How to prevent payroll fraud with internal controls
When you have 10, 20, or 30 employees, it is relatively easy to know everyone on the payroll.
But as a business grows from 30 to 100, 200 + employees – the risk of payroll fraud increases.
It becomes more difficult to keep an eye on everyone and their timesheets. Hence the importance of having good systems, processes, and procedures.
Payroll fraud occurs when company money is stolen through the payroll system.
Payroll fraud can arise in a number of ways – by paying ghost employees, paying employees more than the company should, or employees falsifying timesheets.
What are ghost employees?
Ghost employees are essentially fictitious (bogus) employees that have been invented by fraudulent employees or external administrators (e.g., bookkeeper, accountant).
How can payroll fraud occur?
Payroll fraud can occur when employees or external administrators are trusted without having formal internal controls within their business, systems, and processes.
When there’s a lack of internal controls – especially around employee record additions, terminations, and amendments – the risk is increased.
Those that have Masterfile database access are able to create fake employees and pay themselves or an associated party. They are able to falsify pay rates or sales numbers to obtain higher commissions.
Such fraudulent activities can continue until they are detected or when the fraudulent employee leaves.
Sadly, the average period of payroll fraud is 36 months!
Yes. That’s right. 3 whopping years.
Payroll fraud is more common in casual workforce environments; however, it can happen in any workforce.
How to prevent payroll fraud in your business?
The best way to prevent fraud is through the establishment of a strong internal control environment accompanied by a thorough review process. The review and approval process should be done before payroll payments are released.
There are a combination of steps that should be taken to help protect you and your business from payroll fraud, and noted below (not comprehensive):
- Control how employees are created and terminated into the payroll system.
- Control who can make changes to the payroll system
- Segregate payroll processing duties amongst employees
- Independently review changes made to the payroll system.
- Report changes made to the payroll system
- Conduct physical verification of employees.
Step 1 – Control how employees are created and terminated into the payroll system
When adding new employees into the payroll system, allow certain employees to be able to do so. Restrict access to the system so that no additions or terminations are made without control or awareness.
When offboarding employees, have an effective process that ensures employee records are made inactive on the payroll system. Companies can forget to flag terminated employees inactive, even after the final termination payout has been made. Make sure you’re not paying for superannuation after an employee has left your company (especially when it is paid quarterly!)?
Step 2 – Control who can make changes to the payroll system
Restrict access to the payroll Masterfile to one or two independent employees / contractors. If your business has limited resources, then allow the person processing the payroll to make changes with someone independently controlling the access to the Masterfile database. They should unlock the database and lock it once changes are made.
Step 3 – Segregate payroll duties between employees
By segregating payroll duties, it will assist in making it difficult to commit payroll fraud. Break down each process task and ensure each role or function is performed by someone independent.
Some tasks to segregate:
- The person processing the payroll should not be able to make changes to employee records.
- Those approving timesheets should not be able to enter timesheets into the payroll system.
- The person reviewing the payroll payment report should differ from the person entering the payroll data.
- The person reconciling payroll reports should differ from the person reviewing the payroll report.
- The person uploading the payroll payment into the bank should be different from the person releasing the payment.
Step 4 – Independently review the changes made to the payroll system
Have independent reviews throughout the payroll process and not just from the Finance department. For example, the direct Manager should review the direct employee’s timesheets.
Conduct independent reviews of the payroll reports against employment contracts. Confirm any discrepancies against supporting evidence such as a salary increase letter. This is a good reason why all payroll changes should be formally documented in writing as evidence.
Another good internal check is to compare payroll bank details against a list of supplier bank details and identify any duplicate entries. Fraudulent employees can also add themselves as a supplier which may not be easily detectable. Also, compare the payroll payment run bank details for any duplicated bank accounts on the report.
Don’t just review the payroll rates, also review leave entitlement balances. Fraudulent employees may add additional leave to their entitlement balance or not reduce leave balances when it is taken.
Conduct various types of spot checks in detail. This will show employees or contractors that payroll is being closely monitored.
Step 5 – Report changes made to the payroll system
Generate exception reports from the payroll system for every change that is made to the payroll Masterfile database. Such a report will display – what changes were made, by whom, and when.
The report should be automatically emailed to Management and formally reviewed by someone independent. Anything unusual should be investigated immediately.
Gather evidence before questioning the employee – this will ensure no changes are made to the files (especially if they have system admin access – where they can delete files permanently). If fraud is suspected, seek independent professional advice before taking action.
Step 6 – Conduct physical verification of employees
Management should physically verify employees unannounced. They should confirm that each employee is a real person. Consider conducting this task yourself or engage an independent party to verify the existence of each employee. Eliminate any bias from the outcome.
Be proactive
To ensure you and your business are protected from payroll fraud train yourself and your employees to understand the payroll process and the risks exposed at each stage. Mitigate the risks through system controls and internal controls along with an internal audit report to Management.
If you’re unsure about how to implement internal controls, please get in touch. We will gladly access your payroll processing system and guide you through safeguarding your business.
