Bloomberg Tax
Free Newsletter Sign Up
Bloomberg Tax
Free Newsletter Sign Up

Global Payroll Processes Require Careful Risk Controls

June 22, 2022, 8:08 PM

Identifying risks and developing control mechanisms, as well as documenting the controls and other processes, is crucial to any global payroll project, a practitioner said June 22.

But first global payroll teams should draft a purpose statement to provide direction and also determine objectives to define what their success is, Max van der Klis-Busink, RPP, senior global payroll manager at Zoom, said.

“I haven’t come across a lot of payroll/global payroll functions that have actually drafted a purpose statement,” van der Klis-Busink said, adding that he has noticed the statements becoming more common.

Objectives such as effectiveness and efficiency of services and responses to employee inquiries should also be documented and monitored through key performance indicators, van der Klis-Busink said.

Global payroll processes are commonly outsourced and “most of our headaches” are in the prepayroll data review and entry steps, which also takes up the most time compared to the rest of the process, van der Klis-Busink said. He recommended putting together and maintaining a flowchart for each part of the process, including prepayroll, running payroll, and post-payroll, as well as noncyclical processes.

“But generally, that’s also not enough,” van der Klis-Busink said, because additional documentation is required. He also recommended making checklists for each part of the process, a payroll calendar that is easily accessible and live, and documentation of country-specific requirements.

“Supplement, document, make sure you grab it,” van der Klis-Busink said, speaking at the American Payroll Association’s 2022 Virtual Congress.

Risk and Control

Van der Klis-Busink defined a risk as the possibility of an event occurring that would adversely affect achievement of an objective, while defining controls as processes that mitigate one or more risks. Controls must mitigate a risk, he said.

Risks should be continuously identified and assessed and can be internal or external to the company, van der Klis-Busink said. “Whenever you lay down your risks, the next day it’s outdated,” he said.

Even lack of experience or knowledge can be a risk, he said.

Assessment of a risk can include writing a description, assessing its likelihood — how likely it is to occur — separately from its impact, and formulating a response, van der Klis-Busink said.

Designing controls to mitigate risks is also a recurring process that when effective reduces or prevents risks and increases the chance of meeting objectives, van der Klis-Busink said.

A control should have a description, a position responsible for its operation and ideally another for its documentation, classification as key or nonkey, whether it is designed to prevent or detect something, a frequency, and a sample size, van der Klis-Busink said.

Once controls are overlaid on the payroll process, other company stakeholders can see where controls and risks lie in the process, van der Klis-Busink said, recounting that he once did so to show a CFO that payroll was compliant.

However, van der Klis-Busink emphasized doing fewer controls well over implementing more, saying that increasing the number would make them difficult to maintain, document, and transfer.

Controls should also be usable for multiple countries and multiple entities so that they can be better standardized, van der Klis-Busink said.

Each step of a control should be documented, as well as the why and how of any changes, and the process should be evidenced with timestamps and separation of duties, van der Klis-Busink said.

“A nonevidenced control is not a control, because you cannot demonstrate to other people what you’ve actually done,” he said.

To contact the reporter on this story: Jamie Rathjen in Washington at

To contact the editor responsible for this story: William Dunn at