront of everyone’s minds. Noncompliance leaves you at risk for financial losses, security breaches, license revocations, business disruptions, erosion of trust, and a damaged reputation (or worse, imprisonment).
Compliance has also had a resurgence of interest as a direct result of the coronavirus pandemic. Many payroll professionals have received a call or an email from their senior management asking the questions: Is everything being processed correctly? Will our employees get paid on time? Or perhaps, more unfortunately, what can we do as we are not going to be able to pay our employees for much longer?
Several governments offered financial support to companies or their citizens, or both, during this unprecedented time. Some of these government-funded benefits and assistance programs were managed directly through the payroll process. Globally, tax authorities are now tasked with recouping funds used to support these economies, and this is, in part, achieved through a more robust compliance monitoring and enforcement program. This has resulted in increased government audits and checks on the administration of tax legislation. At the outset of the coronavirus outbreak, some people travelled home as businesses shut down—and for some, “home” meant another country. This scenario can easily result in complex compliance challenges. As taxes collected via payroll remain one of the highest forms of state revenue collection, it comes as no surprise that payroll compliance is critical.
These compliance issues apply whether the payroll is managed in-house or outsourced to a third party. In-house monitoring of compliance is often more difficult, especially if the structure has been in place for some time. The coronavirus pandemic has made some companies think hard about their resilience and ability to manage continuous regulatory changes. Compliance is not just about getting the numbers right; you need to think hard about those business continuity plans, too. When was the last time you checked those backups? Can your payroll software provider or IT team perform that restore when you need it most?
Managing In-country Partners, Service Providers
The management of an outsourced service provider is fundamental to ensuring compliance. Payroll is critical to keeping workers motivated and ensuring that they are paid correctly and on time, every time.
There are other reasons why monitoring the performance of an in-country service provider is crucial. Global payroll is complicated and stressful. It is an art not a science. Errors in one area may not only result in additional time or fines but could also result in employees receiving unwarranted attention from tax authorities in respect of their status or just becoming disgruntled due to incorrect payments. Success depends on all stakeholders working in partnership, which then translates into nothing coming as a surprise.
The compliance journey will never end and will take detours depending on the business strategy. Sometimes, the business will formally take notice at the point it decides to outsource, change a provider, or enter a new country. It is never too late. Even if the new supplier is well-known, or perhaps some of their team is known, due diligence is key to a successful partnership. Many companies will have a procurement strategy, which covers financial status and other areas, like the following:
- Supplier code of conduct—Do their values and controls match yours?
- Conflict of interest checking—Does using a particular supplier create a conflict of interest for other parts of your business?
- Information security and data protection, including GDPR—Can the service provider demonstrate a clear track record, and will they allow you to speak to existing clients?
- Market reputation—Does the service provider have regional affiliations with recognized professional payroll bodies, such as the APA in the United States?
- Prior legal or professional and regulatory issues—Can the service provider attest to no prior issues?
Increasingly, such due diligence also looks at carbon footprints, diversity, wage gaps, and the supplier’s focus on national living wage versus the minimum wage.
This level of due diligence may seem high to some, but if these values are important to a company’s shareholders and to the company’s reputation, then they must be important to your suppliers, too. Your company’s auditors should be looking at critical aspects of the business, and this includes payroll.
Maintaining this level of due diligence is difficult and increasingly takes commitment to deliver. Often, customers will look for accreditation, such as ISAE 3402 or SOC 1 and 2 controls, but it is vital to read the auditor’s notes: what does it actually cover? Which locations? Such certifications are a good indication that the supplier understands its processes and that the auditors accept the controls that are listed. However, you must remain a sceptic. Ask yourself, “What is not covered?”
The audit process should be considered ongoing, and auditing dozens of countries every year is just not feasible without a huge team. A cyclical approach would perhaps be a better solution. The audit should also be considered as part of the overall contract performance, which will include service level agreements (SLAs) and key performance indicators (KPIs).
Payroll Professionals Should Start With a Review
We have listed below some of the areas we believe will support the payroll professional to ensure that they have a tight hold on the compliance reins. These include the following:
- Develop a controls framework that covers the areas to be monitored and highlights the information required to demonstrate compliance
- Prepare a risk matrix for your countries, which involves:
  - Assigning risk (e.g., high, medium, or low) that is based on headcount volume, prior issues, or where the highest regulatory risk is encountered
  - Determining audit frequency for each risk category, which will be covered by an annual audit: medium would see an audit being undertaken every two years, and a low categorization would result in an audit every three years
  - Scheduling frequency of audits for each country or supplier based on the risk matrix
- Allocate resources—even if the supplier is contractually obligated to provide evidence to show adherence to the controls framework, a responsible person is needed to review that evidence and ensure they are complying. Remain objective and sceptical.
In terms of resources, it is important that this responsible person is qualified for the role of ensuring compliance. It could be a single person or a Relationship Management team member. Do not be afraid to bring in expertise from elsewhere in your business for specific areas such as IT to review data security.
In addition to the controls framework, the Relationship Management team should consider a number of other factors. Listed below are the most relevant ways of managing compliance:
- Review the performance of the contract (i.e., SLAs, KPIs, service failures)
- Review management reports and ask for supporting evidence if anything is not clear in the reports
- Review the change requests (CR) management process and new services
- Review the escalation management and ensure that process improvements are clearly documented to ensure the same issue is not escalated again
- Review the implementation process for any new transitions or new services to ensure that the controls are fully understood and maintained for these new services.
Controlling the Compliance Beast
Compliance can be a wild beast, but it can be controlled by keeping a firm hand on the reins. Key to keeping those reins tight is agreeing to the scope and knowing who is holding them.
A successful partnership can run for years with minimal compliance and the wild beast can be reined in if all parties take the risks seriously, are clear on roles and responsibilities, and diligently follow the controls framework.
Sharon C. Tayfield, MCIPP, is a Director of BDO LLP in Global Payroll Services. Prior to this, she held the position of Chief Operations Officer (COO) with a payroll service provider specialising in Africa. Before moving into payroll Tayfield was the Group Financial Director of a property outsourcing group with control over HR and payroll. With more than 20 years of experience in global payroll, Tayfield ensures clients remain compliant in all regions they operate in, and most importantly, that the clients’ employees are paid on time.
Neil Pinches is a qualified management accountant with more than 25 years of experience in multiple business transformation projects and ERP implementations within the U.K., Australia, Europe, Middle East, and the United States across a wide variety of sectors, including retail, banking, publishing, and FMCG. Pinches is experienced in the set-up, rollout, and operations of global accounting services including payroll. He spent several years overseeing outsourced teams in finance and payroll and currently holds the position of Global Transitions Director at BDO UK LLP.