Global Payroll Compliance Checklist 2026: 50-Point Audit Framework for International HR
· by PayDD Research Team
Why Global Payroll Compliance Has Become a Board-Level Risk
In 2023, the IRS collected $7.2 billion in employment tax penalties from US companies alone. The UK's HMRC issued £700 million in IR35 contractor misclassification penalties. France's URSSAF conducted 13,400 payroll audits, identifying €4.2 billion in underpaid social contributions. Germany's Deutsche Rentenversicherung opened over 9,000 investigations into cross-border employment structures.
These are not outlier events. Global payroll compliance risk has escalated from an HR administrative function to a Board and Audit Committee concern. The driving forces:
1. Digital exchange of financial data: The OECD's Common Reporting Standard (CRS) and US FATCA mean that financial institutions in 100+ countries automatically exchange account holder information with tax authorities. The era of undisclosed offshore payroll structures is over.
2. Gig economy crackdown: Every major economy has tightened enforcement on contractor misclassification since 2018. The economic logic for regulators is simple: reclassifying 100,000 "contractors" as employees in any large country generates billions in social insurance back-payments.
3. Remote work jurisdiction expansion: The COVID-19 pandemic created millions of permanent establishment risks as employees began working from home — in countries where their employer had no legal entity. Many of those arrangements persist.
4. AI-powered audit tools: Tax authorities now deploy machine learning to identify anomalies in payroll data submissions. The threshold for triggering human review has dropped dramatically.
This guide provides a comprehensive checklist for CFOs, heads of HR, and payroll directors managing global workforce compliance. It covers entity structure, social insurance, tax withholding, contractor classification, data privacy, and cross-border special situations.
---
Section 1: Legal Entity and Employment Classification
1.1 Entity Footprint Audit
Before addressing any specific compliance item, you need to understand your company's actual legal exposure:
Action Items:- [ ] Map every country where your employees physically work (not just where contracts are signed)
- [ ] Identify countries where employees work >183 days/year (common tax residency threshold)
- [ ] Review all "remote work from home" arrangements to identify undisclosed jurisdictions
- [ ] Determine in which countries your company has triggered "permanent establishment" (PE) by having employees with authority to sign contracts or regularly habitually working there
A PE is created when a company has a "fixed place of business" or a "dependent agent" with authority to habitually conclude contracts in a country. Even a single employee who:
- Signs contracts on behalf of the company
- Maintains a home office that serves as the company's only presence
- Habitually negotiates the material terms of contracts
| Employee Role | PE Risk Level | Key Indicators |
|---|---|---|
| Local sales/BD representative | HIGH | Authority to sign, regular customer visits |
| Remote software developer | LOW | No customer contact, no contracting authority |
| Country manager | HIGH | Represents company publicly, likely has contracting authority |
| Technical support engineer | MEDIUM | May have authority over service delivery terms |
| Finance controller | MEDIUM | May have banking authority |
1.2 Employment vs. Contractor Classification
The "Economic Reality" Test (Used in Most Jurisdictions)Most employment authorities apply some version of an economic reality or substance-over-form test:
Factors indicating EMPLOYMENT:- Exclusivity (worker earns >70% of income from one client)
- Integration (worker uses client's tools, systems, processes)
- Control (client directs when, where, and how work is performed)
- Continuity (relationship extends over a sustained period)
- Risk bearing (client bears economic risk; worker has no investment risk)
- Multiple clients simultaneously
- Worker provides own tools and methods
- Worker bears risk of profit and loss
- Fixed-project or outcome-based engagement
- Worker sets own hours and location
| Country | Risk Level | Key Rule | Penalty Exposure |
|---|---|---|---|
| China | CRITICAL | STA substance test; SAFE scrutiny | Back social insurance + 50%–500% penalties |
| Brazil | CRITICAL | CLT presumption of employment | Full CLT benefits retroactively + fines |
| France | HIGH | URSSAF: regular + exclusive = employment | 5-year back contributions + penalties |
| UK | HIGH | IR35: intermediary rules for limited companies | PAYE + NI for entire engagement period |
| India | HIGH | Contract Labour Act; PF Act | Back PF + ESI contributions + interest |
| USA | MEDIUM-HIGH | IRS 20-factor test; state rules vary | 100% trust fund penalty for owners |
| Germany | MEDIUM | "Scheinselbständigkeit" (bogus self-employment) | Back Sozialversicherung + criminal liability for willful |
| Australia | MEDIUM | Superannuation Guarantee; multi-factor test | Back super + 25%–200% Superannuation Charge |
Section 2: Social Insurance Compliance
2.1 Jurisdiction-by-Jurisdiction Social Insurance Checklist
China (五险一金 — Five Insurance + Housing Fund)- [ ] Employee registered in the correct city (not EOR headquarters — must be work location)
- [ ] Contribution bases updated per July 1 annual adjustment
- [ ] Housing fund rate documented and consistent (employer = employee rate)
- [ ] Work injury insurance rate reflects actual industry category
- [ ] Foreigner employees: Work permit + separate medical insurance if not enrolled in domestic SI
- [ ] Annual social insurance reconciliation completed
- [ ] Employees earning < ₹15,000/month enrolled in Employees' Provident Fund (EPF); 12% employer + 12% employee
- [ ] Employees earning < ₹21,000/month enrolled in Employees' State Insurance (ESI); 3.25% employer + 0.75% employee
- [ ] Professional Tax (PT) registered and paid in relevant states
- [ ] EPF Universal Account Number (UAN) generated for each employee
- [ ] Annual EPF return filed by April 25
- [ ] FGTS (Fundo de Garantia do Tempo de Serviço): 8% employer, deposited monthly in employee's FGTS account
- [ ] INSS (National Social Security Institute): complex table from 7.5%–14% employee; employer 20% + RAT (occupational risk) + 3rd party contributions
- [ ] 13th Salary (Décimo Terceiro): mandatory, paid in two installments (November 30 and December 20)
- [ ] Vacation pay: 30 days per year + 1/3 additional vacation premium (férias)
- [ ] FGTS annual interest credit: 3% + SELIC rate declared annually
- [ ] PAYE Real Time Information (RTI) submissions to HMRC every pay period
- [ ] Employer NI: 13.8% on earnings above £9,100/year (2024/25)
- [ ] Employee NI: 8% on earnings £12,570–£50,270; 2% above
- [ ] Auto-enrollment pension: qualifying earnings between £6,240–£50,270; minimum 3% employer + 5% employee
- [ ] Construction Industry Scheme (CIS) if applicable
- [ ] IR35 assessment for all off-payroll workers (PSCs)
- [ ] Krankenversicherung (health): ~14.6% split equally; employer pays 7.3% + Zusatzbeitrag
- [ ] Pflegeversicherung (long-term care): 3.4% split; childless employees pay extra 0.6%
- [ ] Rentenversicherung (pension): 18.6% split equally
- [ ] Arbeitslosenversicherung (unemployment): 2.6% split equally
- [ ] Unfallversicherung (accident): 100% employer; rate varies by industry
2.2 Social Insurance for Internationally Mobile Employees
Totalization Agreements:When employees are posted from one country to another, double social insurance coverage can occur. Totalization agreements prevent this by specifying which country's system applies. Key agreements to verify:
| Agreement | Countries | Typical Rule |
|---|---|---|
| US–EU Bilateral Treaties | US + 30 countries | Posted employee: home country SS for up to 5 years |
| EC Regulation 883/2004 | EU/EEA + Switzerland | Home country if posted < 24 months |
| China Bilateral Agreements | China + 11 countries (Germany, Korea, Japan, etc.) | Varies by agreement; verify each case |
---
Section 3: Tax Withholding and Reporting
3.1 Income Tax Withholding Checklist
Withholding Obligations by Situation:| Scenario | Withholding Required | Action |
|---|---|---|
| Local national employed locally | Yes — withhold per local progressive table | Configure payroll system |
| Expat employee | Complex — determine tax residency first | Obtain tax residency certificate |
| Remote worker in non-HQ country | Yes in work country (PE risk also present) | Local payroll registration required |
| Short-term business visitor (<183 days) | Depends on tax treaty | Treaty analysis required |
| Director fees to non-resident | Yes in most jurisdictions | Separate withholding process |
3.2 Annual Reporting Obligations
| Country | Annual Filing | Deadline | Employee Copy |
|---|---|---|---|
| China | 个税汇算清缴 (IIT reconciliation) | June 30 of following year | W-2 equivalent by January 31 |
| USA | W-2 / 1099-NEC | January 31 | Employee copy: January 31 |
| UK | P60 + P11D | July 6 / May 31 | P60 by May 31 |
| Germany | Lohnsteuerbescheinigung | February 28 | Employee copy |
| France | Déclaration annuelle des salaires | January 31 | Employee copy |
| Brazil | DIRF + RAIS | February 28 | INFORME by February 28 |
| India | TDS return (Form 24Q) + Form 16 | May 31 | Form 16 by June 15 |
3.3 Equity Compensation Tax Treatment
Equity awards (RSU, ESOP, stock options) create unique cross-border withholding challenges:
Restricted Stock Units (RSU):- Taxable at vest date: FMV at vest minus any price paid
- Withholding required in the country where employee is resident at vest
- If employee worked in multiple countries during the vesting period, income must be apportioned
- Non-qualified options: taxable at exercise (spread = compensation income)
- Incentive Stock Options (ISO, US only): complex AMT treatment; no withholding at exercise for US tax purposes
- Cross-border ISO: most countries do NOT treat ISOs as incentive options; withholding required at exercise
| Country | RSU Taxation | Option Taxation | Key Risk |
|---|---|---|---|
| China | Vest date; FMV taxed as salary income | Exercise date; spread taxed as salary | Must inform EOR/payroll provider in advance |
| USA | Vest date (NQ RSU); ordinary income | Exercise (NQ) or AMT (ISO) | State income tax varies significantly |
| UK | Vest date for unapproved; CSOP/SAYE exempt | CSOP/EMI: CGT on gain | EMI approval required in advance |
| Germany | Vest date; Lohnsteuer applies | Exercise; Lohnsteuer | No beneficial equity plan |
| France | Complex: BSPCE, AGA plans partially exempt | Startup equity favorable under BSPCE | Approval required for BSPCE |
Section 4: Data Privacy and Cross-Border Transfer Compliance
4.1 Payroll Data Sensitivity Classification
Employee payroll data is among the most sensitive personal information a company processes:
Tier 1 — Core Identity (highest sensitivity):- National ID numbers, Social Security numbers, tax identification numbers
- Bank account details
- Biometric data (if used for attendance)
- Salary details, bonus information, equity awards
- Performance-linked pay data
- Attendance records
- Expense claims
- Leave balances
4.2 GDPR Compliance Checklist (EU/UK)
- [ ] Lawful basis established for payroll data processing (typically "legal obligation" or "contractual necessity")
- [ ] Data Processing Agreement (DPA) signed with all payroll processors and service providers
- [ ] Standard Contractual Clauses (SCCs) in place for data transfers outside EU/UK
- [ ] Records of Processing Activities (ROPA) updated to include payroll data flows
- [ ] Employee privacy notice includes payroll data processing description
- [ ] Retention policy defined (UK: payroll records 3 years; Germany: 10 years; France: 5 years)
- [ ] Data breach notification process includes payroll system breach scenario
4.3 China PIPL Compliance Checklist
The Personal Information Protection Law (PIPL, effective November 2021) applies to all employee data processed in China:
- [ ] Employee consent obtained specifically for cross-border data transfer (if applicable)
- [ ] Standard contract with CAC filing in place, OR security assessment completed (if transferring >100,000 individuals' data)
- [ ] Data stored on servers physically located within China
- [ ] Data inventory completed for all employee data categories
- [ ] Retention schedule aligned with PIPL requirements
- [ ] HRIS system vendor assessed for PIPL compliance
- [ ] Employee privacy notice updated to include PIPL-specific disclosures
4.4 Other Jurisdictions
India (PDPB / DPDPA 2023):- Digital Personal Data Protection Act (2023) now governs personal data
- Employee consent required for processing personal data beyond "legitimate uses"
- Cross-border transfer permitted to "notified countries" (list being established)
- Significant financial penalties (up to ₹250 crore per incident)
- Lei Geral de Proteção de Dados modeled on GDPR
- DPA required with all payroll processors
- Encarregado de Dados (Data Protection Officer) appointment required for many employers
- Cross-border transfer: adequacy decision, contractual clauses, or ANPD authorization
Section 5: Cross-Border Special Situations
5.1 Business Travelers and Short-Term Assignments
Business travelers create payroll complexity when:
- They accumulate >183 days in a country (triggering tax residency)
- They have "signature authority" in the host country (PE risk)
- Their home country does not have a tax treaty with the host country
- [ ] Deploy travel tracking system to monitor country-day counts per employee
- [ ] Establish 120-day warning threshold (before reaching 183-day limit)
- [ ] Define business traveler policy including prohibited activities (contract signing)
- [ ] Coordinate with immigration compliance (business visas vs. work visas)
5.2 Remote Work Across Borders
The post-COVID proliferation of remote work across borders has created a systemic compliance gap for many companies:
Compliance risks created by cross-border remote work:1. Tax registration obligation: Employee working from Country B for Employer in Country A may create registration requirements in Country B 2. Social insurance gap: Some countries require social insurance registration even for short-term presence 3. Employment law applicability: Local employment law protections may apply regardless of contract choice of law 4. Data sovereignty: Employee may be processing company data under Country B's data laws
Remote Work Policy Framework:For companies with frequent cross-border remote work arrangements:
1. Require advance notification (minimum 30 days) for work outside home country 2. Define approved vs. unapproved countries (based on compliance complexity and tax treaty coverage) 3. Establish maximum permitted days per country per year 4. Engage payroll provider to assess each country's specific requirements 5. Document arrangements for audit trail purposes
5.3 Secondment and Expatriate Payroll
Long-term international assignments (>12 months) typically require:
Pre-Assignment:- Tax equalization policy defined (host-based vs. home-plus vs. balance sheet)
- Social insurance routing determined (CoC obtained or host country enrollment initiated)
- Assignment letter covering: assignment duration, compensation structure, relocation assistance, repatriation conditions
- Hypothetical tax calculation completed
- Dual payroll (split between home and host entity) configured where required
- Tax return preparation in both jurisdictions
- Notional pay calculation for hypothetical tax deductions
- Annual cost projection report for finance
- Repatriation tax counseling (returning employees often face tax liabilities from foreign-source income not previously reported)
- Social insurance continuity verification
- Benefits enrollment restoration
Section 6: Audit Readiness
6.1 Documentation Standards
Regulators conducting payroll audits will typically request:
Employment Documentation:- Signed employment contracts (all revisions)
- Job descriptions used for classification decisions
- Evidence of regular salary reviews
- Offer letters for all employees
- Monthly payslips with gross-to-net calculations
- Attendance and leave records
- Payroll journals reconciled to general ledger
- Bank transfer records confirming payment amounts and dates
- Monthly IIT/withholding tax filings
- Annual tax returns submitted
- Employee self-filing confirmation records
- Monthly contribution submissions with receipts
- Annual contribution base adjustment documentation
- Employee enrollment certificates
6.2 The 3-Year Audit Trigger Matrix
Tax and labor authorities prioritize audits based on risk signals. Reduce your risk profile by addressing:
| Risk Signal | Mitigation |
|---|---|
| High contractor-to-employee ratio | Document business reasons for each contractor engagement |
| Significant growth in headcount without proportional social insurance increase | Ensure every new hire is enrolled same day |
| Cross-border payments to individuals in non-treaty countries | Obtain withholding tax rulings before payment |
| Discrepancy between reported payroll and bank statement outflows | Reconcile monthly; document timing differences |
| Prior year audit findings unresolved | Implement remediation with documented completion dates |
Section 7: Technology and Process Infrastructure
7.1 Payroll Technology Checklist
A compliant global payroll infrastructure requires:
- [ ] Payroll system with multi-country support: Either global platform (Workday, SAP, Oracle) or regional platforms with API integration
- [ ] Tax engine with real-time rate updates: Configuration should auto-update for legislative changes (e.g., China July 1 social insurance base update)
- [ ] Audit trail: All payroll changes logged with timestamp and user ID; immutable records
- [ ] HRIS integration: Single source of truth for employee master data; no manual re-entry
- [ ] Bank account validation: API-based account verification before first payment
- [ ] Sanctions screening: OFAC/EU sanctions check on all payees
- [ ] Payslip delivery: Secure employee self-service portal; not email attachment
- [ ] Reconciliation: Auto-reconciliation of payroll output against GL postings
7.2 Process Segregation of Duties
Minimum internal controls for payroll:
| Function | Control |
|---|---|
| Employee master data changes | Different person from payroll processor |
| Payment approval | Finance approver separate from payroll preparer |
| Bank account changes | Dual approval + email confirmation to employee |
| New hire setup | HR authorization required before payroll setup |
| Payroll journal posting | Finance team, not payroll team |
Conclusion: From Checklist to Continuous Compliance
Global payroll compliance is not a one-time audit exercise. It is a continuous operational capability that requires investment in three areas: technology (systems that keep pace with regulatory change), people (compliance expertise in key jurisdictions), and process (documented, controlled, auditable workflows).
The checklists in this guide represent the minimum baseline. The companies that avoid material compliance events are those that treat payroll compliance as a strategic capability — not a back-office function.
For companies expanding globally without the resources to build this infrastructure internally, EOR (Employer of Record) and managed payroll providers like PayDD can take on the compliance burden in covered markets. PayDD's infrastructure covers China, with T+0 settlement, full social insurance management, PIPL-compliant data handling, and IIT annual reconciliation support from $79/month per employee.
[Download our compliance checklist as a PDF →] | [Talk to a global payroll specialist →]