Sox Rules For Payroll – What The Sarbanes Oxley Act Means For Payroll Managers
By: Mark Schwartz MS Payroll
I. SOX Summary
• Passed in July 2002
• Result of Enron, Worldcom and other scandals, due to fraudulent accounting and financial reporting practices condoned by large accounting firms
• Act designed to ensure transparency and accountability in the financial conduct of a business
• Established the Public Company Accounting Oversight Board (PCAOB)
I. SOX Summary: Summary of Section 302
Periodic statutory financial reports are to include certifications that:
• The signing officers have reviewed the report
• The report does not contain any material untrue statements or material omissions, and would not be considered misleading
• The financial statements and related information fairly present the financial condition and the results in all material respects
I. SOX Summary: Summary of Section 302
Periodic statutory financial reports are to include certifications that:
• The signing officers are responsible for internal controls, have evaluated these internal controls within the previous ninety days and have reported on their findings
• A list of all deficiencies in the internal controls and information on any fraud that involves employees who are involved with internal activities
• Any significant changes in internal controls or related factors that could have a negative impact on the internal controls
I. SOX Summary: Summary of Section 404
Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures. The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.
I. SOX Summary: Summary of Section 802
This section imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing or falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation. This section also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.
I. SOX Summary
The Act is intended to address a number of issues related to public company regulation. In particular:
• Require strict guidelines regarding the "quality" of reported financial information and disclosure of significant business events
• Establish and enforce independence requirements for members of the Audit Committee of the Board of Directors and the relationship with the external auditors
• Require the establishment of a corporate code of ethics, and elevate the importance of corporate responsibility and governance
• Require executive management and the Board of Directors to certify with respect to the adequacy of internal controls
II. SOX Compliance
Some of the activity is somewhat "behind the scenes", at the Executive and BOD level of your organization:
• The development of a corporate code of ethics
• The review of the structure and potential restructuring of the BOD and the Audit Committee to meet new independence requirements
• The refinement of Audit Committee procedural rules
• The creation of a Disclosure Committee of the BOD
• The implementation of an ethics, or "whistleblower", policy and procedure
II. SOX Compliance
An internal control is broadly defined as an activity or practice that is designed to reduce the risk of error in recording or reporting a transaction, the risk of fraud, or the risk that the transaction is not properly authorized. For example:
• We have the ordering manager approve the vendor invoice before the invoice is processed for payment.
• We reconcile the physical cash in the register to the sales rung up in the system to ensure that all the cash is accounted for.
• We verify a prospective employee's past employment to ensure they have the experience we want and that they claim to have.
II. SOX Compliance
• We employ an outside actuarial firm to validate the accrual for the company's pension liability.
• The Risk Manager reviews workers' compensation claims for reasonableness.
We then document the processes and internal controls, assess whether the controls appear to be designed effectively, and then test the controls to ensure that they are actually operating adequately.
II. SOX Compliance
Some of the key controls you can expect to be responsible for from a Section 404 compliance perspective are:
Payroll expense related controls, such as:
• Adequate security over payroll related information and applications
• Validation and reconciliation of proper payroll amounts
• Proper approval for headcount additions and wage increases
• Verification of accurate timekeeping
• Verification that required payroll documentation is current, properly reported and maintained
II. SOX Compliance
Employee benefits related controls, such as:
• Reconciliations and validation that pension expense accruals and liabilities are accurate and properly disclosed
• Verification that third-party administrators are managing their processes and controls adequately (more said later)
• Reconciliation of employee contributions
• Review of workers' compensation claims to ensure they are reasonable and the company is taking measures to limit losses
II. SOX Compliance
Deferred compensation:
• Review and validation that stock options are properly and accurately calculated and disclosed
II. SOX Compliance
Other HR controls, such as:
• Validation that employees are adequately screened, i.e., criminal background, references, experience
• Consistency and propriety of employee termination processes and procedures
• Security of confidential employee information
• Management of employee whistleblower ethics complaints
• Consistent and proper handling of harassment and other workplace complaints
III. How to Comply
• Review your current processes with an eye on internal controls
• Check for proper separation of duties
• Evaluate your processes to ensure they:
  - Accurately record payroll information
  - Promote timely payment and reporting
  - Are properly reviewed and reconciled
  - Are monitored for accuracy and completeness
• Financial reports are reviewed and signed off
III. How to Comply
Examples of internal control testing:
Have the IT department create a report that compares an employee's current gross and net pay to the gross and net of the prior pay period. The report lists all variances of 10% or more, which you review and validate as correct or not. If a variance is caused by a procedural or system problem, it needs to be reported and fixed.
III. How to Comply
Examples of internal controls:
Do a monthly reconciliation of the HR employee master file to the payroll register. Have the IT department create a report that performs a side-by-side comparison of employee number, SSN, or other common identifier (it is not advisable to use name). Review, investigate and resolve all exceptions. Again, an employee that has been entered into either one of the files (the HR employee master file or the payroll register) without being entered into the other represents a significant internal control issue and has to be reported and fixed.
Separation of Duties
A job or process should not be performed by a single individual or department without the review of another individual or department.
Creating the separation (step: responsible party):
• Set the policy: Sr. Management
• Authorize: Sr. Management
• Document: Payroll
• Implement: Payroll, Acctg, Treas.
• Verify: Auditors/other dept.
Separation of Duty examples
Big company:
• HR keeps the employee data such as rate of pay, cost center, benefits
• Payroll handles timecard entry, OT and PTO
• Payroll cuts the checks, HR hands them out
• Treasury completes the bank recon
Small company:
• Acctg dept completes the bank recon
• Dept heads check employee lists against employees who receive paychecks
• Store paychecks outside the payroll dept but keep the key in payroll
Account Reconciliation
• Check the accuracy of recorded payroll transactions
• Verify that debits and credits, journal entries and general ledger balance for each transaction
• Compare the amount of social security tax withheld and listed on the payroll register to the amount booked on the G/L
• Make sure checks issued by accounts payable have been posted to the right account
• Verify the end-of-month balance agrees with payroll dept records. It is possible that taxes withheld in one month did not have to be paid by the end of the month.
• Reconcile discrepancies at least monthly
Payroll IT Level Controls
• Changes to applications, software and hardware are authorized, tested, approved, properly implemented and documented
• Physical access to computer equipment and storage media is restricted by authorization
• Programs and data are routinely backed up and secured
Authorization and Approval
Authorization is defined by your company policy; for example, all managers are authorized to approve overtime and vacation requests for their direct reports. Approval is signing on the line, accepting responsibility for the authenticity of the form or item. It should be well known in the payroll department who in senior management has authorization, and for what items or limits.
Authorization and Approval
Define the type of authorization and approval and then decide what level of procedural documentation and/or management policy must be created.
There are 2 types of controls:
• Preventative: stopped before it happens
• Detective: found after it occurs
Policies and Procedures
Policies: rules that govern a process or job. They include company policies and legal requirements, items like OT requirements, PTO policies, federal tax return due dates, and when a terminated employee must receive a paycheck.
Procedures: instructions for getting the job done. They should include the payroll dept's contingency plan and instructions for entering pay data, master file data, etc.
Every task performed by the dept should be defined and explained in its policies and procedures manual.
Procedure Documentation
What should the Payroll Dept have in writing?
• Company policies on overtime, benefits, vacations, sick leave, termination, recordkeeping, etc.
• Procedures for handling payroll, tax deposits, quarterly returns, liabilities, direct deposit, acct reconciliations, etc.
• The entire payroll process, A to pay!
• Disaster recovery plans
• Payroll computer system user manuals
• Define your Master System of Record
• Payroll dept job descriptions
• Accurate data file descriptions and location of files
Management Policy
• Who is allowed to be a 'backup' for absences?
• How documented do the procedures have to be?
• How are issues reported? (and to whom?)
• How does the Payroll manager stay up to date on regulatory changes?
• Who is assigned to update policies?
• What is the procedure for approving requests for confidential information?
IV. Use of TPAs
Use of a TPA for payroll and/or benefits does not absolve a company of responsibility under SOX. You can do controls testing on the TPA's site. Or, you can obtain an SAS 70 report, wherein the TPA certifies to testing and maintaining its own controls.
IV. Use of TPAs
• Must ensure that the TPA's SAS 70 relates to the processes they do for you. If they do specialized processes for you that are not described in the SAS 70, you or they must test and report on those controls.
• If internal control issues are identified, you must make sure they are resolved prior to relying on the TPA's results for your company.
• Make sure you verify that the information transferred to your TPA matches what they receive.
IV. Use of TPAs
SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January. It is meant to supersede the existing guidance (SAS 70) for performing an examination of a service organization's controls and processes.
V. The Internal Audit Function
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (The IIA)
V. The Internal Audit Function
Uses a set of internationally recognized standards to guide a company’s internal audit function in effectively analyzing its own risk management, policies and procedures in order to maximize value and achieve Management goals.
V. The Internal Audit Function
Stages of internal auditing:
1. Risk Assessment
2. Audit and Engagement Planning
3. Field Work
4. Communication
5. Follow-up
V. The Internal Audit Function
1. Risk Assessment
• Analyze financial statements and other information to decide where the greatest risk to profit and loss exists.
• Analyze operational and administrative functions to identify where the risk of failure, inefficiencies and ineffectiveness exists.
• Analyze personnel, financing, and structural architecture for effective servicing of corporate operations and goals.
• Re-analyze periodically to reflect changes in legal, regulatory, economic and other environments that affect your company.
V. The Internal Audit Function
2. Audit and Engagement Planning
• Based on the Risk Assessment, choose the departments, operations, offices, or functions that have the greatest risk.
• Develop a sound understanding of the program, activity, organization or initiative being audited, including its management practices, business processes, policies and procedures, and external and internal environments.
• Analyze personnel, financing, and structural architecture for effective servicing of corporate operations and goals.
V. The Internal Audit Function
2. Audit and Engagement Planning
Demonstrate and communicate the following decisions:
• Significant audit issues and the reasons for pursuing them further (e.g. the results of the risk assessment)
• Audit objectives
• Audit scope, i.e. the areas, activities, systems, or processes to be examined, together with the rationale for not pursuing any related ones
• Audit criteria against which assessments will be made
• Approach or methodology that will be used for the engagement
• The process for communicating audit findings
• The projected timeline for the audit and resource requirements
V. The Internal Audit Function
3. Field Work
• Define the testing to be done in order to accomplish audit objectives.
• Decide who you need to interview and interact with.
• Communicate with the auditee what documentation you need, and what access to electronic and paper files.
V. The Internal Audit Function
4. Communication
• Write up the results of the testing.
• Decide if exceptions are relevant, and whether evidence is sufficient to support conclusions.
• Have auditors' reports reviewed for accuracy.
• Draft the final report and distribute it to appropriate parties.
• Remember the IAA only points out problems. It is Departmental Management's job to fix them.
V. The Internal Audit Function
5. Follow-up
• After a response is received, resolve any outstanding issues.
• Draft the final report with revisions if necessary.
• Schedule follow-up testing on areas identified as being deficient.
• Record results for review by external auditors and top management.
Supplemental Material
1. Sarbanes Oxley compliance case study
2. Payroll Internal Controls
3. How to evaluate your system for fraud
By: Mark Schwartz, MS Payroll, mark@mspayroll1.com, www.mspayroll1