1
GENERAL PAYROLL CONTROLS
Dates in scope:
Risk # Risk
1 Unauthorized initial pay rate
Unauthorized/unsupported deductions
2 (statutory deductions and benefits).
3 Unauthorized set-up of direct deposit
Manual checks do not have appropriate
support and are not signed by authorized
4 signer
5 Terminated employees are paid
Check printer and blank checks are not
physically safeguarded and is accessible to authorized individuals. 2. Pre-signed
6 unauthorized individuals
Check stock are not numbered sequentially
7 or are not reviewed for gaps
Signature plate or file is not appropriately Signature plate or file is accessible only to
8 safeguarded
Payroll adjustments are not authorized and Adequate documentation must be kept to
9 supported by adequate documentation.
Interface between HR and payroll system is
10 not reconciled or is incomplete.
Garnishments and other non-statutory
deductions (e.g., gift shop) are not
11 supported by adequate documentation.
Additions to employee master are not
12 authorized.
Audit Program Payroll Pay Practices Ghost Employees
Expected Control
Initial pay rate is approved by HR and the
department manager and documentation is
included on the employee's files.
Signed W4 forms and enrollment forms are
included in the employee files to support
statutory deductions and employee
benefits, respectively.
Employees with direct deposit have a
signed copy of their Direct Deposit
Authorization Form on their personnel file.
Manual checks must be signed by two
authorized individuals who do not have
access to HR/Payroll system. In addition,
supporting documents for manual checks
are reviewed before being signed by
authorized signers.
Terminated employees are inactivated in
the payroll system in a timely manner.
1. Check printer and blank checks are kept
in a locked area, accessible only to
checks are not allowed.
Checks are sequentially pre-numbered.
authorized individuals.
support all payroll adjustments.
File sent to ADP is reconciled to data
received by ADP
Adequate documents are included in the
employee files to support non-statutory
deductions.
New employees should have supporting
documents such as job application, payroll
document (W4), identification document
(driver's license and Social Security Card),
and other required documentation (i.e. Drug
Screen and Reference Check Statement,
and Criminal Background Check statement)
filed in their employee file
Step # Testing Documents/Info Needed
Select a sample of new employees for period under audit and obtain supporting List of new employees for period under
GC1 documents ensuring that initial pay rate is approved by the appropriate individual audit
Select a sample of employees and trace statutory deductions (i.e. taxes) and benefits to
GC2 supporting documents. Payroll Register
Select a sample of employees with direct deposit set-up and obtain copies of signed Payroll Register; Direct Deposit
GC3 Direct Deposit Authorization Form Authorization Form
Select a sample of manual/on-demand checks processed for period under audit and List of manual/on-demand checks
obtain copies of supporting documents and determine if signed by two authorized processed for period under audit
GC4 individuals. (Payroll Register)
Obtain list of terminated employees for period under audit and verify if subsequent
payroll checks/payments were processed after date of termination. If processed, obtain List of termed employees for period
GC5 documentation as to valid reason. under audit; Payroll Register
GC6 Observe where check printer and blank checks are kept. Check for pre-signed checks. N/A
Observe whether check stocks are numbered sequentially and identify if any are
GC7 missing. N/A
GC8 Observe if signature plate is used; If file is used, determine who has access to the file. N/A
Select a sample of payroll adjustments (all if under 30) and trace to supporting List of payroll adjustments for period
GC9 documentation. under audit
Reconciliation of file sent to ADP to file
GC10 Compare file sent to ADP to file received by ADP. received by ADP
List of garnishments or other non-
Select a sample of garnishments and other non-statutory deductions (all if under 30) and statutory deductions for period under
GC11 trace to supporting documentation. audit (Payroll Register)
Select a sample of additions to the employee master and trace to supporting List of new employees for period under
GC12 documentation. audit
Gen Payroll Controls
7/5/2012
 2

Risk # Risk Expected Control Step # Testing Documents/Info Needed

Payroll advances are set-up in the payroll

Payroll advances not deducted from system so that it automatically deducts the Select a sample of payroll advances (all if under 30) and check subsequent paycheck to List of payroll advances for period
13 subsequent pay check advance to the subsequent paycheck. GC13 determine if the advance was deducted under audit (Timekeeping Data)

The ADP New Hire Report is populated

New employee can be entered into the
system without it being listed on the ADP
14 new hire report
15 Termination checklist incomplete
based on a unique and a required field. It is
also important that the field cannot be
backdated such as the new hire date or
start date, because someone can easily
backdates so that a "fictitious" new
employee entered into the system will not Observe if a new employee can be entered into the system without it being listed on the
be listed on the ADP New Hire Report. GC14 ADP new hire report N/A
Compare separation checklist to Renown’s checklist and make recommendations.
N/A; testing is only for recommendations GC15 (Observation only .) Separation checklist

Gen Payroll Controls

Audit Program Payroll Pay Practices Ghost Employees 7/5/2012
 1

SEGREGATION OF DUTIES
Dates in scope:

Risk # Risk Expected Control Step # Testing Documents/Info Needed

Payroll personnel are not able to enter or delete
Payroll personnel are able to enter or delete employees in the system. If they do then there is a
employees in the system, providing opportunity to report generated, which is reviewed by an
1 create and pay fictitious employees without detection independent party. SOD1A Observe for both regular and special payroll runs N/A
Payroll personnel are able to change pay rate and Payroll personnel are not able to change pay rate
benefit information, in the system, providing and benefit information in the system. If they do then
opportunity to give themselves or others a pay raise there is a report generated, which is reviewed by an
2 or additional benefits independent party. SOD1B Observe for both regular and special payroll runs N/A
Reconciliation of payroll bank account is performed Payroll bank account reconciliation is performed by Obtain copies of payroll bank reconciliations for Completed Payroll Bank
by payroll personnel, providing opportunity to conceal someone who did not process and/or sign the payroll period under audit and identify who prepared and Reconciliation for period
3 any misappropriation checks. SOD2 who reviewed the reconciliation under audit
Reconciliation of what is recorded in the G/L to the
payroll register is performed by payroll personnel, Reconciliation of G/L to the payroll register is Obtain copies of G/L entries for period under audit Completed Payroll
providing opportunity to conceal any performed by someone who did not process and/or and trace to the payroll register. Identify who Reconciliation to the G/L for
4 misappropriation sign the payroll checks. SOD3 prepared and who reviewed the reconciliation. period under audit

Termination checks are distributed by someone other

than the person who inputs and authorized payroll. If
Termination checks are distributed by payroll not possible, terminated employees should be Obtain copies acknowledgement of last pay check Acknowledgement of last pay
personnel, providing opportunity to pay a fictitious required to sign an acknowledgment that they’ve pick-up for a sample of employees terminated for check pick-up for a sample of
5 "terminated" employee without detection received the last pay check. SOD4 period under audit employees

No employee or group should be in a position both to

6 Lack of segregation of duties
perpetrate and to conceal errors or fraud in the
normal course of their duties. In general, the principal
incompatible duties to be segregated are:
• Custody of assets,
• Authorization or approval of related transactions
affecting those assets, and
• Recording or reporting of related transactions
• Control activity SOD5 Walkthrough Segregation of duties matrix for payroll N/A

Audit Program Payroll Pay Practices Ghost Employees SOD 7/5/2012

 1

BANK RECONCILIATIONS
Dates in Scope:
If recently performed by external auditors, these steps are N/A.

Risk # Risk Step # g , Testing p p Documents/Info Needed

Payroll bank reconciliations are
not performed effectively and/or
1 timely
timely. In addition perform detail testing for 1 of the months: 1) Test the schedule for clerical accuracy. 2) Agree
bank balance and ending balance to the general ledger and bank statement, respectively. 3) agree
reimbursement wire (transferred from the operating account) to the net pay per the period’s payroll control total
per the payroll system. 4) Select 3 reconciling items and test that the items were properly included as
reconciling items, including tracing the selected items to the following month’s bank statement to ensure all
items properly cleared the account. Test additional items if large or unusual reconciling items exist. 5) Review
the subsequent month’s bank statement for unusual and/or large checks, checks of even dollar amounts (i.e.
$500 or $1,000, etc.), or unreasonably out of sequence checks. 6) Review the outstanding checks list for
checks outstanding for an unusually long period. Determine the status of the outstanding check, determine the Payroll Bank
need for any adjustments, and document findings. Document the company’s process for dated checks and Reconciliation and
voided checks. 7) For voided checks, if any, review the voided checks to ensure they have been properly supporting documents
BR1 defaced. Inquire as to reasons for voided as deemed necessary. for the past 3 months

Using the documents obtained from SOD3, determine reconciliation to the G/L is performed monthly. In addition Payroll Reconciliation to
perform detail testing for 1 of the months: 1) Agree balances on the reconciliation to the general ledger and the the G/L and supporting
Payroll data is not reconciled to payroll ledger. 2) Review and investigate any large or unusual reconciling items. 3) Obtain Labor Distribution documents for the past 3
2 the G/L effectively and/or timely BR2 Report or similar report for a sample of departments and verify that payroll balance agrees with the G/L months

Audit Program Payroll Pay Practices Ghost Employees Bank Rec 7/5/2012
 1

GHOST EMPLOYEES
Dates in scope:

NOTE: Each test on its own would not indicate a ghost employee. However, employees with exceptions in several tests would warrant further review and explanations should be required for
duplicates and discrepancies.
Risk # Risk Step # Testing Documents/Info Needed
1 Ghost Employees GE1 Look for employees with PO box address Employee Master
2 Ghost Employees GE2 Look for different employee IDs with same or similar addresses Employee Master
3 Ghost Employees GE3 Look for different employee IDs with same or similar names Employee Master
4 Ghost Employees GE4 Look for different employee IDs with same or no SSN Employee Master

5 Ghost Employees GE5 Look for employees with duplicate employee number or out of normal range. Employee Master
6 Ghost Employees GE6 Look for employees with no withholdings Payroll Register
7 Ghost Employees GE7 Look for employees who aren't on the system email listing List of employees on the email system
8 Ghost Employees GE8 Look for employees with same SSN as travelers List of travelers with SSNs; Employee Master with SSNs.
Report listing employees with direct deposit and their direct
9 Ghost Employees GE9 Look for different employee IDs with direct deposit going to the same bank account deposit info such as bank account #
Look for employee IDs listed on the payroll register but not on the HR system and
10 Ghost Employees GE10 vice versa Payroll Register and Employee Master
Look for employees in the payroll register that have different base rates than the
11 Ghost Employees GE11 rates listed in the employee master file Payroll Register and Employee Master
Compare employee SSN to Social Security Administration list.
12 Ghost Employees GE12 http://www.ssa.gov/employer/ssnv.htm Employee Master

13 Ghost Employees GE13 Identify hotel addresses in the area and search for employees with those addresses Employee Master
14 Ghost Employees GE14 Look for employees with addresses at a mailbox etc. location Employee Master
15 Ghost Employees GE15 Look for employees with a base rate outside of job code range Employee Master and job code salary ranges

Audit Program Payroll Pay Practices Ghost Employees Ghost Employees 7/5/2012
 1

CONFLICT OF INTEREST
Dates in scope:

Risk # Risk Step # Testing Documents/Info Needed

1 Conflict of Interest CI1 Look for employees that are on the vendor master list (by SSN or by Name) Employee Master and Vendor Master
2 Conflict of Interest CI2 Look for employees being supervised by a relative (same last name) Employee Master

Audit Program Payroll Pay Practices Ghost Employees Conflict of Interest 7/5/2012
 1

PAY PRACTICES
Dates in scope:

Risk # Risk Step # Testing Documents/Info Needed

Identify employees with more than $10,000 in gross pay and review back-up evidence
1 Possible misappropriation of assets PP1 to determine if the amounts paid are reasonable. Payroll Register
Identify employees with more than $5,000 in net pay and review back-up evidence to
2 Possible misappropriation of assets PP2 determine if the amounts paid are reasonable. Payroll Register

Identify employees paid the same amount as both a regular and a special check run or
3 Possible misappropriation of assets PP3 both as a check and a direct deposit during the same pay period. Payroll Register

4 Lack of compliance with policies and procedures PP4 Identify employees accruing greater than the maximum leave or sick pay per policy. Leave and Sick Balance Data
Lack of compliance with policies and procedures;
5 Overcompensation PP5 Identify employees with negative leave or sick pay balances. Leave and Sick Balance Data
Identify employees receiving 1) leave; 2) holiday; or 3) sick pay who do not qualify.
6 Lack of compliance with policies and procedures PP6 (Use hire date, not status change date) Payroll Register
Identify employees receiving benefits who do not qualify. (Use hire date, not status
7 Lack of compliance with policies and procedures PP7 change date) Payroll Register
Lack of compliance with policies and procedures;
8 Overcompensation PP8 Identify employees receiving bonuses who do not qualify (only if applicable). Payroll Register

Identify employees receiving 1) bereavement pay; 2) jury duty pay; 3) continuing

9 Lack of compliance with policies and procedures PP9 education pay who do not qualify for it. (Use hire date, not status change date) Payroll Register

Identify employees receiving 1) relocation pay or 2) moving expense reimbursement

10 Lack of compliance with policies and procedures PP10 more than six months after their hire date or that have not been authorized by HR. Payroll Register
Identify employees paid shift differential and test a sample to determine whether they
11 Lack of compliance with policies and procedures PP11 are qualified (based on position and department) to receive it. Payroll Register

Lack of compliance with policies and procedures and
inefficient use of resources and inefficient use of
12 resources.
13 Lack of compliance with policies and procedures
Identify per-diem employees and summarize number of hours worked per pay period
and compare to policy. Also 1) compare departments with high overtime to
PP12 departments with low per diem and 2) identify per diem employees with zero hours. Payroll Register
Determine whether employees receiving call-back and/or on-call pay are eligible
PP13 according to policies and procedures. Payroll Register

14 Inefficient use of resources PP14 Identify departments and employees with most 1) call back and 2) on-call pay. Payroll Register
Identify employees with 1) call back pay and no on-call pay; and 2) on-call pay and no
15 Inefficient use of resources PP15 call back pay. Payroll Register
Identify employees with 1) both licensed and non-licensed on-call pay; and 2) licensed
16 Overcompensation PP16 call pay who do not have a licensed position. Payroll Register
17 Inefficient use of resources PP17 Identify departments and employees with most overtime pay. Payroll Register
Identify departments and employees with most incremental overtime pay. Incremental
18 Inefficient use of resources PP18 overtime is less than 1 hour Payroll Register
19 Inefficient use of resources PP19 Identify departments and employees with most double-time pay. Payroll Register

Pay Practices
Audit Program Payroll Pay Practices Ghost Employees 7/5/2012
 2

Risk # Risk Step # Testing Documents/Info Needed

Identify full-time employees working more than 18 regular hours per day (Do not
include leave hours) Determine for how many pay periods this occurred for each
20 Inefficient use of resources PP20 employee. Timekeeping Data
Identify full-time employees working more than 80 regular hours per pay period. (Do
not include leave hours). Determine for how many pay periods this occurred for each
21 Inefficient use of resources PP21 employee. Payroll Register
Identify part-time employees working more than 72 regular hours per pay period. (Do
Inefficient use of resources and underpaying for not include leave hours). Determine for how many pay periods this occurred for each
22 benefits. PP22 employee. Payroll Register
Identify employees receiving regular + leave hours greater than their standard hours in
23 Inefficient use of resources PP23 the same pay period. Payroll Register
Identify employees who continuously worked 1) more or 2) less than their FTE
Inefficient use of resources and overpaying or requirement. Continuously means if they worked more than their FTE for 6
24 underpaying for benefits. PP24 consecutive pay periods. Payroll Register
25 Overcompensation PP25 Identify exempt employees with premium pay Payroll Register

Identify timecards edits which resulted in increased or decreased pay. Determine

26 Inefficient use of resources PP26 which departments and employees have most number of timecard edits Timecard Edits Data
Inappropriate timecard approval and lack of
segregation of duties. and lack of segregation of
27 duties. PP27 Identify individuals who can approve their own timecard Timecard Approval Data

28 Inappropriate timecard approval PP28 Identify individuals below supervisor level who have ability to approve timecards Timecard Approval Data
29 Inappropriate timecard approval PP29 Identify individuals who can approve individuals outside their own cost center Timecard Approval Data
Identify timecards for a specific period that were not approved by 1) the employee; 2)
30 Unauthorized timecard PP30 the employee's manager/supervisor; 3) neither Timecard Approval Data
Timecard Approval Data;
31 Unauthorized overtime PP31 Identify employees with overtime pay whose timecards were not approved Payroll Register
Timecard Approval Data;
32 Unauthorized leave or sick pay PP32 Identify employees with leave or sick pay whose timecards were not approved Payroll Register
Electronic Payroll pay rules;
33 Incompliance with policies and union contract PP33 Trace system pay rules to the HR policies and union contract (if applicable). HR policies
34 Inefficient use of resources PP34 Identify departments and employees receiving the most bonuses Payroll Register

Select a sample of employees with pay raise/decrease for period under audit and
obtain supporting documents ensuring that pay raise/decrease is approved by the Payroll Register; Employee
35 Unauthorized/unsupported pay raise/decrease PP35 appropriate individual and supported by adequate documentation. Master

Select a sample of employees and recalculate gross pay per the payroll register based
Gross pay is not equal to hours worked per timecard x upon hours worked per timecard approved by manager and/or employee and Payroll Register; Personnel
36 authorized pay rate PP36 authorized pay rate per employee's personnel action form or equivalent form Action Form or equivalent

Pay Practices
Audit Program Payroll Pay Practices Ghost Employees 7/5/2012