You may already have an HCM solution and are reviewing your requirements annually. Or, you may be evaluating a new solution. Ensuring you include a review of the solution's capabilities to meet your organization's compliance and audit requirements is necessary. Your chosen solution should help your organization enable compliance, mitigate compliance risks, and support the ability to perform data audits to meet compliance standards.
How do compliance requirements vary?
If you have never reviewed compliance requirements, it is essential to keep in mind that these vary among organizations and depend upon various factors. Examples of these factors, which govern the depth to which compliance and audit requirements need to be addressed, include:
Countries in which the organization operates (Canada, U.S., or internationally),
Structure of the organization as a private or public corporation,
Industry and nature of the organization's business,
Types of information systems and business solutions in place and
Delivery platforms on which those systems are implemented and maintained.
Here is a list of Compliance and Audit requirements for HR/Payroll and Reporting that you should use to ensure your organization is covered from all legal standpoints:
HR and Payroll Legislation audit requirements:
Requirements to satisfy Canadian and US taxation authorities, to fully accommodate the country-specific tax computations and filing (TD1s and W4s) and all HR legislative and compliance requirements.
HR compliance for local, provincial, state, and federal requirements is achieved through depth of functionality, access to reliable and accurate data, and integration among HR-supporting solutions.
Employee benefit support provisions and legislative requirements concerning open enrollment, COBRA, and HIPAA programs.
Support for the US Immigration and Naturalization Service's requirement to complete an I-9 (Employment Eligibility Verification) Form by a hired employee.
Support for the provisions of the ADA(Americans with Disabilities Act) in the US relative to job application procedures and privileges of hiring, employment, advancement, and training.
Employment Equity (Canadian) to support compliance reporting, including the identification of gender, persons with disabilities, Aboriginal people, and members of visible minorities.
Equal Employment Opportunity (EEO – US) includes company employment data categorized by race and ethnicity, age, gender, persons with disabilities, and job category.
Audit reporting capability for data input changes, including user-defined parameters for date ranges, old and new values, change dates, and user IDs among changed records.
Audit reporting of user system log-ins, all transaction activity, and system exits.
It would help if you worked closely with your IT and Finance Department and inquired with your vendor about the extent of their technical standards, compliance and audit provisions, and security. Items of interest to cover in your detailed review should include:
Security, data privacy, and verification of the vendor's audit controls, compliance levels, and standards within their operations.
Disaster recovery sites and business continuity safeguards for their customers.
Physical and environmental security provisions exist within the vendor's hosting facilities.
What specific certifications and audits may they subscribe to, and to what frequency are they conducted to ensure active compliance?
What type of audit report may be available from the vendor (i.e., SAS 70 or SSAE16), what is included in the report, and how frequently is that report made available to the customer if required?
Compliance of the vendor with your organization's application development standards for any customization work or professional services that may be required.
Compliance with service and support for your organization, the accessibility of the vendor, service response, and levels to which support is included within the service agreement
Organizations that select and implement solutions that do not comply with their organizational standards or those of the governing bodies within their obligation may be the focus of unwanted challenges that include, for example:
Financial penalties and fines for non-compliance with tax filing, auditing, and government reporting requirements.
Lost business opportunities that have been forfeited to your competitors, which are compliant.
Corrupt or missing data among systems not structured within a compliant and regularly-audited framework surrounding development, service, and support.
Business disruption, or closure, through system failure or inadequate support and infrastructure to recover from disaster.
The compliance and audit-related requirements will vary among organizations. While the list of compliance items above is not exhaustive, and not all of these may apply to your organization specifically, ensure that a comprehensive review of compliance and audit requirements is not glossed over within your HCM solution review process.