What are the keys to auditing payroll correctly? While payroll is often seen as a low-risk audit area, it’s a place where considerable damages can occur (such as the $800,000 theft I witnessed last year). Today, we’ll answer questions such as, “how should I test payroll?” and “when should I perform fraud-related payroll procedures?”
In many governments, nonprofits, and small businesses payroll exceeds fifty percent of total expenses. Consequently, it is often a significant transaction area.
In this post, we will cover the following:
The primary relevant payroll assertions are:
I believe—in general—completeness and cutoff (for accrued payroll liabilities) and occurrence (for payroll expenses) are the most important payroll assertions. When a company accrues payroll liabilities at period-end, it is asserting that they are complete and that they are recorded in the right period. Additionally, by recording payroll expenses, the company is saying they are legitimate.
Perform a walkthrough of payroll to see if there are any control weaknesses. Walk transactions from the beginning (the hiring of an employee) to the end (a payroll payment and posting). What questions should you ask? Here are a few.
In performing payroll walkthroughs, ask:
Moreover, as we ask these questions, we need to inspect documents (e.g., payroll ledger) and make observations (e.g., who signs checks or makes electronic payments?).
If controls weaknesses exist, we create audit procedures to respond to them. For example, if—during the walkthrough—we see that one person prints and signs checks, records payments, and reconciles the bank statement, then we will perform fraud-related substantive procedures.
When payroll fraud occurs, understatements or overstatements of payroll expense may exist.
If a company desires to inflate its profit, it can—using bookkeeping tricks—understate is expenses. As (reported) costs go down, profits go up.
On the other hand, an overstatement of payroll can occur when theft is present. For example, if a payroll accountant pays himself twice, payroll expenses are higher than they should be—assuming the company records both checks.
Another potential for payroll misstatement lies in mistakes. Payroll errors may occur when payroll personnel don’t possess sufficient knowledge to carry out their duties.
So as we perform payroll walkthroughs, we are asking, “What can go wrong—whether intentionally or by mistake?”
The directional risk for payroll is an understatement. So, audit for completeness (and determine that all payroll is in the general ledger). Nevertheless, when theft occurs (e.g., duplicate payments), an overstatement of payroll can occur.
The primary risks for payroll are:
As you think about these risks, consider the control deficiencies that allow payroll misstatements.
In smaller entities, it is common to have the following control deficiencies:
So what controls should be in place? Here’s a list of payroll controls from Steve Bragg.
Another key to auditing payroll is understanding the risks of material misstatement.
In auditing payroll, the assertions that concern me the most are completeness, occurrence, and cutoff. So my RMM for these assertions is usually moderate to high.
My response to higher risk assessments is to perform certain substantive procedures: namely, a reconciliation of 941s to the payroll in the general ledger. Why? The company has an incentive to file 941s accurately since the returns are subject to audit by governmental authorities. Therefore, if the 941s are correct, then the reconciliation validates payroll.
Theft can occur in numerous ways—such as duplicate payments or ghost employees. If control weaknesses are present in the payroll cycle, consider performing fraud-related procedures.
In a duplicate payment fraud, the thief—usually a payroll department employee—intentionally pays himself twice.
Another fraud threat is that of leaving a terminated employee on the payroll—especially if the company uses direct deposit. A payroll department employee can change a terminated employee’s bank account number to his own. The result? Each payroll he receives two payments (his own and that of the terminated employee still in the system). In the first paragraph of this post, I mentioned an $800,000 payroll theft. This was the method used by the fraudster. The payroll clerk left multiple terminated employees in the system and changed their bank account numbers to her own.
Once your risk assessment is complete, you’ll decide what substantive procedures to perform.
My customary tests for auditing payroll are as follows:
In light of my risk assessment and substantive procedures, what payroll work papers do I normally include in my audit files?
My payroll work papers normally include the following:
In summary, today we looked at the keys to auditing payroll. Those keys include risk assessment procedures, determining relevant assertions, creating risk assessments, and developing substantive procedures. My go-to substantive procedure is to reconcile payroll to 941s. I also review payroll withholding accounts, and I recompute the salary accrual. Finally, if merited, I perform fraud-related payroll procedures.
Look for my next post in The Why and How of Auditing. Next week we’ll look at how to audit debt.
If you’ve missed my prior posts in this audit series, click here.
Get my free weekly accounting and auditing digest with the latest content.
Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses.He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events.Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.
Please log in again. The login page will open in a new window. After logging in you can close it and return to this page.
Sign up for my