Internal Controls for Payroll - Tracy Arner

Financial Management Program1

Learning ObjectivesUpon completion of this session , youshould be able to:Recall definition of internal controlUnderstand the importance of internal controlRecite basics of the payroll and benefit cycleExplain Internal Control for the payroll cycleDiscuss segregation of duties for payroll2

INTERNAL CONTROLDEFINITION3

Internal Control ReviewCOSOCommittee of SponsoringOrganizations4

Internal Control ReviewCOSO’s definition of internal control:Internal control is a process, effectedby an entity’s board of directors,management and other personnel,designed to provide reasonableassurance regarding the achievementof objectives in the followingcategories:5

Internal Control ReviewDefinition of internal control continued:Operations - effectiveness and efficiency ofoperationsReliability of financial reportingCompliance with applicable laws andregulations6

COSO’s Integrated FrameworkInternal control is carried out by people.– Objectives/control mechanisms establishedby people– Employees must know responsibilities/limitsof authorityManagementObjectivesEmployeesDutiesPerformanceOf Duties7

COSO’s Integrated FrameworkInternal control can only provide reasonableassurance– Nobody’s perfect—human decision-makingflawed– Cost outweighs benefits of installing control– Collusion possible– Management override8

Internal Control Components9

Internal Control Components1 st component, Control EnvironmentIntegrity and ethical valuesgifts and gratuities.pdfUGA exampleCommitment to competenceManagement’s philosophy and operating style(Tone at the Top)Assignment of authority and responsibilityHuman resource policies and practices10

Internal Control Components2 nd Component, Risk AssessmentDefined by COSO –Risk assessment is the identification andanalysis of relevant risks to achievement of theobjectives, forming a basis for determining howthe risk should be managed.11

Risk AssessmentA precondition to risk assessment is theestablishment of objectives. COSOframework objectives are organized intothree categories:Operational ObjectivesFinancial ReportingObjectivesCompliance Objectives12

Risk AssessmentRisks are eventsthat threaten theaccomplishmentof objectives.Risk assessment is the process ofidentifying, evaluating and determining howto manage these events.13

Internal Control Components3 rd Component, Control ActivitiesControl activities are the methods used toreduce risk identified during the riskassessment process.14

Control ActivitiesControl activities includepolicies and proceduresCOSO’s Framework offers the followingcontrol activities commonly performed bypersonnel at various levels.15

Control Activities‣ Top Level Reviews‣ Direct Functional Management‣ Information Processing‣ Physical Controls‣ Reconciliations‣ Segregation of Duties16

Internal Control Components4 th Component, Information andCommunicationAn organization needs to make sure thattypes of communications used are broadbased,useful, reliable and continuous.17

Internal Control Components5 th Component, MonitoringEnsures that the internal controls operateas intended.– Ongoing Monitoring– Separate Evaluations18

Ongoing Monitoring• Comparison of employees working tothose receiving paycheck• Response to auditor recommendationsto strengthen internal controls• Employees restate periodically that theyunderstand and comply with code ofconduct• Employees regularly perform criticalcontrol activities19

Separate EvaluationsIs I/C system evaluated byexternal/internal auditors?– If so, how often?– Is the process appropriate?– Is internal control system documentationappropriate and adequate?20

COSO Update – 1 st Quarter 2013Concepts that remain the same– Definition of internal control– 5 components– Criteria used to assess effectiveness– Use of judgment in evaluating effectiveness21

COSO Update – 1 st Quarter 2013Concepts added• Codification of principles for developing andevaluating the effectiveness of InternalControls• Expanded financial reporting objective toaddress internal and external, financial andnon-financial reporting objectives• Increased focus on operations, complianceand non-financial reporting objectives basedon user input22

COSO Update Timelinewww.coso.org2010 2011 2012Sept - Jan Feb - Oct Dec - Mar Apr - DecAssess & SurveyStakeholdersDesign &BuildPublicExposureFinalizeReleased first quarter 201323

Summary of UpdatesCodification of 17 principles embedded in the original FrameworkControl Environment1. Demonstrates commitment to integrity and ethical values2. Exercises oversight responsibility3. Establishes structure, authority and responsibility4. Demonstrates commitment to competence5. Enforces accountabilityRisk Assessment6. Assesses fraud risk7. Identifies and analyzes significant change8. Specifies relevant objectives9. Identifies and analyzes riskControl ActivitiesInformation &CommunicationMonitoring Activities10. Selects and develops control activities11. Selects and develops general controls over technology12. Deploys through policies and procedures13. Uses relevant information14. Communicates internally15. Communicates externally16. Conducts ongoing and/or separate evaluations17. Evaluates and communicates deficiencies24

IMPORTANCE OF INTERNALCONTROLS25

Meet objectivesSecurity of assetsPreserve integritySeveralvaluablereasons forInternalControlsPrevent errorsProtect employeesComplianceChecks and balances26

• Most state laws require governments tohave annual audits of their financialstatements in accordance withGenerally Accepted GovernmentAuditing Standards (GAGAS).• GAGAS requires reporting on internalcontrols27

Internal Control and Single Audits• When expending Federal assistance ofmore than $500,000, a governmentmust undergo an A-133 audit or aSingle Audit.• Single audit requires auditee to maintaina system of internal controls28

Can the COSO Framework and the fiveinterrelated components of an effective internalcontrol system be used in the deterrence offraud?ABSOLUTELY29

Lack of adequate internal controls isone of the most commonly citedreasons that fraud occurs within anorganization.FRAUD30

PAYROLL AND BENEFITACCOUNTING OVERVIEW31

Employee Earnings• Determined by agreement between employer andemployee• Salary schedule– Type of position– Steps and years of experience• Employees pay examples:– Annual salary/prorated over pay periods– Hourly rates• Pay periods vary—monthly, semimonthly, biweekly orweekly• FLSA—150% regular rate for +40 hours with certainexemptions32

Employee Earnings• Time sheet– Basis of periodic payroll• Contents of time sheet– Employee name and number– Pay period– Dates worked– Number of hours worked– Account distribution– Signatures• Employee• Employer33

Payroll Journal• Special Journal• Sometimes call Payroll Register• Common contents:– Name of employee– Expenditure/expense classifications– Gross payroll– Adjustments to gross payroll– Adjusted gross payroll– Net payroll34

Payroll Deductions and• Social security tax• Federal Income Tax• State Income Tax• Deferred compensation• Pension plans• Insurance• Other miscellaneousWithholdings35

Recording the Payroll36

Recording Employer’sShare of Benefits37

Earnings Records38

PAYROLL PROCESS ANDINTERNAL CONTROLOBJECTIVES39

Defining Payroll Process• Personal Services = Big Bucks• Expenditure includes– Adjusted gross pay– Employer’s share of benefits• Payroll department– Pays employees• Strong internal controls needed40

Payroll Cycle41

Payroll Cycle42

Control Objectives• Control operations– Establish levels of authority– Provide approval for transactions– Provide feedback to approvers• Safeguard assets– Loss or damage– Waste, inefficiency, error, theft or fraud43

Control Objectives• Provide adequate information– Timely– Reliable– Supports control structure44

7 Supplementary Objectives• All transactions are recorded• Authorize only valid transactions/protectfrom invalid transactions• Record only valid transactions/preventrecording of invalid transactions• Value transactions correctly/protect fromincorrect calculations and errors in recording45

7 Supplementary Objectives• Recorded transactions are classifiedcorrectly using Chart of Accounts• Record transaction in timely manner• Transactions recorded to subsidiary ledgersand posted to general ledgerAlan Trenerry, Principles of Internal Control (Sydney: UNSW Press, 1999) 9-10.46

Control Objectives forPayroll1. Payroll transactions are preapproved orauthorized2. Only valid transactions are recorded andthey are recorded in proper period3. Valid transactions are accurate, agreewith source documents and recorded ona timely basis47

Control Objectives for4. Recorded transactions– Represent economic events that actuallyoccurred– Are lawful in naturePayroll– Are executed in in accordance withmanagement’s general authorization48

Control Objectives forPayroll5. Access to payroll records are controlled– Restricted to authorized personnel6. Proper segregation of duties49

Internal Control Components50

Control Environment/Payroll• Control Environment– Published code of ethics required to be readand acknowledged by employees• Only employees that possess requiredknowledge and skills should be hired• Employees should be supervised byqualified personnel• Job descriptions should be updated withrequired skills and knowledge51

Control Environment/Payroll• Management has ongoing commitment toongoing education and training foremployees in the payroll department– Especially regarding federal and state taxissues and laws52

Internal Control Components53

Risk Assessment andObjective No. 1: AuthorizationRisks:• Hiring an unapproved employee May not be legally eligible• Overspending budget• Hiring an unqualified employee• Incorrect classification for benefitscould result in higher costsPayroll54

Risk Assessment andObjective No. 2: Safeguarding AssetsRisks:Payroll• Errors in payroll process due to hiringunqualified employee• Interest and penalties• Fictitious employees added to payroll55

Risk Assessment andPayrollObjective No. 2: Safeguarding AssetsRisks:• Incorrect employee classification– Employee vs independent contractor– Exempt vs nonexempt• Leave taken not properly reported56

Risk Assessment andPayrollObjective No. 3: Accurate, reliable and timelyinformationRisks:• Salary/Pay rate not correct• Hours/pay period inaccurately entered• Deduction entered improperly• Not posted to general ledger• Taxes/benefits not paid within required time57

Internal Control Components58

Control Activities for PayrollFour Categories of Control Activities• Hiring• Documentation• Authorization• Reconciliation59

Control Activities for Payroll• Written process for hiring– Budget approval– Authority to advertise– Appropriate applicant information– Established selection process– Formal job offering (Letter)• Pay rate• Benefits provided• Status• FLSA classification60

Control Activities for PayrollFour Categories of Control Activities• Hiring• Documentation• Authorization• Reconciliation61

Control Activities for Payroll• Documentation—completethe forms– Personal data– Form I-9 (Employment EligibilityVerification)– Form W-4 (Federal Tax Withholding)– Form G-4 (State Tax Withholding)– Benefit forms– Retirement plan forms– Other forms62

Control Activities for PayrollFour Categories of Control Activities• Hiring• Documentation• Authorization• Reconciliation63

Control Activities for Payroll• Authorization– Required to ensure that only validtransactions are entered into payroll system• Time sheets signed by employee and supervisor– Supervisor’s approval = authorization to pay and certifiestime recorded is actual time worked.• Payroll should be authorized by supervisor– Verify that all supporting documentation is present priorto approving payroll– Could be manual or electronic approval64

Control Activities for PayrollFour Categories of Control Activities• Hiring• Documentation• Authorization• Reconciliation65

Control Activities for Payroll• Reconciliations– Hours worked on time sheets = summary ofhours worked in payroll system– Adjusted Gross Salary - No variations unlessadjustments to pay– Taxable Wages - Adjusted gross wages lesspre-tax deductions– Benefits and Deductions– # of employees66

Control Activities for Payroll• Checklist easy way to showcompleted tasks• Also need to reconcile generalledger accounts afterwithholdings are paid67

Internal Control Components68

Information/Communication of Payroll• Enrollment periods for benefits• Pay periods and dates (cutoff)• Holidays• Furlough days• Personnel policies and procedures• Salary information• Benefits payable due dates• Tax withholding due dates69

Internal Control Components70

Monitoring and Payroll• Are controls operating as intended• Unmonitored controls deteriorate over time• Monitoring should be ongoing71

Ongoing Monitoringand Payroll• Supervisory activities:‣Preventive control‣Detective control‣Examples:‣Reconciliations of payroll amounts‣Initial and date face of reconciliation‣Review employee information change forms foraccurate and timely posting72

Monitoring and Payroll• Separate Evaluations– Completed by persons outside of operationsafter the fact• External auditors• Internal auditors• Objective– Internal controls functioning properly– Provide communication tools for deficiencies73

SEGREGATION OF DUTIES74

What Is Segregation of Duties?• Segregation of duties (SoD) meansseparating the record-keeping functionfrom the operational responsibility of thatactivity and from those who exercisephysical control over the records75

What Is Segregation of Duties?DeliberatefraudmoredifficultLikely thatinnocenterrors willbe foundUsed to ensurethat errors orirregularities areprevented ordetected on atimely basis byemployees in thenormal course ofbusiness76

Categories of Duties to be Segregated77

Evaluating Segregation of DutiesAsk yourself…If I make an error in my work,will someone downstream ofme detect it before it becomesa major issue for managementand the taxpayers to readabout?78

Evaluating Segregation of DutiesFunction that is indispensable,potential subject to abuseDivide function into separatestepsAssign each step to a differentperson or different department79

Evaluating Segregation of DutiesAt a minimum, no person should be able toperform more than two of the functions. Thematrix illustration below presents various waysto assign responsibilities that are less than theoptimum.80

Mitigating or Compensating Controls• Reduces the risk of an existing or potentialcontrol weakness resulting in errors andomissions• Compensating controls are less desirablethan the segregation of duties• More resources are required to investigateand correct errors and to recover losses81

Mitigating or CompensatingControls• Types of compensating controls that canbe implemented:– Review reports of detail transactions– Review selected transactions– Take periodic asset counts– Check reconciliations82

Mitigating orCompensatingControls‣Management performsthe procedure‣Compensating controlscannot be delegated83

Segregation of Duties Checklist84

Segregation of Duties85

Segregation of Duties86

www.vinsoninstitute.org©2012 The Carl Vinson Institute of Government. All rights reserved.87