Payroll is one of the most important fuels that keep the engine of your company running. It also represents a potential risk that is often overlooked. The 2014 Report to the Nations on Occupational Fraud and Abuse, published by the Association of Certified Fraud Examiners, reported that payroll fraud may not be as uncommon as one thinks. The survey highlighted nine sub-categories of asset misappropriation schemes, each representing a specific way that employees misappropriate organizational resources. Payroll frauds accounted for 10.2% of the total asset misappropriation category in frequency. The median loss was $50,000.00. While overall these frauds were not the most significant in either category, what makes payroll fraud uniquely challenging is a combination of risks that make the payroll cycle a potentially rich target environment for fraud. The association further reports that payroll fraud happens in 27 percent of all businesses and occurs nearly twice as often in small organizations with fewer than 100 employees than in large ones.
Some of the reasons for this may be:
• The diversity of how and where payroll may be processed from pay period to pay period
• A predictable payroll processing schedule
• The complexity of the accounting, such as wage attachments, multiple bank accounts and EFTs
• Technology and the proliferation of combined systems for accounting and payroll that are often not easily understood
How can HR and payroll practitioners get a better handle on fraud prevention practices and heighten their awareness of the opportunities for fraud?
Understand the end-to-end process and the inputs and outputs
Looking at the end-to-end cycle, you often find a chain of controllable events. These events are closely aligned with the employment life cycle. Hiring, terminating and transferring employees and their compensation data create payroll events with unique vulnerabilities to fraud. Monitoring these events as exceptions provides visibility into potential fraud.
Segregate payroll duties
The new hire onboarding process brings a unique set of exposures. Personal and banking information may be exposed as a new hire provides personal data online and/or on paper. Reviews of new employees to confirm the validity of their information and verify their existence should be done by individuals outside the payroll function. The objective of segregating duties is not to add cost or work but to highlight where an opportunity for fraud may exist. The focus is segregation of duties between individuals, not functions. Segregation of duties and regular rotations of individuals in key functions prevent the potential for collusion.
Inspect payroll offices and computers regularly
On one of my first audit assignments, my manager had a sign on her desk that read, "People rarely do what you expect, but often what you inspect." Experience has taught me this is more than just a simple parable. Regular inspections of the payroll office and the payroll records by someone outside of the payroll department are valuable to help reduce exposures to loss. Technology assets used to enter new employee data should be regularly reviewed to ensure they are free from electronic devices such as keystroke loggers or other hidden programs that surreptitiously gather data.
Audit the communication path
When money and records are exchanged between the payroll provider and the employer, there is a shared exposure to loss. The technology team at each point of the communication path must ensure the link that they oversee is protected from exposure and regularly audited for unintended content that could alter or affect data. Whenever possible, closed-loop communication is preferable.
The repetitive nature of the payroll process lends itself to potential complacency. Regular oversight and vigilance remain critical aspects of fraud prevention. Understanding the mutual security practices and technology offerings of both the payroll provider and employer is critically important when transferring data and money.
Perform exception reporting
Exception reporting that highlights certain aspects of payroll transactions is helpful. Changes made to employee bank accounts, anomalies in check amounts, differences in frequencies of pay and withholding changes are all transactions worthy of exception oversight. The key to good exception reporting is developing reports based on unexplained anomalies in such a manner that reviews can be done efficiently without a high degree of false positives. Efficient exception reporting not only helps in identifying potential fraud but also heightens awareness and enhances the perception of detection.
Eliminate "ghost employees"
To keep ghost employees off of the payroll, watch for employees who have no withholdings or personnel files independent of their payroll records. Other tips to identify ghost employees include:
• Salaries that are different, especially those that are not repeated or are exceptionally large.
• Bank deposits, listed by bank account number, that show different employee names but a common bank account number.
• Employee pay issued at a varying payroll frequency, usually set up as a one-time or unique payment.
• Dormant but resurrected payroll records in which individuals may take advantage of temporary absences or seasonal employment lapses.
Ghost employee records often contain unique information such as a decedent's Social Security number. The Social Security Administration offers a list called the Death Master File, which can be searched to determine the legitimacy of the Social Security numbers. Running the issued Social Security numbers in your payroll file against this list is a useful exercise that can be conducted on an ad-hoc or annual basis.
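The ghost-employee indicators above can be run as a single exception report. The following is an added example, not part of the original article: the record layout, field names, the 120-day dormancy threshold and all sample data (including the placeholder Social Security numbers and the stand-in Death Master File extract) are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; every field name here is an assumption, not a real payroll schema.
PAYROLL = [
    # (employee_id, name, ssn, bank_account, pay_date, gross, withholding)
    ("E100", "A. Rivera", "000-00-0001", "ACCT-111", date(2017, 1, 13), 2100.0, 410.0),
    ("E100", "A. Rivera", "000-00-0001", "ACCT-111", date(2017, 1, 27), 2100.0, 410.0),
    ("E200", "B. Chen",   "000-00-0002", "ACCT-222", date(2017, 1, 13), 1900.0, 350.0),
    ("E200", "B. Chen",   "000-00-0002", "ACCT-222", date(2017, 1, 27), 1900.0, 350.0),
    ("E300", "C. Doe",    "000-00-0003", "ACCT-222", date(2017, 1, 27), 4800.0, 0.0),
    ("E400", "D. Okoye",  "000-00-0004", "ACCT-444", date(2016, 6, 10), 1500.0, 280.0),
    ("E400", "D. Okoye",  "000-00-0004", "ACCT-444", date(2017, 1, 27), 1500.0, 280.0),
]
HR_FILES = {"E100", "E200", "E400"}   # IDs with a personnel file kept outside payroll
DECEASED_SSNS = {"000-00-0003"}       # constructed stand-in for a Death Master File extract
DORMANT_DAYS = 120                    # assumed gap between pays that counts as "dormant"

def ghost_flags(payroll, hr_files, deceased_ssns, dormant_days=DORMANT_DAYS):
    """Return {employee_id: sorted list of reasons} for records needing review."""
    flags = defaultdict(set)
    holders_by_account = defaultdict(set)
    dates_by_emp = defaultdict(list)
    withheld_by_emp = defaultdict(float)
    for emp, name, ssn, acct, paid, _gross, withheld in payroll:
        holders_by_account[acct].add((emp, name))
        dates_by_emp[emp].append(paid)
        withheld_by_emp[emp] += withheld
        if ssn in deceased_ssns:
            flags[emp].add("ssn_on_death_file")
        if emp not in hr_files:
            flags[emp].add("no_personnel_file")
    # Different employee names paid into one bank account number.
    for holders in holders_by_account.values():
        if len({name for _, name in holders}) > 1:
            for emp, _ in holders:
                flags[emp].add("shared_bank_account")
    for emp, total in withheld_by_emp.items():
        if total == 0:
            flags[emp].add("no_withholdings")
    # A long gap between consecutive pay dates marks a dormant record that was revived.
    for emp, dates in dates_by_emp.items():
        dates.sort()
        if any((b - a).days > dormant_days for a, b in zip(dates, dates[1:])):
            flags[emp].add("dormant_then_resurrected")
    return {emp: sorted(reasons) for emp, reasons in flags.items()}

if __name__ == "__main__":
    for emp, reasons in sorted(ghost_flags(PAYROLL, HR_FILES, DECEASED_SSNS).items()):
        print(emp, ", ".join(reasons))
```

Each flag is a prompt for review by someone outside the payroll function, not proof of fraud; a shared account, for example, also flags the legitimate employee whose account number is being reused.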
Some other thoughts
After being captured, prolific Depression-era bank robber Willie Sutton was asked why he robbed banks. Mr. Sutton replied, "Because that's where the money is." In business today, payroll may represent a large portion of an organization's expenses. An unprotected payroll process can create a "perfect storm" of opportunity for potential fraud. When employers follow published security and privacy standards, and conduct basic exposure analyses, the loss of funds and data can often be prevented.
© 2017 McGovern & Greene LLP All rights reserved.