Week 7 Lecture 7 - Auditing Payroll & Personnel Cycle PDF
Document Details
Uploaded by StimulativeChocolate
University of the Commonwealth Caribbean (UCC)
Summary
This document is a lecture on auditing procedures for payroll and personnel cycles, which are important in accounting audits. It covers topics like sampling, statistical and non-statistical considerations, and highlights the importance of proper controls for withholding and paying taxes.
Full Transcript
AUDIT PRACTICE AND PROCEDURES II
Auditing Payroll and Personnel Cycle and IT Audit
Week Seven

Recap of Last Class

- Audit Sampling
- Sample Risk
- Statistical and Non-Statistical Sampling
- Probabilistic versus Non-Probabilistic Sampling
- Types of Sampling; Sample Decisions

The payroll and personnel cycle

In a typical audit, the main differences between the payroll and personnel cycle and other cycles include:

- There is only one class of transactions for payroll. Most cycles include at least two classes of transactions. For example, the sales and collection cycle includes both sales and cash receipts transactions, and often includes sales returns and charge-off of uncollectible accounts. Payroll has only one class because the receipt of services from employees and the payment for those services through payroll usually occur within a short time period.
- Transactions are generally far more significant than related balance sheet accounts. Payroll-related accounts such as accrued payroll and withheld taxes are usually small compared to the total amount of transactions for the year.
- Internal controls over payroll are effective for almost all companies, even small ones. Strict federal and state regulations encourage effective controls for withholding and paying payroll taxes. Also, employee morale problems can occur if employees are not paid or are underpaid.

The payroll and personnel cycle begins with hiring employees and ends with paying them for the services they performed and the government and other institutions for withheld and accrued payroll taxes and benefits. In between, the cycle involves obtaining services from employees consistent with company objectives, and properly accounting for the services.
The overall objective in the audit of the payroll and personnel cycle is, of course, to evaluate whether the account balances affected by the cycle are fairly stated in accordance with applicable accounting standards.

Typical accounts in the payroll and personnel cycle are shown in Figure 20-1. T accounts are used to illustrate the way in which accounting information flows through the various accounts in the payroll and personnel cycle. In most systems, the accrued wages and salaries account is used only at the end of an accounting period. Throughout the period, expenses are charged when the employees are actually paid rather than when the labor costs are incurred. Accruals for labor are recorded by adjusting entries at the end of the period for any earned-but-unpaid labor costs.

Business Function - Human Resources

The human resources department provides an independent source for interviewing and hiring qualified personnel. The department is also an independent source of records for the internal verification of wage information, including additions and deletions from the payroll and changes in wages and deductions.

Business Function - Timekeeping and Payroll Preparation

Timekeeping and payroll preparation are important in the audit of payroll because they directly affect payroll expense for each period. Adequate controls are necessary to prevent misstatements in the following four activities:

- Prepare time records by employees
- Summarize and calculate gross pay, deductions, and net pay
- Payment of payroll
- Prepare payroll records

Business Function – Payment of Payroll

The approval and distribution of payroll must be carefully controlled to prevent theft. To increase control, payroll disbursements are generally processed separately from other disbursements. Payments are issued to employees in exchange for services performed. Payments may be made by check but are usually deposited directly into employees’ individual bank accounts. The amount paid is the gross pay less taxes and other deductions withheld.

Business Function – Preparation of Payroll Tax Returns and Payment of Taxes

Federal and state payroll laws require the timely preparation and submission of payroll tax returns. Most computerized payroll systems prepare payroll tax returns using information on the payroll transaction and master files. To prevent misstatements and potential liability for taxes and penalties, a competent individual must independently verify the output.

METHODOLOGY FOR DESIGNING TESTS OF CONTROLS AND SUBSTANTIVE TESTS OF TRANSACTIONS

Internal control for payroll is normally highly structured and well controlled to manage cash disbursed, to minimize employee complaints and dissatisfaction, and to minimize payroll fraud. Because of relatively common payroll concerns from company to company, high-quality computerized payroll accounting programs are available.

Tests of controls and substantive tests of transactions procedures are the most important means of verifying account balances in the payroll and personnel cycle. These tests are emphasized because of the lack of independent third-party evidence, such as confirmation, for verifying accrued wages, withheld income taxes, accrued payroll taxes, and other balance sheet accounts. Furthermore, in most audits, the amounts in the balance sheet accounts are small and can be verified with relative ease if the auditor is confident that payroll transactions are correctly entered into the computer and payroll tax returns are correctly prepared.

Even though tests of controls and substantive tests of transactions are the most important parts of testing payroll, tests in this area are usually not extensive. Many audits have a minimal risk of material misstatements, even though payroll is often a significant part of total expenses. There are three reasons for this:

1. Employees are likely to complain to management if they are underpaid.
2. All payroll transactions are typically uniform and uncomplicated.
3. Payroll transactions are subject to audit by federal and state governments for income tax withholding, Social Security, and unemployment taxes.

Understand Internal Control—Payroll and Personnel Cycle

Internal controls vary from company to company; therefore, the auditor must identify the controls, significant deficiencies, and material weaknesses for each organization. Controls the auditor intends to rely on to reduce assessed control risk must be tested with tests of controls. If the auditor is reporting on the effectiveness of internal control over financial reporting, the level of understanding controls and extent of tests of controls must be sufficient to issue an opinion on the effectiveness of internal control over financial reporting.

Substantive tests of transactions vary depending on the assessed control risk and the other considerations of the audit, such as the effect of payroll on inventory. Tests are not actually performed in the order given in Table 20-2. The tests of controls and substantive tests of transactions are combined when appropriate and are performed in as convenient a manner as possible, using a performance format audit program.

Key controls for the payroll and personnel cycle

Adequate Separation of Duties - Separation of duties is important in the payroll and personnel cycle, especially to prevent overpayments and payments to nonexistent employees. The payroll function should be kept independent of the human resources department, which controls key payroll activities, such as adding and deleting employees. Payroll processing should also be separate from the issuance of payroll disbursements.

Proper Authorization - As already noted, only the human resources department should be authorized to add and delete employees from the payroll or change pay rates and deductions. The number of hours worked by each employee, especially overtime, should be authorized by the employee’s supervisor. Approval may be noted on all time records or done on an exception basis only for overtime hours.

Adequate Documents and Records - The appropriate documents and records depend on the nature of the payroll system. Time records are necessary for hourly employees but not for salaried employees. For employees compensated based on piece rate or other incentive systems, different records are required. For many companies, time records must be adequate to accumulate payroll costs by job or assignment. Prenumbered documents for recording time are less of a concern for payroll because the completeness objective is normally not a concern.

Physical Control Over Assets and Records - Access to unsigned payroll checks should be restricted. Checks should be signed by a responsible employee, and payroll should be distributed by someone independent of the payroll and timekeeping functions. Any unclaimed checks should be returned for redeposit. If checks are signed by a signature machine, access to the machine should be restricted. Similarly, when payment occurs through direct deposit, access to systems used to authorize payments should be restricted.

Independent Checks on Performance - Payroll computations should be independently verified, including comparison of batch totals to summary reports. A member of management or other responsible employee should review the payroll output for any obvious misstatements or unusual amounts. When manufacturing labor affects inventory valuation or when it is necessary to accumulate costs by job, adequate controls are necessary to verify the proper assignment of costs.
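The key controls above (human resources as the only source of employees and pay rates, supervisor approval of overtime, payroll preparation kept separate from disbursement, independent recomputation and batch totals) can be tested over an exported payroll register. The following Python is an added example, not part of the lecture; the record layouts, finding codes, the 1.5 overtime multiplier and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

OVERTIME_MULTIPLIER = Decimal("1.5")  # assumption for this example; use the client's policy


@dataclass(frozen=True)
class HREmployee:            # HR master file: sole authority for employees and rates
    emp_id: str
    hourly_rate: Decimal
    active: bool             # False once HR has deleted the employee from payroll


@dataclass(frozen=True)
class TimeRecord:
    emp_id: str
    regular_hours: Decimal
    overtime_hours: Decimal
    overtime_approved_by: Optional[str]   # supervisor id, None if never approved


@dataclass(frozen=True)
class RegisterLine:          # one line of the client's payroll register
    emp_id: str
    hourly_rate: Decimal
    gross_pay: Decimal
    prepared_by: str
    disbursed_by: str


def audit_register(hr_master, time_records, register, summary_total):
    """Return a sorted list of (emp_id, finding_code) control exceptions."""
    hr = {e.emp_id: e for e in hr_master}
    times = {t.emp_id: t for t in time_records}
    findings = []
    for line in register:
        # Separation of duties: processing and disbursement by different people.
        if line.prepared_by == line.disbursed_by:
            findings.append((line.emp_id, "DUTIES_NOT_SEPARATED"))
        # Occurrence: every paid employee must be an active HR record.
        emp = hr.get(line.emp_id)
        if emp is None or not emp.active:
            findings.append((line.emp_id, "NOT_ON_HR_MASTER"))
            continue
        # Authorization: only HR may set the pay rate.
        if line.hourly_rate != emp.hourly_rate:
            findings.append((line.emp_id, "RATE_NOT_AUTHORIZED"))
        rec = times.get(line.emp_id)
        if rec is None:
            findings.append((line.emp_id, "NO_TIME_RECORD"))
            continue
        # Authorization: overtime needs the supervisor's approval.
        if rec.overtime_hours > 0 and not rec.overtime_approved_by:
            findings.append((line.emp_id, "OVERTIME_NOT_APPROVED"))
        # Independent check: recompute gross pay from HR rate and time record.
        expected = (rec.regular_hours * emp.hourly_rate
                    + rec.overtime_hours * emp.hourly_rate * OVERTIME_MULTIPLIER)
        if expected != line.gross_pay:
            findings.append((line.emp_id, "GROSS_PAY_MISMATCH"))
    # Independent check: batch total of the register against the summary report.
    batch_total = sum((l.gross_pay for l in register), Decimal("0"))
    if batch_total != summary_total:
        findings.append(("BATCH", "BATCH_TOTAL_MISMATCH"))
    return sorted(findings)


# Constructed sample data (not from any real client).
D = Decimal
SAMPLE_HR = [
    HREmployee("E100", D("20.00"), True),
    HREmployee("E101", D("25.00"), True),
    HREmployee("E102", D("18.00"), False),   # deleted by HR, still on the register
]
SAMPLE_TIME = [
    TimeRecord("E100", D("40"), D("0"), None),
    TimeRecord("E101", D("40"), D("5"), None),   # overtime never approved
    TimeRecord("E999", D("40"), D("0"), None),
]
SAMPLE_REGISTER = [
    RegisterLine("E100", D("20.00"), D("800.00"), "clerk_a", "cashier_b"),
    RegisterLine("E101", D("27.00"), D("1282.50"), "clerk_a", "cashier_b"),
    RegisterLine("E102", D("18.00"), D("720.00"), "clerk_a", "cashier_b"),
    RegisterLine("E999", D("20.00"), D("800.00"), "clerk_a", "clerk_a"),
]
SAMPLE_SUMMARY_TOTAL = D("3602.50")


def run_sample():
    return audit_register(SAMPLE_HR, SAMPLE_TIME, SAMPLE_REGISTER, SAMPLE_SUMMARY_TOTAL)


if __name__ == "__main__":
    for emp_id, code in run_sample():
        print(emp_id, code)
```
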
Inventory and Fraudulent Payroll Considerations

Auditors often extend their payroll audit procedures if payroll significantly affects the valuation of inventory, or when the auditor is concerned about the possibility of material fraudulent payroll transactions, such as nonexistent employees or fraudulent hours.

METHODOLOGY FOR DESIGNING TESTS OF DETAILS OF BALANCES

During the first two phases of the audit, auditors assess control risk and perform tests of controls and substantive tests of transactions. After completing these tests and assessing the likelihood of misstatement in financial statement accounts in the payroll and personnel cycle, the auditor follows the methodology for designing tests of details of balances.

Identify Client Business Risks Affecting Payroll (Phase I) - Significant client business risks affecting payroll are unlikely for most companies. However, client business risk may exist for complex compensation arrangements, including bonus and stock option plans and other deferred compensation arrangements. For example, many technology and other companies provide extensive stock options as part of their compensation packages for key employees that significantly impact compensation expense and shareholders’ equity.

Set Performance Materiality and Assess Inherent Risk (Phase I) - Most companies have a large number of transactions involving payroll, often with large total amounts. However, balance sheet accounts are normally insignificant, except for labor charged to inventory. Aside from the potential for fraud, inherent risk is typically low for all balance-related audit objectives. There is inherent risk of payroll fraud because most transactions involve cash. Therefore, auditors often consider the occurrence transaction-related objective important.
Assess Control Risk and Perform Related Tests (Phases I and II)

Perform Analytical Procedures (Phase III) - The use of analytical procedures is as important in the payroll and personnel cycle as it is in every other cycle.

Design and Perform Tests of Details of Balances for Liability and Expense Accounts (Phase III) - The verification of the liability accounts associated with payroll, often termed accrued payroll expenses, is ordinarily straightforward if internal controls are operating effectively. When the auditor is satisfied that payroll transactions are being correctly recorded in the payroll journal and the related payroll tax forms are being accurately prepared and taxes promptly paid, the tests of details of balances should not be time consuming.

The two major balance-related audit objectives in testing payroll liabilities are:

1. Accruals in the trial balance are stated at the correct amounts (accuracy).
2. Transactions in the payroll and personnel cycle are recorded in the proper period (cutoff).

The primary concern in both objectives is to make sure that there are no understated or omitted accruals. Next, we examine the major liability accounts in the payroll and personnel cycle.

Chapter 12 – The Impact of Information Technology on the Audit Process

HOW INFORMATION TECHNOLOGIES IMPROVE INTERNAL CONTROL

There are several benefits to internal control that result from the continued integration of IT in accounting systems:

- Computer controls replace manual controls. The obvious benefit of IT is the ability to handle large amounts of complex business transactions cost-effectively. Because computers process information consistently, IT systems can potentially reduce misstatements by replacing manual procedures with automated controls that apply checks and balances to each processed transaction. This reduces the human errors that often occur in manually processed transactions.
- Higher-quality information is available. Complex IT activities are usually administered effectively because the complexity requires effective organization, procedures, and documentation. This typically results in providing management with more and higher-quality information, faster than most manual systems. Once management is confident that information produced by IT is reliable, management is likely to use the information for better management decisions.

ASSESSING RISKS OF INFORMATION TECHNOLOGY

Although IT can improve a company’s internal control, it can also affect the company’s overall control risk. Many risks in manual systems are reduced and in some cases eliminated. However, there are risks specific to IT systems that can lead to substantial losses if ignored. If IT systems fail, organizations can be paralyzed by the inability to retrieve information or by the use of unreliable information caused by processing errors. These risks increase the likelihood of material misstatements in financial statements. Specific risks to IT systems include:

1. Risks to hardware and data
2. Reduced audit trail
3. Need for IT experience and separation of IT duties

Risks to Hardware and Data

Although IT provides significant processing benefits, it also creates unique risks in protecting hardware and data, as well as introducing potential for new types of errors. Specific risks include the following:

- Reliance on the functioning capabilities of hardware and software. Without proper physical protection, hardware or software may not function or may function improperly.
- Systematic versus random errors. When organizations replace manual procedures with technology-based procedures, the risk of random error from human involvement decreases. However, the risk of systematic error increases because once procedures are programmed into computer software, the computer processes information consistently for all transactions until the programmed procedures are changed.
- Unauthorized access. IT-based accounting systems often allow online access to electronic data in master files, software, and other records. Because online access can occur from remote access points, including by external parties with remote access through the Internet, there is potential for illegitimate access.
- Loss of data. Much of the data in an IT system are stored in centralized electronic files or off-site via cloud computing. This increases the risk of loss or destruction of entire data files.

Reduced Audit Trail

Misstatements may not be detected with the increased use of IT due to the loss of a visible audit trail, as well as reduced human involvement. As accounting systems continue to embrace emerging technologies, automated procedures continue to replace traditional types of authorizations in many IT systems.

- Visibility of audit trail. Because much of the information is entered directly into the computer, the use of IT often reduces or even eliminates source documents and records that allow the organization to trace accounting information.
- Reduced human involvement. In many IT systems, employees who deal with the initial processing of transactions never see the final results. Therefore, they are less able to identify processing misstatements.
- Lack of traditional authorization. Advanced IT systems can often initiate transactions automatically, such as calculating interest on savings accounts and ordering inventory when pre-specified order levels are reached. Therefore, proper authorization depends on software procedures and accurate master files used to make the authorization decision.

Need for IT Experience and Separation of IT Duties

IT systems reduce the traditional separation of duties (authorization, record keeping, and custody) and create a need for additional IT experience.

- Reduced separation of duties. Computers do many duties that were traditionally segregated, such as authorization and record keeping. Combining activities from different parts of the organization into one IT function centralizes responsibilities that were traditionally divided. IT personnel with access to software and master files may be able to steal assets unless key duties are segregated within the IT function.
- Need for IT experience. Even when companies purchase simple off-the-shelf accounting software packages, it is important to have personnel with knowledge and experience to install, maintain, and use the system. As the use of IT systems increases, the need for qualified IT specialists increases. Many companies create an entire function of IT personnel, while other companies outsource the management of IT operations.

INTERNAL CONTROLS SPECIFIC TO INFORMATION TECHNOLOGY

To address many of the risks associated with reliance on IT, organizations often implement specific IT controls. Auditing standards describe two categories of controls for IT systems: general controls and application controls.

General controls apply to all aspects of the IT function, including IT administration; separation of IT duties; systems development; physical and online security over access to hardware, software, and related data; backup and contingency planning in the event of unexpected emergencies; and hardware controls. Because general controls often apply on an entity-wide basis and affect many different software applications, auditors evaluate general controls for the company as a whole.

Application controls typically operate at the business process level and apply to processing transactions, such as controls over the processing of sales or cash receipts. Auditors must evaluate application controls for every class of transactions or account in which the auditor plans to reduce assessed control risk because IT controls will be different across classes of transactions and accounts. Application controls are likely to be effective only when general controls are effective.
General Controls

Separation of IT Duties

To respond to the risk of combining traditional custody, authorization, and record-keeping responsibilities by having the computer perform those tasks, well-controlled organizations respond by separating key duties within IT. For example, there should be separation of IT duties to prevent IT personnel from authorizing and recording transactions to cover the theft of assets. Figure 12-2 shows an ideal separation of duties. Ideally, responsibilities for IT management, systems development, operations, and data control should be separated as follows:

Systems Development

Systems development includes:

- Purchasing software or developing in-house software that meets the organization’s needs. A key to implementing the right software is to involve a team of both IT and non-IT personnel, including key users of the software and internal auditors. This combination increases the likelihood that information needs as well as software design and implementation concerns are properly addressed. Involving users also results in better acceptance by key users.
- Testing all software to ensure that the new software is compatible with existing hardware and software and determine whether the hardware and software can handle the needed volume of transactions. Whether software is purchased or developed internally, extensive testing of all software with realistic data is critical. Companies typically use one or a combination of the following two test approaches:

Physical and Online Security

Physical controls over computers and restrictions to online software and related data files decrease the risk of unauthorized changes to programs and improper use of programs and data files. Security plans should be in writing and monitored. Security controls include both physical controls and online access controls.
Backup and Contingency Planning

Power failures, fire, excessive heat or humidity, water damage, or even sabotage can have serious consequences to businesses using IT. To prevent data loss during power outages, many companies rely on battery backups or on-site generators. For more serious disasters, organizations need detailed backup and contingency plans such as off-site storage of critical software and data files or outsourcing to firms that specialize in secure data storage.

Hardware Controls

Hardware controls are built into computer equipment by manufacturers to detect and report equipment failures. Auditors are more concerned with how the client handles errors identified by the hardware controls than with their adequacy. Regardless of the quality of hardware controls, output will be corrected only if the client has provided for handling machine errors.

Application Controls

Application controls are designed for each software application and are intended to help a company satisfy the six transaction-related audit objectives discussed in previous chapters. Although some application controls affect one or only a few transaction-related audit objectives, most controls prevent or detect several types of misstatements.

Application controls may be done by computers or client personnel. When they are done by client personnel, they are called manual controls. The effectiveness of manual controls depends on both the competence of the people performing the controls and the care they exercise when doing them. For example, when credit department personnel review exception reports that identify credit sales exceeding a customer’s authorized credit limit, the auditor may need to evaluate the person’s ability to make the assessment and test the accuracy of the exception report. When controls are done by computers, they are called automated controls. Because of the nature of computer processing, automated controls, if properly designed, lead to consistent operation of the controls.

Application controls fall into three categories: input, processing, and output. Although the objectives for each category are the same, the procedures for meeting the objectives vary considerably. Let’s examine each more closely.

Input Controls

Input controls are designed to ensure that the information entered into the computer is authorized, accurate, and complete. They are critical because a large portion of errors in IT systems result from data entry errors and, of course, regardless of the quality of information processing, input errors result in output errors. Typical controls developed for manual systems are still important in IT systems, such as:

- Management’s authorization of transactions
- Adequate preparation of input source documents
- Competent personnel

Processing Controls

Processing controls prevent and detect errors while transaction data are processed. General controls, especially controls related to systems development and security, provide essential control for minimizing errors. Specific application processing controls are often programmed into software to prevent, detect, and correct processing errors.

Output Controls

Output controls focus on detecting errors after processing is completed, rather than on preventing errors. The most important output control is review of the data for reasonableness by someone knowledgeable about the output. Users can often identify errors because they know the approximate correct amounts.
Several common controls for detecting errors in outputs include:

- Reconcile computer-produced output to manual control totals
- Compare the number of units processed to the number of units submitted for processing
- Compare a sample of transaction output to input source documents
- Verify dates and times of processing to identify any out-of-sequence processing

Auditing in Less Complex IT Environments

Auditors in smaller companies often audit around the computer when general controls are less effective than in more complex IT environments. Often, smaller companies lack dedicated IT personnel, or they rely on periodic involvement of IT consultants to assist in installing and maintaining hardware and software. The responsibility of the IT function is often assigned to user departments, such as the accounting department, where the hardware physically resides.

Many organizations with non-complex IT environments often heavily rely on desktop and networked servers to do accounting system functions. The use of computers creates the following unique audit considerations:

Auditing in More Complex IT Environments

Auditors use three categories of testing approaches when auditing through the computer: test data approach, parallel simulation, and embedded audit module approach.

Test Data Approach - In the test data approach, auditors process their own test data using the client’s computer system and application program to determine whether the automated controls correctly process the test data. Auditors design the test data to include transactions that the client’s system should either accept or reject. After the test data are processed on the client’s system, auditors compare the actual output to the expected output to assess the effectiveness of the application program’s automated controls. When using the test data approach, auditors have three main considerations:

1. Test data should include all relevant conditions that the auditor wants tested.
2. Application programs tested by auditors’ test data must be the same as those the client used throughout the year.
3. Test data must be eliminated from the client’s records.

Parallel Simulation

Auditors often use auditor-controlled software to do the same operations that the client’s software does, using the same data files. The purpose is to determine the effectiveness of automated controls and to obtain evidence about electronic account balances. This testing approach is called parallel simulation testing.

Auditors commonly do parallel simulation testing using generalized audit software (GAS), which are programs designed specifically for auditing purposes. Generalized audit software provides three advantages: it is relatively easy to train audit staff in its use, even if they have had little audit-related IT training, the software can be applied to a wide variety of clients with minimal customization, and it has the ability to do audit tests much faster and in more detail than using traditional manual procedures. Here are two common uses of generalized audit software.

ISSUES FOR DIFFERENT IT ENVIRONMENTS

Issues for Network Environments

The use of networks that link equipment such as desktops, midrange computers, mainframes, workstations, servers, and printers is common for most businesses. Local area networks (LANs) link equipment within a single or small cluster of buildings and are used only within a company. LANs are often used to transfer data and programs from one computer or workstation using network system software that allow all of the devices to function together. Wide area networks (WANs) link equipment in larger geographic regions, including global operations.

It is common for networks to consist of various combinations of equipment and procedures, which may not have standard security options. Lack of equipment compatibility across a network may occur when responsibility for purchasing equipment and software, maintenance, administration, and physical security resides with key user groups rather than with a centralized IT function. Sometimes network security may be compromised when networks consist of equipment with incompatible security features.

When clients have accounting applications processed in a network, the auditor should learn about the network configuration, including the location of computer servers and workstations linked to one another, network software used to manage the system, and controls over access and changes to application programs and data files located on servers.

Issues for Database Management Systems

Database management systems allow clients to create databases that include information that can be shared across multiple applications. In non-database systems, each application has its own data file, whereas in database management systems, many applications share files. Clients implement database management systems to reduce data redundancy, improve control over data, and provide better information for decision making by integrating information throughout functions and departments.

Companies often integrate database management systems within the entire organization using enterprise resource planning (ERP) systems that integrate numerous aspects of an organization’s activities into one accounting information system. ERP systems share data across accounting and non-accounting business functions of the organization. For example, customer order data may be used by accounting to record a sale, by production to meet increased production demand, by purchasing to order additional raw materials, and by human resources to arrange labor schedules.

Controls often improve when data are centralized in a database management system by eliminating duplicate data files. However, database management systems also can create internal control risks. Risks increase when multiple users, including individuals outside of accounting, can access and update data files. To counter the risks of unauthorized, inaccurate, and incomplete data files, companies must implement proper database administration and access controls. With the centralization of data in a single system, they must also ensure proper backup of data on a regular basis.

Auditors of clients using database management systems should understand the clients’ planning, organization, and policies and procedures to determine how well the systems are managed. This understanding may affect the auditor’s assessment of control risk and the auditor’s opinion about the operating effectiveness of internal control over financial reporting.

Issues for e-Commerce Systems

The use of e-commerce systems also exposes sensitive company data, programs, and hardware to potential interception or sabotage by external parties. To limit these exposures, companies use firewalls, encryption techniques, and digital signatures.

A firewall protects data, programs, and other IT resources from unauthorized external users accessing the system through networks, such as the Internet. A firewall is a system of hardware and software that monitors and controls the flow of e-commerce communications by channeling all network connections through controls that verify external users, grant accesses to authorized users, deny access to unauthorized users, and direct authorized users to requested programs or data.

Encryption techniques protect the security of electronic communication when information is transmitted and when it is stored. Computerized encryption changes a standard message or data file into one that is coded (encrypted), requiring the receiver of the electronic message or user of the encrypted data file to use a decryption program to decode the message or data. A public key encryption technique is often used, where one key (the public key) is used for encoding the message and another key (the private key) is used to decode the message. The public key is distributed to all approved users of the e-commerce system. The private key is distributed only to internal users with the authority to decode the message.

Class Discussion

What are the Issues faced When Clients Outsource IT Services?

The End