You get the notice in the mail. IRS. Department of Labor. State employment agency. Doesn’t matter who—your stomach drops either way. You’ve got a PEO handling payroll and compliance, so they’ll deal with this, right?
Not necessarily.
The co-employment arrangement that makes PEOs work also creates a gray area when auditors come calling. You signed a contract that transferred certain employer responsibilities, but agencies don’t always care what your contract says. They pursue whoever controlled the actual work, made the actual decisions, or created the actual exposure. Sometimes that’s the PEO. Often, it’s you. And occasionally, it’s both of you pointing at each other while an auditor waits for answers.
This isn’t about whether PEOs provide value—they do. It’s about understanding exactly where their audit defense responsibilities end and yours begin, so you’re not caught unprepared when it matters most.
Why Co-Employment Creates Audit Confusion in the First Place
Co-employment sounds clean on paper. The PEO becomes the employer of record for tax and benefits purposes. You remain the employer for operational purposes. Payroll, compliance filings, benefits administration—that’s them. Hiring, firing, scheduling, job duties—that’s you.
But audits don’t respect those neat boundaries.
When the IRS audits payroll tax filings, they’re looking at the PEO’s records under the PEO’s EIN. That’s especially true if you’re working with an IRS-certified PEO (CPEO), which assumes federal employment tax liability on your behalf. In that scenario, the CPEO is on the hook for wage tax obligations, and you get liability relief that non-certified PEOs can’t provide.
Sounds great. Until the Department of Labor shows up asking why three employees were misclassified as exempt, or why overtime wasn’t calculated correctly for the past two years.
That’s an operational compliance audit. And operational decisions—who works when, how jobs are classified, what duties people actually perform—those stayed with you. The PEO processes payroll based on the information you provide, but they don’t control whether that information reflects legal reality.
The distinction that matters: administrative defense versus operational defense.
Administrative defense covers documentation, filings, and records that the PEO manages directly. They respond to IRS notices about W-2 discrepancies. They provide 941 reconciliation. They handle workers’ comp premium audits because they control the policy and classifications.
Operational defense covers decisions you made about how work gets done. Job classifications. Overtime calculations. Meal break compliance. Workplace safety protocols. The PEO didn’t make those calls—you did. And when an agency investigates those areas, the audit lands on your desk, not theirs.
The confusion happens because many business owners assume the PEO’s compliance support extends to operational decisions. It doesn’t. It can’t. They’re not on your worksite. They don’t manage your supervisors. They don’t know whether your “administrative assistant” spends 60% of their time doing actual administrative work or running the sales floor.
That’s why agencies often pursue the worksite employer first, even when a PEO is involved. You controlled the work. You made the classification. You set the schedule. The fact that someone else processed payroll doesn’t change who created the exposure.
What Your PEO Actually Handles When Auditors Show Up
Let’s start with what PEOs are genuinely built to defend: the administrative side of employment.
Payroll tax audits: If the IRS sends a notice questioning payroll tax filings, your PEO owns the response. They filed the 941s under their EIN (or yours, depending on the arrangement). They issued the W-2s. They maintain the wage records. When the IRS wants documentation proving that payroll taxes were calculated and deposited correctly, the PEO provides it.
For certified PEOs, this protection runs deeper. CPEOs assume federal employment tax liability, which means the IRS holds them responsible for unpaid taxes—not you. That’s a meaningful shift in risk. Non-certified PEOs process your payroll and handle filings, but ultimate tax liability stays with you if something goes wrong. Understanding the CPEO vs PEO distinction matters when evaluating your actual protection level.
Either way, the PEO responds to the audit. You’re not digging through payroll registers or reconciling quarterly deposits. That’s their domain.
Workers’ comp audits: Your PEO manages the workers’ comp policy, assigns classification codes, and handles premium audits when the carrier reviews payroll to adjust rates. If the auditor questions whether your warehouse workers should be coded differently, the PEO defends that classification.
But here’s the catch: they need you to provide accurate job descriptions. If your employees’ actual duties don’t match what the PEO coded them as, that’s a problem you created. The PEO can defend the classification they assigned based on the information you gave them. They can’t defend a classification that was wrong from the start because you described the job inaccurately.
Benefits audits: If your health plan faces an ERISA audit or the IRS questions ACA compliance, the PEO typically handles plan documentation and Form 5500 filings. They manage the benefits platform, track eligibility, and maintain records showing who was offered coverage and when.
That said, fiduciary responsibility under ERISA can be shared or retained depending on how your plan is structured. Some PEOs act as the plan sponsor and assume fiduciary duties. Others administer the plan while you remain the fiduciary. If you’re still a fiduciary, you retain certain legal obligations even though the PEO handles day-to-day administration. That distinction matters if the DOL investigates plan management or participant communications.
The pattern here: PEOs defend what they control and document. Tax filings, benefits administration, workers’ comp policies—those are systems they run. They have the records. They know the compliance requirements. They respond to audits in those areas because they own the process.
But they don’t own your operational decisions. And that’s where most audits targeting worksite employers actually focus.
Where You’re Still Fully Exposed
Now for the uncomfortable part: the audits that land squarely on you, regardless of what your PEO contract promises.
DOL wage and hour investigations: The Department of Labor doesn’t care that you have a PEO. When they investigate Fair Labor Standards Act (FLSA) compliance, they’re looking at who controlled work schedules, who decided which employees were exempt, and who made the call on how overtime gets calculated.
That’s you.
Your PEO processes payroll based on hours you report and classifications you assign. They’re not on your floor watching whether your “managers” spend their time doing actual managerial work or just running a cash register with a fancier title. They’re not reviewing whether your salaried employees actually meet the duties test for exemption.
If the DOL finds misclassification, you’re liable. If they find unpaid overtime, you’re liable. If they find recordkeeping violations, you’re liable. The PEO might help you pull payroll records, but they’re not defending your classification decisions—they didn’t make them. Understanding what HR compliance protection actually covers helps set realistic expectations.
OSHA and workplace safety audits: Your site. Your equipment. Your safety protocols. Your liability.
OSHA citations go to the employer who controls the worksite. That’s you, not the PEO. If an inspector finds inadequate fall protection, missing lockout/tagout procedures, or improper hazard communication, you’re the one receiving the citation and paying the penalty.
Your PEO might provide safety training resources or help you develop an injury and illness prevention program. But they’re not managing your day-to-day safety compliance. They’re not conducting your worksite inspections. They’re not ensuring your supervisors enforce PPE requirements.
When OSHA shows up, the PEO isn’t showing up with them.
State-specific employment law audits: This is where things get messy fast, because state employment laws vary wildly and most PEOs can’t possibly track operational compliance across every jurisdiction.
California meal and rest break compliance? That’s on you. You control schedules and break policies. Seattle predictive scheduling laws? You decide when shifts get posted and changed. New York wage theft prevention notices? You’re the one who needs to provide them at hire and annually.
PEOs can offer guidance and provide template policies, but enforcing those policies day-to-day is your responsibility. If your state audits meal break compliance and finds violations, the PEO didn’t create that exposure—you did, by not managing breaks properly.
The common thread: operational decisions stay with the worksite employer. The PEO can’t defend choices they didn’t make and behaviors they didn’t control.
What Your PEO Contract Actually Says About Audits
Most business owners don’t read the audit defense section of their PEO contract carefully until an audit happens. By then, it’s too late to negotiate.
Here’s what to look for before you sign.
Indemnification clauses: These define who’s financially responsible if an audit results in penalties or back payments. Some PEO contracts indemnify you for payroll tax errors they made. Others include broad carve-outs that leave you holding the bag if the underlying issue traces back to information you provided.
Pay attention to the exceptions. If the contract says the PEO indemnifies you “except for errors resulting from client-provided information,” that’s a wide opening. Nearly every payroll tax issue can be traced back to something you reported—hours worked, employee classifications, wage rates.
Cooperation requirements: Most contracts require you to cooperate with audit defense efforts. That sounds reasonable until you realize “cooperation” often means dropping everything to gather records within 48 hours, making employees available for interviews, or providing documentation the PEO should have maintained.
Look for specifics. Does the contract define response timelines? Does it specify what records you’re required to maintain versus what the PEO maintains? If it just says “client agrees to provide reasonable assistance,” that’s vague enough to become a problem.
Document retention commitments: Who’s responsible for keeping what, and for how long? Your PEO should maintain payroll records, tax filings, and benefits documentation. But I-9s, job descriptions, performance reviews, accommodation requests, safety logs—those typically stay with you.
If the contract doesn’t clearly delineate document retention responsibilities, you’re both going to assume the other one has it. That assumption fails the moment an auditor requests something neither of you kept. Review the audit trail requirements your provider should be meeting.
Questions to ask before signing: Who pays for audit defense costs if the issue falls in a gray area? What’s the escalation process if an audit notice arrives? Do they have dedicated compliance staff, or is “audit support” just a sales rep forwarding your email to the payroll team?
The best PEO contracts include defined response protocols, clear divisions of responsibility, and access to actual compliance professionals—not just customer service reps reading from scripts. A thorough contract negotiation process addresses these issues upfront.
The worst contracts bury vague language that sounds protective but leaves you exposed when it matters.
Building Your Own Audit Defense Posture
Even with a great PEO, you need your own audit-ready infrastructure. Agencies don’t wait for you to coordinate with your PEO. They expect immediate responses and complete records.
Records you must maintain independently: I-9 forms (kept for three years after hire or one year after termination, whichever is later). Job descriptions that accurately reflect actual duties, not aspirational titles. Time records showing when employees worked, when they took breaks, and how overtime was calculated. OSHA logs (required for five years). Documentation of accommodation requests and interactive process steps.
Yes, your PEO has payroll records. But when the DOL shows up asking how you determined someone was exempt, they want to see the job description and the duties analysis—not just the pay stub. When OSHA investigates an injury, they want your logs and incident reports, not payroll data.
Keep these records accessible and organized. Don’t assume your PEO has them just because they handle payroll. Understanding how to document your PEO accounting policies creates a foundation for organized recordkeeping.
Create a response protocol: Decide now who internally coordinates with the PEO when an audit notice arrives. Who speaks to auditors? Who gathers documentation? How do you hand off information between your team and the PEO without gaps or delays?
The businesses that handle audits smoothly have a clear chain of command. Someone owns the relationship with the PEO. Someone else owns internal recordkeeping. They know how to work together before the pressure hits.
The businesses that struggle treat every audit as a surprise fire drill, with no one sure who’s supposed to do what.
Run an annual audit prep review: Once a year, reconcile your records with what the PEO has on file. Review employee classifications to make sure they still match actual duties. Update job descriptions when roles change. Check that your internal time records align with what the PEO processed.
This isn’t about distrusting your PEO. It’s about catching discrepancies before an auditor does. If your records show an employee working 50 hours but the PEO only processed 40, that’s a problem you want to find during an internal review—not during a DOL investigation. Consider the internal audit considerations that protect your business proactively.
Treat this like an insurance policy. You’re paying for a PEO to reduce compliance risk, but you’re also building your own safety net in case something slips through.
The Real Takeaway on PEO Audit Defense
A PEO reduces your audit exposure in specific areas. Payroll tax compliance. Benefits administration. Workers’ comp management. Those are real, meaningful protections.
But a PEO doesn’t eliminate your responsibility for operational decisions. How you classify employees, manage schedules, maintain workplace safety, and comply with state-specific employment laws—that’s still yours. An audit in any of those areas lands on your desk, not the PEO’s.
The businesses that fare best treat the PEO as a partner, not an insurance policy. They know what’s covered, they document what isn’t, and they build the relationship before an audit letter arrives. They don’t assume the PEO will handle everything, and they don’t wait until an auditor is asking questions to figure out who owns what.
Read your contract. Understand the indemnification terms. Maintain your own records. Build a response protocol. Review your posture annually.
Because when an audit happens—and eventually, one will—you want answers ready, not excuses about coordination delays or missing documentation.
Before you sign that PEO renewal, make sure you’re not leaving money on the table. Many businesses unknowingly overpay because of bundled fees, hidden administrative markups, and contracts designed to limit flexibility. We give you a clear, side-by-side breakdown of pricing, services, and contract terms—so you can see exactly what you’re paying for and choose the option that truly fits your business.