PAYROLL AUDIT PROGRAM
February 2016

Worksheet columns: Potential Risks | Objectives/Steps | Prep. By | Date | W/P Ref.

I. Effectiveness Of Key User Functions (Payroll Only)

1. Maintaining Payroll Data

A. Setup Of Payroll
   Potential risks: Rates and dates not set up properly.
   Review source documentation for payroll setups for 20XX (i.e., 26 pay periods, tax rates, payroll policy changes) and compare them to what is in the system.
   Evaluate the process for uploading new tax rates into the system (i.e., fed, state, FICA).
   Document process for setup.

B. Payroll Calculations in HRMS System
   Potential risks: Employee paid too much or too little. Deductions not accurate, i.e., taxes – fines. Garnishment of wages.
   Deductions (for example):
   1. Benefits
   2. Taxes
   3. Child Support
   4. Club Dues (i.e., Union, Employees Club, etc.)
   5. Commuting
   6. Garnishment of Wages
   7. United Way
   All Earnings (for example):
   1. Salary
   2. Bonuses
   Select a sample size appropriate for your objectives.
   Use a (25) employee sample from HR audit (or reasonable representation of employee types), and re-calculate their payroll deductions and earnings.
   Determine that the appropriate forms are in the employee payroll file (i.e., W-4, etc.).

C. Pay Adjustments (including retro adjustments and garnishments)
   Potential risks: Pay adjustments not processed completely, accurately or on time, resulting in too much or too little money deducted from and/or added to employee paychecks. Missed opportunities for retroactive deductions. Only one person has control over all adjustments.
   Ensure appropriate documentation is on file for pay adjustments.
   Determine types of adjustments that can occur.
   Determine how they ensure that all adjustment transactions result in the appropriate deductions/reimbursements.
   How do they ensure they are accurate?
   Are the adjustments subject to independent verification?
   For example, consider:
   1. Employee Initiated Changes (i.e., overtime corrections)
   2. Retroactive Deductions
   3. Garnishments

D. One Time Awards
   Potential risks: Unauthorized adjustments could be processed. Unauthorized one-time awards. Incorrect award amount.
   Determine that controls for one-time awards are appropriate to ensure compliance with the company rules.
   For example, consider:
   1. Chairman’s Award
   2. President’s Award
   3. Performance Spotlight Award

E. Employee Reimbursements
   Potential risks: Employee reimbursed too little or too much. Duplicate reimbursements paid to employee. Invalid reimbursement for a terminated employee.
   Using sample of (25) individuals (or appropriate mix based on company size) from HR audit, trace any reimbursements to source documents to determine information/calculation is accurate.
   1. Expense Report
   2. Employee Memberships
   3. Registration, certifications and accreditation
   4. Education reimbursement, including retroactive for new employees on 6 month probation
   5. Relocation
   Note: The interfaces processing reimbursements are: (list the interfaces you have and what systems they support).

F. Stock Purchase Plan
   Potential risks: Are there limits that may be exceeded?
   Walk through process with payroll department. Testing to be determined.

G. Employee Merchandise Purchase Plans
   Potential risks: Are there limits that may be exceeded?
   Walk through process with payroll department. Testing to be determined.

H. Final Paycheck
   Potential risks: Terminated employee paid.
   Evaluate the final paycheck procedures to ensure the final paycheck is accurate and processed timely.
   Walk through process with payroll department. Testing to be determined.
   Note: This process is coordinated with the timekeeping system admin and HR.

I. Dedicated Vehicle Plan
   Walk through process with payroll department. Testing to be determined.

J. Fixed Distribution
   Walk through process with payroll department. Testing to be determined.

K. Labor Distribution
   Walk through process with payroll department. Testing to be determined.

L. Occasional Use
   Walk through process with payroll department. Testing to be determined.

M. Severance
   Walk through the severance process with Human Resources, Legal and Payroll.

N. Mass Updates
   Potential risks: Information in HRMS is not accurate and/or complete. This risk is magnified with mass updates, as more information is updated at one time.
   Determine that transactions applied to HRMS with mass updates are appropriately controlled and results appropriately reviewed. Additionally ensure that controls and compliance with company procedures are appropriate.
   Test the following:
   1. Long Term Incentive Plans
   2. Merit Increases/Lump Sums
   3. Management Incentive Comp Plan
   4. General Increase for Bargaining Units (Union Increase)
   5. Market Value Salary Increases

II. Payroll Processing

A. Working with Paysheets (timesheets)
   Potential risks: Timesheet information from Workforce Management System is not being interfaced correctly to HRMS/Payroll System.
   Determine what paysheets are used for. Items noted that may be reviewed regarding paysheets are:
   a. Timesheets – tracking exception time
   b. OT Time for non-exempt employees
   c. Manual Adjustments
   Note: Ensure accuracy of information interfacing from Workforce Mgmt Systems. This may be covered during section V - Risks.

B. Calculating Pay
   Potential risks: All pay errors are not identified and corrected. Employees paid too much or too little.
   Review process of calculating pay. Determine how errors are identified and resolved. What edits are in the system?
   Note: Review process of running edit and final payroll, including the balancing procedures performed. A good time to do a Variance Comparison between last pay period and current pay period.

C. Confirming Pay
   Walk through process of confirming pay. Review the balancing procedures.

D. Working With Checks
   Use sample of (25) individuals from HR audit to test the following audit areas.

   1. Check Processing
      Potential risks: Is the right person being paid? Are they getting paid the right amount? Are they getting too many paychecks? (Duplicates)
      Ensure that the checks and signature name plate(s) are physically secured and under dual control.
      Review the check distribution process.
      Ensure paycheck data in HRMS System is accurately printed on paystubs/checks.
      Determine how live check versus direct deposit is indicated in HRMS system.
      How are paycheck numbers generated? How are they controlled?

   2. Manual Checks
      Potential risks: Unauthorized check. Incorrect amount on check. Check received by wrong person.
      Review the check distribution process.
      Review authorization for manual checks.
      Track reasons for manual check requests for metrics.
      Note: These are used for special requests and are printed in the payroll department.

   3. Lost Paycheck
      Potential risks: Lost check cashed. Stop payment request not performed timely.
      Ensure log information is accurate.
      Note: The voided or cancelled check information is entered into HRMS payroll system to provide an audit trail. This is for documentation only. The processing is performed in the bank recon system.

   4. Direct Deposit
      Review/Test:
      - Accuracy of direct deposit account information in HRMS
      - Authorization of direct deposit (authorization forms)

   5. On-Line Bank Reconciliation
      Potential risks: Wrong bank account. Wrong amount. Not on time. Unaware of outstanding checks.
      Review process for on-line bank reconciliations.
      What are the procedures for investigating missing, duplicate or long outstanding checks?
      Note: Potential test would be to verify the check information (number and amount) to the bank recon system.

E. Adjusting Employee Balances

   1. Pay Adjustments
      Potential risks: Wages wrong. Unauthorized adjustment. Employee paying too much or too little taxes.
      Review procedures for pay adjustments. Pay special attention to work-arounds regarding taxable wages and pre-tax calculations.
      Potential Test - review adjustments for 3rd quarter 20XX.

   2. Payroll Journal Entries
      Potential risks: Corporate financial information inaccurate. Employee deductions not recorded correctly.
      Review payroll journal entry process.
      Test steps to be determined.

III. Quarterly Processing (Payroll Only)
   Potential risks: Incorrect tax deposits and forms filing could create agency penalties.
   Identify requirements for quarterly processing.
   Determine that the company is complying with Federal and State agencies for supplying them with taxation data.

IV. Year-End Processing (Payroll Only)
   Potential risks: Incorrect payroll information is recorded on the W-2 and subsequently to the taxing authorities.
   Identify requirements for year-end processing.
   Determine that THE COMPANY is complying with Federal and State agencies for supplying them with taxation data.
   Review the process for producing W-2 forms.

V. Risks Associated With Managing Payroll Are Minimized
   We can rely on the work performed in the other sections to meet this control objective. No steps needed for this section.
   N/A (see note at left)

VI. Data Integrity (Payroll Only)

A. Exception Testing
   Run queries to test integrity of payroll data in HRMS. (For example, identify any terminated employees receiving a paycheck, etc.)
   For details regarding the tests performed, reference exception testing spreadsheet at w/p ________.

B. Conversion from other application
   Discuss impact of difference of decimal points. HRMS has greater number of positions than other application had, so there is less rounding error; however, some salaries were affected. Were there any other problems noted?

C. Training and Control of Field Input
   1. Training
   2. Standards
   3. Controls
   4. How has decentralization of input worked?
   Note: All timesheet input is done in XX Time System. Reference section V for interface testing.

VII. Use Of Computer Resources (Payroll Only)
   Potential risks: HRMS not used for its maximum effectiveness.
A. Identify potential HRMS payroll functionality that may be used instead of the company’s customizations.
B. Are there opportunities for automation where there is manual entry to HRMS or other systems?
C. Identify manual payroll processes that are not supported by HRMS application. Determine if there are plans to incorporate these functions into application.
D. Discuss why payroll processing takes so long.

VIII. Interfaces (Payroll Only)
   Potential risks: Information passed to/from other system is not accurate, complete, or timely. (Note2: this also relates to synchronization of data)
A. Create a system diagram of payroll interfaces. Choose a sample of the interfaces and ensure information input or output from HRMS is accurate, complete and updated on a timely basis by reviewing balancing and reconciliation procedures.
   1. Time System
   2. G/L
   3. Accounts Payable
   4. Bank Recon System
   5. Labor Distribution System
   6. Banking
   7. Wire Transfers

IX. Audit Trails (Payroll and HR)
   Potential risks: Unable to determine what has occurred or to research system activity.
A. Determine that audit capability exists, is turned on, and used.
B. Determine that adequate audit capability exists in the HRMS application and that it is used so that application performance is not degraded.
C. Review of audit trails
   1. Who reviews?
   2. What is reviewed?
   3. How often?
   4. What action is taken based on what criteria?

X. Change Management (Payroll and HR)
A. B. C. D. E. F.
   Naming standards?
   Approvals for changes?
   Prioritization?
   How changes affect other system components?
   Documentation of changes?
   Determine that change management controls are appropriate.
   Review comparison reports used to determine changes among software upgrades/releases.
G. Obtain a list of problem tickets. Look at any open tickets. Is the service desk meeting its SLA goals for HRMS?
H. Determine if some team queries were lost during the upgrade (if applicable).

XI. Backup and Recovery (Payroll and HR)
A. Determine that application, system, and data files are backed up, rotated offsite, and retained per regulations.
   1. Obtain criteria for data retention from business owner.
   2. Compare criteria with how long the data is being backed up.
B. Determine that the business resumption process is documented and is tested periodically.

XII. Operations Documentation
   Potential risks: The lack of appropriate documentation can increase risks that systems will be inadequately maintained by existing or new staff.
   Determine that operations procedures, customizations, jobs, programs and locations where they reside are documented.
   Potential risks: Jobs are not appropriately controlled to ensure data is accurately and timely processed.
   Review how production jobs are scheduled and controlled on the server and/or mainframe.

XIII. Application/Provider Contract
   Potential risks: THE COMPANY’s interests are not protected adequately by the contract.
A. Determine that an escrow account is set up as necessary to protect THE COMPANY in case application process has solvency difficulties.
   Potential risks: Controls are not in place to ensure procedures for interacting with application are adequate.
B. Determine if the contract has a clause regarding THE COMPANY’s right to audit procedures for interacting with application provider.

XIV. Output Management
   Potential risks:
   - Reports are produced that are not being used (waste of resources).
   - Reports are distributed to inappropriate personnel.
   - Too much clutter in an edit/error report may cause the review to miss critical system errors.
   - Unauthorized individuals could obtain access to confidential data.
   - Reports may contain inaccurate information that adversely impacts operations, business decisions, etc.
   - Potential errors may not be detected with the current reports that are produced.
A. Document key reports from the payroll system and ensure they are received and used by the appropriate personnel.
   1. Evaluate key edit/error reports to ensure that they contain only true exceptions.
   2. Determine that personnel do not keep query report information on their local hard drives.
   3. Identify and evaluate controls over printed reports (in I/O and/or on personal printers). If it is sensitive information, should it even print to I/O?
   4. Review confidentiality of report information by reviewing access to confidential reports.
B. Review the content of a sample of key reports for:
   1. Usefulness
   2. Purpose Clearly Defined
   3. Title meaningful
C. What reports are used for error correction/detection?
D. Are users happy with and using reports?
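
The exception test named in section VI.A (terminated employees receiving a paycheck), the duplicate-paycheck question in II.D and the pay-period variance comparison in II.B can each be written as a query. The following is an added example, not part of the original audit program: the schema, the data and the 25% tolerance are constructed for illustration, and the 14-day pay period assumes the 26-pay-period setup mentioned in I.A.

```python
import sqlite3

# Constructed sample data; table/column names are hypothetical, not a real HRMS schema.
SCHEMA = """
CREATE TABLE employees (emp_id TEXT PRIMARY KEY, term_date TEXT);
CREATE TABLE paychecks (check_no INTEGER PRIMARY KEY, emp_id TEXT, period_end TEXT, net_pay REAL);
"""
EMPLOYEES = [("E001", None), ("E002", "2015-10-09"), ("E003", None)]
PAYCHECKS = [  # biweekly periods ending 2015-10-16 and 2015-10-30
    (1001, "E001", "2015-10-16", 1500.0),
    (1002, "E002", "2015-10-16", 900.0),   # final check: period contains term date
    (1003, "E002", "2015-10-30", 1800.0),  # period starts after termination
    (1004, "E003", "2015-10-16", 1200.0),
    (1005, "E003", "2015-10-16", 1200.0),  # second check for the same period
    (1006, "E001", "2015-10-30", 1500.0),
]
# Paychecks whose 14-day period began after the employee's termination date.
TERMINATED_PAID = """
SELECT p.check_no, p.emp_id FROM paychecks p
JOIN employees e ON e.emp_id = p.emp_id
WHERE e.term_date IS NOT NULL AND date(p.period_end, '-13 days') > e.term_date
ORDER BY p.check_no"""
# More than one paycheck for the same employee and pay period.
DUPLICATE_CHECKS = """
SELECT emp_id, period_end, COUNT(*) FROM paychecks
GROUP BY emp_id, period_end HAVING COUNT(*) > 1 ORDER BY emp_id"""
# Net pay that moved by more than a tolerance between two pay periods.
VARIANCE = """
SELECT cur.emp_id, prev.net_pay, cur.net_pay FROM paychecks cur
JOIN paychecks prev ON prev.emp_id = cur.emp_id
WHERE prev.period_end = ? AND cur.period_end = ?
  AND ABS(cur.net_pay - prev.net_pay) > ? * prev.net_pay
ORDER BY cur.emp_id"""

def run_exception_tests(prev_period="2015-10-16", cur_period="2015-10-30", tolerance=0.25):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    db.executemany("INSERT INTO paychecks VALUES (?, ?, ?, ?)", PAYCHECKS)
    results = {
        "terminated_paid": db.execute(TERMINATED_PAID).fetchall(),
        "duplicate_checks": db.execute(DUPLICATE_CHECKS).fetchall(),
        "variance": db.execute(VARIANCE, (prev_period, cur_period, tolerance)).fetchall(),
    }
    db.close()
    return results

if __name__ == "__main__":
    print(run_exception_tests())
```

Each returned row is an exception to trace to source documents, not a finding by itself; check 1002 is not flagged because its pay period includes the termination date.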