Internal Controls on Payroll

Internal control procedures, the practices and guidelines a business follows to protect its resources, are especially important when recording, preparing and distributing the payroll. Having proper procedures in place protects the company's assets by reducing the risk of fraud and eliminating errors. According to the Risk Unit of Marquette University, inadequate segregation of duties is the university's most common audit finding. This improper separation of duties involving payroll tasks leads to a higher risk of loss through fraud and negligence.

Segregation of Duties

Four categories of tasks involved in payroll -- hiring and advancing personnel, recording and maintaining accurate time sheets, preparing payroll and paying employees and payroll taxes -- should be segregated by departments or individuals responsible, if possible. In addition, designating a member of management for periodic review of company bank records pertaining to the payroll can further ensure proper payroll records and reduce the risk of fraud. Maintaining a separate bank account for payroll alone reduces the amount of company assets at risk and makes it easier to audit.

For smaller companies that lack a sufficiently large staff to separate payroll responsibilities, the business owner or a trusted manager should oversee the payroll process from beginning to end. If this is too time consuming to be performed each payroll period, regular yet random and thorough inspections should be conducted.

Human Resources

Authorization to pay an employee by the human resources department protects the business from fraud by reducing and eliminating the possibility of fictitious or terminated employees continuing to be on the payroll. The HR or personnel department should maintain updated employee records at all times that reflect the rate of pay each employee receives and any benefits provided.

Recording Time Worked

Time sheets or time cards should be signed by the employee; then reviewed, approved and signed by a supervisor when applicable. Time off or unpaid absences should be reflected on the appropriate time sheet. Approve overtime before the fact. In addition, an employee should not have access to his time sheet once a supervisor has approved and signed the record for the payroll preparer.

Preparing Payroll

As a further control procedure, the person or persons in charge of preparing payroll who are calculating the compensation owed to each employee should not have authorization to sign time sheets or issue paychecks. During the preparation of payroll, FICA or Social Security and income taxes and other deductions such as insurance are figured in, and final dollar amounts for salaries and wages should be then sent to the department or person in charge of issuing checks to employees and paying payroll taxes.

Paying Employees and Payroll Taxes

When feasible, internal control procedures in payroll should require that the person or persons permitted to pay employees and payroll taxes not have unauthorized access to human resource records, time sheets and payroll preparation materials. In small companies in which this is not feasible, the owner or upper management should authorize all checks or designate two trusted employees to have control of authorization, requiring both signatures for authorization.

Also consider using a selection of the following controls for nearly all payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit

Have either internal auditors or external auditors conduct a periodic audit of the payroll function to verify whether payroll payments are being calculated correctly, employees being paid are still working for the company, time records are being accumulated properly, and so forth.

Change Authorizations

Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Otherwise, there is no proof that the employee wanted a change to be made. The same control applies for any pay rate changes requested by a manager.

Change Tracking Log

If you are processing payroll in-house with a computerized payroll module, activate the change tracking log and make sure that access to it is only available through a password-protected interface. This log will track all changes made to the payroll system, which is very useful for tracking down erroneous or fraudulent entries.

Error-checking Reports

Some types of payroll errors can be spotted by running reports that only show items that fall outside of the normal distribution of payroll results. These may not all indicate certain errors, but the probability of underlying errors is higher for the reported items. The payroll manager or a third party not involved in payroll activities should run and review these reports.

Expense Trend Lines

Look for fluctuations in payroll-related expenses in the financial statements, and then investigate the reasons for the fluctuations.

Issue Payment Report to Supervisors

Send a list of payments to employees to each department supervisor, with a request to review it for correct payment amounts and unfamiliar names. They may identify payments being made to employees who no longer work for the company.

Restrict Access to Records

Lock up employee files and payroll records at all times when they are not in use, to prevent unauthorized access. Use password protection if these records are stored on line. This precaution is not just to keep someone from accessing the records of another employee, but also to prevent unauthorized changes to records (such as a pay rate).

Payroll Calculation Controls

The following list of possible controls address such issues as missing timesheets, incorrect time worked, and incorrect pay calculations. They are:

Automated Timekeeping Systems

Depending on the circumstances, consider installing a computerized time clock. These clocks have a number of built-in controls, such as only allowing employees to clock in or out for their designated shifts, not allowing overtime without a supervisory override, and (for biometric clocks) eliminating the risk of buddy punching. Also, you should send any exception reports generated by these clocks to supervisors for review.

Calculation Verification

If you are manually calculating payroll, then have a second person verify all calculations, including hours worked, pay rates used, tax deductions, and withholdings. A second person is more likely to conduct a careful examination than the person who originated the calculations.

Hours Worked Verification

Always have a supervisor approve hours worked by employees, to prevent employees from charging more time than they actually worked.

Match Payroll Register to Supporting Documents

The payroll register shows gross wages, deductions, and net pay, and so is a good summary document from which to trace back to the supporting documents for verification purposes.

Match Time Cards to Employee List

There is a considerable risk that an employee will not turn in a timesheet in a timely manner, and so will not be paid. To avoid this problem, print a list of active employees at the beginning of payroll processing, and check off the names on the list when you receive their timesheets.

Overtime Worked Verification

Even if you do not require supervisors to approve the hours worked by employees, at least have supervisors approve overtime hours worked. There is a pay premium associated with these hours, so the cost to the company is higher, as is the temptation for employees to claim them.

Pay Change Approval

Consider requiring not just one approval signature for an employee pay change, but two signatures – one by the employee’s supervisor, and another by the next-higher level of supervisor. Doing so reduces the risk of collusion in altering pay rates.

Check Payment Controls

When you pay employees with checks, several controls are needed to mitigate the risks of fraud and various errors. Key controls are:

Update Signature Authorizations

When check signers leave the company, remove them from the authorized check signer list and forward this information to the bank. Otherwise, they could still sign company checks.

Hand Checks to Employees

Where possible, hand checks directly to employees. Doing so prevents a type of fraud where a payroll clerk creates a check for a ghost employee, and pockets the check. If this is too inefficient a control, consider distributing checks manually on an occasional basis.

Lock up Undistributed Paychecks

If you are issuing paychecks directly to employees and someone is not present, then lock up their check in a secure location. Such a check might otherwise be stolen and cashed.

Match Addresses

If the company mails checks to its employees, match the addresses on the checks to employee addresses. If more than one check is going to the same address, it may be because a payroll clerk is routing illicit payments for fake employees to his or her address.

Payroll Checking Account

You should pay employees from a separate checking account, and fund this account only in the amount of the checks paid out. Doing so prevents someone from fraudulently increasing the amount on an existing paycheck or creating an entirely new one, since the funds in the account will not be sufficient to pay for the altered check.

You may find that several controls buttress each other, so that there are overlapping effects resulting from multiple controls. In these cases, you may be able to safely eliminate a few controls, knowing that other controls will still mitigate the risk of loss.