BY GRETCHEN INOUYE, CPP
Payroll, which includes taxes and benefits, is frequently the largest operating expense of an organization. When you add the confidentiality of payroll information to the financial aspects, developing and maintaining adequate controls within the payroll environment is essential.
Controls generally fall within three areas: physical controls, staffing practices, and system controls. The size and complexity of an organization will determine the levels and types of controls to implement, although some controls are applicable in all environments.
Physical controls involve restricting access to payroll by establishing actual physical barriers such as using locks on doors, desks, and filing cabinets. If access to the payroll department is not strictly limited to authorized individuals, control of paper and other factors may require more thought and creativity. Do not leave paperwork open to unauthorized view or theft. Do not leave computer screens open to view. Make proper disposal and destruction of paper containing personally identifiable information a routine practice. Inventory and control company check stock.
Staffing practices include exercising due diligence in hiring and assigning appropriate levels of access to payroll. One best practice is to segregate job duties so that a single employee does not have full, end-to-end control of payroll processes. This is not always possible in a single-person office or a small department, so personnel outside of payroll may need to provide assistance or oversight. Accounting should review and reconcile the payroll bank account, for example. Provide department managers with listings of employees being paid in their units so that they can review and confirm. Another useful control is to periodically rotate the duties of employees in a larger payroll department to help facilitate cross training and to help identify inconsistent practices within processes that can lead to lapses in controls.
System controls should include restricting access to authorized personnel only, through the assignment of user identification and the required use of strong passwords, which should expire at set intervals. Periodically review authorized access, and automatically revoke the access of any employee with payroll processing capability when that employee is terminated. Activate audit trails in the system to track and identify changes to data by user. Employ encryption software when sensitive, identifiable employee data is being electronically transmitted.
Establish system edits as alerts to help ensure payrolls are processed within set rules and data falls within valid parameters. Some common edits are those that identify when payroll transactions are being created for a terminated employee or when there are no transactions for an active employee. Both of those situations may be legitimate, but the edits would allow for review and verification or correction if necessary. Some other edits may be used to help identify payments that would fall outside of expected norms, exempt employees not receiving full salary, or nonexempt employees not receiving required overtime. Design all edits to meet the needs of the particular organization.
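The edits described above can be expressed as a small rule pass over a pay run. The following is an added example, not part of the original article or any payroll product; the record layout, the edit codes, the 40-hour weekly overtime threshold, and the gross-pay ceiling are all assumptions to be replaced with the organization's own rules.

```python
from dataclasses import dataclass

OT_THRESHOLD = 40.0   # assumption: weekly pay period, overtime due past 40 hours
MAX_GROSS = 10_000.0  # assumption: organization-specific ceiling for one payment

@dataclass
class Employee:
    emp_id: str
    status: str                  # "active" or "terminated"
    exempt: bool
    period_salary: float = 0.0   # expected pay per period for exempt staff

@dataclass
class Txn:
    emp_id: str
    gross: float
    hours_worked: float = 0.0
    overtime_hours_paid: float = 0.0

def run_edits(employees, txns):
    """Return sorted (emp_id, edit_code) alerts for review; nothing is blocked."""
    alerts = set()
    by_emp = {}
    for t in txns:
        by_emp.setdefault(t.emp_id, []).append(t)
    for e in employees:
        mine = by_emp.get(e.emp_id, [])
        if e.status == "terminated" and mine:
            alerts.add((e.emp_id, "TXN_FOR_TERMINATED"))
        if e.status == "active" and not mine:
            alerts.add((e.emp_id, "NO_TXN_FOR_ACTIVE"))
        if e.exempt and mine and sum(t.gross for t in mine) < e.period_salary:
            alerts.add((e.emp_id, "EXEMPT_BELOW_SALARY"))
        for t in mine:
            due = max(0.0, t.hours_worked - OT_THRESHOLD)  # overtime hours owed
            if not e.exempt and t.overtime_hours_paid < due:
                alerts.add((e.emp_id, "NONEXEMPT_MISSING_OT"))
            if t.gross > MAX_GROSS:
                alerts.add((e.emp_id, "GROSS_OUTSIDE_NORM"))
    return sorted(alerts)

# Constructed sample pay run, not real data.
EMPLOYEES = [Employee("E1", "active", True, 4000.0), Employee("E2", "active", False),
             Employee("E3", "terminated", False), Employee("E4", "active", True, 3000.0)]
TXNS = [Txn("E1", 3500.0), Txn("E2", 900.0, hours_worked=46, overtime_hours_paid=2),
        Txn("E3", 800.0, hours_worked=40)]

if __name__ == "__main__":
    print(run_edits(EMPLOYEES, TXNS))
```

Each alert is a prompt for review rather than a rejection, since a final check to a terminated employee or an unpaid leave for an active one can be legitimate.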
Document all internal and external controls and periodically test them for effectiveness.
Gretchen Inouye, CPP, is a Payroll Consultant and the APA’s 2015 Payroll Woman of the Year. Author note: The Payroll Source® was used in preparing this article.
This article was sponsored by rapid! PayCard® and is available in the February issue of APA PAYTECH.
The information contained in this article and any other article does not reflect the views of rapid! PayCard®. The opinions, conclusions and other information expressed are neither given nor endorsed by rapid! PayCard® or its representatives, but provided for the sole purpose of presenting updates on current research in this sector.