By: Sue Wells, Senior Consultant at A-lign CPAs
Internal Controls vs. External Controls – What are we talking about?
For a payroll company, many of the controls executed on a daily basis are designed to ensure that its clients’ financial reports are not misstated, and that the information gathered from, and generated on behalf of, clients is protected from mishandling, whether electronic or manual. These controls are considered “externally” focused: they are primarily designed to benefit the payroll company’s clients and, as such, are typically what you see described and examined in SSAE 16 audits.
A payroll company executes internally focused controls to address the risks of “being in business” as a payroll company. These risks include: misstatement of the payroll company’s own financial statements; failure to meet the business needs of its clients; failure to execute processes efficiently enough to remain profitable; and, finally, the risk that the payroll company cannot stay in business as a long-term “going concern”. The controls that address the last risk are what keep the company viable.
Externally-Focused Payroll Controls
Key control objectives that payroll clients, or the clients’ external financial auditors, are concerned with include controls designed and executed to accomplish the following:
- Help ensure that clients are initially set up accurately and timely, and that any ongoing changes made to a payroll client’s account configuration are also accurate and occur in a timely manner.
- Important control activities for this objective include both:
- The payroll client’s review and approval of the initial configuration, and
- The client’s review and approval of ongoing changes made to the payroll account setup
- Help ensure that, by whatever means input occurs (electronically, or manually by client or payroll company personnel), payroll information such as rates and hours is entered accurately and timely.
- Examples include verification procedures such as manual reviews or electronic edit checks (range limits on hours and rates, comparison with the prior period, required fields).
- Help ensure that “outputs” (i.e. payroll checks, electronic or physical; payroll reports; tax payments; tax reporting; general ledger information) are produced accurately and timely.
- These controls can include verification procedures such as:
- Exception reporting to catch “out of the ordinary” payroll results, and/or
- Reports that provide the numbers of checks or advices that should be produced and/or
- Outgoing mail-handling and data transmission controls
- Provide reasonable assurance that system information, once entered into the payroll system, is protected from unauthorized or unintentional use, modification, addition or deletion.
- These controls include following appropriate procedures for granting and removing access to payroll systems and information.
- Controls provide reasonable assurance that the changes to existing applications and the development of new applications are authorized, tested, approved, and properly implemented and documented. Strong Software Development Life Cycle (SDLC) controls are necessary to achieve this control objective.
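The input edit checks and output exception reporting described above, as an added worked example (this is illustrative code, not code from the original article or from A-lign): entries are screened against range and prior-period checks as they come in, the accepted run is checked for out-of-the-ordinary gross pay, and the number of advices produced is compared with the count the client supplied. All thresholds, field names and the sample records are assumptions made for the example.

```python
"""Input edit checks and output exception reporting for a payroll run.

Added example; not code from the original article. Thresholds, field
names and sample records are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional, Tuple

# Assumed thresholds; a real processor would set these per client.
MAX_HOURS = Decimal("100")         # hours per pay period
MAX_RATE = Decimal("250")          # hourly rate ceiling
MAX_RATE_CHANGE = Decimal("0.25")  # flag rate moves of more than 25% vs prior period
MAX_GROSS = Decimal("20000")       # gross pay above this goes on the exception report


@dataclass
class TimeEntry:
    employee_id: str
    hours: Decimal
    rate: Decimal
    prior_rate: Optional[Decimal] = None  # rate paid last period, if known


def edit_check(entry: TimeEntry) -> List[str]:
    """Electronic edit check at input time. An empty list means the entry is accepted."""
    errors = []
    if entry.hours < 0 or entry.hours > MAX_HOURS:
        errors.append(f"{entry.employee_id}: hours {entry.hours} outside 0..{MAX_HOURS}")
    if entry.rate <= 0 or entry.rate > MAX_RATE:
        errors.append(f"{entry.employee_id}: rate {entry.rate} outside 0..{MAX_RATE}")
    if entry.prior_rate is not None and entry.prior_rate > 0:
        change = abs(entry.rate - entry.prior_rate) / entry.prior_rate
        if change > MAX_RATE_CHANGE:
            errors.append(f"{entry.employee_id}: rate changed {change * 100:.0f}% vs prior period")
    return errors


def run_payroll(entries: List[TimeEntry]) -> Tuple[List[TimeEntry], List[str]]:
    """Apply edit checks to every entry; return (accepted entries, rejection messages)."""
    accepted, rejected = [], []
    for e in entries:
        errs = edit_check(e)
        if errs:
            rejected.extend(errs)
        else:
            accepted.append(e)
    return accepted, rejected


def gross_pay(entry: TimeEntry) -> Decimal:
    return entry.hours * entry.rate


def exception_report(accepted: List[TimeEntry], expected_advices: int) -> List[str]:
    """Output control: flag unusual gross pay and check the control total of advices."""
    exceptions = []
    for e in accepted:
        g = gross_pay(e)
        if g > MAX_GROSS:
            exceptions.append(f"{e.employee_id}: gross {g} exceeds {MAX_GROSS}")
    produced = len(accepted)
    if produced != expected_advices:
        exceptions.append(
            f"control total: client expected {expected_advices} advices, run produced {produced}"
        )
    return exceptions


# Constructed sample input for one pay period.
SAMPLE_ENTRIES = [
    TimeEntry("E1", Decimal("40"), Decimal("30"), Decimal("30")),    # normal
    TimeEntry("E2", Decimal("400"), Decimal("30")),                  # keying error: 400 hours
    TimeEntry("E3", Decimal("40"), Decimal("300"), Decimal("30")),   # rate over cap and a 10x jump
    TimeEntry("E4", Decimal("80"), Decimal("200"), Decimal("190")),  # normal, about 5% raise
    TimeEntry("E5", Decimal("95"), Decimal("240"), Decimal("240")),  # passes edits; gross 22,800
]
EXPECTED_ADVICES = 5  # count the client supplied with its input


def run_report(entries=SAMPLE_ENTRIES, expected=EXPECTED_ADVICES):
    """Run edit checks, then the exception report; return (rejections, exceptions)."""
    accepted, rejected = run_payroll(entries)
    return rejected, exception_report(accepted, expected)


if __name__ == "__main__":
    rejected, exceptions = run_report()
    print("Rejected at input:")
    for r in rejected:
        print("  ", r)
    print("Exception report:")
    for x in exceptions:
        print("  ", x)
```

Two of the five constructed entries fail edit checks, so only three advices are produced against the five the client expected; that mismatch lands on the exception report alongside E5, whose gross pay is unusually high even though every individual field passed its edit check. The point of the second control is exactly that: it catches results that are plausible field by field but wrong in aggregate.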
Internally-Focused Payroll Controls
Controls that are designed and executed to facilitate the long-term viability of a payroll company include the following objectives:
- Controls are in place to provide reasonable assurance that output from the payroll software that is used to report revenue and fees billed to the client is transmitted to the accounting and billing systems completely, accurately, and timely.
- These controls include comparing actual results with budgeted and forecasted results, as well as reconciling the quantities reported by the payroll system with the payroll company’s billing system, to help ensure the payroll company bills for all services provided.
- Controls are in place to help ensure that the payroll company provides its services to customers in an efficient manner to help ensure profitability.
- To facilitate this objective, a payroll company can track set up times, accuracy, customer complaints, payroll re-runs, and any penalties paid out for failing to meet service level agreements.
Internally and Externally-Focused Controls
In attempting to classify the following control objectives, it became clear that they have both internal and external impacts: each can affect both the payroll company’s and the client’s ability to continue operating.
- Physical security controls are concerned with providing reasonable assurance that access to computer equipment, storage media, program documentation, and payroll packages is restricted to properly authorized individuals and that environmental controls exist.
- Key control activities include controlling access to the equipment required to perform payroll operations as well as ensuring that environmental controls such as appropriately maintained HVAC systems and having an uninterruptible power supply are in place.
- Computer controls concerned with system availability, such as monitoring, backups and patch management, can affect the ability of both the payroll processing company and its clients to maintain uninterrupted operations.
- A current business continuity plan is necessary for a payroll processor to help ensure that the entity will continue to be a “going-concern” in the event of a disaster including physical, environmental, or pandemic incidents.
- Appropriate segregation of duties, for both manual and system access to payroll funds, is important to internally and externally focused controls alike, to ensure that payroll funds are not mishandled, intentionally or unintentionally. Payroll processing system users with the ability to modify payroll calculations must not have the ability to execute the movement of payroll funds. Within funds movement itself, the same user must not be able to both execute and authorize a transfer; put another way, every funds transfer should require input from two separate users, neither of whom can modify the amounts calculated by the payroll system.
- Finally, a user who cannot modify the amounts calculated by the payroll system, and who cannot authorize or execute funds movements, should independently reconcile the payroll system’s calculations with the actual money movements per records obtained from the relevant financial institutions.
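The segregation-of-duties rules in the last two points, as an added worked example (illustrative code, not code from the original article or from any payroll system): a static check of the access matrix for toxic privilege combinations, a two-person initiate/authorize flow that refuses anyone who can modify calculations, and a reconciliation step that only a user holding none of those privileges may perform. Privilege names, user names and the sample bank records are assumptions made for the example.

```python
"""Segregation of duties for payroll funds movement.

Added example; not code from the original article. Privilege names,
sample users and sample bank records are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Privileges (assumed names).
MODIFY_CALC = "modify_calculations"
INITIATE = "initiate_transfer"
AUTHORIZE = "authorize_transfer"
RECONCILE = "reconcile"

# Toxic combinations: no single user may hold both privileges in a pair.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({MODIFY_CALC, INITIATE}),
    frozenset({MODIFY_CALC, AUTHORIZE}),
    frozenset({INITIATE, AUTHORIZE}),
    frozenset({RECONCILE, MODIFY_CALC}),
    frozenset({RECONCILE, INITIATE}),
    frozenset({RECONCILE, AUTHORIZE}),
}


class SoDViolation(Exception):
    """Raised when an assignment or action would breach segregation of duties."""


def check_assignments(user_privs: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """Static review of the access matrix: every (user, toxic pair) that is present."""
    found = []
    for user, privs in user_privs.items():
        for pair in CONFLICTS:
            if pair <= privs:
                found.append((user, pair))
    return found


@dataclass
class Transfer:
    transfer_id: str
    amount: Decimal                     # amount as calculated by the payroll system
    initiated_by: Optional[str] = None
    authorized_by: Optional[str] = None


def new_transfer(transfer_id: str, amount: str) -> Transfer:
    return Transfer(transfer_id, Decimal(amount))


def _require_funds_privilege(user: str, priv: str, user_privs: Dict[str, Set[str]]) -> None:
    privs = user_privs.get(user, set())
    if priv not in privs:
        raise SoDViolation(f"{user} lacks {priv}")
    if MODIFY_CALC in privs:
        raise SoDViolation(f"{user} can modify calculations and may not move funds")


def initiate(t: Transfer, user: str, user_privs: Dict[str, Set[str]]) -> Transfer:
    """First of the two required users records the transfer."""
    _require_funds_privilege(user, INITIATE, user_privs)
    if t.initiated_by is not None:
        raise SoDViolation(f"{t.transfer_id} already initiated by {t.initiated_by}")
    t.initiated_by = user
    return t


def authorize(t: Transfer, user: str, user_privs: Dict[str, Set[str]]) -> Transfer:
    """Second, distinct user authorizes it; the initiator can never self-approve."""
    _require_funds_privilege(user, AUTHORIZE, user_privs)
    if t.initiated_by is None:
        raise SoDViolation(f"{t.transfer_id} has not been initiated")
    if user == t.initiated_by:
        raise SoDViolation(f"{user} initiated {t.transfer_id} and cannot also authorize it")
    t.authorized_by = user
    return t


def reconcile(user: str, user_privs: Dict[str, Set[str]], transfers: List[Transfer],
              bank_records: Dict[str, Decimal]) -> List[str]:
    """Independent reconciliation of system amounts against bank debits.
    bank_records maps transfer_id -> amount debited per the bank statement."""
    privs = user_privs.get(user, set())
    if RECONCILE not in privs or privs & {MODIFY_CALC, INITIATE, AUTHORIZE}:
        raise SoDViolation(f"{user} is not independent of calculation or funds movement")
    discrepancies = []
    for t in transfers:
        bank = bank_records.get(t.transfer_id)
        if bank is None:
            discrepancies.append(f"{t.transfer_id}: authorized but no bank debit found")
        elif bank != t.amount:
            discrepancies.append(f"{t.transfer_id}: system {t.amount} vs bank {bank}")
    for tid in sorted(bank_records.keys() - {t.transfer_id for t in transfers}):
        discrepancies.append(f"{tid}: bank debit with no authorized transfer")
    return discrepancies


# Constructed sample access matrix.
USERS: Dict[str, Set[str]] = {
    "alice": {MODIFY_CALC},          # payroll analyst
    "bob": {INITIATE},               # treasury clerk
    "carol": {AUTHORIZE},            # treasury manager
    "dave": {RECONCILE},             # independent reconciler
    "eve": {MODIFY_CALC, INITIATE},  # toxic combination the static check should catch
}


def demo():
    """Run the static check, one two-person transfer, and a reconciliation."""
    violations = check_assignments(USERS)
    t = new_transfer("T-1", "12500.00")
    initiate(t, "bob", USERS)
    authorize(t, "carol", USERS)
    bank = {"T-1": Decimal("12500.00"), "T-9": Decimal("300.00")}  # constructed statement
    return violations, t, reconcile("dave", USERS, [t], bank)


if __name__ == "__main__":
    print(demo())
```

The static check catches the standing conflict (a user who can both change calculations and initiate transfers) before any transfer happens; the runtime checks enforce the two-person rule per transfer; and the reconciliation surfaces the one bank debit that no authorized transfer explains, which is precisely the kind of movement the independent reconciler exists to find.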
Externally Focused Examinations
The most common type of externally focused examination of a payroll company is a SSAE 16 audit, performed by an external CPA firm, which is designed to provide an opinion on management’s assertion about the payroll company’s controls that can impact a client’s financial reporting.
Internally Focused Examinations
There are several types of examinations that can be performed with a focus on the controls that matter primarily to the payroll company itself. If the company is large enough to maintain its own internal audit department, internal auditors can assess the payroll operations department and determine whether the controls designed to help ensure that the payroll company is profitable and a “going concern” are in place.
For companies that do not have an internal audit function, an outside CPA firm can be hired to act as the internal audit department, perform an examination, and make recommendations to improve the payroll company’s control environment. The CPA firm’s level of involvement in implementing solutions to resolve gaps could, however, impair its independence and exclude it from providing an externally focused audit, such as a SSAE 16 audit, over the areas in which it provided consulting services.
Sue Wells, CPA
888-702-5446 ext. 114