Best Practices for Payroll Internal Controls

Payroll is a crucial business process in any organization because it assures that employees are compensated in full and in a timely manner. Employees assume they will receive their paychecks without delays or errors; it’s a basic expectation.

Conversely, payroll delays and errors erode employee morale and productivity — and even lead to enforcement from labor regulators. Unhappy employees, meanwhile, also jeopardize the company’s profitability, financial stability, and reputation. For these reasons, it’s critical to develop a strong payroll process, identify any risks, and implement robust control activities to mitigate those risks.

Common Payroll Risks and the Need for Controls

Ghost Employees

Ghost employees are a common cause of payroll fraud. These are usually:

• Fake employees who don’t exist and are employees on paper only;
• Dead or terminated employees who remain on the payroll;
• Real people who never work at the business but receive paychecks from it anyway.

Ghost employee fraud is almost always perpetrated by someone inside the company, usually working in or managing the payroll function.

If the ghost employee is an actual person, he or she may also be involved in the fraud. In some cases, a ghost employee payroll scheme is set up by an employee to bribe someone outside the company and make the bribe payments look like legitimate payroll payments.

Timesheet Padding

Hourly employees claiming that they worked more hours on their timesheet than they actually worked is another common payroll risk. Such padding of time records is particularly prevalent in smaller companies that use legacy timekeeping systems, such as paper time cards or spreadsheets. Timesheet padding is also common when employees work remotely or when there is little or no managerial oversight.

Attendance by Proxy

Attendance by proxy (also known as “buddy punching”) happens when one employee clocks in for another. If it happens on rare occasions, the harm to payroll is small. When widespread or frequent, however, the fudged hours or days can add up and result in significant losses for the organization.

Incorrect Classification

The risk of incorrect payee classification is fairly high for companies with inexperienced teams running payroll in-house. When contractors and freelancers are not separated from full-time employees in the payroll, the company may end up paying more taxes than it needs to.

Lack of Security Leading to Data Loss

The payroll system contains all sorts of sensitive information related to the organization and its employees. Unfortunately, many organizations still use insecure password-based systems or have no controls to identify or prevent phishing scams. This lax security leaves the organization vulnerable to data breaches, fraud, and compliance-related fines.

Non-Compliance

A lack of understanding of relevant laws around taxation, overtime pay, holiday pay, or minimum wage pay rates can create compliance headaches for the payroll department. Further, the legal and regulatory landscape is constantly changing, so payroll must keep up to assure that the company is not fined or otherwise punished for its compliance mistakes.

Natural Disasters or Other Disruptive Events

Disasters and emergencies can disrupt operations in any company. If a disruptive event occurs, the company may not be able to fulfill its payroll obligations. That can lead to disgruntled employees, increase churn, and ultimately harm operational continuity and service delivery.

Internal Controls Procedures for Payroll Systems

Many types of internal controls play a critical role in minimizing risks for payroll systems. Every organization should consider these payroll internal controls.

Segregation of Duties

Segregation of payroll duties, also known as separation of duties, assures that no single person has access to all the sensitive payroll data or tasks to perpetrate fraud. At the very least, these payroll tasks should be segregated:

• Timesheet approver
• Payroll processor
• Paycheck signer and issuer
• Payroll tax preparer

Payroll Audits

Regular payroll audits can minimize the chance of fraud due to buddy punching or ghost employees. Audits can confirm that the payroll system is running correctly and reveal whether the organization is accurately fulfilling its payment and tax obligations.

Separate Bank Accounts

A separate bank account for payroll reduces the number of company assets at risk. Even if an employee commits payroll fraud, the business losses will be limited to that account only. A dedicated payroll account also simplifies audits.

This account should only contain enough funds to process and complete payroll. All other business funds should be maintained in a separate bank account.

Management Review

A member of company management (or the business owner) should periodically review payroll records. Managerial oversight can assure proper payroll record-keeping and reduce the risk of fraud.

Digitized Time Tracking

Time and attendance software can address the risk of incorrect timekeeping, payroll mistakes, and fraud. Time tracking and payroll software also records overtime, approved paid time off, and unpaid absences as additional payroll controls.

For example, software applications are now available with an approval checkbox on every employee’s time card. A supervisor must provide that approval before the time card can be sent to payroll for processing. Once the payroll preparer receives this approval, the employee cannot make changes to the timesheet.

Access and Change Control

The roles and access levels of payroll staff should be carefully assigned and monitored. Only authorized staff with the proper access rights and permissions should be allowed to make changes to the payroll system. Non-payroll employees should not be able to access the payroll information of other employees.

Any changes — especially incorrect ones due to either fraud or negligence — can be quickly identified and addressed with changelogs and audit trails.

Variance Analysis

Organizations should know how much they spend each payroll cycle. If payroll in one pay period greatly fluctuates from the average spend, that could indicate payroll errors or fraud. Therefore, a mechanism should be established for payroll managers to investigate such variances.

Other Security Controls

All electronic payroll and employee records should be protected with strong passwords and ideally with two-factor or multi-factor authentication (2FA or MFA). All physical payroll records must be stored in a safe place with robust access controls so that unauthorized people cannot access, modify, compromise, or delete the documents.

Some other ways to strengthen payroll security are:

• Train payroll staff on the dangers of social engineering scams such as phishing, as well as ransomware and different kinds of cyberattacks that may result in data breaches.
• Limit access to the payroll office to authorized personnel only.
• Protect payroll documents stored offsite with strong physical security.
• Protect all computer systems and databases with a strong firewall, endpoint security solutions, and other security measures.
• Protect online payroll documents or records with robust access control.
• Securely dispose of all paper documents.
• Establish a policy to process all external requests for payroll information specifying the:
  • Acceptable communication channels (for example, all requests should be given in writing);
  • Audit controls;
  • History and change logs

How Can I Implement Payroll Internal Controls?

Implementing internal payroll controls should start by first identifying the risks specific to your organization. For instance, a small business with fewer than a dozen employees is less likely to have a problem with ghosting or buddy punching. In larger organizations, both these issues could be more challenging to detect.

It’s also essential to identify the relevant regulatory and legal rules applicable to the organization. Non-compliance can be a serious problem, so knowing your compliance obligations is another good starting point for implementing internal payroll controls.

Automated time and attendance tracking systems should be implemented, along with cybersecurity measures such as access control and MFA. In addition, if payroll staff have multiple roles or carry out various activities, their duties should be segregated.

If a separate bank account does not already exist for payroll, open one without delay. A designated bank account is a quick and easy way to improve control over your payroll processes. Finally, the organization should establish a mechanism to conduct regular management audits and fraud audits.

Protect Your Payroll System With ZenGRC

Protect your payroll function with adequate controls to reduce financial risks and keep your business running smoothly. ZenGRC can help you identify and manage payroll risk and compliance by documenting audits and tracking workflows.

Get better visibility into your payroll landscape, recognize risks, and mitigate business exposure — all from one single, integrated platform. ZenGRC provides customizable risk calculations and enables continuous risk monitoring, so you can catch and remediate payroll and other risks quickly before they become an issue.

Want to see for yourself how ZenGRC works? Schedule a demo.