Background :In the IT Industry, the key asset is the human resource. Payroll for an information technology company therefore forms the single largest component of expense. The success of an IT based organisation depends on the size and quality of its human resource. The activity is performed by these resources at the client’s site which often is spread over the world and in the development centres within the country. This results in movement of resources between clients and development centres.
The remuneration packages payable to these resources vary as per the location of the work execution. Salary and allowances for onsite work done by them are payable in foreign exchange. In the process the administrative effort involved in payroll processing is extremely high. The need for integrity of data during payroll processing is equally critical to ensure proper disbursement.
Considering that the core competence of the organisation is catering to client’s soft-ware requirements, a number of organisations are outsourcing this complex activity to entities that specialise in this area. The auditee organisation under consideration is one such IT-based organisation.
ABC Softwares Ltd had outsourced its payroll to a third party service provider. As a part of the cost reduction exercise, the executive management decided to manage its payroll in-house. Inputs from Audit Committee regarding the risks involved in managing payroll in-house were also obtained.
The Audit Committee also directed its outsourced internal audit firm to carry out an internal audit in a short span of time with a view to comment on the reasonable-ness of internal controls. Any major weakness observed could be rectified by the Finance and Accounts Departments. The internal audit would be more in the nature of systems audit as it is to be carried out in the first month — immediately after the new in-house system has gone live and the processing of payroll carried out.
Based on the above background, the partner-in-charge of the internal audit firm had a meeting with his audit manager to chalk out the audit programme. As the first step, a flowchart of the payroll processing activity was prepared.
Based on the inputs gathered during the flowcharting process and arising out of the study of the flowchart and the audit manager’s experience with the company, a detailed checklist was also prepared for meeting the audit programme objectives. The checklist identified the objectives and risk and control issues for this area — Refer Exhibit 1.
Considering that this audit involved large volume of transactions spread over multiple locations/files, the traditional method of manual vouching would take 15 mandays for the audit. It was therefore decided to use a data analysis software — IDEA — to carry out a 100% check on all transactions for the month. (Using IDEA, the audit for 1500 employees would take only three days). In this way the time dimension was managed. Additionally back up steps taken in the analysis would also be available in the software.
Observations arising from the Internal audit :
Following the checklist and using IDEA, the audit was completed in three days time. Overall the observations on systems and procedures in payroll showed reasonable internal controls except for the following :
Payroll executive had access to the password for change of Master data. This was a serious internal control weakness. (CFO immediately acted on this and had the password rights withdrawn from the Payroll executive and ensured that hence-forth all changes to Master data would be authorised by him only — weakness occurred due to oversight and he was happy that it was pointed out by internal audit. This ensured that in the very first month itself after having payroll being processed in-house, it had been set right).
Other observations — some of which were not related to changeover but internal processes irrespective of whether the payroll was processed in-house or out-sourced were :
Part A : Issues related with
Human Resources Department :
1. In certain cases the documents of new appointees for the period 1st April’02 to 30th June’02 in the Employee File were incomplete as regards :
- Absence of signature of HR Representative in Declaration Form for date of joining, date of birth and bank account application form,
- Incomplete Checklist for joining formalities,
- In a few cases medical fitness certificate and salary details of previous employment are not held on record.
- leading to the risk that candidates without requisite skill sets may join the company or that their previous track record with earlier organisation may not be clear.
2. On analysing the data captured in the input statements as prepared by HR Department with the Salary Register, an exception list of discrepancies in telephone call charges and transport deduction due to improper processing by Payroll executive was extracted, analysed and reviewed.
As per clarification given by Payroll executive, input was not given by HR Department in the specified format in case of telephone deduction. To avoid improper processing in future, matter should be clarified after discussion with Payroll executive regarding format in which input data should be provided to him for processing payroll.
3. On an analysis of the input statements prepared by Administration and Ac-counts Departments for the month of June’02 which are sent to HR Depart-ment, following exceptional discrepancies were found.
(a) Using the criteria check on dates of resignation of employees, the Input statement regarding Transport Deduction, prepared by Administration Depart-ment showed names of resigned employees also. Though this doesn’t have any impact on salary, it appears that Administration Department had not updated its database regarding employees availing transport facility.
(c) Loan Deduction Statement sent by Accounts Department showed in-correct employee number in case of employee availing PLA Advance due to which no deduction of loan amount was made leading to non-recovery of the instalment.
Informed that processes for additional checks and balances would be introduced to prevent recurrence of such issues.
Part B : Issues related with
Finance Department :
1. Delay of 1 month in deposit of part amount of TDS on salary for the month of April’02 leading to non-compliance of Income-tax Act, 1961. Total amount of TDS should be verified from Salary Register before deposit.
2. As per the Foreign Travel Kit expense policy, if any full time employee is deputed for an overseas assignment for a period of less than 6 months, he is eligible for Foreign Travel Kit Advance upto Rs.10,000/-. This advance has to be settled on submission of bills either within 4 days of taking the advance or within 12 days of returning from the overseas trip, failing which, the entire amount will be deducted from the next salary due to the employee, without any prior notification.
As on 30th June’02, Travel Kit Advance amounting to Rs.1,24,950/- was outstanding in 231 cases. Out of these in 4 cases, advance totalling to Rs.24,000/- was outstanding for more than 6 months as on 30th June’02. Two of these employees had come to India and again gone back onsite without adjusting the advance amount.
Conclusion : The internal auditor was able to conclusively provide an assurance on the adequacy of the internal controls to the Senior Management of ABC Softwares Ltd and its Audit Committee since shifting the processing from outside vendor to in-house team. The systems were also streamlined in line with the internal audit observations.
Internal Audit Objectives for Payroll :
(a) To ensure that only valid employees are paid at the correct and authorised rate;
(b) To ensure that the calculations of all payments and deductions are correct and in accord with the relevant taxation and other regulations and requirements;
(c) To ensure that all deductions are correctly calculated and accounted;
(d) To ensure that unauthorised access to the payroll system and data is prevented;
(e) To ensure that all payroll transactions are accurately reflected in the accounting system;
(f) To ensure that regular and accurate management and statutory information is produced and
(g) To ensure that company is following all statutory laws and regulations.
Risk and Control Issues for Payroll :
1. Is the payroll system adequately protected from either misuse or unauthorised access ?
2. What mechanisms prevent the set up of fictitious employees on the payroll system ?
3. How can management be sure that only valid employees are being paid via the payroll ?
4. What prevents the set up of incorrect or inaccurate payroll data (i.e. salary rates) ?
5. Are payroll salary rates correct in relation to agreed pay scales/national rates, etc. ?
6. Are payroll payment transactions (i.e. overtime, bonus, salary increases, etc.) adequately authorised (prior to data entry) and correctly entered ?
7. What prevents the entry and processing of duplicated payroll payment data ?
8. How can management obtain assurance that the payroll system accurately calculates net salary and accounts for all disbursements ?
9. What mechanisms prevent the incorrect calculation of income tax and any other statutory deductions ?
10. How can management be certain that all the necessary taxation and other deductions are correctly accounted for and paid over to the relevant authorities ?
11. Are all Holidays and Sickness payments accurate, valid and within both the Company policy and legislative requirements ?
12. Are all exceptional payments adequately authorised ?
13. Are pension and any other welfare deductions accurately calculated, deducted from salary and accounted for as inputs to their target systems ?
14. What mechanisms prevent staff fraud or malpractice in relation to payroll activities ?
15. Are payroll runs adequately reconciled to the accounting system and anomalies promptly identified and resolved ?
16. What processes prevent the generation of inaccurate, incomplete or duplicated Bank credit data (i.e. for automated fund transfer system such as HDFC account transfer) ?
17. Are payroll payments, automated fund transfer data or salary cheques subject to adequate levels of authorisation?
18. What prevents payroll payments continuing to be made to former staff members who have left the organisation ?
19. Are allowances including Foreign Kit made to the staff based on their posting — onsite and offshore —correctly computed and disbursed ?
20. Is sensitive or confidential payroll data adequately protected from un-authorised access ?
21. Are all the necessary/statutory payroll outputs and forms accurately produced and distributed in accordance with the required timetables ?
22. Are comprehensive and up-to-date payroll procedures available ? Has specific responsibility for the payroll function been suitably defined and allocated ?