News & Resources


A Compliant Payroll Depends on the Best Ingredients

BY: Brian Garrett, CPP, CPA | 06/27/19

What do a great chef and a compliant payroll department have in common? They each depend on key ingredients for a quality, consistent product that delights their customers. While the product of a chef may be somewhat subjective, the product of a payroll department is black and white—a complete, accurate, and compliant paycheck every payroll for every employee. To ensure compliance, payroll departments must have processes and procedures in place with internal controls that help ensure no bad apples get into the mix.

In the past, ensuring strong internal controls was already a challenge, but the environment was somewhat homogenous, so companies could build customized processes that were specific to their environments. Today, payroll departments need to manage data integrity from both inside and outside sources. As payroll software has evolved to provide economies-of-scale cost savings and way more powerful data analysis tools, so, too, has the need to ensure internal controls of payroll service providers and subservice providers. Fortunately, service providers are required to provide internal control assurances in the form of audit reports that detail the internal-control processes providing assurance their internal controls are operating as intended.

SAS 70, SSAE 16, SOC Reports

For 18 years, the Statement on Auditing Standards (SAS) 70 report was the standard for service provider internal-control audits, the primary audience being user organizations (customers). In the wake of the Enron and WorldCom scandals and the passage of the Sarbanes-Oxley Act of 2002 (Pub. L. 107–204), otherwise known as the SOX Act, the focus on internal controls became even more important. Public company management was required to provide internal-control attestation statements certifying the effectiveness of the companies’ internal controls. In 2011, SAS 70 was effectively replaced by the Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization, which provided service organization customers with the Service Organization Controls (SOC) 1 report. Then, in 2017, SSAE 18 replaced SSAE 16 to include review of subservice (third-party) organizations. The new standard requires a new SOC 2 report detailing the security, availability, processing, integrity, confidentiality, and privacy of businesses’ information systems.

As payroll departments migrate their legacy systems to more cost-effective payroll service providers, they need to rely on SOC 1 and 2 reports to provide assurances their partners’ internal controls are operating effectively. The reports can be compared to “health inspectors” of payroll service providers to ensure ingredients used to process payrolls aren’t ruined during the “cooking” process. The reports help identify bugs in the software so that they can be eliminated quickly.

Companies need to make sure other ingredients given to payroll are of the highest quality. For example, management needs to ensure ingredients such as salary information, time and attendance, paid time off, new hires, and terminations are processed timely and completely and are authorized by appropriate managers and administrators. Payroll needs to take information provided by management and apply a smorgasbord of laws and regulations to calculate an accurate paycheck. Along the way, internal controls need to operate effectively to ensure that money paid to employees is accurate down to the penny, or risk legal action.

Open for Business

The payroll customers are the employees, who are the pickiest customers in the world. As soon as they open the menu to pick their selections, compliance needs to be at the forefront. Compliance starts from the time a job requisition is posted to the company’s job board or advertised by a third party. The task of posting a job typically falls to human resources. However, payroll needs to work closely with them on job codes, salary ranges, hiring managers, locations, schedules, employee type, and departments, which are some of the ingredients that make up the payroll soufflé. It’s important that the timing is precise so that when a candidate is offered and accepts a job, new hire paperwork is processed timely and the new hire is paid correctly from the beginning.

There’s a Control for That

One of the most important internal controls in the payroll process is separation of duties. No one person should have access or control over enough processes to create a fraudulent payment. Data entry, although clerical in nature, is probably the most important role in the payroll department. The payroll administrator’s role is to make sure all the payroll data needed to calculate a correct paycheck, including new hires, are entered accurately. They shouldn’t be responsible for entering the new hire into the system, as that would be a violation of separation of duties. New hire data entry should be done by human resources to properly separate the duty.

Payroll accountants have an important role to play as well. They ensure that all of the transactions created by the payroll process are recorded in the proper general ledger accounts. Many payroll departments send payroll registers to department managers so that they can ensure that expenses posted to their departments are accounted for as expected. Having department managers inspect their payroll registers helps mitigate collusion between HR and payroll. Another important internal control is the use of error reports, which detect abnormalities before payroll is closed. For example, if HR changes a new hire employee type from exempt to nonexempt, but doesn’t change their pay rate from a pay period amount to an hourly amount, and hours are applied to that pay rate, the employee may be substantially overpaid if the error isn’t detected. To mitigate this risk, payroll departments can use high-low reports to detect net paychecks that are unusually too large or too small. This would be a redundant control, since this type of error should be detected by a control for changing the employee’s record. Error reports are a good way of ensuring those controls are operating effectively.

Follow the Money

Since employee costs are typically the largest operating expense companies encounter, it makes sense that thieves target payroll more than almost any other aspect of the business process. For instance, two of the highest-risk scenarios payroll departments guard against are paying ghost or phantom employees and paying terminated or deceased employees after their termination date. There are other risks payroll departments need to focus on. The list below includes these and other examples of payroll risks:

  • Direct deposit fraud (directing small amounts to fraudulent bank accounts)
  • Overtime fraud
  • Fictitious tax jurisdictions
  • Ghost employees
  • Paying employees after termination date (or not entering termination date when an employee leaves the company or passes away)
  • Employee-reimbursement fraud
  • Paycheck theft
  • Paycard fraud
Each of these risks should have at least one internal control. Below are examples of mitigating controls payroll departments should consider:
  • Separation of duties
  • Error reports
  • Two-step timesheet authorization (employee submits and manager authorizes)
  • Data analytics to detect duplicate addresses, back accounts, and social security numbers
  • Mandatory vacation policies
  • Cross-training
  • Periodic risk assessments
  • Annual payroll audits by independent auditors

Payroll departments should obtain an annual SOC report from their payroll service providers but should not rely solely on it to ensure the payroll calculations are accurate. Laws and regulations change frequently, so companies should continually challenge past assumptions to make sure they are still valid.

Icing on the Cake

Once the payroll process is complete and employees are paid, the payroll department needs to ensure payments to tax authorities are funded timely. During this process, payroll risk changes from errors and fraud to compliance risk, as each taxing authority may have different funding and reporting requirements. Ingredients such as effective tax rates, employee-withholding-form elections, employee wage base, and the taxability of earnings and deductions need to be updated to ensure compliance. Larger companies may have a separate payroll tax department to help with payroll tax compliance, whereas smaller employers may outsource this role to a third-party service provider. Companies should review their service providers’ SOC reports to check for internal controls to ensure payroll and withholding taxes are reported and paid in a timely manner. Late payments typically result in penalties and interest.

Additionally, payments to benefits providers need to be accurate and timely and should be reviewed by an independent party, either each payroll or periodically by an auditor. For instance, payroll accountants can easily reconcile these payments with the general ledger to ensure payments are made and accounts are reconciled. Payroll managers are the top chefs in the payroll kitchen who make sure all the payroll sous-chefs and line cooks are doing their jobs and processes and procedures are being followed. Checklists are typically employed to make sure steps aren’t missed (see “Good Internal Controls Will Lead to Smoother Audits” article in this issue). Risk assessments may be performed throughout the year to focus on areas of larger risks. Larger payroll departments may opt to employ controls analysts or may engage their internal auditors to perform reviews throughout the year. If the product turns out flawlessly (i.e., an accurate paycheck), silence from employees is a good thing.

Presentation Is Everything

Once the payroll process wraps up, reporting the results to various stakeholders is important to ensure the transactions are correct to the penny. Presenting pay statements to employees not only makes good business sense, but, in many jurisdictions, it’s a legal requirement. For instance, some employees may simply look at their bank account balances to make sure their paychecks were directly deposited, whereas others may meticulously analyze every calculation on the statement. It’s good to provide employees with details to recalculate their paychecks. Other stakeholders (including taxing authorities, benefits service providers, banks, and the accounting department) should review their respective transactions to ensure they match their expectations. In a perfect world, everything balances and no one has any questions—but we know we don’t live in a perfect world. Payroll departments need to be able to answer questions regarding discrepancies and be able to identify gaps in the payroll process. If gaps are detected, controls should be put into place to prevent future gaps. Noise coming from stakeholders is never a good sign of an effective payroll process or internal controls. The aroma of a well-run payroll department’s final product is akin to everyone enjoying their meal and can be summed up in one word: silence.

Brian Garrett, CPA, CPP, is Compliance Advisor for Ultimate Software and a member of the Board of Contributing Writers for PAYTECH.