
A Trustee's Guide to Data Security in Payroll Compliance Audits


Multiemployer benefit plans conduct payroll compliance audits to ensure employer compliance with the contribution requirements of the plan. During a payroll compliance audit, the payroll auditor receives confidential information from the plan administrator and employer and provides a report to the trustees. In an era where identity theft poses a significant problem for consumers and businesses, it is extremely important to protect this sensitive data. As fiduciaries, trustees of multiemployer benefit plans should require their payroll compliance auditor to receive and store participants' confidential data securely.



Payroll compliance audit data and documentation is regularly received electronically. A payroll compliance auditor should require that security measures are in place before accepting records. The following strategies may be used to ensure security for data transmission:

·       Redacting - A simple approach to protecting Social Security numbers by masking all but the last four digits of each number (e.g., xxx-xx-1234). Redaction should always be used when sending unencrypted e-mail or regular mail, such as a payroll audit report. Unfortunately, redaction alone can be insufficient when working with a large volume of records.

·       On-Demand File and E-mail Encryption - A service that integrates with e-mail software such as Microsoft Outlook for organizations that need to easily and securely transmit confidential information via e-mail.

·       Secure FTP - A relatively inexpensive solution that allows administrators to upload data from their systems and make it safely available through the Internet. These services also provide encryption and password protection.
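The redaction strategy above, and the later question of whether an auditor's reports disclose full Social Security numbers, both come down to the same two operations: masking every Social Security number in a document down to its last four digits, and checking a document for unmasked numbers before it goes out by e-mail or regular mail. The following Python example is added here to illustrate those two operations; it is not code from Lindquist LLP or from the original article. It assumes the common layouts of a Social Security number in payroll records (123-45-6789, 123 45 6789 and the unseparated 123456789), and the sample report text is constructed for the example.

```python
import re

# Matches the Social Security number layouts that turn up in payroll records:
# 123-45-6789, 123 45 6789 and the unseparated 123456789. The backreference
# \2 requires the same separator between both pairs of groups, and the word
# boundaries keep the pattern from firing inside longer digit runs such as
# plan account numbers. (Assumption: any standalone nine-digit run in these
# layouts is treated as a Social Security number.)
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})\2(\d{4})\b")


def _mask(match: re.Match) -> str:
    """Replace a matched number with xxx-xx-1234 style, keeping its separator."""
    sep = match.group(2)
    return f"xxx{sep}xx{sep}{match.group(4)}"


def redact_ssns(text: str) -> str:
    """Mask all but the last four digits of every Social Security number in text."""
    return SSN_RE.sub(_mask, text)


def find_unredacted_ssns(text: str) -> list[str]:
    """Return every full Social Security number still present in text.

    Intended as a pre-send check: an empty list means the document carries
    no unmasked numbers in the layouts above.
    """
    return [m.group(0) for m in SSN_RE.finditer(text)]


def safe_to_send(text: str) -> bool:
    """True when a report contains no unmasked Social Security numbers."""
    return not find_unredacted_ssns(text)


# Constructed sample of the kind of text found in a payroll audit work paper.
SAMPLE_REPORT = """Employee: J. Doe   SSN: 123-45-6789   Hours: 160
Employee: R. Roe   SSN: 987654321   Hours: 152
Plan account 5550001234, invoice 2023-00041
"""

if __name__ == "__main__":
    print("Unmasked numbers found:", find_unredacted_ssns(SAMPLE_REPORT))
    redacted = redact_ssns(SAMPLE_REPORT)
    print(redacted)
    print("Safe to send after redaction:", safe_to_send(redacted))
```

Running the block on the sample masks the two Social Security numbers to xxx-xx-6789 and xxxxx4321 while leaving the ten-digit account number and the invoice number untouched, and the pre-send check then reports the redacted text as safe. A check of this kind belongs at the point where a report or e-mail is about to leave the auditor's systems, so that a full number never travels unencrypted by accident.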

Most field payroll auditors travel for days or weeks at a time to various employers, performing testing on a firm-issued laptop. Laptops carried on road and air travel are prime targets for theft, and with them the participant data that can be used for identity theft.

A plan's payroll compliance auditor should use a combination of the following precautionary measures:

·       Physical Security - Security cables should be used for laptops stationed in offices. Offices should be secured to prohibit unauthorized access. Laptops should never be left unsecured in vehicles or checked with airline baggage.

·       Intelligent Data Encryption - Software that allows the firm to automatically encrypt all data files on a laptop and lock data access after unsuccessful logon attempts.

·       Data Elimination - Software that can automatically erase laptop data in the event that a laptop is reported lost or stolen. Use of data elimination software should be combined with online backup services in order to retain all of the work performed in the event that laptop data must be destroyed.

·       Online Backup Service - Allows the payroll compliance auditor to configure periodic backups of laptop data to secure servers. Data can be retrieved, even in the event of a stolen laptop.

If you, as a trustee, want "peace of mind" over the data security issues of your plan's payroll compliance program, ask your service providers the following questions:

·       What data security measures are used by payroll compliance auditors on laptops and computer systems? Do they have and use up-to-date technology?

·       Does the payroll compliance auditor disclose full Social Security numbers in payroll audit reports?

·       How does the plan administrator make participant data available to the payroll compliance auditor? What procedures does the administrator use to ensure data is sent securely and confidentially?

·       Do the plan payroll compliance auditor and plan administrator distribute participant data through e-mail? What data security measures are used in conjunction with e-mail distribution?

Trustees should be confident that the plan's payroll compliance auditor is using proper security measures with participant data. There is no other way to diminish the risk of having to inform participants that their personal information has been compromised.

Tim Hallenbeck is a payroll compliance manager in Lindquist LLP's San Ramon office. He has been with the Firm since 2003. Tim supervises and reviews the work of the senior and staff compliance auditors assigned to the trusts he manages. He has helped to develop department training programs and re-design Lindquist LLP's customized payroll compliance tracking systems. Contact Tim at (925) 277-9100 or thallenbeck@lindquistcpa.com with questions or comments.
