Payroll Process
Final Audit Report
Report Nr. 13/12
August 30, 2012
Distribution:
To:
President & CEO
Senior Vice President & Chief Financial Officer
Senior Vice President, Human Resources & Communications
Vice President & Corporate Controller
Vice President, HR Client Services
Assistant Corporate Controller
Director, Compensation & Benefits
Manager, HR Information Systems & Operations
CC:
Senior Vice President, Corporate Affairs & Secretary
Senior Vice President, Business Development
Senior Vice President, Insurance
Senior Vice President, Financing
Senior Vice President, Business Solutions & Innovation
Senior Vice President and Chief Risk Officer
Director, Planning & External Relations
Principal, Office of the Auditor General
Director, Office of the Auditor General
Audit Team:
Lindsay Schoutsen
Allison Lowe
Vice President Internal Audit
Monica Ryan
Table of Contents
Introduction ........................................................................................................... 3
Audit Objectives & Scope ..................................................................................... 3
Internal Audit Opinion........................................................................................... 3
Audit Findings & Recommendations................................................................... 4
Conclusion ............................................................................................................ 4
Payroll Process | August 30, 2012
2
Introduction
In accordance with our FY2012 Audit Plan, EDC Internal Audit performed an audit of the Payroll and
Benefits process. In fiscal year 2011, EDC’s salary and benefits expenditure was $154 Million (excluding
Pension costs), which represented 54% of the corporation’s total administrative expenses of $284 Million.
Audit Objectives & Scope
The overall objective of this audit was to evaluate both the design and operating effectiveness of controls
surrounding the payroll and benefits process at EDC that ensure the accuracy of payments to employees
and the recording of payroll costs. The scope of this audit included detailed testing of controls pertaining
to:
• Employee master data;
• Payments to employees;
• Reconciliation of payroll clearing accounts and of the payroll register to the general ledger;
• Variance analysis; and
• Exception reporting.
This audit did not include a review of controls related to EDC’s pension plan.
Internal Audit Opinion
In our opinion the Payroll and Benefits process is Well Controlled. 1 Detailed audit testing confirmed that
effective controls exist to ensure payroll costs are authorized, accurately recorded and monitored. Two
moderate 2 findings were noted and are described in the following section.
1
Our standard audit opinions are as follows:
Strong Controls: Key controls are effectively designed and operating as intended. Best in class internal controls exist. Objectives of the
audited process are most likely to be achieved.
- Well Controlled: Key controls are effectively designed and operating as intended. Objectives of the audited process are likely to be
achieved.
- Opportunities Exist to Improve Controls: One or more key controls do not exist, are not designed properly or are not operating as
intended. Objectives of the process may not be achieved. The financial and/or reputation impact to the audited process is more than
inconsequential. Timely action is required.
- Not Controlled: Multiple key controls do not exist, are not designed properly or are not operating as intended. Objectives of the process are
unlikely to be achieved. The financial and/or reputation impact to the audited process is material. Action must follow immediately.
-
2
The ratings of our audit findings are as follows:
−
Major: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation risk is
more than inconsequential. The process objective to which the control relates is unlikely to be achieved. Corrective action is
needed to ensure controls are cost effective and/or process objectives are achieved.
−
Moderate: a key control does not exist, is poorly designed or is not operating as intended and the financial and/or reputation
risk to the process is more than inconsequential. However, a compensating control exists. Corrective action is needed to avoid
sole reliance on compensating controls and/or ensure controls are cost effective.
−
Minor: a weakness in the design and/or operation of a non-key process control. Ability to achieve process objectives is unlikely
to be impacted. Corrective action is suggested to ensure controls are cost effective.
Payroll Process | August 30, 2012
3
Audit Findings & Recommendations
1. Monitoring Controls
Through our detailed testing we have confirmed that salaries and benefits are approved and the related
payroll costs are accurately and completely recorded. However, we found that responsibility for payroll
processing within EDC currently resides with one team. This includes activities associated with the
creation and maintenance of employee master data, the review and approval of changes to master data
and, issuing and recording payments to employees. The combination of these activities within one team
creates a segregation of duty conflict. To compensate, some monitoring of payroll related expenses is
being performed. However, the scope of this monitoring does not address all of the risks associated with
the lack of segregation of duty. Accordingly, we have recommended that Finance be provided access to
payroll records and that additional monitoring controls be implemented and performed by Finance in a
manner that maintains confidentiality while providing independent oversight and review of the payroll
process.
Rating of Audit Finding – Moderate
Action Owner – VP HR Client Services in collaboration with VP & Corporate Controller
Due Dates - All actions to be implemented by Q4 2012
2. Annual Salary Planning Tool
Annual salary planning is completed by EDC team leaders through the use of software designed for this
purpose. The salary planning software has restricted access and the final salary updates are approved and
then immediately “locked down”. However, there is no interface between the software and the payroll
processing system. As a result, salary planning results must be manually exported from the software and
uploaded into the payroll processing system. This movement of data requires a validation check of the
data to ensure there are no discrepancies between the approved salary tool and the final pay. This
validation exercise is not currently being performed. Our audit testing included a validation check of the
2012 salary planning exercise and no discrepancies were found. We have recommended that a validation
be done on an annual basis after each salary planning exercise.
Rating of Audit Finding - Moderate
Action Owner – Director, Compensation and Benefits
Due Dates - All actions to be implemented by Q3 2012.
Conclusion
The audit findings and recommendations have been communicated to and agreed by management, who
has developed action plans that are scheduled for implementation no later than Q4 2012.
We would like to thank management for their support throughout the audit.
Payroll Process | August 30, 2012
4