General Payroll Controls
Consider using a selection of the following controls for nearly all payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:
- Audit. Have either internal or external auditors conduct a periodic audit of the payroll function to verify whether payroll payments are being calculated correctly, employees being paid are still working for the company, time records are being accumulated properly, and so forth.
- Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Otherwise, there is no proof that the employee wanted a change to be made. The same control applies for any pay rate changes requested by a manager.
- Change tracking log. If you are processing payroll in-house with a computerized payroll module, activate the change tracking log and make sure that access to it is only available through a password-protected interface. This log will track all changes made to the payroll system, which is very useful for tracking down erroneous or fraudulent entries.
- Error-checking reports. Some types of payroll errors can be spotted by running reports that only show items that fall outside of the normal distribution of payroll results. Not every reported item will turn out to be an error, but the probability of an underlying error is higher for the reported items. The payroll manager or a third party not involved in payroll activities should run and review these reports.
- Expense trend lines. Look for fluctuations in payroll-related expenses in the financial statements, and then investigate the reasons for the fluctuations.
- Issue payment report to supervisors. Send a list of payments to employees to each department supervisor, with a request to review it for correct payment amounts and unfamiliar names. They may identify payments being made to employees who no longer work for the company.
- Restrict access to records. Lock up employee files and payroll records at all times when they are not in use, to prevent unauthorized access. Use password protection if these records are stored online. This precaution is not just to keep someone from accessing the records of another employee, but also to prevent unauthorized changes to records (such as a pay rate).
- Separation of duties. Have one person prepare the payroll, another authorize it, and another create payments, thereby reducing the risk of fraud unless multiple people collude in doing so. In smaller companies where there are not enough personnel for a proper separation of duties, at least insist on having someone review and authorize the payroll before payments are sent to employees.
Payroll Calculation Controls
The following controls address such issues as missing timesheets, incorrect time worked, and incorrect pay calculations. They are:
- Automated timekeeping systems. Depending on the circumstances, consider installing a computerized time clock. These clocks have a number of built-in controls, such as only allowing employees to clock in or out for their designated shifts, not allowing overtime without a supervisory override, and (for biometric clocks) eliminating the risk of buddy punching. Also, you should send any exception reports generated by these clocks to supervisors for review.
- Calculation verification. If you are manually calculating payroll, then have a second person verify all calculations, including hours worked, pay rates used, tax deductions, and withholdings. A second person is more likely to conduct a careful examination than the person who originated the calculations.
- Hours worked verification. Always have a supervisor approve hours worked by employees, to prevent employees from charging more time than they actually worked.
- Match payroll register to supporting documents. The payroll register shows gross wages, deductions, and net pay, and so is a good summary document from which to trace back to the supporting documents for verification purposes.
- Match timecards to employee list. There is a considerable risk that an employee will not turn in a timesheet in a timely manner, and so will not be paid. To avoid this problem, print a list of active employees at the beginning of payroll processing, and check off the names on the list when you receive their timesheets.
- Overtime worked verification. Even if you do not require supervisors to approve the hours worked by employees, at least have supervisors approve overtime hours worked. There is a pay premium associated with these hours, so the cost to the company is higher, as is the temptation for employees to claim them.
- Pay change approval. Consider requiring not just one approval signature for an employee pay change, but two signatures – one by the employee’s supervisor, and another by the next-higher level of supervisor. Doing so reduces the risk of collusion in altering pay rates.
Check Payment Controls
When you pay employees with checks, several controls are needed to mitigate the risks of fraud and various errors. Key controls are:
- Update signature authorizations. When check signers leave the company, remove them from the authorized check signer list and forward this information to the bank. Otherwise, they could still sign company checks.
- Hand checks to employees. Where possible, hand checks directly to employees. Doing so prevents a type of fraud where a payroll clerk creates a check for a ghost employee, and pockets the check. If this is too inefficient a control, consider distributing checks manually on an occasional basis.
- Lock up undistributed paychecks. If you are issuing paychecks directly to employees and someone is not present, then lock up their check in a secure location. Such a check might otherwise be stolen and cashed.
- Match addresses. If the company mails checks to its employees, match the addresses on the checks to employee addresses. If more than one check is going to the same address, it may be because a payroll clerk is routing illicit payments for fake employees to his or her address.
- Payroll checking account. You should pay employees from a separate checking account, and fund this account only in the amount of the checks paid out. Doing so prevents someone from fraudulently increasing the amount on an existing paycheck or creating an entirely new one, since the funds in the account will not be sufficient to pay for the altered check.
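The "Match addresses" control above can be run as an automated review of each check run. The following is an added example, not part of the original article: it flags checks whose mailing address differs from the address on file, addresses receiving checks for more than one employee, and (in the spirit of the supervisor payment report) payees who are not active employees. The field names and all sample records are constructed for illustration.

```python
import re
from collections import defaultdict

def normalize(addr):
    """Collapse case, punctuation and spacing so trivial spelling differences compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", addr.lower()).strip()

def review_check_run(checks, employees):
    """Return (finding, subject) tuples for a reviewer outside payroll to follow up.

    checks:    list of dicts with employee_id and mail_to (hypothetical field names)
    employees: employee_id -> dict with address and active (hypothetical field names)
    """
    findings = []
    by_address = defaultdict(set)
    for check in checks:
        emp = employees.get(check["employee_id"])
        if emp is None or not emp["active"]:
            # Payee is unknown or no longer works for the company.
            findings.append(("not_active", check["employee_id"]))
        elif normalize(emp["address"]) != normalize(check["mail_to"]):
            # Check is being mailed somewhere other than the address on file.
            findings.append(("address_mismatch", check["employee_id"]))
        by_address[normalize(check["mail_to"])].add(check["employee_id"])
    for ids in by_address.values():
        if len(ids) > 1:
            # Several payees at one address: may be legitimate (same household),
            # so this is an item to investigate, not proof of fraud.
            findings.append(("shared_address", tuple(sorted(ids))))
    return findings

# Constructed sample data.
EMPLOYEES = {
    "E100": {"address": "12 Oak St., Springfield", "active": True},
    "E101": {"address": "48 Elm Ave, Springfield", "active": True},
    "E102": {"address": "7 Pine Rd, Springfield", "active": True},
    "E103": {"address": "9 Birch Ln, Springfield", "active": False},
}
CHECKS = [
    {"employee_id": "E100", "mail_to": "12 Oak St, Springfield"},
    {"employee_id": "E101", "mail_to": "48 Elm Ave, Springfield"},
    {"employee_id": "E102", "mail_to": "48 ELM AVE  Springfield"},
    {"employee_id": "E103", "mail_to": "9 Birch Ln, Springfield"},
]

if __name__ == "__main__":
    for finding in review_check_run(CHECKS, EMPLOYEES):
        print(finding)
```

Consistent with the separation of duties control, the review should be run by someone who does not prepare payroll, against an employee list the payroll clerk cannot edit.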
You may find that several controls buttress each other, so that there are overlapping effects resulting from multiple controls. In these cases, you may be able to safely eliminate a few controls, knowing that other controls will still mitigate the risk of loss.