With the availability of full-service payroll organizations, it can be easy for companies to overlook internal controls surrounding payroll. However, this oversight can be a detriment to many companies, as the ability to commit fraud or the likelihood of uncaught errors can be prevalent within the payroll function.
A 2016 study conducted by the Association of Certified Fraud Examiners found that payroll fraud accounts for approximately 13 percent of all occupational fraud in the U.S., with an average loss of $90,000.
Below are six quick and easy controls that organizations can implement immediately, without adding a significant amount of cost or time.
- Run a change report every pay period. This report will capture anything that has changed from the previous payroll run, and can quickly identify unauthorized pay rate changes, the addition of ghost employees, or direct deposit bank account changes. This report should be run by someone outside of the payroll data entry function, ideally the controller or CFO, or even the CEO in companies with smaller accounting departments. Authorized support should accompany any changes listed in the report. This report may also be helpful in verifying that approved changes are actually reflected in the system (e.g., a terminated employee was appropriately removed and not paid after departure).
- Review the payroll register before and after the information is submitted to the service organization. Oftentimes, the payroll supervisor will review the register before submission, and then the payroll clerk transmits the data and the process is completed. This process allows the payroll clerk to make unauthorized changes after the supervisor has already reviewed the data.
- Automate as much as possible. Many payroll packages now offer an electronic timekeeping module directly in the payroll system. At the end of each week, supervisors can log into the module and approve employee hours, which are then automatically transferred to the payroll processing module. By eliminating the use of manual time cards, organizations reduce the risk of error through data entry, while also making the payroll cycle more efficient. On a sample basis, employee hours can be checked against employment contracts and other personnel files. For instance, a part-time employee who only works three days a week should not typically have 40 hours in the timekeeping software.
- Implement access controls. In addition to providing electronic access into the payroll system, companies should implement physical access controls. Personnel files should be secured in locked cabinets. Additionally, both the Human Resources department and the respective department head should approve all personnel file changes. Check stock and signature stamps, if applicable, should also be secured in locked locations. The check stock should be accessible only to those who are not authorized signers. If this segregation is not practicable, then sequentially pre-numbered payroll checks should be accounted for by someone independent of the payroll preparation process.
- Perform variance analyses regularly. Companies should run payroll variance analyses on a monthly basis, based on disaggregated data by department, function center, or division. These analyses should be run against the budget and prior year, and changes outside expectations should be investigated. Companies can also look at salary per FTE, payroll tax ratios, and employee benefits ratios for any unusual outliers.
- Establish segregation of duties. This control may be the most difficult to implement for smaller organizations. Ideally, different employees should perform the following functions: a) the processing of payroll within the system, b) access and input into the general ledger, c) the maintenance and management of physical personnel files, d) approval of time reporting, and e) the distribution of payroll checks. Sufficiently segregating responsibilities will help to control the risk of unauthorized changes or transactions.
Not all of these controls may make sense for your organization. However, implementing even one or two may effectively mitigate risks in the payroll cycle to an acceptable level.