Payroll Process-Fraud and error risks and controls to mitigate them
Posted by Alina Demeter on April 3, 2012
This article includes a list of potential risks (fraud or errors) pertaining to Payroll Process.
Remember it is easier to prevent the risks via internal controls than to correct their effects afterwards.The best practices involve
- identification of the main risks in the process
- and implementation of controls to reduce or eliminate these risks
Also one important thing to be pointed out is that the effectiveness of the controls in place should be continually monitored.
This will mean firstly to ensure that the controls which should exist in theory are actually implemented in practice and secondly these controls achieve their objectives to mitigate the risks
Risk & Controls Matrix
|Incorrect processing/payment of payroll by mistake or with intention (fraud)||Payroll system access not properly controlled/managed||System controls should be in place. Access to the payroll system and data is restricted based on the job duties and established in such a way to avoid the risk of fraud.Example: The persons responsible to record salaries should not have the access to record the salaries payment.|
|Incorrect processing/payment of payroll by mistake or with intention (fraud)||Segregation of Duties in the Payroll system access and of duties between payroll team members are not properly managed||Duties should be properly segregated. The duties between diff payroll team employees should be properly segregated to ensure there are no conflicts of interest and to avoid fraud risks|
|Incorrect input by mistake or with intention (fraud) of payroll information||Most important changes like: bank account no., salary value change, new hires (risk: fictive), leavers are incorrectly input||Data input/changes should not only be controlled by the person doing the actual inputting, but also should be subject to a peer review (100% or by sample) and high level review and approval from the Manager.|
|Incorrect processing of payroll||Inaccurate computation of salaries (gross to net)||Few random checks should be executed to confirm the correctness of the salaries computation, each month via simulation programs outside of the payroll tool.|
|Incorrect processing/payment of payroll by mistake or with intention (fraud)||Avoid wrong payroll processing/double payments/ fictitious payments||Design Payroll controls Reports to ensure correct payroll process and help identify potential issues/or fraud. These analytics reports do not replace the other controls but represent complementary checks. Examples of payroll control reports: 1.Report of changes in the system
2. Payroll should be reviewed and authorized by an independent reviewer/approver before release
3.Payroll overview total amount report (summary of gross pay, deductions, net pay, etc), including a comparison to the previous month for reasonableness
4. Payroll Control report per each employee month by month including a min/max threshold to identify errors.
5. System access rights regular review—including information as to what each individual can do in the system. This is to ensure that access rights were not changed without authorization and are in line with roles responsibilities.
6. New hires report, to avoid fictitious payrolls
7. Control report of leavers for the months post termination to detect if payroll payments are not stopped next month
8. Control report for multiple payments to same account. To ensure accurate bank and to help prevent fraud.
9. Control report of changes to bank account numbers, etc
|Payroll payment (bank transmission)||Incorrect payment of payroll||The preferred method for payroll payment is a transfer via an electronic payment file generated by the payroll system. Bank files to be uploaded are locked for editing/ prevent unintentional or deliberate changes to the payroll file. Data integrity and secure the bank transfer-file with electronic signature and encrypted. If preferred method is not possible additional controls should be put in place to ensure the integrity and security of the bank transfer. One key control in this case is ” segregation of duties” -Payroll processing, check generation, check approval/signature, recording to the cash book all should be in different hands. All payments/checks over a certain limit should be blocked.|
|Inaccurate Taxation (computation and reporting)||Tax amount incorrectly computed or reported to Authorities (wrong Tax Declarations, sent with delay)||Ensure control to validate proper computation of taxes (right % applied, legislative changes properly updated in the payroll application). Control to ensure proper preparation of Tax Returns/Declarations and submition in due time to avoid penalties.|
|Payroll Accounting||Incorrect accounting records/Accounting records does not reconcile with payroll report, payroll payment-bank statement||Review of accounting records to validate the correct accounts used and to ensure accounting records reconciled with supporting documents (reports)|
|Payroll Accounting||Automated records versus manual records/journals||In case of automated payroll records (postings generated directly by the payroll system) without manual intervention, control before loading any file to GL. In case of manual journals should have proper back up to justify the journal entry and should be approved by a more supervisor individual.|
|Payroll related documents are not kept as per legal requirements||Record Retention||A process in place to ensure all payroll related documents are properly kept for the required period and can be easily accessed if required.|
|Sensitive payroll information is not properly protected may lead to loss in reputation, loss of competitive advantage, loss of revenue, or legal consequences||Data Privacy||Company should classify data based on sensitivity and generally payroll info including personal info should be considered sensitive and carefully trated when stored or transferred to 3rd parties. Hard copies should be properly locked. Information sent by email outside the company (email out of company to vendors for example) should be encrypted and password, to avoid the risk of being intercepted. Examples of Personal Info: National ID; Driver licence; credit/debit card no, bank account no, -when stored -password protected or limited control access and when transmitted even within company should be encrypted.|