Practitioner’s Perspective: Payroll Can Help Develop Sarbanes-Oxley Compliance Narrative

The HR & Payroll Resource Center is your integrated, comprehensive source for HR and Payroll information that merges news, analysis, and guidance – including custom answers,...

By Charlotte Hodges  

Charlotte Hodges, CPP, payroll manager for Towers Watson & Co., is a member of the Payroll Administration Guide board.  

The Sarbanes-Oxley Act, established more than a decade ago to combat corporate financial fraud, imposed strict controls on those overseeing financial accounts, including payroll administrators.

Payroll departments can help comply with the law by minimizing or avoiding risks through documented measures. These controls are summarized in a process narrative, which is the written documentation that defines internal controls, data flows, calculations, system components and responsibilities.

For example, a particular control may be described as one that provides reasonable assurances that errors would be prevented or that there would be timely detection after an error occurs.

The payroll department member overseeing the process would document, test and provide ongoing oversight and monitoring of the controls. Overall responsibility for compliance may belong to an internal audit group, which would conduct effectiveness testing on behalf of management.

Standard Operating Procedures

Documenting standard operating procedures helps to ensure consistency and accuracy while enforcing checks and balances as outlined in the Sarbanes-Oxley payroll narrative. The procedures provide auditors with the steps that were taken to produce the control test results.

The payroll process also has subprocesses, which come with individual objectives and associated risks and controls. The controls, which would be included in the Sarbanes-Oxley narrative, ideally would be tested annually by internal and external auditors. Documented reviews should be kept, and they may be required in an audit.

When developing a Sarbanes-Oxley narrative, the focus is to document controls and subsequently identify critical controls that address potential misstatements. These controls vary by employer: manual or automated processes, in-house or outsourced payroll or the use of third-party vendor files.

Critical payroll-related compliance controls should be reviewed  and tested on a regular basis.

For example, a critical control might be related to a process where an interface file containing bonus payments is generated each pay period through the human resources department. An ad hoc report is generated after the bonus file is uploaded to the payroll system and calculated. The results are compared and the bonus payment is reconciled back to the original interface file. The reconciliation is reviewed and approved by the payroll manager before the final payroll disbursement.

How the payroll system is entered and updated should be included in the narrative. Only authorized personnel should have access to the system through security controls relevant to their roles within the payroll department.

The processing of payroll for salaried employees can be another critical area. The control activity might be the generation of a discrepancy report that compares salary amounts in the human resources system to the salary payments from payroll. Discrepancies would be reviewed by the payroll manager before the point in the process where final authorization is provided to disburse the payroll.

Critical controls should be reviewed and tested on a scheduled basis. Controls that are not critical are generally considered secondary and can fail without affecting the overall payroll process.

The importance of secondary controls should not be minimized, however, and they should be monitored. In some cases, noncritical controls can be evaluated under a self-assessment program. The procedural documentation also may be reviewed as part of the assessment. Operating procedures should be kept up to date because processes often are streamlined or changed for a number of reasons, including system upgrades.

Developing Testing Cycles

Testing cycles may comprise several components. In some cases, an internal audit can conduct a cycle before an external audit, allowing any deficiencies to be addressed before further audits. Control deficiencies are generally addressed as part of the self-assessment process.

As part of a testing cycle, payroll may be asked to respond to requests for data that would be used for testing purposes in other areas.

For example, as part of the testing cycle for the area responsible for employee benefits, a request could be made for a report that provides Section 401(k) deduction amounts for employees for a particular pay cycle. The sum of the amounts deducted from employee paychecks may then be compared with the payment that was sent to a third-party vendor to ensure the amounts are the same.

In developing a Sarbanes-Oxley narrative, employers should include enough detail to show the relationship between the control objectives and the related risks. A regular review of the payroll narrative and supporting documentation provides the first step in support of meeting Sarbanes-Oxley compliance objectives.