What Are Payroll Internal Controls? And Why You Need Them

May 28, 2022
Your payroll department contains sensitive information, which must be protected at all costs. The best way to safeguard this information is to adopt and maintain payroll internal controls.

What are payroll internal controls?

Payroll internal controls are measures employers implement in their payroll department to protect payroll information and ensure accurate payroll transactions. These controls come in various forms and ultimately depend on the risk factor involved. Before we get into the different types of payroll internal controls, let's examine why employers need them.

The importance of payroll internal controls

Payroll is privy to the following employee or employer information (and more):

  • Personal data — such as Social Security Number and home address
  • Bank account information
  • Time and attendance data
  • Wages and salaries
  • Tax withholdings
  • Form W-2
  • Benefits information
  • Payroll tax information

Without payroll internal controls, this information can be compromised through:

  • Payroll diversion scams
  • Time theft
  • W-2 phishing schemes
  • Pay rate modification
  • Ghost employees

Let's go through each of these in more detail.

Payroll Diversion Scams

Between January 1, 2018, and June 30, 2019, the FBI's Internet Crime Complaint Center (IC3) received claims with total reported losses of $8.3 million due to payroll diversion scams.

This type of scheme involves someone in the HR or payroll department receiving a direct deposit change request from a criminal impersonating an actual employee. When this occurs, the change in direct deposit routes the employee's paycheck to an account that's under the criminal's control.

Time Theft

Time theft occurs when an employee intentionally inflates their hours worked. For example, they have a coworker clock in and out for them — known as "buddy punching." Or, they record more hours on their paper timesheet than they worked.

W-2 Phishing Schemes

Cybercriminals attempt to access employees' Form W-2 data, such as their:

  • Social Security numbers
  • Wages
  • Tax withholding

They may use this information to file fraudulent tax returns, or they might sell the data on the dark web.

Pay Rate Modification

In this fraud scheme, a payroll employee colludes with a non-payroll employee: the payroll employee increases the non-payroll employee's pay rate in the payroll system, then returns the pay rate to normal after a few pay periods to lower the odds of detection.

Ghost Employees

A payroll employee defrauds the company by paying a "ghost" employee through the payroll system and pocketing the payments. The ghost employee may take the form of:

  • A fictitious person, made up by the payroll employee
  • A terminated or deceased employee not removed from the payroll system
  • A person who has never worked for the company

The Compliance Factor

Employers must execute their payroll obligations — including paying employees — accurately and on time. Otherwise, they can face a slew of headaches and governmental penalties. Internal payroll controls help employers meet their payroll obligations.

Types of payroll internal controls

Payroll internal controls come in many forms. Below we detail the more prominent controls to help you verify that your compliance processes are in place and effective.

Automated Time and Attendance System

This eliminates paper timesheets and employees padding their hours worked. Modern time and attendance systems allow employees to clock in and out from anywhere, from any device. They come with fraud protection features that confirm the employee's identity and geographic location, thereby eradicating buddy punching.

Timecard Verification

Managers should verify their employees' timecards before submitting the data to payroll. They should clear up any timecard inconsistencies with the employee beforehand. In addition, managers should know the consequences of falsifying employees' timecards.

Segregation of Duties

This is vital to reducing fraud by payroll employees. At a minimum, consider segregating the following tasks:

  • Timecard approval
  • Payroll processing
  • Paycheck signing
  • Contact with banks
  • Payroll tax preparation

If you have only 1 payroll employee, designate a qualified individual (e.g., someone in accounting) to verify payroll transactions before and after each payday.

Training on Payroll Diversion Scams

Educate your payroll employees on the dangers of payroll diversion scams and how to combat them. These email scams often contain tell-tale signs like grammatical errors and incorrect sender email addresses. You can thwart direct deposit email scams by verbally verifying the direct deposit change request with the actual employee.

Dedicated Payroll Bank Account

Establish a separate bank account dedicated solely to payroll. Put only the amount for the upcoming payroll into this account. This way, if someone tries to fraudulently cut a check afterward, the bank will reject it due to insufficient funds.

Check Signing Authority

Keep your list of authorized check signers current. If a check signer leaves the company, remove them from the list immediately and inform your bank accordingly.

Pay Raise Verification

Verify pay increases with the employee's boss. To further reduce the risk of collusion, you can institute a 2-step verification process. For example, verify the pay raise with not only the employee's supervisor but also the supervisor's boss.

Payroll Audits

Payroll audits help you determine how well you're meeting your payroll obligations. They show strengths and weaknesses in your payroll:

  • System
  • Processes
  • Procedures

Payroll audits often reveal the need for stronger payroll internal controls. You can hire an external auditor or assign someone in-house who is qualified. Either way, the goal is to examine your payroll function microscopically to see what's working and what improvements are needed.
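As an added example (not part of the original article and not code from any payroll product), here is one way an in-house audit report could surface the ghost employee and pay rate modification schemes described earlier. The record layouts, employee IDs, and the three-pay-period look-ahead window are assumptions, and the sample data is constructed.

```python
from datetime import date

# Constructed sample data (not from the article): HR roster and payroll register.
HR_ROSTER = {
    "E100": {"name": "A. Rivera", "terminated": None},
    "E101": {"name": "B. Chen", "terminated": date(2022, 3, 15)},
    "E102": {"name": "C. Okafor", "terminated": None},
}
# Payroll register rows: (employee_id, pay_date, hourly_rate)
PAYROLL_REGISTER = [
    ("E100", date(2022, 3, 4), 30.0), ("E100", date(2022, 3, 18), 30.0),
    ("E100", date(2022, 4, 1), 30.0), ("E100", date(2022, 4, 15), 30.0),
    ("E101", date(2022, 3, 4), 25.0), ("E101", date(2022, 4, 1), 25.0),
    ("E102", date(2022, 3, 4), 28.0), ("E102", date(2022, 3, 18), 35.0),
    ("E102", date(2022, 4, 1), 35.0), ("E102", date(2022, 4, 15), 28.0),
    ("E999", date(2022, 4, 1), 40.0),
]

def ghost_payments(roster, register):
    """Flag payments to IDs missing from HR, or dated after termination."""
    findings = []
    for emp_id, pay_date, _rate in register:
        record = roster.get(emp_id)
        if record is None:
            findings.append((emp_id, pay_date, "not in HR roster"))
        elif record["terminated"] and pay_date > record["terminated"]:
            findings.append((emp_id, pay_date, "paid after termination"))
    return findings

def temporary_rate_spikes(register, max_periods=3):
    """Flag a rate increase that falls back to the prior rate within max_periods."""
    by_emp = {}
    for emp_id, pay_date, rate in sorted(register):
        by_emp.setdefault(emp_id, []).append((pay_date, rate))
    findings = []
    for emp_id, history in by_emp.items():
        rates = [rate for _, rate in history]
        for i in range(1, len(rates)):
            base = rates[i - 1]
            if rates[i] <= base:
                continue
            # Rate went up at period i; look ahead for a return to the old rate.
            for j in range(i + 1, min(i + 1 + max_periods, len(rates))):
                if rates[j] <= base:
                    findings.append((emp_id, history[i][0], history[j][0]))
                    break
    return findings

if __name__ == "__main__":
    for finding in ghost_payments(HR_ROSTER, PAYROLL_REGISTER) + temporary_rate_spikes(PAYROLL_REGISTER):
        print(finding)
```

Each finding is a lead for a reviewer outside the payroll function to follow up, since a flagged rate change may turn out to be an approved adjustment.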

Access to Payroll System

Due to the confidential nature of payroll, only a limited number of authorized individuals should have access to the payroll system. Grant access on a "need-to-know" basis. For example, your payroll manager needs higher-level access than your payroll clerk.

Terminated Payroll Employees

If you're not careful, a disgruntled or untrustworthy payroll employee can harm your company on their way out the door. For example, during their 2-week termination notice period, they may commit embezzlement or steal employees' personal information. Unless an employment contract says otherwise, many employers make payroll employees' termination effective immediately and pay them for their 2-week notice. This is true regardless of whether the termination is voluntary or involuntary.

Employers need payroll internal controls

This is the best way to protect your employees and your company's sensitive information. As we've demonstrated, payroll threats can be external (e.g., cybercriminals) and internal (e.g., payroll employees). Therefore, you need formidable payroll internal controls. We've provided some solutions, such as:

  • Automated timekeeping
  • Segregation of duties
  • Check signing authorization
  • Payroll audits

However, you'll need to take additional measures. For example, run reports to help you detect errors in your payroll transactions. Coordinate with your bank, as well, to improve your payroll security controls. Implementing payroll internal controls is just the start. You must also monitor and update them. Consider using payroll software that strengthens payroll internal controls, not weakens them. Ultimately, the software should safeguard payroll data and boost compliance. To learn more, check out TriNet's all-in-one HR software.

This communication is for informational purposes only; it is not legal, tax or accounting advice; and is not an offer to sell, buy or procure insurance.

This post may contain hyperlinks to websites operated by parties other than TriNet. Such hyperlinks are provided for reference only. TriNet does not control such web sites and is not responsible for their content. Inclusion of such hyperlinks on does not necessarily imply any endorsement of the material on such websites or association with their operators.
