Payroll is a fundamental and high-volume operational process that must be accurately controlled and audited to prevent fraud, errors, and compliance issues. Internal auditors use a matrix of assertions and internal controls to evaluate whether each stage of payroll processing meets the integrity and accuracy standards expected. This approach allows for targeted and effective testing of the payroll function.
Payroll Process Overview
- Step 1: Do the Prep Work – Maintain updated employee master data and wage rates.
- Step 2: Collect Timesheet Data – Gather hours worked or performance data.
- Step 3: Do the Math – Calculate gross pay based on approved rates.
- Step 4: Apply Deductions – Withhold taxes, benefits, and other authorized deductions.
- Step 5: Pay Your People – Issue payment via check or direct deposit.
Assertions and Internal Controls Matrix – Payroll Example
Assertion | Potential Misstatement | Example of Internal Control | Relevant Questions / Audit Tests |
---|---|---|---|
Occurrence | Salaries paid to ghost or terminated employees | Regular reconciliation of payroll against HR records | Are all paid employees actively listed in HR? |
Completeness | Missed payments for valid employees | Automated capture of approved timesheets from all departments | Were all approved timesheets processed in the pay run? |
Authorization | Unapproved changes to salary or bonuses | Workflow for HR/payroll updates requiring dual authorization | Were pay rate changes authorized and documented? |
Accuracy | Incorrect pay calculation or tax/deduction errors | Payroll software with built-in tax logic and audit trail | Do calculations match pay structure and legal deduction rules? |
Cutoff | Pay recorded in wrong period or missing adjustments | Time entry locked by payroll cut-off dates | Are hours worked properly aligned with the pay period? |
Classification | Labor costs misclassified (e.g., by department or project) | Coding of employee roles by department and project codes | Are wages posted to correct cost centers or accounts? |
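
An added example (not part of the original article): the matrix's occurrence, completeness, authorization and cutoff tests written as checks over a single pay run. The records, field names and the `audit_pay_run` function are all constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR master, timesheets submitted for the run, and the pay run.
HR = {"E01": "active", "E02": "terminated", "E03": "active"}
PERIOD = (date(2024, 3, 1), date(2024, 3, 15))
TIMESHEETS = [  # (employee, work date, hours, approver recorded in the system)
    ("E01", date(2024, 3, 4), 8, "mgr1"),
    ("E03", date(2024, 3, 5), 8, "mgr2"),
    ("E03", date(2024, 2, 27), 8, "mgr2"),  # dated before the pay period
    ("E01", date(2024, 3, 6), 4, None),     # hours with no system approval
]
PAY_RUN = {"E01": 12, "E02": 8, "E09": 8}   # employee -> hours paid


def audit_pay_run(hr, timesheets, pay_run, period):
    """Return exceptions per assertion for one pay run."""
    start, end = period
    approved = {}  # in-period hours that carry a system approval
    cutoff = []    # approved entries dated outside the pay period
    for emp, day, hours, approver in timesheets:
        if approver is None:
            continue  # unapproved hours never count toward payable time
        if start <= day <= end:
            approved[emp] = approved.get(emp, 0) + hours
        else:
            cutoff.append((emp, day))
    return {
        # Occurrence: paid, but unknown to HR or not active (ghost/terminated).
        "occurrence": sorted(e for e in pay_run if hr.get(e) != "active"),
        # Completeness: approved in-period hours that never reached the pay run.
        "completeness": sorted(e for e in approved if e not in pay_run),
        # Authorization: hours paid beyond what was approved in the system.
        "authorization": {e: h - approved.get(e, 0)
                          for e, h in sorted(pay_run.items())
                          if h > approved.get(e, 0)},
        # Cutoff: entries that belong to a different pay period.
        "cutoff": cutoff,
    }


if __name__ == "__main__":
    for assertion, exceptions in audit_pay_run(HR, TIMESHEETS, PAY_RUN, PERIOD).items():
        print(f"{assertion:14} {exceptions}")
```

The authorization exception for `E01` (4 hours paid without a system approval) is the same pattern as overtime paid from notes kept outside the approved timesheet system.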
Practical Example:
In a hospital audit, an internal auditor discovered that overtime hours were being paid based on handwritten notes rather than timesheets entered in the approved system. This put the accuracy and authorization assertions at risk. The system itself had strong logic; the control weakness was the manual override. The auditor recommended enforcing digital timesheet submission and system-based approval to prevent unauthorized payouts.
By applying an assertion-control matrix to the payroll cycle, internal auditors ensure payments are made only to authorized employees, for correct amounts, during proper periods, and classified accurately in the organization’s financial systems.