Michelle Yankovich

Addressing a Crucial Financial Exposure

What reviewing payroll processes regularly can reveal.

June 2, 2011
by Michelle Yankovich, CPA

Your company may outsource its payroll processing function, and the service provider may have been processing your company’s payroll for years without any problems. Or you may process payroll internally: your staff has worked in your company for years, and payroll is a routine process that functions quite systematically every pay period. Either way, you have not encountered any internal control difficulties with payroll processing. Would periodic payroll process evaluations still be necessary?

The answer is YES.

Payroll represents a significant operating expense within ever-changing environments. Routine internal activities evolve over time. Proposed regulatory provisions become law. Work forces contract or expand. Job responsibilities change when such work-force fluctuations occur.

These and other events present internal control risks. Having a third-party service organization handle payroll processing does not alleviate all of the risks, either. Payroll service providers rely on information their client companies provide. If that information is inaccurate or incomplete, the provider’s output will reflect those shortcomings.

Payroll service providers face internal control risks that emerge continually and evolve, too. They participate in acquisitions and mergers. They implement new information technology systems. They confront numerous new compliance requirements as well as other potential exposures.

Perhaps the biggest risk confronting all of us is complacency. How long can an honest but costly data entry error go unnoticed? A typical fraud scheme goes undetected for a year or longer. How much money can be misappropriated during that time?

Reviewing payroll processes regularly can help your firm identify and mitigate risks before too much time passes. Begin looking at the internal processes and evaluating whether new controls or changes in existing controls are needed for payroll processing.

Periodic Internal Evaluations

Payroll steps performed internally vary from one company to another, but reviewing related human resources tasks provides a good starting point for all internal evaluations. How are your human resource and payroll functions structured? Are these functions segregated to ensure that the activities related to processing new employees, related benefits and termination of employees are separate from processing payroll transactions?

What internal controls exist to verify pay rates for employees? How is new employee information verified in the payroll system? How are various related benefits, such as sick time, personal time and vacation time assigned to employees and verified? What about overtime pay? Are such records updated regularly and are individual employees aware of related policies?

From that starting point, define what other steps comprise the payroll process. Consider what can go wrong; consider what might have changed and whether or not internal controls currently exist to address those identified risks effectively.

Establishing and maintaining segregation of duties is essential for mitigating internal control vulnerabilities.

For payroll processing purposes, an individual employee’s time sheet or time card should require a supervisor’s review and approval. Is this being performed consistently and is there an evaluation of the appropriateness of the supervisor who approved the time sheet?

Given the recent difficult economic times and budget cutbacks, companies have had periods of no increases in compensation or even faced reductions in staff. Is the individual responsible for entering payroll information into the system independent of the approval process? Are the reconciliations of payroll accounts or funds performed by someone outside of the payroll function?

Maintaining a flow chart, matrix or spreadsheet or other means to illustrate steps involved in the payroll process helps highlight instances in which segregation of duties is necessary.

Job duties change, and technology enhancements made to the processing system can affect critical processing steps. In response, existing segregation of duties must be evaluated periodically. That original flow chart or other illustration can be revisited and used as a tool for determining how segregation of duties must be updated.

Companies may not have enough employees to segregate all conflicting or incompatible duties totally. In such cases, exception reports identify events requiring investigation. For example, such a report can show that several employees received inordinate amounts of overtime pay within a specified time period. Further investigation can reveal that responding to a crisis situation required that overtime. Such an investigation, though, can also reveal overtime abuse.

Individual information technology (IT) access rights to various files, applications and modules need to be monitored on a continual basis to align with defined segregation of duties. Those automated controls help ensure that only employees with specific, required work needs have access to various system components. Such controls guard against attempts to execute unauthorized disbursements, view files containing employee Social Security numbers or other nonpublic information or engage in other improper actions.

If you are using a third-party payroll service provider, how does that provider control the risks it faces? How much assurance do you have that risks are identified and mitigated?

If you work for a public company, you have to comply with Sarbanes-Oxley requirements for internal control over financial reporting. If you have an outside payroll service provider processing your payroll, chances are that your auditors have asked for a Statement on Auditing Standards (SAS) 70 report over the processing of transactions by that service organization. Statement on Standards for Attestation Engagements (SSAE) 16 recently replaced SAS 70 as a reporting standard.

Requiring such an assurance report represents a best practice for private companies as well. Your company should monitor the overall quality of its payroll service provider and be aware of any substantial changes affecting it. Mapping the controls within your payroll process to the controls of the service organization that are relevant to your operations will help you identify and evaluate any control gaps that might exist and allow you to take appropriate action.

Has your payroll provider relocated to a different facility? Did it replace long-time leaders recently? Has it suffered any security breaches or encountered any other incidents that raise concern? Being aware of significant events that present risk can help you identify issues that need to be addressed.


Payroll is a considerable expense for every company. Evaluating the related processes regularly helps your company mitigate immense risk and maintain financial health.


Michelle R. Yankovich, CPA, is a partner in Advisory Services for Weaver, the largest independent certified public accounting firm in the Southwest with offices throughout Texas. You can reach her at 210-572-3743.