A continuous & critical process is always subject to audit review to ensure it is free of risks, especially where the process involves money or sensitive data. Needless to mention, an organisation is always susceptible to various risks, including the likelihood of fraud being committed upon it either by internal or external elements. Where individual employees have unsupervised and full authority or control over the organisation’s funds or where sensitive or valuable data is not protected with the right amount of security, there is an exposure for fraud.
Such processes demand a well-thought out documentation, authorisation matrix, clear cut strategy and protection from risk and disaster. One such critical process that requires maximum care and protection under the HR function is the Payroll process since it has a key to both funds and sensitive data.
Let us identify some of the major aspects of controls that a payroll process should have in place to make it robust and secure:
- Accurate Payroll Procedural documentation
- Segregation of duties
- Approval workflows & authorisation matrix
- Payroll checklist & a sound validation procedure
- Approved list of input providers & output receivers
- Data security, back-up & disaster recovery plan
- Record retention & destruction management
- Process measurement metrics & Case Management
- Root cause analysis & escalation matrix
It is true that in spite of our best efforts & care, errors do occur sometimes in payroll which could either be of minor or major in nature. Any error should be thoroughly examined to ensure that there is no wider impact. Historically, it has been observed that upon proper investigation, even minor errors have lead to discovery of a major configuration defect or process flaw. Risk is even higher if the errors are of statutory in nature. A root cause analysis (RCA) must be conducted to arrive at corrective and preventive measures. A corrective measure is a stop-gap or immediate action to be taken to rectify an identified issue while a preventive measure is a long term action taken to prevent the same error from occurring again.
Unfortunately, another angle to this scenario is whether the errors committed were deliberate or not. When it is realised that the error is of deliberate in nature, it is known as fraud. The risk is more where all or some most critical parts of the payroll controls including fund management, inclusion and exclusion of employees, salary changes, validation process, bank file preparation, etc are all under the management of one single person or a small independent team.
Some of the control points listed earlier does help in preventing or detecting frauds, but to specifically reiterate:
- Have a clear multi-departmental segregation of duties
- Well document the pre-post payroll validation process at different levels in the team
- Multi-layer authorisation & separate approval matrix for funds & bank file
- Regular head count validation to be performed by compliance or risk teams
- Validation of funds requirement to be performed by finance or treasury teams
- Finally, check for any variations in salary costs to be performed by accounting team
Some good safety tips to prevent errors or fraud:
A highly recommended safety measure is to maintain a ‘maker-checker’ balance, where the ‘maker’ is the member actually entering the payroll data while ‘checker’ is another member of the team, who will validate all the entries submitted in the system by the ‘maker’ to rectify any inadvertent errors. Both maker-checkers will sign in with their individual log-in to record that both have validated the entries in the system for any future audit references.
Segregation of duty has its own advantage and is generally recommended by risk & compliance teams. This will ensure that for a same process, there are multiple stakeholders who have their own access to view sensitive data or have independent responsibility to validate any data or to approve/authorise a transaction. In order to ensure there are no disruptions to a well-set process due to absenteeism, cross-training of team members of each other’s duties is highly essential. This will serve a dual purpose of backing up each other during vacations or sickness of any team member & to detect any errors/ fraud during maker-checker activity.
Some companies have implemented a mandatory leave program for its employees. Employees managing critical activities in an organisation will be required to proceed on mandatory leaves for a certain number of days. During this period, another team member or supervisor is asked to manage the process. This way, if any fraudulent activities were occurring, that would come to light.
Another precautionary measure is to ensure that a responsible member of the management regularly reviews the payroll results & request for either detailed workings or reconciliations with supporting documents. Cross verification or confirmation of the numbers may be sought from other departments such as head count validation from recruitment teams, funding variation analysis from Treasury or Finance teams, etc. A random check of payroll records with Time, Attendance & Leave system or personnel records to check that no fraudulent employees are enlisted in the payroll data will be helpful. A verification of employees to detect false or duplicate social security numbers or identity documents may also throw up some interesting facts.
Any control process in an organisation should include their vendors too. More often than not, vendors are generally treated as outsiders and are excluded from detailed risks and controls process. An important point to note is that vendors do store or process sensitive and highly confidential data on behalf of an organisation. While there are a plethora of controls and security in place for internal processes, it is highly recommended to extend similar controls to vendor processes too. After all, they are an extension of an internal team performing a service or task for an organisation. Therefore, it is imperative that any control process should cover vendors too. More so, if the vendor is using their own system for processing sensitive data of another organisation, then there are specific audit certifications that the organisation could seek from the vendor to ensure there is appropriate system and data security. These guidelines are specified in the Statement on Standards for Attestation Engagements # 16 (SSAE), also known as Service Organization Controls - 1 (SOC) report. Many well-known consulting firms do perform such audits of the vendor’s system on behalf of an organization and issue the certificate.
