Auditing Payroll: The Why and How Guide

Here's an overview of how to audit payroll and related accounts

What are the keys to auditing payroll correctly? While payroll is often seen as a low-risk audit area, it’s a place where considerable damages can occur (such as the $800,000 theft I witnessed last year). Today, we’ll answer questions such as, “how should I test payroll?” and “when should I perform fraud-related payroll procedures?” 

auditing payroll

Picture from AdobeStock.com

Auditing Payroll — An Overview

In many governments, nonprofits, and small businesses payroll exceeds fifty percent of total expenses. Consequently, it is often a significant transaction area. 

In this post, we will cover the following:

  • Primary payroll assertions
  • Payroll walkthroughs
  • Directional risk for payroll
  • Primary risks for payroll
  • Common payroll control deficiencies
  • Risk of material misstatement for payroll
  • Substantive procedures for payroll
  • Common payroll work papers

Primary Payroll Assertions

The primary relevant payroll assertions are:

  • Completeness
  • Cutoff
  • Occurrence

I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, by recording payroll expenses, the company is saying they are legitimate.

Payroll Walkthroughs

Perform a walkthrough of payroll to see if there are any control weaknesses. Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). What questions should you ask? Here are a few.

Walkthrough Questions

In performing payroll walkthroughs, ask:

  • What is the location of payroll check stock?
  • If the company uses direct deposit, who keys the bank account numbers into the payroll system?
  • Who determines payroll expense classifications?
  • Do larger salary payments require multiple approvals?
  • Who processes payrolls and how? 
  • Who signs checks or makes electronic payments?
  • What controls ensure the recording of payroll in the appropriate period?
  • Is there adequate segregation of duties for persons:
    • Approving payment,
    • Processing payroll, 
    • Recording payroll, and 
    • Reconciling the related bank statements
  • Who can add employees to or remove employees from the payroll system?
  • What employees change the master pay rate file?
  • Who has the authority to hire employees?
  • What is the process for removing employees from the payroll system?
  • Who approves salary rates and how?
  • Does the company use a budget to track payroll expenses?
  • Who reconciles the payroll bank statements and how often?

Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).

If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures. 

Payroll Fraud

When payroll fraud occurs, understatements or overstatements of payroll expense may exist.

If a company desires to inflate its profit, it can—using bookkeeping tricks—understate is expenses. As (reported) costs go down, profits go up.

On the other hand, an overstatement of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be—assuming the company records both checks.

Payroll Mistakes

Another potential for payroll misstatement lies in mistakes. Payroll errors may occur when payroll personnel don’t possess sufficient knowledge to carry out their duties. 

So as we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?” 

Directional Risk for Payroll

The directional risk for payroll is an understatement. So, audit for completeness (and determine that all payroll is in the general ledger). Nevertheless, when theft occurs (e.g., duplicate payments), an overstatement of payroll can occur.  

Primary Risks for Payroll

The primary risks for payroll are:

  1. Payroll is intentionally understated 
  2. Inappropriate parties receive payments
  3. Employees receive duplicate payments

As you think about these risks, consider the control deficiencies that allow payroll misstatements.

Common Payroll Control Deficiencies

In smaller entities, it is common to have the following control deficiencies:

  • One person performs two or more of the following: 
    • Approves payroll payments to employees,
    • Enters time or salary rates in the payroll system, 
    • Issues payroll checks or makes direct deposit payments,  
    • Adds or removes employees from the payroll system
    • Reconciles the payroll bank account
  • A second person does not review the payroll before payment 
  • No one performs surprise audits of payroll 
  • Appropriate procedures for adding and removing employees are not present
  • No one compares payroll expenses to a budget

So what controls should be in place? Here’s a list of payroll controls from Steve Bragg.

Another key to auditing payroll is understanding the risks of material misstatement.

Risk of Material Misstatement for Payroll

In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my RMM for these assertions is usually moderate to high. 

My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of 941s to the payroll in the general ledger. Why? The company has an incentive to file 941s accurately since the returns are subject to audit by governmental authorities. Therefore, if the 941s are correct, then the reconciliation validates payroll.

auditing payroll

Picture from AdobeStock.com

Theft can occur in numerous ways—such as duplicate payments or ghost employees. If control weaknesses are present in the payroll cycle, consider performing fraud-related procedures. 

In a duplicate payment fraud, the thief—usually a payroll department employee—intentionally pays himself twice. 

Another fraud threat is that of leaving a terminated employee on the payroll—especially if the company uses direct deposit. A payroll department employee can change a terminated employee’s bank account number to his own. The result? Each payroll he receives two payments (his own and that of the terminated employee still in the system). In the first paragraph of this post, I mentioned an $800,000 payroll theft. This was the method used by the fraudster. The payroll clerk left multiple terminated employees in the system and changed their bank account numbers to her own.

Once your risk assessment is complete, you’ll decide what substantive procedures to perform.

Substantive Procedures for Payroll

My customary tests for auditing payroll are as follows:

  1. Reconcile 941s to payroll 
  2. Recompute accrued payroll 
  3. Review payroll withholding accounts for appropriateness and vouch subsequent payments for any significant amounts
  4. Compare payroll to budget and examine any unexplained variances 
  5. When control weaknesses are present, design and perform fraud detection procedures
  6. Compare accrued vacation to prior periods and current payroll activity 

In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?

Common Payroll Work Papers

My payroll work papers normally include the following:

  • An understanding of payroll-related internal controls 
  • Risk assessment of payroll at the assertion level
  • Documentation of any payroll control deficiencies
  • Payroll audit program
  • An accrued salaries detail at period-end
  • A summary of any significant payroll withholding accounts with supporting information
  • A detail of vacation payable (if material) with comparisons to prior periods
  • Budget to actual payroll reports
  • A reconciliation of 941s to the general ledger
  • Fraud-related payroll work papers (when needed)

In Summary

In summary, today we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, creating risk assessments, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts, and I recompute the salary accrual. Finally, if merited, I perform fraud-related payroll procedures.

Look for my next post in The Why and How of Auditing. Next week we’ll look at how to audit debt.

If you’ve missed my prior posts in this audit series, click here.

Learn from the CPA Scribo newsletter!

Get my free weekly accounting and auditing digest with the latest content.

Powered by ConvertKit

Please note: I reserve the right to delete comments that are offensive or off-topic.

Leave a Reply

Your email address will not be published. Required fields are marked *

5 thoughts on “Auditing Payroll: The Why and How Guide

  1. One test we do is to have the chief executive – assuming they aren’t involved in processing payroll – review the W2 forms, to make sure that they recognize all of the names, and that payroll amounts are reasonable. For small to medium size organizations, this is a pretty good test.

  2. In case of auditing the payroll, if the auditor finds that the client’s internal controls surrounding payroll have been poorly designed and are assessed by the auditor as ineffective. How will this discovery impact on the elements of the audit risk model? and what will be the implications of this to the strategy adopted by the auditor for the audit of payroll?

    I appreciate your help in this regards.

    • Alex, it depends on what the weakness is. For example, if one person controls the removal of employees from payroll (upon termination) with no second person review and that same person can change the former employee’s bank account number to their own, then contol risk is high for the occurrence assertion. Then your risk of material misstatement Is probably high. In response, you’ll perform audit tests to look for potential duplicate payroll payments to one person (the payroll clerk). This is just an example. There are many ways payroll control weaknesses impact RMM and the audit procedures.

      • Thanks for your helpful feedback I appreciate your help. I’ve got some more questions about the auditor opinion towards the financial statements and I would be very grateful if you could answer them briefly. The questions are as follows:

        1- If an auditor has been audited a firm for five years. In the past three years, their financial condition has steadily declined. In the current year, for the first time, the current ratio is below 2:1, which is the minimum requirement specified in the firm’s major loan agreement. Now the auditor have reservations about the ability of the firm Ltd to continue in operation for the next year. If the firm makes no disclosure regarding this issue, what audit opinion and/or modified wording should the auditor issue?

        2- This scenario is different and independent from above one, if the auditor was unable to be present at the annual stock take of a company X due to airline disruption caused by flooding and storms around balance date. Inventory is a material balance sheet item for the company. The auditor have not been able to establish, through alternative procedures, the existence and valuation of inventory at balance date because the company does not keep perpetual inventory records. What audit opinion should the auditor issue here?

        I would appreciate again your help in this regard, answering these questions will help me for my CPA exam.