Sox Rules For Payroll: What The Sarbanes Oxley Act Means For Payroll Managers
By: Mark Schwartz, MS Payroll
mark@mspayroll1.com
www.mspayroll1.com
916-849-6275
TheIndustryCalendar.com

Welcome! Thank you for choosing us for your training needs!
I. SOX Summary:
• Passed in July 2002
• Result of Enron, Worldcom and other scandals, due to fraudulent accounting and financial reporting practices condoned by large accounting firms
• Act designed to ensure transparency and accountability in the financial conduct of a business
• Established the Public Company Accounting Oversight Board (PCAOB)

I. SOX Summary of Section 302
• Periodic statutory financial reports are to include certifications that:
• The signing officers have reviewed the report
• The report does not contain any material untrue statements or material omissions, and cannot be considered misleading
• The financial statements and related information fairly present the financial condition and the results in all material respects

I. SOX Summary of Section 302 (continued):
• Periodic statutory financial reports are to include certifications that:
• The signing officers are responsible for internal controls, have evaluated these internal controls within the previous ninety days and have reported on their findings
• A list of all deficiencies in the internal controls, and information on any fraud that involves employees who are involved with internal activities
• Any significant changes in internal controls or related factors that could have a negative impact on the internal controls

I. SOX Summary of Section 404
• Issuers are required to publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting. This statement shall also assess the effectiveness of such internal controls and procedures.
• The registered accounting firm shall, in the same report, attest to and report on the assessment of the effectiveness of the internal control structure and procedures for financial reporting.

I. SOX Summary of Section 802
• This section imposes penalties of fines and/or up to 20 years imprisonment for altering, destroying, mutilating, concealing or falsifying records, documents or tangible objects with the intent to obstruct, impede or influence a legal investigation.
• This section also imposes penalties of fines and/or imprisonment up to 10 years on any accountant who knowingly and willfully violates the requirements of maintenance of all audit or review papers for a period of 5 years.

I. SOX Summary
The Act is intended to address a number of issues related to public company regulation. In particular:
• Require strict guidelines regarding the "quality" of reported financial information and disclosure of significant business events
• Establish and enforce independence requirements for members of the Audit Committee of the Board of Directors and the relationship of the external auditors
• Require the establishment of a corporate code of ethics, and elevate the importance of corporate responsibility and governance
• Require executive management and the Board of Directors to certify with respect to the adequacy of internal controls.
II. SOX Compliance
Some of the activity is somewhat "behind the scenes", at the Executive and BOD level of your organization:
• The development of a corporate code of ethics
• The review of the structure and potential restructuring of the BOD and the Audit Committee to meet new independence requirements
• The refinement of Audit Committee procedural rules
• The creation of a Disclosure Committee of the BOD
• The implementation of an ethics, or "whistleblower", policy and procedure

II. SOX Compliance
An internal control is broadly defined as an activity or practice that is designed to reduce the risk of error or misreporting of a transaction, the risk of fraud, or the risk that the transaction is not properly authorized. For example:
• We have the ordering manager approve the vendor invoice before the invoice is processed for payment.
• We reconcile the physical cash in the register to the sales rung up in the system to ensure that all the cash is accounted for.
• We verify a prospective employee's past employment to ensure they have the experience we want and that they claim to have.

II. SOX Compliance
• We employ an outside actuarial firm to validate the accrual for the company's pension liability.
• The Risk Manager reviews workers compensation claims for reasonableness.
• We then document the processes and internal controls, assess whether the controls appear to be designed effectively and then test the controls to ensure that they are actually operating adequately.

II. SOX Compliance
Some of the key controls you can expect to be responsible for from a section 404 compliance perspective are payroll expense related controls such as:
• Adequate security over payroll related information and applications
• Validation and reconciliation of proper payroll amounts
• Proper approval for headcount additions and wage increases
• Verification of accurate time keeping
• Verification that required payroll documentation is current, properly reported and maintained

II. SOX Compliance
Employee benefits related controls such as:
• Reconciliations and validation that pension expense accruals and liabilities are accurate and properly disclosed
• Verification that third-party administrators are managing their processes and controls adequately (more said later)
• Reconciliation of employee contributions
• Review of workers compensation claims to ensure they are reasonable and the company is taking measures to limit losses

II. SOX Compliance
Deferred compensation:
• Review and validation that stock options are properly and accurately calculated and disclosed

II. SOX Compliance
Other HR controls such as:
• Validation that employees are adequately screened, i.e., criminal background, references, experience
• Consistency and propriety of employee termination processes and procedures
• Security of confidential employee information
• Management of employee whistleblower ethics complaints
• Consistent and proper handling of harassment and other workplace complaints
III. How to Comply
1) Review your current processes with an eye on internal controls
2) Check for proper separation of duties
3) Evaluate your processes to ensure they:
• Accurately record payroll information
• Promote timely payment and reporting
• Are properly reviewed and reconciled
• Are monitored for accuracy and completeness
• Financial reports are reviewed and signed off

III. How to Comply
Examples of internal control testing:
• Have the IT department create a report that compares an employee's current gross and net pay to the gross and net of the prior pay period. The report lists all variances of 10% or more, which you review and validate as correct or not. If a variance is caused by a procedural or system problem, then it needs to be reported and fixed.

III. How to Comply
Examples of internal controls:
• Do a monthly reconciliation of the HR employee master file to the payroll register. Have the IT department create a report that performs a side-by-side comparison of employee number, SSN, or other common identifier (not advisable to use name). Review, investigate and resolve all exceptions. Again, an employee that has been entered into either one of the files (HR employee master file, or the payroll register) without being entered into the other represents a significant internal control issue and has to be reported and fixed.
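The two control tests above (the period-over-period pay variance report and the HR master file to payroll register reconciliation) written out as a small Python script. This is an added example, not code from the presentation or from any payroll system; the pay registers, employee numbers and the 10% threshold default are constructed sample data, and real reports would read the same figures from the payroll and HR systems.

```python
from decimal import Decimal

# Constructed sample pay registers: employee number -> (gross, net).
PRIOR_PERIOD = {
    "E1001": (Decimal("3200.00"), Decimal("2450.00")),
    "E1002": (Decimal("1800.00"), Decimal("1410.00")),
    "E1003": (Decimal("5000.00"), Decimal("3700.00")),
    "E1004": (Decimal("2600.00"), Decimal("2000.00")),
}
CURRENT_PERIOD = {
    "E1001": (Decimal("3200.00"), Decimal("2450.00")),  # unchanged
    "E1002": (Decimal("2100.00"), Decimal("1640.00")),  # gross and net both up ~16%
    "E1003": (Decimal("5000.00"), Decimal("4300.00")),  # gross unchanged, net up ~16%
    "E1004": (Decimal("2600.00"), Decimal("2000.00")),  # unchanged
    "E1005": (Decimal("900.00"), Decimal("800.00")),    # paid this period, no prior record
}

# Constructed HR master file and payroll register, keyed on employee number
# (the deck advises a common identifier such as employee number, not name).
HR_MASTER_IDS = {"E1001", "E1002", "E1003", "E1004", "E1006"}
PAYROLL_REGISTER_IDS = set(CURRENT_PERIOD)  # E1001..E1005


def pay_variances(prior, current, threshold=Decimal("0.10")):
    """Period-over-period variance report.

    Returns one finding per gross or net amount that moved by `threshold`
    (default 10%) or more, plus a 'presence' finding for anyone who appears
    in only one of the two periods, since there is nothing to compare.
    """
    findings = []
    for emp in sorted(set(prior) | set(current)):
        if emp not in prior or emp not in current:
            findings.append({"employee": emp, "field": "presence",
                             "prior": emp in prior, "current": emp in current, "pct": None})
            continue
        for field, p, c in zip(("gross", "net"), prior[emp], current[emp]):
            if p == 0:
                pct, flag = None, c != 0          # cannot compute a percentage of zero
            else:
                pct = ((c - p) / p).quantize(Decimal("0.0001"))
                flag = abs(pct) >= threshold
            if flag:
                findings.append({"employee": emp, "field": field,
                                 "prior": p, "current": c, "pct": pct})
    return findings


def reconcile_master_to_register(hr_ids, payroll_ids):
    """Side-by-side comparison of the HR master file and the payroll register.

    Someone paid who is not in HR is the classic ghost-employee indicator;
    someone in HR who was not paid may be a missed hire or a stale record.
    Both are exceptions to investigate and resolve.
    """
    hr, pr = set(hr_ids), set(payroll_ids)
    return {"paid_not_in_hr": sorted(pr - hr), "in_hr_not_paid": sorted(hr - pr)}


if __name__ == "__main__":
    for f in pay_variances(PRIOR_PERIOD, CURRENT_PERIOD):
        print(f)
    print(reconcile_master_to_register(HR_MASTER_IDS, PAYROLL_REGISTER_IDS))
```

Run against the constructed data it flags E1002 (gross and net), E1003 (net only, which is the more interesting case: a net-pay change with no gross change points at a deduction or withholding change that needs explaining) and E1005 (present only this period), and the reconciliation lists E1005 as paid but unknown to HR and E1006 as in HR but unpaid.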
Separation of Duties
• A job or process should not be performed by a single individual or department without the review of another individual or department.
• Creating the separation:
  Set the Policy: Sr. Management
  Authorize, Document, Implement: Payroll, Acctg, Treas.
  Verify: Auditors/other dept.

Separation of Duty examples
Big Company:
• HR keeps the employee data such as rate of pay, cost center, benefits
• Payroll handles timecard entry, OT and PTO
• Payroll cuts the checks, HR hands them out
• Treasury completes the bank recon
Small Company:
• Acctg dept completes the bank recon
• Dept heads check employee lists against employees who receive paychecks
• Store paychecks outside the payroll dept but keep the key in payroll
Account Reconciliation
Check the accuracy of recorded Payroll transactions:
• Verify that debits and credits, journal entries and the general ledger balance for each transaction
• Compare the amount of social security tax withheld and listed on the payroll register to the amount booked on the G/L
• Make sure checks issued by accounts payable have been posted to the right account
• Verify the end of the month balance agrees with payroll dept records. It is possible that taxes withheld in one month did not have to be paid by the end of the month.
• Reconcile discrepancies at least monthly

Payroll IT Level controls
• Changes to applications, software and hardware are authorized, tested, approved, properly implemented and documented
• Physical access to computer equipment and storage media is restricted by authorization
• Programs and data are routinely backed up and secured
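The account reconciliation steps above, carried out in Python on a constructed month of G/L postings: a debits-equal-credits check and a tie-out of register withholdings to the G/L liability accounts that allows for the timing point the slide makes (withholdings booked in the month but not yet deposited legitimately remain as a month-end liability balance). This is an added example, not code from the presentation; the account names, amounts and the deposit records are all made up for illustration and are not a real chart of accounts.

```python
from decimal import Decimal

D = Decimal

# Constructed G/L postings for one month as (account, debit, credit).
# Two payroll runs were booked; the tax deposit for run 1 has been paid,
# the deposit for run 2 is not yet due at month end.
GL_POSTINGS = [
    # payroll run 1
    ("Salaries expense",            D("10000.00"), D("0.00")),
    ("Cash",                        D("0.00"),     D("7500.00")),
    ("Social security payable",     D("0.00"),     D("620.00")),
    ("Federal withholding payable", D("0.00"),     D("1500.00")),
    ("Medicare payable",            D("0.00"),     D("145.00")),
    ("Other deductions payable",    D("0.00"),     D("235.00")),
    # payroll run 2
    ("Salaries expense",            D("10400.00"), D("0.00")),
    ("Cash",                        D("0.00"),     D("7800.00")),
    ("Social security payable",     D("0.00"),     D("644.80")),
    ("Federal withholding payable", D("0.00"),     D("1560.00")),
    ("Medicare payable",            D("0.00"),     D("150.80")),
    ("Other deductions payable",    D("0.00"),     D("244.40")),
    # tax deposit covering run 1
    ("Social security payable",     D("620.00"),   D("0.00")),
    ("Federal withholding payable", D("1500.00"),  D("0.00")),
    ("Medicare payable",            D("145.00"),   D("0.00")),
    ("Cash",                        D("0.00"),     D("2265.00")),
]

# Constructed payroll register totals for the same month.
REGISTER_MONTH = {
    "gross": D("20400.00"),
    "social_security_withheld": D("1264.80"),
    "federal_withholding": D("3060.00"),
    "medicare_withheld": D("295.80"),
}

# Constructed payroll department record of deposits actually made this month.
DEPOSITS_MADE = {
    "Social security payable": D("620.00"),
    "Federal withholding payable": D("1500.00"),
    "Medicare payable": D("145.00"),
}

# Which register line each liability account should agree with.
LIABILITY_MAP = {
    "social_security_withheld": "Social security payable",
    "federal_withholding": "Federal withholding payable",
    "medicare_withheld": "Medicare payable",
}


def postings_are_balanced(postings):
    """Every journal entry must balance: total debits equal total credits."""
    return sum(d for _, d, _ in postings) == sum(c for _, _, c in postings)


def gl_balances(postings):
    """Net credit balance per account (credits minus debits)."""
    bal = {}
    for acct, d, c in postings:
        bal[acct] = bal.get(acct, D("0")) + c - d
    return bal


def reconcile_month_end(register, deposits, postings):
    """Return {account: (expected, booked)} for every account that disagrees.

    Expected liability = amount withheld per the register minus deposits the
    payroll department says it made, so undeposited withholdings from the
    final run of the month are not reported as discrepancies.
    """
    bal = gl_balances(postings)
    exceptions = {}
    booked_expense = -bal.get("Salaries expense", D("0"))  # expense is a debit balance
    if booked_expense != register["gross"]:
        exceptions["Salaries expense"] = (register["gross"], booked_expense)
    for key, acct in LIABILITY_MAP.items():
        expected = register[key] - deposits.get(acct, D("0"))
        booked = bal.get(acct, D("0"))
        if expected != booked:
            exceptions[acct] = (expected, booked)
    return exceptions


if __name__ == "__main__":
    print("balanced:", postings_are_balanced(GL_POSTINGS))
    print("exceptions:", reconcile_month_end(REGISTER_MONTH, DEPOSITS_MADE, GL_POSTINGS))
```

With the constructed data the month reconciles cleanly: the Medicare account, for instance, carries a 150.80 balance at month end, which is exactly the run 2 withholding not yet deposited. If the payroll department's deposit records claimed a deposit the G/L never recorded (or vice versa), that account shows up as an exception with both the expected and booked figures, which is what the reviewer needs to investigate the discrepancy.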
Authorization and Approval
Authorization is defined by your company policy. For example, all Managers are authorized to approve overtime and vacation requests for their direct reports. Approval is signing on the line, accepting responsibility for the authenticity of the form or item. It should be well known in the payroll department who, in senior management, has authorization and for what items or limits.

Authorization and Approval
Define the type of authorization and approval and then decide what level of procedural documentation and/or management policy must be created. There are 2 types of controls:
Preventative: stopped before it happens
Detective: found after it occurs

Policies and Procedures
Policies: Rules that govern a process or job. They include company policies and legal requirements: items like OT requirements, PTO policies, federal tax return due dates, when a terminated employee must receive a paycheck.
Procedures: Instructions for getting the job done. Should include the payroll dept's contingency plan and instructions for entering pay data, master file data, etc. Every task performed by the dept should be defined and explained in its policies and procedures manual.

Procedure Documentation
What should the Payroll Dept have in writing?
• Company policies on overtime, benefits, vacations, sick leave, termination, recordkeeping, etc.
• Procedures for handling payroll, tax deposits, quarterly returns, liabilities, direct deposit, acct reconciliations, etc.
• The entire payroll process, A to pay!
• Disaster recovery plans
• Payroll computer system user manuals
• Define your Master System of Record
• Payroll dept job descriptions
• Accurate Data File descriptions & location of file

Management Policy
Who is allowed to be a 'backup' for absences?
How documented do the procedures have to be?
How are issues reported? (and to whom?)
How does the Payroll manager stay up-to-date on regulatory changes?
Who is assigned to update policies?
What is the procedure for approving requests for confidential information?
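The separation-of-duties rule and the authorization/approval policy from the preceding slides, expressed as a preventative check (run before a change is accepted) and the same logic re-run as a detective check over a change log. This is an added example, not code from the presentation or from any payroll product; the reporting lines, the authorization matrix (managers approve overtime and vacation for direct reports, as the slide states; directors approving rate changes is an assumed policy for illustration) and the change log are all constructed.

```python
from dataclasses import dataclass

# Constructed reporting lines: employee number -> direct manager.
MANAGER_OF = {"E1001": "M2001", "E1002": "M2001", "E1003": "M2002",
              "M2001": "D3001", "M2002": "D3001"}

# Constructed role table.  P4001 is the payroll clerk who keys requests.
ROLE = {"M2001": "manager", "M2002": "manager", "D3001": "director", "P4001": "payroll"}

# Constructed authorization matrix from company policy: item -> roles that may approve.
# The slide's rule (managers approve OT and vacation for direct reports) is in here;
# routing rate changes to a director is an assumption for this example.
AUTHORIZED = {
    "overtime":    {"manager"},
    "vacation":    {"manager"},
    "rate_change": {"director"},
}


@dataclass(frozen=True)
class ChangeRequest:
    item: str           # overtime, vacation, rate_change
    employee: str       # whose pay the change affects
    requested_by: str   # who entered the request into the system
    approved_by: str    # who signed on the line


def violations(req):
    """Preventative control: reasons the request must be rejected (empty list = OK)."""
    reasons = []
    if req.approved_by == req.requested_by:
        reasons.append("approver also entered the request (no separation of duties)")
    if req.approved_by == req.employee:
        reasons.append("employee approved their own change")
    role = ROLE.get(req.approved_by)
    if role not in AUTHORIZED.get(req.item, set()):
        reasons.append(f"role {role!r} is not authorized to approve {req.item}")
    if role == "manager" and MANAGER_OF.get(req.employee) != req.approved_by:
        reasons.append("approving manager is not the employee's direct manager")
    return reasons


def detective_review(change_log):
    """Detective control: re-run the same checks over already-processed changes.

    Returns [(request, reasons)] for every request that should not have gone through.
    """
    flagged = []
    for req in change_log:
        reasons = violations(req)
        if reasons:
            flagged.append((req, reasons))
    return flagged


# Constructed change log for the month.
CHANGE_LOG = [
    ChangeRequest("overtime", "E1001", "P4001", "M2001"),      # proper
    ChangeRequest("overtime", "E1003", "P4001", "M2001"),      # wrong manager
    ChangeRequest("rate_change", "E1001", "M2001", "M2001"),   # self-keyed, wrong role
    ChangeRequest("vacation", "E1001", "E1001", "E1001"),      # employee approved own leave
    ChangeRequest("rate_change", "E1002", "P4001", "D3001"),   # proper
]

if __name__ == "__main__":
    for req, reasons in detective_review(CHANGE_LOG):
        print(req.item, req.employee, "->", "; ".join(reasons))
```

The same `violations` function serves both controls: called at submission time it prevents the bad change, and called over the log after the fact it detects any that slipped past (for instance if the preventative check was bypassed by a direct database edit), which is why both kinds of control are worth having.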
IV. Use of TPAs
• Use of a TPA for payroll and/or benefits does not absolve a company of responsibility under SOX.
• You can do controls testing on the TPA's site.
• Or, you can obtain an SAS 70 form, wherein the TPA certifies to testing and maintaining its own controls.

IV. Use of TPAs
• Must ensure that the TPA's SAS 70 relates to the processes they do for you. If they do specialized processes for you, not described in the SAS 70, you or they must test and report on controls.
• If internal control issues are identified, you must make sure they are resolved prior to relying on the TPA's results for your company.
• Make sure you verify that the info transferred to your TPA equals what they receive.

IV. Use of TPAs
SSAE 16: Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. Meant to supersede the existing guidance (SAS 70) for performing an examination of a service organization's controls and processes.
V. The Internal Audit Function
• Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. (The IIA)

V. The Internal Audit Function
• Uses a set of internationally recognized standards to guide a company's internal audit function in effectively analyzing its own risk management, policies and procedures in order to maximize value and achieve Management goals.

V. The Internal Audit Function
Stages of internal auditing:
1) Risk Assessment
2) Audit and Engagement Planning
3) Field Work
4) Communication
5) Follow-up

V. The Internal Audit Function
1. Risk Assessment
• Analyze financial statements and other information to decide where the greatest risk to profit and loss exists.
• Analyze operational and administrative functions to identify where the risk of failure, inefficiencies and ineffectiveness exists.
• Analyze personnel, financing, and structural architecture for effective servicing of corporate operations and goals.
• Re-analyze periodically to reflect changes in legal, regulatory, economic and other environments that affect your company.

V. The Internal Audit Function
2. Audit and Engagement Planning
• Based on the Risk Assessment, choose the departments, operations, offices, or functions that have the greatest risk.
• Develop a sound understanding of the program, activity, organization or initiative being audited, including its management practices, business processes, policies and procedures, and external and internal environments.
• Analyze personnel, financing, and structural architecture for effective servicing of corporate operations and goals.

V. The Internal Audit Function
2. Audit and Engagement Planning
Demonstrate and communicate the following decisions:
• Significant audit issues and the reasons for pursuing them further (e.g. the results of the risk assessment)
• Audit objectives
• Audit scope, i.e. the areas, activities, systems, or processes to be examined, together with the rationale for not pursuing any related ones
• Audit criteria against which assessments will be made
• Approach or methodology that will be used for the engagement
• The process for communicating audit findings
• The projected timeline for the audit and
• Resource requirements.

V. The Internal Audit Function
3. Field Work
• Define the testing to be done in order to accomplish audit objectives.
• Decide who you need to interview and interact with.
• Communicate with the auditee what documentation you need, and access to electronic and paper files.

V. The Internal Audit Function
4. Communication
• Write up the results of the testing. Decide if exceptions are relevant, and evidence is sufficient to support conclusions.
• Have auditors' reports reviewed for accuracy.
• Draft final report and distribute to appropriate parties.
• Remember the IAA only points out problems. It is Departmental Management's job to fix them.

V. The Internal Audit Function
5. Follow-up
• After a response is received, resolve any outstanding issues.
• Draft final report with revisions if necessary.
• Schedule follow-up testing on areas identified as being deficient.
• Record results for review by external auditors and top management.
Supplemental Material
1. Sarbanes Oxley compliance case study
2. Payroll Internal Controls
3. How to evaluate your system for fraud

Wrap Up
• We hope you learned a lot from this session and your questions were answered
• If, however, we didn't get to your specific question or your question was too specific to bring up in a public session, simply contact the presenter.

Thank You For Attending!
• Your feedback is crucial to help ensure a superior learning experience
• You will receive an evaluation email from us, which should take less than five minutes to complete
• Responses are anonymous
Questions? Please Contact Us.
Support@TheIndustryCalendar.com
770.410.5787