Auditing payroll is a critical skill. Today I explain how.
While payroll is often seen as a low-risk area, considerable losses can occur here. So, knowing how to audit payroll is important.
Auditing Payroll - An Overview
Payroll exceeds fifty percent of total expenses in many governments, nonprofits, and small businesses. Therefore, it is often a significant transaction area.
To assist you in understanding how to audit payroll, let me provide you with an overview of a typical payroll process.
First, understand that entities have payroll cycles (e.g., two weeks starting on Monday). Then, payments are made at the end of this period (e.g., the Tuesday after the two-week period). Also, understand that most organizations have salaried and hourly employees. Salaried personnel are paid a standard amount each payroll, and hourly employees earn their wages based on time.
Second, an authorized person (e.g., department head) hires a new employee at a specified rate (e.g., $80,000 per year).
Third, human resources assists the new-hire with the completion of payroll forms, including tax forms and elections to purchase additional benefits such as life insurance.
Fourth, a payroll department employee enters the approved wage in the accounting system. The employee’s bank account number is entered into the system (if direct deposit is used).
Fifth, employees clock in and out so that time can be recorded.
Sixth, once the payroll period is complete, a person (e.g., department supervisor) reviews and approves the recorded time.
Seventh, a second person (e.g., payroll supervisor) approves the overall payroll.
Eighth, the payroll department processes payments. Direct deposit payments are made (and everyone is happy).
In this article, we will cover the following:
- Primary payroll assertions
- Payroll walkthroughs
- Payroll fraud
- Payroll mistakes
- Directional risk for payroll
- Primary risks for payroll
- Common payroll control deficiencies
- Risk of material misstatement for payroll
- Substantive procedures for payroll
- Common payroll work papers
Primary Payroll Assertions
The primary relevant payroll assertions are:
I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, the company is saying that recorded payroll expenses are legitimate.
Additionally, payroll auditing requires an understanding of threats in light of these assertions. So how do I gain this knowledge? Payroll walkthroughs.
Perform a walkthrough of payroll to see if there are any control weaknesses. How? Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). And ask questions such as the following:
- Does the company have a separate payroll bank account?
- How often is payroll processed? What time period does the payroll cover? On what day is payroll paid?
- Who has the authority to hire and fire employees?
- What paperwork is required for a new employee? For a terminated employee?
- Is payroll budgeted?
- Who monitors the budget to actual reports? How often?
- Who controls payroll check stock? Where is it stored? Is it secure?
- If the company uses direct deposit, who keys the bank account numbers into the payroll system? Who can change those numbers?
- Do larger salary payments require multiple approvals?
- Who approves overtime payments?
- Who monitors compliance with payroll laws and regulations?
- Who processes payroll and how?
- Who signs checks or makes electronic payments? If physical checks are used, are they signed electronically (as checks are printed) or physically?
- How are payroll tax payments made? How often? Who makes them?
- Who creates the year-end payroll tax documents (e.g., W-2s) and how?
- What controls ensure the recording of payroll in the appropriate period?
- Are the following duties assigned to different persons:
- Approval of each payroll,
- Processing and recording payroll,
- The reconciliation of related bank statements
- Possession of processed payroll checks
- Ability to enter or change employee bank account numbers
- Ability to add employees to the payroll system or to remove them
- Who can add or remove employees from the payroll system? What is the process for adding and removing employees from the payroll system?
- Who can change the master pay rate file? Does the computer system provide an audit trail of those changes?
- Who approves salary rates and how?
- Who reconciles the payroll bank statements and how often?
- Who approves bonuses?
- What benefits (e.g., retirement accounts) does the company offer? Who pays for the benefits (e.g., employee) and how (e.g., payroll withholding)?
- Who reconciles the payroll withholding accounts and how often?
- Are any salaries capitalized rather than expensed? If yes, how and why?
- Are surprise payroll audits performed? If yes, by whom?
- Does the company outsource its payroll to a service organization? If yes, does the payroll company provide a service organization control (SOC) report? What are the service organization controls? What are the complementary controls (those performed by the employing company)?
Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).
If controls weaknesses exist, we create audit procedures to respond to them. For example, during the walkthrough, if we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will plan fraud-related substantive procedures.
As we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”
When payroll fraud occurs, understatements or overstatements of payroll expense may exist.
If a company desires to inflate its profit, it can—using bookkeeping tricks—understate its expenses. As (reported) costs go down, profits go up.
On the other hand, overstatements of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be.
Mistakes also lead to payroll misstatements. Payroll errors can occur when payroll personnel lack sufficient knowledge to carry out their duties. Additionally, misstatements occur when employees fail to perform internal control procedures such as reconciling bank statements.
Directional Risk for Payroll
The directional risk for payroll is an understatement. So, audit for completeness (determining that all payroll is recorded). Nevertheless, when payroll theft occurs (e.g., duplicate payments), overstatements can occur.
Primary Risks for Payroll
The primary payroll risks include:
- Payroll is intentionally understated
- Inappropriate parties receive payments
- Employees receive duplicate payments
As you think about these risks, consider the control deficiencies that allow payroll misstatements.
Common Payroll Control Deficiencies
In smaller entities, it is common to have the following control deficiencies:
- One person performs two or more of the following:
- Approves payroll payments to employees,
- Enters time or salary rates in the payroll system,
- Issues payroll checks or makes direct deposit payments,
- Adds or removes employees from the payroll system
- Reconciles the payroll bank account
- No one reviews and approves recorded time
- No one reviews and approves payroll before processing
- No one performs surprise audits of payroll
- Appropriate procedures for adding and removing employees are not present
- No one reviews the removal of terminated employees from payroll
- No one compares payroll expenses to a budget
(Here are suggestions to make your payroll controls stronger.)
Another key to auditing payroll is understanding the risks of material misstatement.
Risk of Material Misstatement for Payroll
In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my risk of material misstatement for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of payroll in the general ledger to quarterly 941s. Why? The company has an incentive to accurately file 941s since the returns are subject to audit by governmental authorities. So, if the 941s are correct, the reconciliation provides support for recorded payroll.
Additionally, consider theft which can occur in numerous ways, such as duplicate payments or ghost employees.
In a duplicate payment fraud, the thief, usually a payroll department employee, pays himself twice.
Ghost employees exist when payroll personnel leave a terminated employee on the payroll. Why would someone in the payroll department intentionally leave a terminated employee in the payroll system? To steal the second payment. How? By changing the terminated employee’s direct deposit bank account number to his own. The result? He receives two payments (his own and that of the terminated employee).
Once your payroll risk assessment is complete, decide what substantive procedures to perform.
Substantive Procedures for Auditing Payroll
My customary tests for auditing payroll are as follows:
- Reconcile 941s to payroll
- Recompute accrued payroll liability (amount recorded at period-end)
- Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
- Compare payroll expenses (including benefits) to budget and examine any unexplained variances
- When control weaknesses are present, design and perform procedures to address the related risks
- Compare accrued vacation to prior periods and current payroll activity
In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?
Common Payroll Work Papers
My payroll work papers normally include the following:
- An understanding of payroll-related internal controls
- Risk assessment of payroll at the assertion level
- Documentation of any payroll control deficiencies
- Payroll audit program
- Accrued salaries detail at period-end
- A summary of any significant payroll withholding accounts with supporting information
- A detail of vacation payable (if material) with comparisons to prior periods
- Budget to actual payroll reports
- A reconciliation of payroll in the general ledger to quarterly 941s
- Fraud-related payroll work papers (when needed)
In this article we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, assessing risks, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts and recompute salary accruals. Comparisons of payroll expenses are useful. Finally, if merited, I perform fraud-related payroll procedures.
In the next post in this series, we’ll look at how to audit debt.
Sounds like you are talking about a payroll service organization like ADP or Paychex. If you are, then you’ll need to obtain the SOC report from the payroll service provider. Such a report often includes an audit opinion on the internal controls as they relate to the payroll system; those opinions are usually provided by audit firms such as KPMG or PWC. See my SOC post: https://cpahalltalk.com/soc-report/
How do I audit a Payroll were the system is owned by a vendor
I don’t think classification is relevant because most businesses do a good job of allocating their payroll expenses appropriately. Completeness and occurence can be in play since there is a potential for businesses to intentionally understate their expenses (to increase their net income).
I don’t think classification is relevant because most businesses do a good job of allocating their payroll expenses appropriately. Completeness and occurrence can be in play since there is a potential for businesses to intentionally understate their expenses (to increase their net income).
You have provided a very helpful statement of the relevant assertions, thank you.
Is it fair to say that classification is not a particularly relevant assertion because of government taxation and reporting, that accuracy is not a particularly relevant assertion because employees will check their paystubs to make sure they are getting their due, and that completeness is not a particularly relevant assertion because employees will make sure that all of their hours are being recorded?
Thanks for your helpful feedback I appreciate your help. I’ve got some more questions about the auditor opinion towards the financial statements and I would be very grateful if you could answer them briefly. The questions are as follows:
1- If an auditor has been audited a firm for five years. In the past three years, their financial condition has steadily declined. In the current year, for the first time, the current ratio is below 2:1, which is the minimum requirement specified in the firm’s major loan agreement. Now the auditor have reservations about the ability of the firm Ltd to continue in operation for the next year. If the firm makes no disclosure regarding this issue, what audit opinion and/or modified wording should the auditor issue?
2- This scenario is different and independent from above one, if the auditor was unable to be present at the annual stock take of a company X due to airline disruption caused by flooding and storms around balance date. Inventory is a material balance sheet item for the company. The auditor have not been able to establish, through alternative procedures, the existence and valuation of inventory at balance date because the company does not keep perpetual inventory records. What audit opinion should the auditor issue here?
I would appreciate again your help in this regard, answering these questions will help me for my CPA exam.
Alex, it depends on what the weakness is. For example, if one person controls the removal of employees from payroll (upon termination) with no second person review and that same person can change the former employee’s bank account number to their own, then contol risk is high for the occurrence assertion. Then your risk of material misstatement Is probably high. In response, you’ll perform audit tests to look for potential duplicate payroll payments to one person (the payroll clerk). This is just an example. There are many ways payroll control weaknesses impact RMM and the audit procedures.
In case of auditing the payroll, if the auditor finds that the client’s internal controls surrounding payroll have been poorly designed and are assessed by the auditor as ineffective. How will this discovery impact on the elements of the audit risk model? and what will be the implications of this to the strategy adopted by the auditor for the audit of payroll?
I appreciate your help in this regards.
Jim, good fraud tests–something I should do more often. Thanks.
One test we do is to have the chief executive – assuming they aren’t involved in processing payroll – review the W2 forms, to make sure that they recognize all of the names, and that payroll amounts are reasonable. For small to medium size organizations, this is a pretty good test.