Relevant to candidates attempting Foundations in Audit and
Audit and Assurance
This article focuses on the audit of wages but many of the points made also apply to salaries (the term payroll covers both). The distinction between the two is that wages are normally paid weekly in cash to employees working in departments such as production. Salaries, on the other hand, are paid monthly to employees normally working in administrative departments, via electronic transfers to their bank accounts. Changes in technology and less reliance on cash have blurred this traditional distinction and many hourly paid employees are now paid via bank transfer. However, in some small companies or in parts of the world where few people have bank accounts, employees are still paid in cash based on hours in attendance or work completed.
The auditor is required to plan and perform their work in order to form an opinion on the financial statements and in doing so to obtain reasonable assurance that the financial statements are free from material misstatement, whether due to fraud or error. As such this article will consider some of the key considerations that the auditor should make when planning and performing work on payroll, including the nature, timing and extent of procedures that should be carried out. The article will also consider the potential for fraud within the payroll function and some of the fraud risk factors that the auditor should be alert to when planning and performing their work.
Audit work on wages – timing
Much of the audit work on the wages system may be performed during the interim audit, through detailed controls testing, as due to the nature and volume of payroll transactions the auditor is likely to wish to place some reliance on the company’s control system. However, some substantive procedures to confirm payroll costs and wage accruals will form part of the final audit.
Interim audit work on wages should involve the normal stages of recording, evaluating and testing internal controls.
Wages control objectives
In order to evaluate the control system the auditor will firstly consider the objectives which the control activities should be designed to achieve. Typical control objectives for wages include the following:
- To ensure that employees are only paid for work done.
- To ensure that wages are only paid to valid employees.
- To ensure that all wages are authorised.
- To ensure that wages are paid at the correct rates of pay.
- To ensure that wages are correctly calculated.
- To ensure all wages transactions are correctly recorded in the books of account.
- To ensure that all payroll deductions are paid over to appropriate third parties (for example, tax authorities)
Evaluation of the internal control system
The evaluation should be performed by considering if controls exist to ensure specified control objectives are met.
Auditors often complete questionnaires to assist in system evaluation. Internal Control Questionnaires (ICQs) ask specific questions about controls relevant to each control objective. The alternative is an Internal Control Evaluation Questionnaire (ICEQs), sometimes referred to as key or control questions which focus on risks rather than objectives. They cover the same areas as control objectives and typical examples include:
- Can employees be paid for work not done?
- Can wages be paid to fictitious employees?
- Can unauthorised wages be paid?
- Can errors occur in wage calculations?
- Can wage costs be incorrectly recorded?
If the evaluation indicates that controls exist a test of controls will be performed but if controls are weak or absent then a substantive procedure will be appropriate, to determine if material misstatement has occurred.
Stages in a wages system
Five stages are shown below and typical controls identified are linked to relevant control objectives.
(i) Setting up master file data
Robust recruitment procedures are required before new employees are entered on the wages master file. Interviews should be undertaken involving senior staff to ensure the new employee has the required skills. New starters’ forms should be completed in the human resources (HR) department and copies retained along with contracts of employment. Changes to standing data on the master file should be performed by staff who are independent of processing payroll. The wages master file contains all the standing data about employees, such as name, address, date of birth, date of starting employment, employee number, rate of pay and tax code.
- Changes to master file data such as rates of pay and new starters/leavers should be supported by forms approved by a senior responsible official. (Control objectives 2 and 4)
- Access to the master file should require a responsible official’s password and a log of standing data amendments should be produced and reviewed. (Control objectives 2, 3 and 4)
- An independent check should be performed of standing data amendments log to supporting documentation. (Control objectives 2, 3 and 4)
(ii) Recording wages due
Clock cards are often used to record the hours that employees enter and leave the premises. Modern equivalents would include employee ID cards which are swiped by an electronic card reader. In this scenario employees are paid based on hours worked. If employees are paid in accordance with work completed job cards may take the place of clock cards.
- Supervision of clocking on points and control over blank clock cards (or employee ID cards) are essential. (Control objective 1)
- Clock cards should be authorised by a responsible official before they are sent to the payroll departments. (Control objectives 1 and 3)
- HR department should keep blank clock cards or ID cards, which are only issued for new employees with contracts of employment. (Control objective 2)
(iii) Calculation of wages
Hours worked should be converted to a gross wage by reference to the employee’s hourly rate of pay and deductions such as payroll taxes are made to calculate net pay. Software is normally used to produce the weekly payroll and calculation errors are less likely than with manual systems. Gross wages should be based on a standard working week (for example, 40 hours) and if overtime has been worked this should be picked up from the clock card. However, in some systems, authorised lists of overtime worked during the week are entered so that the revised gross wage can be calculated.
- Overtime forms/ listings should be reviewed and authorised by responsible managers before input to the system. (Control objectives 1 and 3)
- Software controls should include data validation (edit) checks on the data fields included on transactions, and include reasonableness, existence, range and character checks. Error reports should be produced which list rejected items– for example, employee numbers entered that do not exist. Also exception reports should list transactions that have been processed but which exceed certain pre-determined limits– for example, employees earning more than $2,000 per week or those who worked more than 30 hours of overtime. It is very important that both reports are investigated closely and if necessary data corrected and re-input. (Control objectives 2 and 4).
- A sample of payroll calculations should be checked by senior responsible official and the payroll initialled. (Control objective 5)
(iv) Payment of wages
As indicated earlier employees should either be paid in cash or by bank transfer. In the case of cash a cheque should be signed, preferably by two senior responsible officials (normally directors in small companies). Once collected from the bank the cash should be included in pay packets with payroll slips for subsequent distribution to employees.
- The payroll should be reviewed by a senior responsible official before the payroll cheque is signed. If employees are paid by bank transfer, the list should be authorised before being sent to the bank. (Control objectives 2 and 3)
- Two individuals independent of the processing of wages should be involved in the make up of pay packets and during the wages pay-out. (Control objective 2)
- Employees’ signatures should be required when wages are collected, as evidence of receipt. If employees are absent their wage packets should be entered in an uncollected wages book and returned to a safe under the control of an independent responsible official (eg the cashier). There should be a requirement for formal identification procedures to be carried out on the subsequent collection of wage packets. (Control objective 2)
(v) Accounting for wage costs and deductions
Payroll software should automatically transfer total wage costs and deductions such as tax and pension contributions to the appropriate accounts in the general (nominal) ledger. Outstanding wages owed to employees or deductions not yet paid over to the relevant third parties should be accrued and disclosed as ‘other payables’.
- Monthly comparison of actual and budgeted payroll costs and investigation of significant variances. (Control objective 6)
- Independent reconciliation of total pay and deductions between one payroll and the next. (Control objective 6)
- Annual completion of tax returns and reconciliation to total tax deducted. (Control objective 7)
The above comparisons and reconciliations should be performed by senior responsible officials who are independent of the payroll department – for example, management or financial accounting staff.
Assessing the risk of material misstatement due to fraud
The risk of fraud should be considered by the auditor when planning the work which is to be performed on payroll. Even companies that appear to have good internal controls can suffer from instances of fraud. The most common payroll frauds include:
- The inclusion of fictitious (ghost) employees on the payroll – this can happen in circumstances where blank clock-cards are kept by factory supervisors who also distribute wage packets to employees. There is also a risk of this type of fraud if staff who update the master file for changes are also involved in the preparation or distribution of wage packets.
- Deliberate timing errors – a variation on the above fraud is to include new employees on the payroll before they actually commence work or to leave them on the payroll after they have left.
- Requesting a cheque for net wages in excess of the required amount. This type of fraud is generally easier to perpetrate in manual wages systems. Alternatively, if employees are paid by bank transfer a lack of controls could provide staff with the opportunity to make changes to the list before it is sent to the bank.
- Payment of unauthorised/invalid overtime – this can happen in circumstances where the authorisation of overtime is not properly controlled or details of overtime input during the preparation of the payroll are not independently reconciled to authorised totals for the week.
The common feature that often facilitates these frauds is inadequate segregation of duties. Frauds can be difficult to prevent where there is collusion among staff. Historically organisations have lost significant sums when large numbers of staff came to expect the routine inclusion of unauthorised overtime in their pay. While it is not the responsibility of the auditor to prevent or detect fraud, the auditor must identify and assess the risk of misstatement due to fraud and respond appropriately in order to obtain sufficient appropriate evidence regarding these risks.
Typical tests of control and substantive procedures
The type of test performed will depend on the particular features of the wages system and the auditor’s evaluation of controls. Typical tests for each control objective are listed below. However, this list is not exhaustive and some of the substantive procedures may be carried out during the final audit.
- To ensure that employees are only paid for work done.
Test of control – observe clocking on procedures and the level of supervision.
Substantive procedure – select a sample of employees from the payroll and agree hours paid to individual clock cards.
- To ensure that wages are only paid to valid employees.
Test of control – attend the wages pay out.
Substantive procedure – select a sample of employees from the payroll and vouch to individual contracts of employment in HR department.
- To ensure that overtime paid is for additional hours required by the business.
Test of control – review overtime forms/lists for authorised signatures.
Substantive procedure – compare overtime costs each month with the prior year and investigate significant variances.
- To ensure wages are paid at the correct rates of pay.
Test of control – review log of amendments to master file for evidence of independent review.
Substantive procedure – obtain printout of employee wage rates and compare to HR records.
- To ensure that errors do not occur in payroll calculations.
Test of control – review payrolls for signatures as evidence of independent calculation checks.
Substantive procedure – select a sample of employees and reperform calculations of gross and net pay.
Tests to ensure the accuracy and completeness of balances in respect of wage costs and payroll deductions (Control objectives 5, 6 and 7) are normally substantive in nature and conducted as part the final audit.
A substantive audit programme should include:
- Agree total wages and deductions per selected payrolls to the amounts recorded in the individual general (nominal) ledger accounts
- Perform analytical procedures such as proof in total by using number of employees and average wage. Investigate any significant fluctuations.
- Carry out month-by-month comparisons of total wages with prior year/budgets and investigate differences.
- Agree sundry payables for tax outstanding at the year end to the payroll records and check subsequent payment to cash book.
Computer assisted audit techniques
Use the computer as an audit tool and the most common examples are test data and audit software. These could be employed during the interim and final audit of wages.
Test data consists of data submitted by the auditor to test the operation of application controls such as data-validation (edit) checks. Test data should be input using valid and invalid transactions to check the operation of these controls. Examples include:
- Input employee numbers that do not exist or are in an incorrect format – to ensure these items are rejected and included on an error report.
- Input a gross weekly pay exceeding $2,000 – to ensure these employees are included on an exception report.
- Input overtime hours exceeding 30 hours per week – to ensure these employees are also included on an exception report.
Audit software is normally used by the auditor for substantive testing and can interrogate a client’s computer files, re-perform calculations or extract items for further investigation. Examples include:
- Re-perform calculations of gross wage, deductions and casts on selected payrolls.
- Compare the payroll file at the beginning and end of the period to identify starters and leavers, which could then be checked to appropriate documentation.
- Comparing employee records on payroll file and HR files
Knowledge of the stages in a typical wages system and the link between control objectives, controls and audit tests should help students distinguish between these terms. It is also important that, for a given wages system, candidates can identify significant deficiencies in internal control, explain the implications of the deficiencies and recommend appropriate controls.
Written by a member of the FAU examining team