Today, payroll providers increasingly need to comply with laws, regulations and IT standards, with many changes in legislation and differences in legislation and tax among countries and partnerships such as the EU. It is common practice that payroll providers demonstrate to their clients that they are in control of their key processes by issuing assurance reports (SOC/ISAE). For these reports to be relevant, it is important that such a report covers the most important risks and includes appropriate controls. This article shows the results from our comparison of payroll assurance frameworks and provides suggestions on how to move control over payroll processes to the next level.

By conducting a benchmark across large payroll providers, we found that the assurance frameworks of payroll providers could be enhanced. First of all, in our research, we’ve found that there is very little use of automated controls in the control frameworks. This finding shows that there’s potential for payroll providers to unlock benefits, including substantial time and cost reduction, by embracing a more automated approach. By doing so, payroll providers can streamline their processes and enhance overall efficiency, leading to enhanced productivity and improved outcomes. Secondly, KPMG found that across payroll providers, there are few to no controls implemented for monitoring subservice organizations. This poses a risk, as it can lead to inappropriate management and oversight of these subservice organizations. Without effective controls in place, payroll providers may encounter challenges in ensuring compliance, maintaining data security, and mitigating potential risks associated with subservice organizations. Finally, we also observe that in some of the assurance reports, processes we would expect to be part of the assurance report scope are not included. This includes, but is not limited to, control objectives on unauthorized and/or duplicated payments and data management. An insufficient scope could indicate that the report is insufficient to capture the key risks that are essential for payroll providers.

Lack of automated controls: an opportunity to increase efficiency and reduce errors

In our research, we found that the majority of controls in payroll providers' control frameworks are manual controls or manual controls with an automated component. We analyzed 6 assurance reports, which in total contained 379 controls, and found that only 15% of these controls are fully automated. This shows a valuable opportunity for payroll providers to enhance their operations by embracing and implementing automated controls. The benefits of automated controls are:

  1. a reduced manual workload, and
  2. less error proneness, which, furthermore, will result in an overall cost reduction for the payroll provider.

First of all, implementing automated controls as a replacement for manual controls obviously reduces the manual workload for employees. At a time when it is hard to find employees, it is especially important that employees can perform value-enhancing tasks instead of routine, repetitive work. Manual controls often need to be performed several times a year, while the task itself is often not complicated and can in most instances be replaced by an automated control. In addition, it is more enjoyable for employees to be able to perform other, value-enhancing tasks instead of control work.

Second, manual controls are much more error-prone than an automated control that is properly implemented in an IT system or application. As external auditors, we often see that manual controls are not implemented timely or correctly, which impacts the quality of data from the client and possibly results in failure to achieve the control objective. Controls that are not executed timely or properly pose a risk for payroll providers, as this indicates less control over the key payroll processes, which may result in findings in the assurance report.

Finally, reducing the workload by implementing less error-prone automated controls also automatically provides an overall cost reduction. Since automated controls eliminate the need to manually execute controls multiple times throughout the year, as well as the need to perform additional work if controls are not executed correctly or in a timely manner, this will result in lower employee and auditing costs. This is also argued by Christiaanse & Hulstijn¹, who note that automated controls make internal controls more effective and increase the quality of evidence, which improves the detection and prevention of risks, which allows for a reduction in audit fees and therefore the costs of control.

Therefore, we advise payroll providers to evaluate their internal control framework and go through the following steps:

  1. Evaluate current manual controls,
  2. Identify opportunities to automate manual controls, and
  3. Make an implementation plan for these controls.

No monitoring on subservice organizations means no control on outsourced processes

One of the first things we noticed in our research is that many payroll providers have identified subservice organizations. Subservice organizations are service organizations used by other service organizations (in this case, the payroll provider) to perform outsourced processes and activities that are related to functions of the overall system of internal control of the service organization. In today's world, these organizations are increasingly being used and relied upon by payroll providers and other sectors, which results in transferring the risks in the ‘chain of organizations’. Therefore, it is important to note that organizations are increasingly relying on subservice organizations and transferring the risk to these organizations as well, while the responsibility to mitigate the risk still lies with the organization itself (and not the subservice organization).

KPMG has identified that the payroll providers use subservice organizations for services such as hosting, payroll or HR services. Using subservice organizations eliminates the need for specialized work to be performed by payroll providers themselves, which provides several benefits such as a decrease in workload. However, it is important to consider that when using subservice organizations, it is still the responsibility of the payroll provider that sufficient controls are implemented to be in control of the services that have now been outsourced to the subservice organization. This is because the payroll provider has a contract with its clients; the subservice organizations do not. Payroll providers often rely upon the controls that are performed at the subservice organization, because the services performed by the subservice organization impact the service organization’s service delivery to their user entities.

However, while KPMG identified that payroll providers use subservice organizations, we noted that only in a few cases were controls identified to monitor these subservice organizations. Such monitoring is required to stay in control, since as an organization you always remain responsible yourself even if a subservice organization is contracted.

Therefore, it is essential to monitor subservice organizations to make sure that they comply with the standards set by the organization. For example, the DNB framework on Outsourcing² provides a solid basis of what controls would be expected in the case of outsourcing to subservice organizations. One of the measures we would expect to see in this regard, for instance, is a review of the assurance report of the subservice organization, rather than just requesting the report without analyzing it in depth. In a review of an assurance report, we advise, as a minimum, taking the following steps:

Payroll providers should carefully consider exactly what services have been outsourced. In a review of an assurance report by the payroll provider, it should be verified that these services are also adequately addressed with control measures in the assurance reports. Additionally, in case of findings/observations on the control measures of the relevant subjects that have been outsourced, the payroll provider needs to check that adequate follow-up has been provided to these findings to mitigate the risks. For payroll providers, it is important to consider that it is vital that these activities are carried out, as otherwise it cannot be determined that the payroll provider is sufficiently in control over the outsourced services.

Insufficient scoping causes key risks to be left uncovered

From our insight into the field of payroll providers, we note that there is a big difference in scope with regard to the assurance reports of payroll providers. Change management and access management are included as standard in the scope of all control frameworks of payroll providers. However, we see that other important key processes are not included in all control frameworks.

As mentioned earlier in this article, we note that “third party management”, which involves implemented controls on behalf of subservice organizations, is not part of all control frameworks, even though all payroll providers have identified subservice organizations. Furthermore, we also note that there is a lack of “data management” controls in the control frameworks of payroll providers. However, having appropriate controls on data management (e.g. data quality controls) is preferable given the high reliance on data as part of the payroll processes. No controls on data quality could result in insufficient data quality for clients and possible non-compliance risk. Therefore, it is highly recommended to include data management controls to remain in control over the completeness, reliability and availability of critical data. Another key process that is essential but does not receive a lot of attention in the assessed control frameworks is the process on “unauthorized and duplicate payments”. Although this is at the core of payroll providers' processes (depending on the contract with the client), we see that only one of all control frameworks viewed has defined controls to mitigate the risk of unauthorized and duplicate payments. Lastly, the same goes for controls on “taxation”. It is essential for payroll providers to maintain proper tax laws and regulations.

For this, controls need to be implemented so that the correct tax is maintained.

Summarizing, when setting up a control framework or re-defining your control framework for next year, we advise re-performing a risk assessment yearly, also considering our insights from the yearly KPMG payroll assurance benchmark.

Summary & conclusions

Based on the aforementioned observations highlighted in this benchmark, it is important that payroll providers, when (re)establishing their control framework, think about their core processes, the risks underlying them and how these risks can be adequately mitigated with control measures. By doing so, a scope can be selected that includes control measures around the key processes of payroll providers, which likely includes controls on unauthorized payments and data management. Furthermore, it is highly recommended that the control framework includes control measures to monitor outsourced services when subservice organizations are used.

When carefully performing an in-depth risk analysis and reconsidering the content of the scope of the control framework, it is important to consider whether controls need to be added or are redundant. Having just the right amount of controls would mean reducing the costs and executing them timely. It is also recommended to consider which manual controls can be substituted by automated controls. By correctly implementing automated controls, the risk of errors is decreased and employees can spend their time performing value-adding tasks instead of performing manual controls.

In sum, in our observations we noted that the current control frameworks of payroll providers offer a robust set of controls, where change management and access management are covered in all reports. Furthermore, we note that all providers have a good set of both preventative and detective controls in place. However, we also note areas of improvement for the assurance reports of payroll providers. Providers could improve the scope of their controls to ensure that all critical processes are covered, automate certain controls to reduce the potential for human errors, and implement better monitoring controls of subservice organizations. Overall, by improving the control framework, payroll providers provide increased assurance to their clients for an accurate, quick and timely payroll service that complies with local regulations, which can ultimately lead to cost savings and improved employee satisfaction. Therefore, payroll providers should continuously assess their control frameworks to identify areas for improvement and implement changes as needed to stay competitive in this industry. The authors in KPMG’s IT Assurance and Advisory services can be your contact persons for further information on how to start with this and how to identify opportunities for automation in the control framework.


¹ AICPA (2016, n.d.). Reporting on Controls at a Service Organization.

² De Nederlandsche Bank (2017, n.d.). Uitbesteding door pensioenfondsen.


Jacco van Kleef

Partner, IT Assurance

KPMG in the Netherlands

Manon van Rietschoten

Senior Manager, IT Assurance

KPMG in the Netherlands

Martina Ghisalberti

Senior Manager, IT Assurance

KPMG in the Netherlands

Milou van Vliet

Senior Consultant, IT Assurance

KPMG in the Netherlands