When you assess a client’s payroll control risk during your audit, remember that the control risk is directly impacted by payroll internal controls set in place by the business. A company can introduce errors and fraud in its payroll mainly in three ways. When auditing your company’s payroll, keep the following in mind:
Paying fictitious employees: Causing checks to be issued to fictitious or “ghost” employees is outright fraud, and it can be the work of multiple employees working together (called collusion) or one employee (if controls are weak). It occurs when a fake employee is entered into the payroll system and starts receiving paychecks.
Paying terminated employees: When employees separate from a company, most have exit interviews during which human resources questions them about their reasons for leaving and gathers all company-owned equipment. At that time, human resources should update the employee master file showing the termination and date.
If a terminated employee gets paid by mistake or because of a breakdown in controls, the result is an error. But manipulation of the terminated employee’s payment method is fraud. An example would be changing the terminated employee's payment from direct deposit to a paper check mailed to an address controlled by the fraudulent employee. Larger companies often require their employees to use direct deposit to cut costs. However, you still occasionally find an employer that hands out checks on payday or mails them.
Paying current employees who haven’t worked: Fraud can be quite simple to perpetrate in this scenario. After all, the employee is already in the system, so no changes to the employee master file need to be authorized and entered. A department manager could agree to pay an employee when she isn’t at work, and the fraudulent payment is divvied up between the two employees.