Payroll in Practice: 10.16.2023

Oct. 16, 2023, 1:52 PM UTC

Question: A company is reviewing internal controls for payroll. Given the amount of automation in the process, can segregation of duties be implemented effectively?

Answer: The purpose of internal controls with respect to payroll is to provide reasonable assurance that assets are safeguarded and company records are complete and accurate. Safeguarding assets includes compliance with legal requirements and fraud prevention.

Segregation of duties is a type of control in which the various functions related to a control objective are divided among two or more people. Control objectives are goals that address how an organization will manage risk. For example, a control objective related to an employee self-service module might be that information in the module is complete and accurate. Another control objective might be assurance that employee-initiated changes are actually made by the employees.

Traditionally, segregation of duties involves three functional categories: custody, recordkeeping, and authorization. For control purposes, no one person should be able to perform all three functions for a particular control objective.

Custody relates to access to the subject of the control objective such as payroll data. Traditionally, this function was viewed as physical control of assets such as cash in the checking account or objects such as checks and signature plates. With the rise of automated systems, it also relates to security controls over the data system and the data itself.

Custody also relates to the physical control of documents such as timecards, cancelled checks, or bank statements. For example, the person responsible for numbered documents is not performing recordkeeping but is instead the custodian of the records. That person’s concern is accounting for all the documents in the numbered series and following up on any missing documents. This also involves recording documents that are voided or destroyed and arranging that documents are destroyed according to the organization’s retention policy.

Recordkeeping involves access to “the books” and relates to recording and altering transactions. A recordkeeper records the transactions shown on the documents but would not be responsible for retaining or disposing of them.

Authorization involves reviewing and approving transactions for accuracy and completeness, such as signing checks or verifying time records.

In practice, segregation can also be achieved by separating tasks within a function. For example, with respect to a payroll checking account, a third party such as a bank is already involved in custody and recordkeeping. Requiring that the bank mail the payroll checking account statements to the business owner’s home rather than the business location controls access (custody) to the statements and provides an opportunity for independent review and reconciliation by someone outside the payroll process.

Through an employee self-service module, employees may enter direct deposit information into the system or update their Form W-4, Employee Withholding Certificate (authorization and recordkeeping). The system itself should provide a means of ensuring that the person making the change to the W-4 is, in fact, the employee and not someone else. This might involve security measures such as multifactor authentication.

An employee self-service system may also provide checks on data entered into the system. For example, the system itself could monitor changes for reasonableness or authorization. Alternatively, someone in payroll could review a printout to determine whether changes are reasonable or whether, for example, an employee’s request for an additional amount to be withheld each pay period exceeds gross pay for the period.

The system might disallow changes that an employee is not allowed to make, such as a change that would withhold less than required under a currently effective lock-in letter. The system might also notify employees and designated contacts when unauthorized changes are made. This designated contact might be someone uninvolved in the payroll process.

The system itself should keep and produce a log of all changes made, with details as to who made the changes. Although payroll personnel may receive a copy of the log to verify that transactions were processed correctly, they would not have access to the log itself and would not be able to alter it (custody of system data).

Someone, possibly in human resources, might also receive the log and store electronic versions of the Form W-4 and state equivalent forms in a secure file. The virtual forms would be maintained in accordance with the organization’s recordkeeping requirements just as if they were paper forms, and hard copies could be provided upon request from authorities such as the IRS or state departments of revenue. The bank should have a second record of all changes to the direct deposit part of the system.

One reason for using an automated system is to reduce the human factor and thus lessen the risk of problems ranging from data entry mistakes to fraud. The computer may also serve to segregate duties by taking on a great deal of the recordkeeping and data custody functions. This works where access is controlled and changes are securely logged. In addition, the system should monitor changes to the data to ensure that anyone making changes has the proper authorization.

The point of segregating duties is to involve more than one person in the transaction. A self-service module should include at least two people and a computer. For example, the employee enters the data through the self-service module (authorization and recordkeeping), the payroll clerk verifies the information (authorization), and the computer processes and stores the data (recordkeeping and custody).
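The rule that no one person performs all three functions for a control objective, and the "at least two people and a computer" guideline above, can be run as a periodic access review. The sketch below is an added example, not part of the original column; the objective names, the `admin_x` account, and the assignment format are assumptions constructed for illustration.

```python
from collections import defaultdict

# The three functional categories named in the column.
FUNCTIONS = frozenset({"custody", "recordkeeping", "authorization"})
# Actors that are the automated system rather than a person (assumed naming).
SYSTEM_ACTORS = frozenset({"system"})

# Constructed sample data: (actor, control objective, function).
# The self_service_w4 rows mirror the example in the text; admin_x is a
# hypothetical account added to show a conflict.
ASSIGNMENTS = [
    ("employee", "self_service_w4", "authorization"),
    ("employee", "self_service_w4", "recordkeeping"),
    ("payroll_clerk", "self_service_w4", "authorization"),
    ("system", "self_service_w4", "recordkeeping"),
    ("system", "self_service_w4", "custody"),
    ("admin_x", "direct_deposit", "custody"),
    ("admin_x", "direct_deposit", "recordkeeping"),
    ("admin_x", "direct_deposit", "authorization"),
]

def review_assignments(assignments):
    """Return (objective, actor, issue) findings for segregation-of-duties gaps."""
    held = defaultdict(set)     # (objective, actor) -> functions that actor holds
    covered = defaultdict(set)  # objective -> functions assigned to anyone
    people = defaultdict(set)   # objective -> human actors involved
    for actor, objective, function in assignments:
        if function not in FUNCTIONS:
            raise ValueError(f"unknown function: {function!r}")
        held[(objective, actor)].add(function)
        covered[objective].add(function)
        if actor not in SYSTEM_ACTORS:
            people[objective].add(actor)

    findings = []
    # One actor holding custody, recordkeeping and authorization together.
    for (objective, actor), funcs in sorted(held.items()):
        if funcs == FUNCTIONS:
            findings.append((objective, actor, "holds all three functions"))
    for objective in sorted(covered):
        missing = FUNCTIONS - covered[objective]
        if missing:
            findings.append((objective, None, "unassigned: " + ", ".join(sorted(missing))))
        if len(people[objective]) < 2:
            findings.append((objective, None, "fewer than two people involved"))
    return findings

if __name__ == "__main__":
    for finding in review_assignments(ASSIGNMENTS):
        print(finding)
```

In practice the assignment list would come from an export of the payroll system's role and permission tables, reviewed by someone outside the payroll process.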

This column does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law and Bloomberg Tax, or its owners.

Author Information

Patrick Haggerty is the owner of a tax practice in Chapel Hill, North Carolina, and an enrolled agent licensed to practice before the Internal Revenue Service. The author may be contacted at phaggerty@prodigy.net.

Do you have a question for Payroll in Practice? Send it to phaggerty@prodigy.net.

To contact the editor responsible for this story: William Dunn at wdunn@bloombergindustry.com
