This is kind of a poll. I have a question I am hoping to get experienced answers to about how large organizations audit their workforce. I have no specific organization or business in mind, this is a general question on how this is done.
How does a business audit itself (or have an outside audit done) to make sure that a) all the people it thinks are on the payroll actually exist and b) they accurately know and report how much they really get paid. I am assuming there are cases of fraud in the world that make this a good idea. Lets assume that the organization has lots of field offices and people who are paid for different time-periods: full-time 40 hours/week, part-time, seasonal workers, on-call emergency workers, etc. so that taking a reported number o employees and multiplying by an average salary is not useful.
Clearly every large organization has a central payroll and accounting department. So that department can detect many problems-or cause them in the case of correctly paying people ( ). But how does the organization detect problems in the central system? If a clerk in payroll maintains eleven pay accounts for a field office that in fact only has 10 employees? I can imagine situations where the clerk doesn’t even realize there is a problem. She was told to maintain 11 accounts and the field office is half-way around the world, so that is what she does. The fact that the bank account for the 11th person happens to be controlled by the field office manager is not something she can detect.
Are such controls a normal part of any large organization? Is this something a routine annual audit would detect? Is the monitoring an internal function (ie internal auditor) or an external function? Is it done routinely or only when problems are suspected? Is that the reason there are usually payroll departments and human resources departments so that one can check the other?
Any experiences or explanations would be appreciated.
Why are you assuming that the organization wants to make sure everybody is paid and reports earnings correctly?
The company’s responsibility, and the part they audit, covers only those payments made by the company. Usually this is reported to tax authorities electronically, as either a single large file or a batch job with individual files (the details vary by location). Whether employees then file their taxes correctly or not is not the company’s responsibility. And many companies have very little interest and in fact quite the opposite in paying according to the law: those aren’t going to check whether they are doing everything legally, just whether what they do doesn’t ring too many bells.
Most large companies employ an internal audit department that designs programs to routinely look for fraud, compliance with company policies, reviews of internal controls, etc. Also, management reviews financial information, etc. for performance, etc. to determine if the results appear unusual or if something doesn’t appear correct. ie, if I’m in charge of a department, I should also be monitoring the total costs associated with my department, if it appears that my labor costs is too high, I’m going to look into it.
I can’t speak for larger organizations, but at a previous employer I was in the account department and dealt with our auditors. These auditors were hired by/reported to the board of directors and would come in twice a year for internal audits.
One of the ways they’d test payroll is to take the payroll for the year (which matched up to the bank account) and pick out 5 - 10 employee names and ask to see their employee files. These files were controlled by HR and included things like resumes, tax forms, copies of licenses, signed reviews, signed write-ups, etc. And the auditor could/did ask to speak with the employee directly.
Any fake employees would need to have such a file built, with forms signed by people in various departments. It would require the co-operation of multiple unrelated people to build up a convincing employee file, and they could still get randomly caught if they couldn’t produce the person to the auditor.
This is what we did. We had about 2000 employees and they’d check a couple hundred every six months. The only thing I ever saw come out of it was the discovery that an employee was double-dipping - he worked for the company, but he had another job in a different department thru a temp agency (yep, he was working 16 hours a day, 5 days a week, for over a year).
The short answer is that good companies put various “controls” in place to prevent fraud, errors and other waste. Broadly speaking, controls consist of things like:
Separating roles and responsibilities
Multiple layers of approvals and independent checks
Automated reporting
Periodic audits
But yeah, mistakes sometimes happen. People commit fraud. Companies get sloppy.
Auditors (i.e. Deloitte, EY, KPMG, PwC) usually just make sure the companies financial statements make sense, although part of that is (theoretically) looking for fraud. I say “theoretically” because that list used to include Arthur Andersen.
Well, primarily to save money. If a given department is costing 12 salaries but getting all their work done with 11, then it is in the companies best interests to cut costs. Besides the whole follow the law and protect one’s reputation thing.
This is one of the reasons I asked. I hear all the time that “companies get audited every year” and wondered whether that meant the columns in the financial report all totaled up correctly or whether the audit actually was designed to detect fraud and illegal accounting.
Every audit I’ve been through seemed more worried about making sure the accounting was proper (tax authorities don’t like companies overstating expenses, understating revenue, etc) and only catching stupid/massive fraud.
The sort of little frauds, like a phantom employee, should be caught by internal controls. The auditors I deal with spot check that our internal controls are followed but don’t look for the fraud itself. In other words, the auditors aren’t looking (too much) for extra payroll, they looking that the managers and accounting department are doing what they should to catch the extra payroll.
Things of course could be different at larger or publicly traded companies. I don’t have experience with those kinds of audits.
I am getting the gist of the concept here.
Audits are not intended to detect small-scale fraud on the order of a few phantom employees or salary padding, but large-scale fraud where the company might be siphoning off millions to fake accounts.
To detect small-scale fraud the company needs to have internal controls capable of detecting the strange case of the disappearing employee or the some employee getting two salaries for one job-or small-scale things like that.
But I would really like to hear from accounting people on what they know of this subject.
The cases I know which don’t follow the law aren’t reporting too many workers; they’re paying the workers less than they should (no overtime) and often part of what the pay above base salary (such as a part of the actual amount of overtime due) is under the table. And yes, this is often done in a very large scale, although each individual worker is told that their own envelope is “a personal favor”. Part of the reason for this is that they perceive it as saving money over, you know, actually paying what they should; many workers see the untaxed envelopes as a benefit, and any workers which get part of their pay in an envelope know that reporting it means losing the job.
Sounds like you are trying to get the lay of the land, to decide if your scheme is likely to be detected. Most frauds eventually get discovered, mainly because the employees perpetuating the fraud, get greedy and get sloppy, or take vacation and it’s too difficult to keep it hidden forever.
I always ask my employees what their amount is? The look at me and ask what I’m talking about. I say, “What is the amount you would need to embezzle to feel comfortable?” And they think a little bit, and almost always give some really low amount, like $1 million or $10 million. I laugh, and say that’s not nearly enough. They look at me quizzically and I say, I’d need at least $500 million, because you need enough to get away forever and never be seen again, and you will likely need to spend a good chunk of that amount hiding the rest of it so it can’t be traced. $10 million will just find you in jail.
Audits are really intended to make sure proper accounting practices (GAAP) are followed. One of the limitations is that massive fraud can be missed by the auditors if the company’s upper management is conspiring to hide it (i.e. Enron).
But assuming the company itself is intending to commit massive fraud, the creation of internal controls is really managed by a combination of accounting, IT, procurement, business processes and dedicated information security, cyber security, and “governance/risk/compliance” teams. In a sense this has become an industry unto itself.
Well, fair comment I guess. However, wide of the mark. I am retired and am not involved in any business.
My question was sparked by a local political race where one side demands increased auditing of the local government and the other side says the current auditing is sufficient. It got me thinking about what actually happens in an audit. If the principals in a business (or government-I think there was a case in California a few years ago where the local bosses had awarded themselves huge salaries and hid the amounts in poor bookkeeping) have set up a system to steal $, would a routine audit detect that? Is a routine audit ever intended to detect fraud? Or just bad bookkeeping?
Audits prepared by external audits are designed to detect material misstatements. Material meaning that the amount of the misstatement would change the opinions or decisions of the users of the financial statements. If the “local bosses” had the authority to award themselves these larger salaries, but would be a political or public relations problem in known, wouldn’t be disclosed in an audit. Audits are not designed to expose PR problems, just where controls were violated, etc.
Internal audits can designed to uncover or detect whatever the persons requesting them want them to do. The more detailed the more costly the audit will be.
). But how does the organization detect problems in the central system? If a clerk in payroll maintains eleven pay accounts for a field office that in fact only has 10 employees? I can imagine situations where the clerk doesn’t even realize there is a problem. She was told to maintain 11 accounts and the field office is half-way around the world, so that is what she does. The fact that the bank account for the 11th person happens to be controlled by the field office manager is not something she can detect.