More than 6,000 employers woke up on July 17, 2019, to find that their payroll processing company, Interlogic Outsourcing, Inc., or IOI, had knowingly made a $122-million overdraft by initiating wire transfers without having the funds to cover the transactions, according to a federal lawsuit. The company faces a civil fraud lawsuit, and restraining orders have been issued to freeze the personal assets of IOI’s CEO Najeeb Khan. This may do little to help intended recipients of the wire transfers. Read the full story here and here.
If you’re not one of the 6,000 employers using IOI’s services, don’t think this doesn’t concern you
IOI is not the first payroll processor charged with fraud and, likely, won’t be the last. In 2016, Pinnacle Workforce Solutions closed its doors due to a similar misdeed. At that time, we warned employers not to make assumptions about their outsourcers that could result in being caught in a Pinnacle or IOI debacle. (If this sounds familiar, perhaps you read our 2016 blog, “Lessons in Risk from Pinnacle.”) The message to employers is worth repeating.
Don’t assume you’re covered
Employers pay companies to take care of such things as payroll, so they don’t have to worry about it. Most assume the service providers they hire are good companies that would never do anything wrong. They also assume that if there is a problem, the service provider is liable (or insurance will cover it).The first assumption is correct. The vast majority of payroll companies — big and small — are good fiduciary stewards that would never intentionally misappropriate client withholding funds and have good procedures in place to avoid mistakes.
The second assumption, however, is naïve. Historically, payroll companies agreed to liability for any errors or misdeeds on their part. The large ones were even likely to assume financial liability for errors on the part of their clients. Times have changed. And, if you think the provider’s insurance (or yours) will cover it, think again. You can’t insure against illegal acts.
Employers: read the fine print of your payroll services agreement; it may surprise you. Few companies, if any, will agree in writing to be liable for actions that result in financial loss — even if it’s their fault — putting all liability onto you, the client. Beyond the fine print, some companies actively put the onus on clients for confirming all is well. For example, UltiPro Services advises clients that it is their responsibility to verify that payroll deposits have been made. While this may seem a bit backward, we give them credit for going the extra mile to make it easy by providing the direct links to do so.
So, what’s an employer to do? Outsourcing still makes good sense. In an ideal world, service providers would be more accountable, but the bigger problem we see is that employers are overly trusting that all financial matters are being handled properly.
Publicly traded companies of the world (think ADP, Ceridian, Paychex, etc.) are held to higher standards and, therefore, you can be more confident in their fiscal controls. Also, due to the financial transparency required for publicly held companies, you can get a peek at their financials. (There is no such peek for privately held companies.) Further, the large number of internal controls that go along with required audits makes it more difficult for funds to go missing. But there are lots of reasons employers go with privately-held (often smaller) companies — who they know, who they trust, who best fits their culture.
Tips for employers
In a world of buyer beware policies, here are a few steps an employer can take to put their mind at ease that their payroll service provider is the good financial steward you believe them to be.
- No less than twice a year (quarterly is good), check that payroll taxes are being paid, and money is being moved as required. Ask the provider to show proof and how you can confirm directly.
- On an annual basis, request a copy of the current year SSAE 18 audit(s), SOC 1 (financial controls) and SOC 2 (data controls) for the review performed on both the business and the data center. If they don’t have one (or won’t provide it), ask why. These are voluntary audits, so a company that knows it will fail may opt to forego the audit. Once in hand, look for whether it has an unqualified opinion. Specifically, look for these phrases in the auditor’s opinion: “in all material respects” and “the description fairly presents (or represents) ...” This signals a clean audit. Anything less — ask your independent CPA to review it for more detailed analysis.
- For a prospective new provider, ask for and check references along with an SSAE 18, SOC 1 and SOC 2 audit(s).
- One additional option suggested by Caley LaRue, senior vice president of Gallagher’s Professional Liability Practice, is to ask (or require) your service provider to provide evidence of a Crime Bond. This is a guarantee that the bond company will carry the risk. Bonds generally renew annually. You may also request that your service provider obtain a Crime Bond that specifically names you, and that you will be notified within 30 days of the provider canceling the bond. If you go this route, don’t be surprised if the provider asks you to pay for the additional protection, especially in instances where your company is specifically named.
Given the varying processes and bureaucracy associated with payroll tax filing and processing, there may be no immediate red flag in the event of a problem, thereby increasing the risk for employers. Mitigate that risk by considering the financial attributes associated with a service provider before outsourcing (e.g., capitalization, insurance limits, strength of balance sheet, M&A ramifications, etc.), and then remain engaged with your provider. Contact us to discuss how a service provider’s financial attributes impact your risk.
Assisting companies to evaluate technology providers and mitigate risk is one of many consulting services Gallagher offers. Contact us today to start a conversation about fiscal health of your current or potential HR tech service providers (including payroll).
About the Author
Rhonda Marcucci, together with Ed Barry, co-leads Gallagher’s HR and Benefits Technology Consulting Practice. Their team provides unbiased, well-researched HR technology and benefits administration consulting including sourcing advice and service provider capability audits. Rhonda’s extensive and broad-based experience in finance, accounting, administration, strategic planning, information systems, sales and marketing, and operations is instrumental in helping clients identify a comprehensive strategy and execute against it.