Direct deposit of payroll checks can open the door to theft. Also when one person is in control of payroll processes, danger lurks.
I was teaching a fraud prevention class this past Friday, and one of the participants, a school payroll clerk named Dawn, asked me to address how fraud might occur in her department. So I asked her a series of questions.
“Does your school use direct deposit?” She answered yes.
“Do you fully control the issuance of W-2s?” Dawn said yes.
“Who adds the direct deposit information to your payroll software?” She answered, “I do.”
“Can anyone else change the direct deposit file?” Her answer was no.
“Who controls the master pay rate file?” Here again, she was the only one who had rights to this payroll function.
Then I asked Dawn if she reconciles the bank statement. She said that Randy, a gentleman sitting in front of her, reconciles the account. I was also told that they have hundreds of employees.
How Can Dawn Steal?
I told the class that a person in Dawn’s position could steal in multiple ways. Here are a few:
- She can leave a terminated employee on the payroll and change that person’s bank account number to her own, allowing her to receive all payroll payments for the discontinued staff member. She can also alter the related W-2s to cover her tracks.
- She can change the master pay rate of any employee, including herself.
- She can inflate the hours worked for any employee.
How to Lessen Payroll Theft
After pointing out the flaws in internal control, I asked the class how they would reduce these threats. Angela (another student) sang out: “Create transparency by allowing another person to review or see what the payroll clerk is doing.” (This made me smile since I had been preaching this idea all morning.)
To lessen the threat of fraud, always ask, “how can I create transparency?” The answer will almost always involve allowing another individual to monitor the work of the primary persons in the process. And I am not proposing that this observing person be present 24/7—just that she periodically review the activity of the primary person (e.g., payroll clerk).
The monitoring person can be someone that works with the entity or someone from the outside (e.g., external CPA). Here are sample fraud prevention measures for the above-described threats:
- Download all the payroll records, including each employee and direct deposit bank account number; sort for identical bank account numbers (a same bank account number may mean that a terminated employee was left on the payroll, and their deposits are being routed to another person such as the payroll clerk)
- Have someone (other than the payroll clerk) pull the payroll personnel files for twenty employees and then compare the authorized pay rates (in the personnel file) to the payroll master file (in the software); tell the payroll clerk that this procedure will occur with some frequency and will happen without notice
- For hourly employees, have someone (other than the payroll clerk) pull the reported hours for two departments and review for appropriateness; inquire of the department head regarding any higher-than-normal hours
- Examine the W-2s of the payroll personnel
- Print a budget to actual salary report or a current year/prior year comparison of wages; provide the same to the governing body
- Report findings from these procedures to the governing body; do this at least once per year (regularity makes the payroll personnel think twice about theft)
By the way, the payroll clerk was the only person with access to the payroll master file. This is not necessarily a bad thing. You want to limit the number of persons with access to payroll master file, but a second person should monitor the payroll clerk’s inputs into the payroll software.
So what can you do in light of the above recommendations? Think about your own payroll system. Are there any potential threats to your payroll system?
If you’ve seen payroll fraud, please share a comment about how it happened.
Learn from the CPA Scribo newsletter!
Get my free weekly accounting and auditing digest with the latest content.