Year 26 – 2013 – Payroll

I haven’t looked at payroll very often; at least not as often as I think I should have, or would have liked.  Payroll can be a significant cost to an organization, easily representing 50% of a company’s total expenditures in some industries, but senior management tends to assume that the controls over payroll are good and therefore that it is low risk.  This belief is often transferred to audit, even though studies, and the analysis I have performed over the years, indicate that this may not be the case.  The ACFE Report to the Nations (2016) stated that payroll schemes made up 8.5% of fraudulent disbursement cases, with a median loss of $90,000.  It also stated that payroll schemes were twice as common in small organizations as in large ones.  This may lend some credence to the belief that the controls are better in larger organizations, but it may simply be that auditors in larger organizations are not looking at payroll; and larger organizations can sometimes have larger frauds.  When I did perform analysis on payroll I typically found errors and occasionally fraud.

As part of an audit at a large US city, I was asked to examine payroll.  The audit objective sought to ensure that the controls contributed to a payroll function that was efficient and effective and that pay was accurate.  I performed a number of common tests to support the audit objective.

In my post for Year 21 – 2008, I described an analysis that looked at the pay rates for different categories of employees.  The same analysis here identified two employees who were being paid more than 25% over the pay rate for other employees in the same job category/position.  A second, simple, analysis identified eight missing check numbers.  The manager asked for more information and I replied, “I can’t tell you much more than that you have eight checks that were not issued”.  I provided the missing check numbers and encouraged the manager, and the auditors, to look into the matter.  Missing checks could be checks that were accidentally destroyed while being printed or (my concern) stolen blank checks.  The controls over the blank check stock needed to be reviewed, as did the procedures followed when checks are printed (what happens to damaged, misprinted, or otherwise unusable checks, and is their destruction recorded?).

Note: to perform the analysis by job category and identify employees being paid more than the usual rate for their category, I ran a Min/Max ratio analysis.  For each job category (one row in the output file), it calculates the total amount and gives the minimum, maximum and average amount for the category.  Starting in version 11, ACL provides a checkbox that includes this information when you Classify or Summarize on a field.  In version 12, the option to include the standard deviation for each row was also added.
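The two tests above (the per-category Min/Max statistics with a check for employees paid more than 25% above their peers, and the GAPS test on check numbers) are shown here in plain Python as an added example; this is not code from the original post or an ACL script. All records are constructed, and the field names, the 25% threshold and the peer-average comparison are assumptions made for the illustration.

```python
# Added example, not code from the original post: the two payroll tests
# described above (per-category Min/Max statistics with a >25% peer check,
# and a GAPS test on check numbers) in plain Python. All records are
# constructed; the field names and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed payroll extract: (employee_id, job_category, hourly_rate)
PAYROLL = [
    ("E001", "CLERK-2", 21.50), ("E002", "CLERK-2", 22.00),
    ("E003", "CLERK-2", 21.75), ("E004", "CLERK-2", 29.80),  # well above peers
    ("E005", "ENGR-3", 48.00), ("E006", "ENGR-3", 47.50),
    ("E007", "ENGR-3", 62.00),  # well above peers
    ("E008", "ENGR-3", 49.00),
    ("E009", "SOLO-1", 30.00),  # single-member category: no peers to compare
]

# Constructed check register: the run 50001-50040 with eight numbers never issued
MISSING_FOR_DEMO = {50007, 50008, 50009, 50010, 50011, 50012, 50013, 50014}
CHECKS = [n for n in range(50001, 50041) if n not in MISSING_FOR_DEMO]


def classify_by_category(rows):
    """One row per job category with count, total, min, max, average and
    population standard deviation: the statistics ACL adds to Classify or
    Summarize when the checkbox is ticked."""
    groups = defaultdict(list)
    for _, category, rate in rows:
        groups[category].append(rate)
    return {
        category: {
            "count": len(rates),
            "total": round(sum(rates), 2),
            "min": min(rates),
            "max": max(rates),
            "avg": round(mean(rates), 2),
            "stddev": round(pstdev(rates), 2),
        }
        for category, rates in groups.items()
    }


def overpaid_vs_peers(rows, threshold=0.25):
    """Flag employees paid more than `threshold` above the mean rate of the
    OTHER employees in their category. Leaving the employee out of the peer
    mean matters: a single large outlier otherwise raises the category
    average enough to hide itself. Single-member categories are skipped."""
    groups = defaultdict(list)
    for employee, category, rate in rows:
        groups[category].append((employee, rate))
    flagged = []
    for category, members in groups.items():
        if len(members) < 2:
            continue
        for employee, rate in members:
            peer_avg = mean(r for e, r in members if e != employee)
            if rate > peer_avg * (1 + threshold):
                flagged.append((employee, category, rate, round(peer_avg, 2)))
    return flagged


def find_gaps(check_numbers):
    """GAPS: every number absent from the range min..max of the register.
    Duplicated numbers are ignored here; that is a separate test."""
    issued = set(check_numbers)
    if not issued:
        return []
    return [n for n in range(min(issued), max(issued) + 1) if n not in issued]


if __name__ == "__main__":
    for category, stats in classify_by_category(PAYROLL).items():
        print(category, stats)
    print("paid >25% above peers:", overpaid_vs_peers(PAYROLL))
    print("missing check numbers:", find_gaps(CHECKS))
```

The peer comparison excludes the employee being tested from the average; with a small category, one outlier otherwise pulls the average toward itself and may stay under the threshold. Categories with a single member are skipped rather than reported, since there is nothing to compare against.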

Another analysis looked at how long it took to get new employees onto the payroll.  Using the employee start date from the HR system, I calculated how long it took before each new employee received their first paycheck.  Management expected that it would be the next pay period, or certainly the second; however, the analysis showed that in 31% of the cases employees did not receive their first pay for more than 28 days (almost four pay periods after their start date).  Drilling down by pay office revealed problems with the HR on-boarding process in two regions, which contributed to the late paychecks.

I also did an analysis to determine whether employees were being paid before their “start date” or after their “termination date”.  There was no evidence of control weaknesses in these areas.
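The date-based tests in the two paragraphs above (days from HR start date to first paycheck, stratified and drilled down by pay office, and pay dated before the start date or after the termination date) are shown here as an added Python example; it is not code from the original post. The HR and payroll records, the office codes and the band edges are constructed, and the 28-day threshold is taken from the text. The example also reports a payment to an employee missing from the HR master, which the post does not mention but which falls out of the same join.

```python
# Added example, not code from the original post: the two date-based payroll
# tests described above (time from HR start date to first paycheck, drilled
# down by pay office, and pay dated outside the employment window). The HR
# and payroll records, office codes and band edges are constructed.
from collections import defaultdict
from datetime import date

# Constructed HR master: employee -> (start_date, termination_date or None, pay_office)
HR = {
    "E001": (date(2013, 1, 7), None, "NORTH"),
    "E002": (date(2013, 1, 7), None, "NORTH"),
    "E003": (date(2013, 1, 14), date(2013, 3, 1), "SOUTH"),
    "E004": (date(2013, 2, 4), None, "SOUTH"),
    "E005": (date(2013, 2, 4), None, "EAST"),
}

# Constructed payroll register: (employee, pay_date, amount)
PAY = [
    ("E001", date(2013, 1, 18), 900.00),
    ("E002", date(2013, 2, 22), 1800.00),  # 46 days after start
    ("E003", date(2013, 1, 25), 950.00),
    ("E003", date(2013, 3, 15), 950.00),   # dated after termination
    ("E004", date(2013, 3, 15), 1200.00),  # 39 days after start
    ("E005", date(2013, 1, 25), 700.00),   # dated before start
    ("E005", date(2013, 2, 8), 700.00),
]


def days_to_first_pay(hr, pay):
    """Days from HR start date to each employee's earliest pay date.
    Negative means the first payment predates the start date."""
    first = {}
    for employee, pay_date, _ in pay:
        if employee in hr and (employee not in first or pay_date < first[employee]):
            first[employee] = pay_date
    return {employee: (pay_date - hr[employee][0]).days
            for employee, pay_date in first.items()}


def stratify_delay(delays, edges=(0, 14, 28)):
    """Bucket the delays: '<0', then half-open bands from the edges, then '28+'."""
    buckets = defaultdict(int)
    for days in delays.values():
        if days < 0:
            label = "<0"
        else:
            label = f"{edges[-1]}+"
            for lo, hi in zip(edges, edges[1:]):
                if lo <= days < hi:
                    label = f"{lo}-{hi - 1}"
                    break
        buckets[label] += 1
    return dict(buckets)


def late_first_pay_by_office(hr, delays, threshold=28):
    """Share of new hires per pay office whose first pay took more than
    `threshold` days: the drill-down that isolated the two regions."""
    totals, late = defaultdict(int), defaultdict(int)
    for employee, days in delays.items():
        office = hr[employee][2]
        totals[office] += 1
        if days > threshold:
            late[office] += 1
    return {office: round(late[office] / totals[office], 2) for office in totals}


def pay_outside_employment(hr, pay):
    """Payments dated before the start date or after the termination date,
    plus any payee with no HR record at all."""
    hits = []
    for employee, pay_date, amount in pay:
        if employee not in hr:
            hits.append((employee, pay_date, amount, "not in HR master"))
            continue
        start, termination, _ = hr[employee]
        if pay_date < start:
            hits.append((employee, pay_date, amount, "before start"))
        elif termination is not None and pay_date > termination:
            hits.append((employee, pay_date, amount, "after termination"))
    return hits


if __name__ == "__main__":
    delays = days_to_first_pay(HR, PAY)
    print("days to first pay:", delays)
    print("stratified:", stratify_delay(delays))
    print("late share by office:", late_first_pay_by_office(HR, delays))
    print("pay outside employment window:", pay_outside_employment(HR, PAY))
```

The first-pay calculation uses the earliest pay date per employee, so a later correcting payment does not mask a late first check; a negative delay is reported in its own band rather than hidden in the first one, since it is the same condition the last test flags.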


Lessons-Learned – Similar problems occur all the time.  It is worth looking at what types of control weaknesses have occurred elsewhere when planning an audit.  Look at the ACFE report and the reports produced by the big accounting firms, perform a simple Internet search, and check the ACL forum to see what others have found.  I find the same types of problems happening in different industries around the world.

Secondly, there is a reason why ACL developed its standard set of commands: they are useful.  I have used the basic commands thousands of times to perform useful analysis.  In this case GAPS, a standard ACL command, identified the missing checks.  The results of the standard commands can be extremely useful, but you need to understand when to use them and, importantly, how to interpret the results.

Lastly, even large payroll systems can have errors, and when they do the errors can be even more significant.  I recently learned about a hospital payroll system running on SAP that was overpaying employees (more than $1M in overpayments in a year).  It was a systemic problem tied to interfaces, pay tables, complex hourly schedules and work days, and numerous employee classifications.  In another case, employees agreed to be on call during the Australia Day public holiday and were subsequently recalled for duty.  However, the payroll system did not recognize the day as a holiday and incorrectly calculated entitlements, resulting in significant underpayments.  These examples highlight the fact that auditors cannot simply rely on the controls; in fact Statement on Auditing Standards (SAS) No. 94 states that substantive testing alone may not be sufficient when significant data is initiated, recorded, processed, and reported electronically.  It requires auditors to test the IT controls, and notes that computer-assisted audit techniques (analytics) may be needed to do so.  This applies to any IT system, not just payroll.

I have only discussed errors in employee pay, but there are also errors that can affect income tax.  In Accounting Today, Brian Cumberland, a managing director with Alvarez & Marsal Taxand, LLC in Dallas, offers his list of the top ten payroll errors: 1. Classification of Employees as Independent Contractors; 2. Failure to Subject Vendor Payments to Backup Withholding; 3. Failure to Issue Appropriate Tax Forms; 4. Not Including the Fair Market Value of Gift Cards, Prizes and Awards in Employees’ Income; 5. Failing to Timely Deposit Withheld Taxes; 6. Failure to Timely Deposit Withholding Taxes on Vested Restricted Stock and Exercise of Stock Options; 7. Incorrectly Excluding Expense Reimbursements from Reportable Wages; 8. Failure to Include Nonqualified Deferred Compensation in Executives’ Incomes; 9. Not Including the Appropriate Value of Taxable Fringe Benefits in Employees’ Income; and 10. Excluding Travel and Commuting Expense Reimbursements from Employees’ Income. (Source:

Year 24 – 2011 – Fraud Detection – part 1

By 2011, I was becoming more and more involved in data analysis to detect fraud.  I had been doing this for years but had never really thought about the approaches I was taking to assess fraud risk and decide which analytics to perform.  The following is the result of my deliberations (which continue to this day).

Fraud Detection

The unrelenting advancement of technology is affecting virtually every aspect of our lives, and as technology becomes more pervasive, so do schemes to commit fraud.  Fraudsters take advantage of users’ inexperience with newer technology, and of weaknesses in controls, to perpetrate these schemes.  This is proving to be a challenge for evaluators, auditors and investigators in their efforts to identify and detect fraud.  However, technology is also a tool that can help prevent and detect fraud.  Data analysis techniques can search for the symptoms of fraud that are buried in the millions of transactions flowing through business processes.

Whether you are investigating to see if a fraud occurred or following up on an allegation of fraud, a good first step is to understand the ‘why’ of fraud.  The “Fraud Triangle”, developed by the criminologist Donald Cressey, outlines three things that must be present for fraud to occur: opportunity, pressure (or motivation), and rationalization.

Opportunity.  An opportunity is likely to occur when there are weaknesses in the internal control framework or when a person abuses a position of trust.  For example:

  • organizational expediency, e.g. it was a high-profile rush project and we had to cut corners;
  • downsizing means that separation of duties no longer exists;
  • business re-engineering removed checks and balances from the control framework.

Pressure.  The pressures are usually financial in nature, but not always.  For example, unrealistic corporate targets can encourage a salesperson or production manager to commit fraud.  The desire for revenge, to get back at the organization for some perceived wrong, or poor self-esteem, the need to be seen as the top salesperson at any cost, are also examples of non-financial pressures that can lead to fraud.  In addition, a lavish lifestyle, a drug addiction, and many other factors can influence someone to commit fraud.

Rationalization.  In the perpetrator’s mind, rationalization usually includes the belief that the activity is not criminal.  They often feel that everyone else is doing it; that no one will get hurt; or that it’s just a temporary loan and they’ll pay it back; and so on.

Interviews with persons who committed fraud have shown that most people do not originally set out to commit fraud.  Often they simply took advantage of an opportunity; many times the first fraudulent act was an accident, perhaps the same invoice was mistakenly processed twice.  But when they realized that it wasn’t noticed, the acts became deliberate and more frequent.

Interestingly, studies have shown that removing the pressure is not sufficient to stop an ongoing fraud.  Also, the first act of fraud requires more rationalization than the second, and so on.  As the acts become easier to justify, they occur more frequently and the amounts increase.  This means that, left alone, fraud will continue and the losses will grow.

I have been unable to find conclusive evidence to support the 10-80-10 rule, but it is well known in the ACFE world.  Basically, it states that 10% of people would never commit fraud; 80% might, given the circumstances; and 10% are actively searching for opportunities to commit fraud.  I think that, as auditors and fraud investigators, we must be concerned not only with the 10% who are actively attempting to commit fraud, but also with the 80% who might.  By ensuring that the fraud triangle is not adversely affecting these people we can prevent fraud and save careers and lives.

Pressure – audit can examine corporate performance targets and inform management when targets are likely to contribute to cutting corners, bypassing controls and possibly committing fraud.

Rationalization – an audit of the corporate values and ethics program, and of the tone-at-the-top, can help ensure that the tone-at-the-top is aligned with organizational goals and objectives.

Opportunity – by performing fraud risk assessments and addressing control weaknesses in the areas most prone to fraud, audit can protect the 80% from making a mistake.

Next week I will describe two approaches that can assist you in determining where you have fraud risks and the data you require to perform analytics to determine if fraud is happening.

Year 22 – 2009 – SAP Extract

Imagine my excitement when I had 7 responses to my previous post on Payroll, and then my utter disappointment when I found out that they were all in Russian and had nothing to do with the content of my blog.  This continued for several days and then suddenly switched to English posts about Credit Unions.  In total I had over 65 spam bot posts, including two that wanted to help me monetize my site.

On the positive side, I was talking to Franco who said that he reads my blogs every Monday and the most recent post gave him some ideas of a payroll analysis he wanted to perform.

Audit example – Standard SAP extract:  By now, I had been extracting SAP data for 10 years and had developed a “Standard SAP Extract”.  While SAP has more than 70,000 tables, I was using 2 main tables and 9 master tables.  Using this set of data, I had supported hundreds of audits.  In addition, I had changed companies twice and was able to use the exact same extract (and all of my ACL scripts) at the new companies.  Unfortunately, it took between 6 and 12 months to get the extract built at each new company.


Year 15 – 2002 – Part 2 – IT Audit

Second part of article on making IT Audits more effective and value-added ….

The next area that will need to be addressed by CAEs is ensuring that risk-based audit plans are relevant and that the selected audits provide maximum value to senior management.  Today’s business environment changes rapidly to adjust to market conditions, evolving legislation and economic forces, and the risk-based audit plan must keep pace with this change if it is to properly identify and assess emerging risks that can affect the achievement of business objectives.

ISACA standards state that an appropriate risk assessment approach should be used when developing the overall IS audit plan.  Risk should also guide IT auditors in setting priorities for the allocation of resources to provide assurance on the state of the IT control processes.  This means that risk should drive the IT audit plan and the focus of IT audit resources.  IT audit should use a top-down approach that starts with the identification of business objectives.  The next step is identifying the key controls, in both the application system and the business process, that provide assurance over those objectives.  Finally, IT audit should identify the applications where the IT controls need to be tested, in order to focus IT audit effort where it is needed most.

IT audit plans also need to lay the groundwork for integrating IT audit expertise with non-IT auditors, to ensure that the risks associated with IT systems are considered when assessing the overall risk in a business process.  Conversely, you should also be looking at the risks in the business processes and determining which IT controls mitigate those risks.


Year 15 – 2002 – Part 1 – IT Audit

Many audit shops rely on IT auditors to support their use of data analytics; however, IT audits typically focus on general and application controls.  Around this time I wrote an article for EDPACS which encouraged IT auditors to look beyond the black box, at how IT supports, drives, and impacts business processes.  I have included it below.

IT Auditors need to come out of the black box

Are you an IT auditor who takes comfort in your specialized knowledge and feels secure assessing general and application controls, but does no more?  Then you need to wake up to today’s business environment and step out of your comfort zone.  You will probably also need to pull the general auditor away from the safety of pure compliance audits.  The notion of the integrated auditor was usually applied to the need for the general auditor to increase his or her knowledge of IT.  Alternatively, general audit teams were encouraged to include an IT auditor to assess the IT controls.  It was a one-way street that added IT expertise to the operational audit program.

Today, we are going through yet another time of economic and organizational upheaval.  IT auditors need to look at how they are contributing to the organization’s flexibility and sustainability.  They need to ensure that the information systems supporting business processes are not obstructing the very improvements in operations that they are supposed to enable.  IT auditors need to better understand the operations of the organization and how IT contributes to their effectiveness and efficiency.

As IT becomes more and more integrated with business operations, the role of IT audit is changing, moving beyond the black box to a role tied directly to the achievement of business objectives.  Business processes rely on automated systems for controls and to support efficient and effective processes.  As a result, IT risks are a part of, not separate from, business risks.  In current market conditions, marked by rapidly changing risks and tough economic conditions, testing of IT controls by IT auditors and compliance testing by general auditors cannot, separately, address the risks and opportunities resulting from the integration of complex technology into multiple business processes.


Year 13 – 2000 – Back to Work after a Year of Consulting

This was another exciting year for me.  First, in 1999, I had decided to take a year off without pay and do some sub-contracting for ACL (I forgot to mention this in the 1999 post).  It gave me the opportunity to really expand my analysis skills.  I also worked on the development of DirectLink for SAP, which forced me to develop a much better understanding of SAP, something that has been valuable ever since.

I also submitted short articles to the IIA’s Internal Auditor magazine and won two Honourable Mention Roundtable Awards for stories on “Travel Bonus” and “It is Really a Good Deal”.  In 2001 I would garner my first Ted Keys Roundtable Award for “Who’s Managing the Goods”, and my second in 2005 for “Of Mice and Money”.  My last honourable mention was in 2005 for “Winning over the CIO”.  The articles highlighted audits I had worked on where, surprise, analytics was instrumental in arriving at the audit findings.


Year 12 – 1999 – Part 2 – Drilling down into A/P risks

Technically, we were still in the planning phase of the A/P audit, but we had already identified several areas of risk that needed to be analyzed further.

The early payments represented a potential fraud.  If you paid within 15 days, you should receive an early payment discount of between 1.5% and 2.5%, depending on the vendor’s terms.  In addition to reviewing the invoices with ‘immediate’ payment terms, we calculated the number of days between the later of the goods-received date and the invoice-received date, and the check date.  We then stratified the results using intervals of 0-5, 6-10, 11-15, 16-20, 21-25, 26-30, and >30 days, and determined the total number and amount of transactions paid within 15 days.  The analysis showed that only 4.6 percent of the transactions were paid within 15 days; however, these represented almost 16 percent of the total payments made.

The auditors reviewed the transactions that were paid within 15 days and found that early payment discounts had been claimed in 87% of the cases.  A Classify on the remaining transactions showed that they were all processed at the same A/P office, belonged to only three vendors, and were processed by two A/P clerks.  The unclaimed early payment discounts, calculated at 2%, totaled $832,000.
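The early-payment analysis in the two paragraphs above (days from the later of goods receipt and invoice receipt to the check date, stratified into the same bands, the share paid within 15 days by count and by amount, and the unclaimed discounts classified by office, vendor and clerk) is shown here as an added Python example; it is not code from the original audit or an ACL script. The invoice records, office and clerk codes and the 2% discount rate are constructed for the illustration.

```python
# Added example, not code from the original post: the early-payment analysis
# described above in plain Python. Invoice records, office/clerk codes and
# the 2% discount rate are constructed for the illustration.
from collections import defaultdict
from datetime import date

# The stratification bands used in the audit (days); anything above goes to ">30"
INTERVALS = [(0, 5), (6, 10), (11, 15), (16, 20), (21, 25), (26, 30)]


def invoice(inv_id, vendor, office, clerk, received, invoiced, check_date,
            amount, discount_taken):
    return {"id": inv_id, "vendor": vendor, "office": office, "clerk": clerk,
            "received": received, "invoiced": invoiced, "check_date": check_date,
            "amount": amount, "discount_taken": discount_taken}


# Constructed A/P sample (1999 dates to match the post)
INVOICES = [
    invoice("INV1", "ACME", "HQ", "C1", date(1999, 3, 1), date(1999, 3, 3), date(1999, 3, 10), 10000.0, True),
    invoice("INV2", "ACME", "HQ", "C1", date(1999, 3, 2), date(1999, 3, 1), date(1999, 3, 12), 20000.0, False),
    invoice("INV3", "BETA", "HQ", "C2", date(1999, 3, 5), date(1999, 3, 5), date(1999, 3, 18), 15000.0, False),
    invoice("INV4", "GAMMA", "WEST", "C3", date(1999, 3, 1), date(1999, 3, 4), date(1999, 4, 20), 5000.0, False),
    invoice("INV5", "DELTA", "WEST", "C3", date(1999, 3, 10), date(1999, 3, 12), date(1999, 4, 1), 8000.0, False),
    invoice("INV6", "ACME", "HQ", "C2", date(1999, 3, 1), date(1999, 3, 2), date(1999, 3, 3), 4000.0, True),
    invoice("INV7", "BETA", "WEST", "C3", date(1999, 3, 15), date(1999, 3, 10), date(1999, 4, 12), 12000.0, False),
    invoice("INV8", "EPS", "HQ", "C1", date(1999, 3, 20), date(1999, 3, 18), date(1999, 3, 19), 3000.0, False),  # paid before goods arrived
]


def days_to_payment(rec):
    """Days from the LATER of goods receipt and invoice receipt to the check
    date. Using the later date avoids crediting a payment as early when the
    invoice arrived long after the goods (or vice versa)."""
    return (rec["check_date"] - max(rec["received"], rec["invoiced"])).days


def band(days):
    if days < 0:
        return "<0"  # paid before anything was received: worth its own look
    for lo, hi in INTERVALS:
        if lo <= days <= hi:
            return f"{lo}-{hi}"
    return ">30"


def stratify(records):
    """Count and amount per band, in band order."""
    labels = ["<0"] + [f"{lo}-{hi}" for lo, hi in INTERVALS] + [">30"]
    out = {label: {"count": 0, "amount": 0.0} for label in labels}
    for rec in records:
        cell = out[band(days_to_payment(rec))]
        cell["count"] += 1
        cell["amount"] = round(cell["amount"] + rec["amount"], 2)
    return out


def early_payment_share(records, within=15):
    """Transactions paid within `within` days: count, share of transactions,
    share of total amount, and how often the discount was actually taken."""
    early = [r for r in records if days_to_payment(r) <= within]
    total_amount = sum(r["amount"] for r in records)
    return {
        "early_count": len(early),
        "total_count": len(records),
        "count_pct": round(100 * len(early) / len(records), 1),
        "amount_pct": round(100 * sum(r["amount"] for r in early) / total_amount, 1),
        "discount_claimed_pct": (round(100 * sum(r["discount_taken"] for r in early) / len(early), 1)
                                 if early else 0.0),
    }


def unclaimed_discounts(records, within=15, rate=0.02):
    """Early payments with no discount taken, classified by office, vendor
    and clerk, with the foregone discount valued at `rate`."""
    by_key = defaultdict(float)
    for rec in records:
        if days_to_payment(rec) <= within and not rec["discount_taken"]:
            key = (rec["office"], rec["vendor"], rec["clerk"])
            by_key[key] = round(by_key[key] + rec["amount"] * rate, 2)
    return round(sum(by_key.values()), 2), dict(by_key)


if __name__ == "__main__":
    print(stratify(INVOICES))
    print(early_payment_share(INVOICES))
    print(unclaimed_discounts(INVOICES))
```

Reporting the early payments both as a count and as a share of the amount is what exposed the pattern in the audit (4.6 percent of transactions, almost 16 percent of dollars); the office/vendor/clerk classification of the unclaimed discounts is the step that narrowed the population to a handful of people.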

The team leader had concerns about two possible fraud scenarios.  In the first, the A/P clerk processes the original transaction for the full amount of the invoice, subsequently requests a credit from the vendor for the early payment discount amount, and keeps the credit.  The second scheme involves deliberately paying invoices early without claiming the early payment discount, and receiving a kickback from the vendor.

To test for the first type of fraud, the team leader sent confirmation letters to the three vendors that had been paid early, asking them to provide details on the terms and amount of the payments.  All three vendors replied that they had initially been paid the full amount but had subsequently sent the company a check for the amount of the discount.  The auditors asked the vendors for copies of the canceled checks; the two A/P clerks had endorsed them all.


Year 8 – 1995 – HR analysis

Our analytics team was running on all cylinders and achieving significant results.  This was not just my opinion: we received an ISACA Award of Excellence at the Info Tech Audit ’95 conference for leadership and contribution to the IT audit community.  Amazingly, it came with a $1,000 cash award.  The team (3 people) went out for a celebratory dinner and donated the remaining funds to a local charity.

By now we had a steady stream of auditors seeking data extractions from 30+ information systems.  We had standard monthly extracts in place for the major systems (8-10) that we accessed regularly, and we were able to handle one-offs fairly well.  We still heard the usual arguments from IT (you do not have authority to access the data, it contains personal information, you don’t have the security clearance, etc.) when we sought access to a new system, but we were getting better at countering those arguments with solid facts and obtaining the necessary access.  The more difficult issue was changes to existing applications.  We were not informed when things like record layouts, file names, and transaction types changed.  This meant that we constantly had to verify the integrity of the standard extracts and scripts we had developed.

To date we had used the personnel data to verify pay rates as part of a payroll audit; to determine personnel costs for a cost recovery audit; and for a number of other audits that required HR information.

The first HR audit to use data analysis was an audit of an employee reduction program.  The company was downsizing, and eligible employees were being offered a buyout package.  The package was available to full-time employees, and the buyout amount was based on years of service (including casual or part-time employment) and current salary rate.  The initial audit objective was to determine whether the buyouts were for the correct amount.
