
Page 1: The Atlas Companies Enterprise Risk Management Proposalneokapa.org/.../cha...controls___melinda_stinnett.pdf · Client serving for 10 years, primarily SOX Compliance in the energy

9/13/2017

1

©Stinnett & Associates LLC

CHA-CHING! PAYROLL CONTROLS THAT PAY OFF

Melinda Stinnett, CPA, CIA | Managing Director


September 15, 2017


PERSONAL INTRODUCTION

Bachelor’s Degree (Accounting) Oklahoma State University

Public accounting career for approximately 12 years (started Career with Price Waterhouse in Phoenix, next headed to McGladrey LLP in South Dakota, and then landed a job with Arthur Andersen in Tulsa, OK)

Establishment of Stinnett & Associates September 2001

Professional Interests

Love all things MARVEL, Thor is my favorite superhero!

I enjoy scuba diving.

The perfect breakfast: Merritt’s Chocolate Donut!

Family trips – most recently, climbed Mt. Fuji.


Personal Introduction

Graduated from Texas A&M with Bachelor’s and Master’s degrees in Accounting

Started with Stinnett in June 2004 after four years in public accounting

Client serving for 10 years, primarily SOX Compliance in the energy industry

CPA and CIA certifications

Transitioned to professional practice support in 2014

Manage Audit Methodology and Quality Assessment Program

Professional Interests

Attending kids’ sporting events

Friday family movie nights

Favorite Drink: Diet Dr. Pepper

Favorite Hobby: Planning vacations!


DISCLAIMER

• The comments and statements in this presentation are the opinions of the speakers and do not necessarily reflect the opinions or positions of Stinnett & Associates, LLC.

• This presentation is the property of Stinnett & Associates, LLC. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form without written permission from Stinnett & Associates, LLC.

• Stinnett & Associates, LLC expressly disclaims any liability in connection with the use of this presentation or its contents by any third party.


FIRM BACKGROUND


Stinnett & Associates, LLC (Stinnett) is a professional advisory firm which excels at maximizing value for both public and private organizations. Our services are designed to help clients more effectively manage risk and improve performance by streamlining processes, reducing costs, and enhancing controls.

Stinnett offers co-source and outsource solutions within a diverse range of services, including:

• Process Design and Re-engineering

• Internal Audit

• Governance, Risk and Compliance

• Sarbanes-Oxley

• Fraud Investigation

• Fraud Risk Assessment

• Cost Recovery

• Information Technology

• Enterprise Risk Management

Doing the Right Thing

Founded in 2001, Stinnett has grown to have offices in Dallas, Houston, Oklahoma City, San Antonio, and Tulsa. We provide services to several Fortune 1000 companies as well as many mid to large size organizations with global operations.

We are primarily recognized for offering relevant advisory assistance and exemplary client service with the unique ability to deliver what our clients need. Working toward solutions, we have a reputation for “doing the right thing.”

Stinnett is a certified Women’s Business Enterprise through the Women’s Business Enterprise National Council. We pride ourselves on being trusted business advisors who focus on assisting clients to reach strategic milestones positioning them for future success.


GETTING TO KNOW YOU

• How many years in payroll?

• Position in payroll department?

• Size of company?

• Type of company?

• Level of outsourcing?


LEARNING OBJECTIVES

• Discuss current payroll trends

• Identify objectives, risks, and internal controls over the payroll process

• Identify appropriate internal control procedures based on the size of the department


AGENDA

• Purpose of Internal Control

• Trends in Payroll

• Segregation of Duties

• Payroll Sub-Processes

-Objectives and Risks

-Expected Controls

-Best Practices and Continuous Monitoring


WHAT IS INTERNAL CONTROL?

• Under the COSO Internal Control-Integrated Framework, a widely used framework not only in the United States but around the world, internal control is broadly defined as:

“A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”


WHY PAYROLL INTERNAL CONTROL?

• Achieve Regulatory Compliance

• Identify and Create Operational Efficiencies

• Prevent and Detect Payroll Errors

• Improve Accuracy of Financial Reporting & Organizational Health

• Prevent and Detect Payroll Fraud


WHY INTERNAL CONTROL?


GROUND RULES

• Internal controls are not “one size fits all” and should be established to best suit your company and should consider:

-Nature of organizations and related businesses

-Size of staff

-Systems

-Risk tolerances

• Payroll trends are evolving and could alter your internal control structure

• Control examples included in presentation are not all-inclusive


SEGREGATION OF DUTIES

• Separating key functions in a process such that one employee does not have sole responsibility for a process

• Can be difficult and costly to fully implement, especially in small companies

-Smaller companies may need to implement more manual review controls to compensate for lack of personnel

• Four categories to be segregated: Authorization, Custody, Record-Keeping, and Reconciliation


SEGREGATION OF DUTIES - PAYROLL

Authorization

• Approval of New Hires

• Approval of Pay Rates

• Signing of Checks

Custody

• Access to Checks and Bank Accounts

• Mailing or Delivering Checks

Record Keeping

• Preparing Source Documents

• Maintaining Journals, Ledgers, Etc.

Reconciliation

• Preparing Bank Reconciliations

• Preparing Payroll Liability Reconciliations
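The four categories above can be checked mechanically against the role assignments in a payroll or ERP system: expand each user's roles into the duties they grant, map every duty to its category, and report any user who lands in more than one category. The following Python is an added example, not part of this presentation or Stinnett's material. The duty-to-category mapping follows the slide; the role names, user names and role contents are constructed for the demonstration.

```python
"""Segregation-of-duties conflict check for payroll roles.

Added example, not from the Stinnett deck. The four categories and the
duties under each follow the slide; the roles and users are constructed.
"""
from collections import defaultdict
from itertools import combinations

# Duty -> SoD category, following the four categories on the slide.
DUTY_CATEGORY = {
    "approve_new_hire": "Authorization",
    "approve_pay_rate": "Authorization",
    "sign_checks": "Authorization",
    "access_checks_bank": "Custody",
    "deliver_checks": "Custody",
    "prepare_source_docs": "Record Keeping",
    "maintain_ledgers": "Record Keeping",
    "bank_reconciliation": "Reconciliation",
    "payroll_liability_reconciliation": "Reconciliation",
}


def categories_held(duties):
    """Return the set of SoD categories covered by a list of duties."""
    unknown = [d for d in duties if d not in DUTY_CATEGORY]
    if unknown:
        raise ValueError(f"unknown duties: {unknown}")
    return {DUTY_CATEGORY[d] for d in duties}


def expand_roles(user_roles, role_duties):
    """Flatten role membership into a per-user duty list (hypothetical role model)."""
    assignments = defaultdict(list)
    for user, roles in user_roles.items():
        for role in roles:
            assignments[user].extend(role_duties[role])
    return dict(assignments)


def sod_conflicts(assignments):
    """assignments: {user: [duty, ...]}.

    Returns {user: ["CategoryA+CategoryB", ...]} for every user whose duties
    span two or more of Authorization / Custody / Record Keeping /
    Reconciliation. Each pair is a conflict that needs either a change of
    access or a documented compensating review control.
    """
    conflicts = {}
    for user, duties in assignments.items():
        cats = sorted(categories_held(duties))
        if len(cats) > 1:
            conflicts[user] = [f"{a}+{b}" for a, b in combinations(cats, 2)]
    return conflicts


# Constructed sample data (hypothetical roles and users).
ROLE_DUTIES = {
    "hr_manager": ["approve_new_hire", "approve_pay_rate"],
    "payroll_clerk": ["prepare_source_docs", "maintain_ledgers"],
    "treasury": ["access_checks_bank", "deliver_checks"],
    "accounting": ["bank_reconciliation", "payroll_liability_reconciliation"],
}
USER_ROLES = {
    "alice": ["hr_manager"],
    "bob": ["payroll_clerk"],
    "carol": ["payroll_clerk", "accounting"],  # records AND reconciles: conflict
    "dave": ["treasury", "hr_manager"],        # custody AND authorization: conflict
}

if __name__ == "__main__":
    for user, pairs in sod_conflicts(expand_roles(USER_ROLES, ROLE_DUTIES)).items():
        print(f"{user}: {', '.join(pairs)}")
```

In a small company the output of this check is the list of people whose work must be covered by the manual review controls the slide mentions; in a large company it is the input to the periodic access review, and the same function can be re-run against every access export so conflicts introduced by a role change are caught before the next payroll run.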


INTERNAL CONTROL - PAYROLL SUB-PROCESSES

• Employee Master File Maintenance

• Time Keeping and Payroll Processing

• Payroll Disbursements

• Financial Reporting


EMPLOYEE MASTER FILE MAINTENANCE


• Objective: All and only authorized additions, deletions, and changes to the employee master file are promptly and accurately recorded.

• Risks:

-Unauthorized or fictitious employees are added to the system

-Unauthorized changes (including pay rates, deductions, and other payroll benefits) are entered in the system

-Terminated employees are not removed from the system


EMPLOYEE MASTER FILE MAINTENANCE

• Limited access to employee master file

- Small company – If system does not allow for limited access, check signer should review employee master file for changes prior to each payroll run

- Large company – Access to employee master file within system is limited to appropriate individuals. Appropriate segregation of duties is expected. Periodic reviews of system access ensure access remains appropriate.

- If outsourced or cloud-sourced – Appropriate individual is responsible for validating accuracy and completeness of information sent to outsource agency or input to cloud software


EMPLOYEE MASTER FILE MAINTENANCE

• All new hires and changes to master file are documented and approved

- Small company – Signed authorization required for all changes to employee master file

- Large company – Responsibility for master file changes lies with HR and changes are interfaced to payroll system. Appropriate system access is maintained for both systems.

- If outsourced or cloud-sourced - Appropriate individual is responsible for validating accuracy and completeness of information sent to outsource agency or input into cloud software


EMPLOYEE MASTER FILE MAINTENANCE

• Terminations are recorded timely and access to systems is promptly removed.

- Small company – Completion of a Termination Checklist for each termination ensures prompt removal from payroll

- Large company – Interface between HR and payroll systems ensures changes made by HR are recognized in payroll timely. Termination notices are sent to HR by supervisors.

- If outsourced or cloud-sourced - Appropriate individual is responsible for validating accuracy and completeness of information sent to outsource agency or input into cloud software


EMPLOYEE MASTER FILE MAINTENANCE

• Best Practices and Continuous Monitoring Opportunities

- Compare new employees with existing employee data (duplicate SSN, address, bank routing and account number)

- Compare employee data to vendor data

- Approval limits within the system for pay rate changes to protect from data entry errors

- Periodic reconciliation between HR and Payroll master files if separate systems are utilized

- If outsourced or cloud-sourced, HR system is interfaced to outsourced system to streamline changes
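The comparisons listed above, together with the HR-to-payroll reconciliation and the terminated-but-still-active check from the earlier master file slides, are simple enough to script against exports of the two systems and run before every payroll. The Python below is an added example, not part of this presentation or Stinnett's material; the record layout, field names and every employee and vendor record are constructed for the demonstration.

```python
"""Continuous-monitoring checks over the employee master file.

Added example, not from the Stinnett deck. Implements the comparisons on the
slide: duplicate SSN / address / bank account among employees, employee data
matching vendor data, pay-rate changes beyond an approval limit, and HR vs
payroll master reconciliation. Field names and all records are constructed.
"""
from collections import defaultdict


def duplicate_attributes(employees):
    """Groups of employees sharing an SSN, a normalised address, or the same
    bank routing+account. Returns {attribute: [[emp_id, ...], ...]}, groups of 2+ only."""
    keys = {
        "ssn": lambda e: e["ssn"],
        "address": lambda e: e["address"].lower().strip(),
        "bank": lambda e: (e["routing"], e["account"]),
    }
    out = {}
    for name, key in keys.items():
        groups = defaultdict(list)
        for e in employees:
            groups[key(e)].append(e["id"])
        dupes = [ids for ids in groups.values() if len(ids) > 1]
        if dupes:
            out[name] = dupes
    return out


def employee_vendor_matches(employees, vendors):
    """Employees whose bank account or address also appears on a vendor record.

    A hit is not proof of fraud, but it is the trace a fictitious employee or a
    related-party vendor leaves behind, so each one should be reviewed."""
    by_bank = {(v["routing"], v["account"]): v["id"] for v in vendors}
    by_addr = {v["address"].lower().strip(): v["id"] for v in vendors}
    hits = []
    for e in employees:
        bank, addr = (e["routing"], e["account"]), e["address"].lower().strip()
        if bank in by_bank:
            hits.append((e["id"], by_bank[bank], "bank"))
        if addr in by_addr:
            hits.append((e["id"], by_addr[addr], "address"))
    return hits


def pay_rate_changes_over_limit(changes, max_pct):
    """Rate changes whose percentage move exceeds the system approval limit;
    a 10x jump is far more often a keying error than a real raise."""
    flagged = []
    for c in changes:
        pct = (c["new_rate"] - c["old_rate"]) / c["old_rate"] * 100
        if abs(pct) > max_pct:
            flagged.append((c["id"], round(pct, 1)))
    return flagged


def reconcile_hr_payroll(hr, payroll):
    """Compare HR (system of record) with the payroll master file.

    Reports ids in payroll that HR does not know, employees terminated in HR
    but still active in payroll, and pay rates that differ between systems."""
    hr_by_id = {r["id"]: r for r in hr}
    result = {"not_in_hr": [], "terminated_still_active": [], "rate_mismatch": []}
    for p in payroll:
        h = hr_by_id.get(p["id"])
        if h is None:
            result["not_in_hr"].append(p["id"])
        elif h["status"] == "terminated" and p["status"] == "active":
            result["terminated_still_active"].append(p["id"])
        elif h["rate"] != p["rate"]:
            result["rate_mismatch"].append((p["id"], h["rate"], p["rate"]))
    return result


# Constructed sample records (hypothetical employees, vendors and changes).
EMPLOYEES = [
    {"id": "E1", "ssn": "111-22-3333", "address": "10 Main St", "routing": "021000021", "account": "1001"},
    {"id": "E2", "ssn": "222-33-4444", "address": "12 Oak Ave", "routing": "021000021", "account": "1002"},
    {"id": "E3", "ssn": "111-22-3333", "address": "10 main st ", "routing": "021000021", "account": "1001"},
]
VENDORS = [{"id": "V9", "address": "99 Industrial Pkwy", "routing": "021000021", "account": "1002"}]
RATE_CHANGES = [
    {"id": "E1", "old_rate": 20.00, "new_rate": 21.00},
    {"id": "E2", "old_rate": 20.00, "new_rate": 200.00},  # probable keying error
]
HR = [{"id": "E1", "status": "active", "rate": 21.00}, {"id": "E2", "status": "terminated", "rate": 20.00}]
PAYROLL = [
    {"id": "E1", "status": "active", "rate": 21.00},
    {"id": "E2", "status": "active", "rate": 20.00},  # never removed after termination
    {"id": "E3", "status": "active", "rate": 18.00},  # no HR record at all
]

if __name__ == "__main__":
    print(duplicate_attributes(EMPLOYEES))
    print(employee_vendor_matches(EMPLOYEES, VENDORS))
    print(pay_rate_changes_over_limit(RATE_CHANGES, max_pct=25))
    print(reconcile_hr_payroll(HR, PAYROLL))
```

The address comparison normalises case and whitespace only; a production version would also canonicalise abbreviations (St/Street) before comparing, otherwise a fictitious employee entered with a slightly different spelling slips through. When payroll is outsourced, the same reconciliation runs between the HR export and the file the provider reports back, which is the validation step the outsourced/cloud-sourced bullets call for.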


TIME KEEPING AND PAYROLL PROCESSING


TIME KEEPING

• Objective: Total labor time and costs are properly authorized, controlled, and recorded.

• Risks:

-Unapproved hours worked or absences are recorded and paid.

-Hours worked (including overtime) are over/under stated on the time sheet.

-Duplicate time sheets are submitted.


TIME KEEPING

• Time sheets are approved by a supervisor prior to submission to payroll.

- Small company – Time sheets are signed by employee and supervisor prior to entry into payroll.

- Large company – E-timesheets requiring dual electronic approval by employee and supervisor prior to payroll processing.

- If outsourced or cloud sourced – Timesheets/payroll data should be sent to outsourcing agency by authorized individuals only, or timekeeping system interfaces with outsource or cloud system such that only approved timesheets are processed.


PAYROLL PROCESSING

• Objective: Gross pay and deductions from pay are properly calculated and recorded.

• Risks:

-Payments are made to fictitious, unauthorized, or terminated persons.

-Duplicate payments are made to the same employee.

-Pay amount, including pay rate, regular and overtime hours, and deductions, is incorrectly calculated.


PAYROLL PROCESSING

• Processed payroll data is reviewed for accuracy prior to payment

- Small company – Payroll reports are reviewed for changes, new employees and reasonableness of net payment prior to authorizing payment. Agreement to control totals is verified to ensure completeness of payroll processing.

- Large company – Comparative payroll analysis by pay groups/divisions, etc. is performed after each payroll processing to identify significant or unusual payroll variances.

- If outsourced or cloud sourced – Authorized individual should review provided payroll reports for reasonableness and agreement to check figures prior to authorization of payment.


TIME KEEPING AND PAYROLL PROCESSING

• Continuous Monitoring Opportunities

-Exception reports for payroll changes beyond certain parameters

• Overtime hours significantly above normal for an employee

• Lack of overtime based on position

• Consistent hours for non-salaried employees

• Timecards with less than standard hours

• Unusual or excessive pay amounts outside of set parameters
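Each of the exception reports above is a short query over the time and pay data once the parameters are written down, and the duplicate-timesheet and control-total checks from the earlier time keeping and processing slides fit the same pattern. The Python below is an added example, not part of this presentation or Stinnett's material. The standard 40-hour period, the overtime threshold, the set of overtime-typical positions, the field names and all timesheet and pay records are constructed for the demonstration.

```python
"""Exception reports over time keeping and payroll processing data.

Added example, not part of the Stinnett deck. Each function is one of the
monitoring tests named on the slide, plus the duplicate-timesheet and
control-total checks from the earlier time keeping and processing slides.
Thresholds, the standard week, field names and all records are constructed.
"""
from collections import Counter, defaultdict
from statistics import median

STANDARD_HOURS = 40.0          # regular hours per pay period (assumption)
OT_POSITIONS = {"warehouse"}   # positions that normally record overtime (assumption)


def by_employee(sheets):
    out = defaultdict(list)
    for s in sheets:
        out[s["emp"]].append(s)
    return out


def duplicate_timesheets(sheets):
    """(employee, period) pairs submitted more than once."""
    counts = Counter((s["emp"], s["period"]) for s in sheets)
    return sorted(k for k, n in counts.items() if n > 1)


def overtime_outliers(sheets, factor=3.0, floor=4.0):
    """Periods where OT is at least `factor` times the employee's own median OT
    and above `floor` hours (the floor keeps 1h against a 0h median from firing)."""
    flags = []
    for emp, rows in by_employee(sheets).items():
        med = median(r["ot"] for r in rows)
        for r in rows:
            if r["ot"] > floor and r["ot"] >= factor * max(med, 1.0):
                flags.append((emp, r["period"], r["ot"]))
    return flags


def missing_overtime(sheets, positions):
    """Employees in positions that normally carry overtime but recorded none."""
    return sorted(emp for emp, rows in by_employee(sheets).items()
                  if positions[emp] in OT_POSITIONS and all(r["ot"] == 0 for r in rows))


def invariant_hourly(sheets, salaried, min_periods=4):
    """Hourly employees whose total hours never vary across the periods seen:
    the signature of a ghost employee or of rubber-stamped timesheets."""
    return sorted(emp for emp, rows in by_employee(sheets).items()
                  if emp not in salaried and len(rows) >= min_periods
                  and len({r["hours"] + r["ot"] for r in rows}) == 1)


def short_timecards(sheets, standard=STANDARD_HOURS):
    """Timecards below the standard hours for the period."""
    return [(s["emp"], s["period"], s["hours"]) for s in sheets if s["hours"] < standard]


def pay_outside_parameters(pay, max_net, ot_multiplier=1.5):
    """Net pay above the ceiling, or gross pay that does not recompute from
    rate x (regular hours + multiplier x OT hours), rounded to cents."""
    flags = []
    for p in pay:
        expected = round(p["rate"] * (p["hours"] + ot_multiplier * p["ot"]), 2)
        if p["net"] > max_net or round(p["gross"], 2) != expected:
            flags.append((p["emp"], p["period"], p["gross"], expected))
    return flags


def control_totals(rows):
    """(record count, total hours incl. OT, total gross). Compute once on the
    data submitted and once on what the system reports back; they must agree."""
    return (len(rows), round(sum(r["hours"] + r["ot"] for r in rows), 2),
            round(sum(r.get("gross", 0.0) for r in rows), 2))


# Constructed sample data (hypothetical employees and pay periods).
POSITIONS = {"E1": "office", "E3": "warehouse", "E4": "warehouse"}
SALARIED = set()
SHEETS = (
    [{"emp": "E1", "period": p, "hours": 40, "ot": o} for p, o in enumerate([2, 3, 2, 20], 1)]
    + [{"emp": "E3", "period": p, "hours": 40, "ot": 0} for p in range(1, 5)]       # never varies, no OT
    + [{"emp": "E4", "period": p, "hours": h, "ot": 5} for p, h in enumerate([40, 24, 40, 40], 1)]
    + [{"emp": "E4", "period": 4, "hours": 40, "ot": 5}]                            # duplicate submission
)
PAY = [
    {"emp": "E1", "period": 4, "rate": 20.0, "hours": 40, "ot": 20, "gross": 1400.0, "net": 1100.0},
    {"emp": "E4", "period": 4, "rate": 18.0, "hours": 40, "ot": 5, "gross": 1855.0, "net": 1500.0},  # gross keyed wrong
]

if __name__ == "__main__":
    print("duplicate timesheets:", duplicate_timesheets(SHEETS))
    print("overtime outliers:", overtime_outliers(SHEETS))
    print("no overtime where expected:", missing_overtime(SHEETS, POSITIONS))
    print("invariant hourly:", invariant_hourly(SHEETS, SALARIED))
    print("short timecards:", short_timecards(SHEETS))
    print("pay outside parameters:", pay_outside_parameters(PAY, max_net=5000.0))
    print("control totals:", control_totals(PAY))
```

The overtime test compares each employee to their own history rather than to a company-wide average, which is what "significantly above normal for an employee" asks for; a fixed company threshold would miss a clerk whose overtime tripled but still sits below the warehouse norm. The control-total tuple is the check figure the small-company and outsourced bullets refer to: it is computed on the file as submitted and again on the processed register, and the payment is not authorized until the two agree.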


PAYROLL DISBURSEMENT


• Objectives:

- All payroll disbursements (payments made) are properly authorized and relate to valid employees and their work performed.

- Control is maintained over check stock and other cash disbursement technology.

• Risks:

- Payroll payments are not recorded or are recorded in the incorrect account.

- Payments are made to fictitious employees or disbursements are made without proper authorization.

- Cash disbursements recorded do not agree with amounts paid by the bank.


PAYROLL DISBURSEMENTS

• Check stock should be properly secured

-Small company – Check stock should be maintained in locked cabinet/closet, and key is kept in custody of authorized individual. Direct deposit should be encouraged.

-Large company – Direct deposit should be required, or check stock that is maintained is blank until printed.

- If outsourced or cloud sourced – Check stock is maintained on site of third-party, payments are returned to authorized person at company.


PAYROLL DISBURSEMENTS

• Bank account balances are monitored frequently and reconciled timely.

-Small company – Payroll bank accounts are reconciled monthly

-Large company – Cash accounts are monitored daily. Imprest accounts may be utilized.

- If outsourced or cloud sourced – Maintain authorized access to accounts by third-party.
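The disbursement objectives and risks on the preceding slides reduce to a three-way match: every line in the direct deposit file must trace back to an approved line on the payroll register, go to the account held on the master file, and clear at the bank for the same amount, and nothing the bank paid may be absent from the file. The Python below is an added example, not part of this presentation or Stinnett's material. The register, file and bank-statement layouts and every record in them are constructed; a real direct deposit file is a fixed-width NACHA file, and parsing that format is outside this example.

```python
"""Three-way match: approved payroll register vs direct deposit (ACH) file
vs the bank's cleared items.

Added example, not from the Stinnett deck. Addresses the disbursement risks
on the slides: payments to people not on the approved register, amounts or
accounts that differ from what was authorized, and recorded disbursements
that do not agree with what the bank paid. All layouts and data are constructed.
"""


def index_by(rows, key):
    """Map key -> row, also returning keys that occur more than once."""
    seen, dupes = {}, []
    for r in rows:
        if r[key] in seen:
            dupes.append(r[key])
        seen[r[key]] = r
    return seen, dupes


def match_register_to_ach(register, ach, master):
    """register: approved net pay per employee; ach: what was sent to the bank;
    master: employee id -> (routing, account) from the employee master file."""
    reg, reg_dupes = index_by(register, "emp")
    sent, ach_dupes = index_by(ach, "emp")
    findings = {
        "duplicate_register": reg_dupes,
        "duplicate_ach": ach_dupes,
        "unauthorized_ach": sorted(set(sent) - set(reg)),   # paid but never approved
        "approved_not_paid": sorted(set(reg) - set(sent)),
        "amount_mismatch": [],
        "account_mismatch": [],
    }
    for emp in sorted(set(reg) & set(sent)):
        if round(reg[emp]["net"], 2) != round(sent[emp]["amount"], 2):
            findings["amount_mismatch"].append((emp, reg[emp]["net"], sent[emp]["amount"]))
        if (sent[emp]["routing"], sent[emp]["account"]) != master.get(emp):
            findings["account_mismatch"].append(emp)         # deposit diverted from the file of record
    return findings


def match_ach_to_bank(ach, bank_items):
    """Compare the ACH file with what the bank cleared, item by item on the
    trace number, and in total."""
    sent = {r["trace"]: r["amount"] for r in ach}
    cleared = {b["trace"]: b["amount"] for b in bank_items}
    return {
        "cleared_not_sent": sorted(set(cleared) - set(sent)),
        "sent_not_cleared": sorted(set(sent) - set(cleared)),
        "amount_differs": sorted(t for t in set(sent) & set(cleared)
                                 if round(sent[t], 2) != round(cleared[t], 2)),
        "ach_total": round(sum(sent.values()), 2),
        "bank_total": round(sum(cleared.values()), 2),
    }


# Constructed sample data (hypothetical employees, file and statement).
MASTER = {"E1": ("021000021", "1001"), "E2": ("021000021", "1002"), "E3": ("021000021", "1003")}
REGISTER = [{"emp": "E1", "net": 1100.00}, {"emp": "E2", "net": 950.00}, {"emp": "E3", "net": 1210.50}]
ACH = [
    {"emp": "E1", "amount": 1100.00, "routing": "021000021", "account": "1001", "trace": "T1"},
    {"emp": "E2", "amount": 950.00, "routing": "021000021", "account": "9999", "trace": "T2"},  # account changed
    {"emp": "E3", "amount": 1210.50, "routing": "021000021", "account": "1003", "trace": "T3"},
    {"emp": "E7", "amount": 800.00, "routing": "021000021", "account": "7777", "trace": "T4"},  # not on register
]
BANK = [
    {"trace": "T1", "amount": 1100.00},
    {"trace": "T2", "amount": 950.00},
    {"trace": "T4", "amount": 800.00},
    {"trace": "T5", "amount": 300.00},   # bank paid an item the file never contained
]

if __name__ == "__main__":
    print(match_register_to_ach(REGISTER, ACH, MASTER))
    print(match_ach_to_bank(ACH, BANK))
```

The register-to-file match is the control that belongs before the file is released (the "authorized individual reviews the output" step); the file-to-bank match is the reconciliation the slide asks for monthly or daily. The account comparison against the master file is what catches a deposit account edited in the file after approval, which neither the amount total nor the employee count would reveal.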


FINANCIAL REPORTING


• Objective:

- Payroll expenses and related liabilities are recorded appropriately

- All accruals for payroll wages, taxes, and deductions are recorded timely and are reasonably estimated.

• Risks:

- Payroll expenses and/or related payroll liabilities (including accrued wages) are calculated or recorded incorrectly.

- Journal entries are made for payroll or related accruals which are inaccurate or inappropriate.


FINANCIAL REPORTING

• Payroll reports are reconciled to the general ledger after each payroll is generated.

-Small company – Payroll-related accounts are reconciled timely and reviewed by appropriate personnel.

-Large company - Payroll-related accounts are reconciled timely and reviewed by appropriate personnel.

- If outsourced or cloud-sourced - Payroll-related accounts are reconciled timely and reviewed by appropriate personnel.


FINANCIAL REPORTING

• All journal entries are reviewed and approved by the appropriate supervisor.

-Small company – If limited personnel prevents review of individual journal entries, then a monthly general ledger review by an appropriate employee must be performed.

-Large company - Journal entries must be reviewed and approved by someone other than the preparer prior to entry.

- If outsourced or cloud sourced - Journal entries must be reviewed and approved by someone other than the preparer prior to entry.


FINANCIAL REPORTING

• Monthly review of payroll expense as compared to budget, prior year expenses, etc., is performed. Significant or unusual variances are explained.

- Small company - A monthly payroll expense review by an appropriate employee must be performed, and explanations are obtained for significant or unusual variances.

- Large company - A monthly payroll expense review by an appropriate employee must be performed, and explanations are obtained for significant or unusual variances.

- If outsourced or cloud sourced - A monthly payroll expense review by an appropriate employee must be performed, and explanations are obtained for significant or unusual variances.


FINANCIAL REPORTING

• Best Practices or Continuous Monitoring Opportunities

-Payroll expense trend analysis over various time frames to identify normal seasonal variances, making unusual variances easier to detect.

-Perform a periodic payroll audit to verify payment amounts, deductions, and withholdings are all accurate.
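The monthly expense review on the preceding slide and the trend analysis above are the same computation: compare each month's actual payroll expense with budget and with the same month of the prior year, and use the historical share of each calendar month to tell a normal seasonal peak from a genuine variance. The Python below is an added example, not part of this presentation or Stinnett's material. The variance thresholds and every monthly figure are constructed for the demonstration.

```python
"""Monthly payroll expense review: actual vs budget and vs the same month of
the prior year, plus a seasonal index from history so that a month that is
always high is not reported as unusual.

Added example, not from the Stinnett deck. Thresholds and all figures are constructed.
"""


def variance(actual, base):
    """(difference, percent) of actual against a baseline; percent is None
    when the baseline is zero (a new pay group, for instance)."""
    diff = round(actual - base, 2)
    pct = None if base == 0 else round(diff / base * 100, 1)
    return diff, pct


def payroll_expense_review(actual, budget, prior_year, pct_threshold=10.0, abs_threshold=25000.0):
    """actual / budget / prior_year: {month: amount} for one department.

    A month is flagged when its variance against either baseline exceeds BOTH
    thresholds: the percentage alone would flag a tiny pay group every month,
    the amount alone would flag a large one for trivial drift. Each flag is a
    variance the reviewer must obtain an explanation for."""
    flags = []
    for month in sorted(actual):
        for name, base in (("budget", budget), ("prior_year", prior_year)):
            if month not in base:
                continue
            diff, pct = variance(actual[month], base[month])
            if pct is not None and abs(pct) > pct_threshold and abs(diff) > abs_threshold:
                flags.append({"month": month, "vs": name, "diff": diff, "pct": pct})
    return flags


def seasonal_index(history):
    """history: {(year, month): amount}. Average share of each year's total
    that falls in each calendar month; a March at 0.5 every year is a bonus
    run, not an exception, and the review should expect it."""
    by_year = {}
    for (year, month), amount in history.items():
        by_year.setdefault(year, {})[month] = amount
    shares = {}
    for months in by_year.values():
        total = sum(months.values())
        for month, amount in months.items():
            shares.setdefault(month, []).append(amount / total)
    return {m: round(sum(v) / len(v), 4) for m, v in shares.items()}


# Constructed monthly payroll expense for one department (hypothetical).
ACTUAL = {1: 400000.0, 2: 405000.0, 3: 520000.0, 4: 410000.0}
BUDGET = {1: 400000.0, 2: 400000.0, 3: 500000.0, 4: 400000.0}   # March bonus run budgeted
PRIOR = {1: 380000.0, 2: 385000.0, 3: 480000.0, 4: 470000.0}    # April hiring wave last year
HISTORY = {(2015, 1): 100000.0, (2015, 2): 100000.0, (2015, 3): 200000.0,
           (2016, 1): 110000.0, (2016, 2): 110000.0, (2016, 3): 220000.0}

if __name__ == "__main__":
    for flag in payroll_expense_review(ACTUAL, BUDGET, PRIOR):
        print(flag)
    print(seasonal_index(HISTORY))
```

In the constructed data March is 30% above January but is not flagged, because budget and prior year both carry the same peak; April is flagged only against the prior year, which is exactly the kind of variance (a hiring wave that did not repeat) the reviewer should document rather than investigate as an error.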


PAYROLL TRENDS

• Outsourcing

• Cloud-Sourcing or Software as a Service

• Accessing Payroll Information from Mobile Devices

• Data Security

• Paycards


THIRD PARTY PAYROLL PROVIDERS

• Outsourcing payroll activities does not result in outsourced risk!

-Access to third-party administrator (TPA) systems must be appropriately limited

-Data transmission must be verified for accuracy and completeness

-Review of TPA SOC 1 (SSAE 18) report on an annual basis to ensure TPA control environment meets the internal control objectives of your organization


THIRD PARTY PAYROLL PROVIDERS

• SOC 1 Report User Control Consideration Examples

- Data Input – validating information sent is complete and accurate

- Processing – ensuring payroll data is ready to process prior to submission

- Data Output – reviewing output for discrepancies and verifying direct deposit files are accurate

- Logical Access – maintaining appropriate access to the TPA system

- Client Inquiries – timely notification of any changes to authorized personnel


SPECIAL CIRCUMSTANCES - EMPLOYEE ADVANCES

• Need to track advance and repayments

- Risk of errors in recordkeeping

- Time consuming to track individual advance amounts and repayment

• Employee may terminate prior to repayment of advance

- Federal or state law may prohibit employer from withholding advance from last paycheck

• If company offers employee advances

- Consult with employment attorney

- Have an explicit policy regarding advances


SPECIAL CIRCUMSTANCES - EXPENSE REPORTS

• If reimbursed through payroll, must be aware of tax implications

-Ensure expense is valid business expense

-Consideration of per-diem amounts vs. actual amounts (if larger than per-diem, may be considered excess wages subject to payroll taxes)

-Timeliness of expense reimbursement

-Use of proper expense reports with proper approval is essential for recordkeeping and audit tracking


QUESTIONS


www.STINNETT-ASSOCIATES.com | 888.808.1795

Stinnett & Associates

8811 S. Yale Ave., Suite 300

Tulsa, OK 74137

Main Number 918.728.3300

[email protected]