You need formidable payroll internal controls because payroll threats can be external (e.g., cybercriminals) and internal (e.g., payroll employees).

Here's what you need to know about what payroll internal controls are and why you need them:
-
Payroll internal controls are the best way to protect your employees and your company's sensitive information.
-
Without payroll internal controls, confidential information can be compromised.
-
Internal payroll controls help employers meet their payroll obligations.
-
Payroll audits help you determine how well you're meeting your payroll obligations.
Your payroll department contains sensitive information, which must be protected at all costs. The best way to safeguard this information is to adopt and maintain payroll internal controls.
What are payroll internal controls?
Payroll internal controls are measures employers implement in their payroll department to protect payroll information and ensure accurate payroll transactions. These controls come in various forms and ultimately depend on the risk factor involved.
Before we get into the different types of payroll internal controls, let’s examine why employers need them.
The importance of payroll internal controls
Payroll is privy to the following employee or employer information (and more):
- Personal data — such as Social Security Number and home address
- Bank account information
- Time and attendance data
- Wages and salaries
- Tax withholdings
- Form W-2
- Benefits information
- Payroll tax information
Without payroll internal controls, this information can be compromised through:
- Payroll diversion scams
- Time theft
- W-2 phishing schemes
- Pay rate modification
- Ghost employees
Let’s go through each of these in more detail.
Payroll Diversion Scams
Between January 1, 2018, and June 30, 2019, the FBI’s Internet Crime Complaint Center (IC3) received claims regarding total reported losses of $8.3 million due to payroll diversion scams.
According to the FBI’s report, “In the last year, IC3 reported seeing an increase in the number of BEC complaints related to the diversion of payroll funds.”
This type of scheme involves someone in the HR or payroll department receiving a direct deposit change request from a criminal impersonating an actual employee. When this occurs, the change in direct deposit routes the employee’s paycheck to an account that’s under the criminal’s control.
Time Theft
This is an instance of when an employee intentionally inflates their hours worked. For example, they have a coworker clock in and out for them — known as “buddy punching.” Or, they record more hours on their paper timesheet than they worked.
W-2 Phishing Schemes
Cybercriminals attempt to access employees’ Form W-2 data, such as their:
- Social Security numbers
- Wages
- Tax withholding
They may use this information to file fraudulent tax returns, or they might sell the data on the dark web.
Pay Rate Modification
A payroll employee colludes with a non-payroll employee. In this fraud scheme, the payroll employee increases the non-payroll employee’s pay rate in the payroll system. The payroll employee then returns the pay rate to normalcy after a few pay periods to lower the odds of detection.
Ghost Employees
A payroll employee defrauds the company by paying a “ghost” employee through the payroll system and pocketing the payments.
The ghost employee may take the form of:
- A fictitious person, made up by the payroll employee
- A terminated or deceased employee not removed from the payroll system
- A person who has never worked for the company
What’s your biggest 2022 HR challenge that you’d like to resolve
Answer to see the results
The Compliance Factor
Employers must execute their payroll obligations — including paying employees — accurately and on time. Otherwise, they can face a slew of headaches and governmental penalties. Internal payroll controls help employers meet their payroll obligations.
Types of payroll internal controls
Payroll internal controls come in many forms. Below we detail the more prominent controls to help you verify that your compliance processes are in place and effective.
Automated Time and Attendance System
This eliminates paper timesheets and employees padding their hours worked. Modern time and attendance systems allow employees to clock in and out from anywhere, from any device. They come with fraud protection features that confirm the employee’s identity and geographic location, thereby eradicating buddy punching.
Timecard Verification
Managers should verify their employees’ timecards before submitting the data to payroll. They should clear up any timecard inconsistencies with the employee beforehand. In addition, managers should know the consequences of falsifying employees’ timecards.
Segregation of Duties
This is vital to reducing fraud by payroll employees.
By separating payroll duties, you ensure that no sole person has total control over your payroll activities.
At a minimum, consider segregating the following tasks:
- Timecard approval
- Payroll processing
- Paycheck signing
- Contact with banks
- Payroll tax preparation
If you have only 1 payroll employee, designate a qualified individual (e.g., someone in accounting) to verify payroll transactions before and after each payday.
Training on Payroll Diversion Scams
Educate your payroll employees on the dangers of payroll diversion scams and how to combat them. These email scams often contain tell-tale signs like grammatical errors and incorrect sender email addresses.
You can thwart direct deposit email scams by verbally verifying the direct deposit change request with the actual employee.
Dedicated Payroll Bank Account
Establish a separate bank account dedicated solely to payroll. Put only the amount for the upcoming payroll into this account. This way, if someone tries to fraudulently cut a check afterward, the bank will reject it due to insufficient funds.
Check Signing Authority
Keep your list of authorized check signers current. If a check signer leaves the company, remove them from the list immediately and inform your bank accordingly.
Pay Raise Verification
Verify pay increases with the employee’s boss. To further reduce the risk of collusion, you can institute a 2-step verification process.
For example, verify the pay raise with not only the employee’s supervisor but also the supervisor’s boss.
Payroll Audits
Payroll audits help you determine how well you’re meeting your payroll obligations. They show strengths and weaknesses in your payroll:
- System
- Processes
- Procedures
Payroll audits often reveal the need for stronger payroll internal controls. You can hire an external auditor or assign someone in-house who is qualified. Either way, the goal is to examine your payroll function microscopically to see what’s working and what improvements are needed.
Access to Payroll System
Due to the confidential nature of payroll, only a limited number of authorized individuals should have access to the payroll system. Designate access based on a “need-to-know” basis.
For example, your payroll manager needs higher-level access than your payroll clerk.
Terminated Payroll Employees
If you’re not careful, a disgruntled or untrustworthy payroll employee can harm your company on their way out the door. For example, during their 2-week termination notice period, they may commit embezzlement or steal employees’ personal information.
Unless an employment contract says otherwise, many employers make payroll employees’ termination effective immediately and pay them for their two-week notice. This is true regardless of whether the termination is voluntary or involuntary.
Employers need payroll internal controls
This is the best way to protect your employees and your company’s sensitive information.
As we’ve demonstrated, payroll threats can be external (e.g., cybercriminals) and internal (e.g., payroll employees). Therefore, you need formidable payroll internal controls. We’ve provided some solutions, such as:
- Automated timekeeping
- Segregation of duties
- Check signing authorization
- Payroll audits
However, you’ll need to take additional measures. For example, run reports to help you detect errors in your payroll transactions. Coordinate with your bank, as well, to improve your payroll security controls.
Implementing payroll internal controls is just the start. You must also monitor and update them. Consider using payroll software that strengthens payroll internal controls, not weakens them.
Ultimately, the software should safeguard payroll data and boost compliance. To learn more, check out Zenefits all-in-one HR software.