GPMI December 2015
Take Charge With a Global Payroll Control Framework, Part II
BY MAX VAN DER KLIS-BUSINK
Editor’s Note: In the November issue of Global Payroll, Max
van der Klis-Busink explained how he used the Committee
of Sponsoring Organizations of the Treadway Commission
(COSO) framework as the basis of his Global Payroll Control
Framework (GPCF). He also laid out the objectives of the
framework. In Part II, he lays out the first three components
of internal control over payroll.
The next step toward designing the GPCF is addressing
the (five) components of internal control. COSO’s
framework extensively addresses these five
components and it’s stated that without them, internal
control simply cannot be achieved. The components
apply to all objectives, processes, and functions within an
organization and to the global payroll function specifically.
Internal control is a dynamic process, so components are
interrelated and influence each other. Risk assessment, for
instance, not only influences the design of control activities
to mitigate assessed risks, but also
may highlight the need to implement
monitoring activities. I will address the
first three in this contribution and will address the other two
(with the Global Payroll Operating Model) in Part III.
Control Environment
The control environment is the set of standards, processes,
and structures that provide the basis for carrying out internal
control across the organization. The executive management
establishes the tone at the top and externalizes it in policies
and codes applicable to all functions of an organization. Take
notice of which policies allow the global payroll function to
embed internal control in its processes. These could be codes
of conduct related to social compliance, business ethics, or,
for instance, information security.
GLOBAL PAYROLL: The official magazine of the Global Payroll Management Institute
Reprinted From December 2015
If the code of conduct says employees should strictly
comply with applicable laws and regulations or that all
digital and hard copy information must not be disclosed
without prior consent, it influences daily payroll operations
and the tone set in global payroll objectives. Company
policies reveal either explicitly or implicitly whether internal
control is taken seriously, whether decisions affecting payroll
tax are taken opportunistically, or if ethical values and
integrity prevail in these situations. This tone has an effect
on how risks are assessed and labeled and thus how control
activities are designed. This is also the reason why a GPCF is
different for each organization. The control environment also
includes information on the IT infrastructure, the customers
and stakeholders of the global payroll function, and an
overview of the global operating model. Finally, summarize
the payroll environment to gain insight into the complexity
of the payrolls and countries in the GPCF’s scope, such as
the number of employees, currency, time zone, processing
period (weekly, biweekly, monthly, etc.), and the turnover in
employees. Use these insights to identify and assess risks
and to manage the workload within the global payroll
function in assigning responsibilities.
Risk Assessment
For internal control to be effective, organizations
must identify risks that have or may have an adverse
effect on achieving global payroll objectives. This
is not a one-time event when designing the GPCF,
but should be systematically implemented and
evaluated as circumstances change. Numerous
changes can affect internal control for payroll, such
as starting business in a new country, implementing
a new HR-system, or adding new employment terms.
Risks can roughly be divided into two categories: those
present in payroll processes, and those that occur outside
of payroll but that may have an effect on the organization’s
position on payroll taxes. These two risk categories then
apply to the global payroll operating model and need to be
specified as country-specific risks to reach the level of detail
required to really be in control of global and local payroll.
These local risks could include the difference in how new
hires are processed and the timing of registering them. In
assessing local risks, these factors typically increase local
payroll complexity and thus increase risk: benefits in kind,
travel and business expenses, hiring and firing employees,
and global mobility (expats).
Before assessing risks, identify them by analyzing the
global payroll function’s current processes and control
environment. The global payroll function can identify risks
alone, but collaborating with other internal and external
stakeholders will enable a more objective analysis. This
analysis can be done by interviewing other support functions
(finance, HR, treasury,
etc.) and payroll vendors,
sending questionnaires to
customers, or analyzing
payroll data. As long as
the risks are identified,
the method succeeds. Once
the risks are identified,
assess and describe them in a
standardized order. Include a risk
header, risk classification, and the
intended response to the risk. In the header, describe the risk
and the global payroll objective on which the risks may have
an adverse effect. Below are three examples of common risks
identified in global payroll operating models:
• Payroll changes (new hires, contract changes, and
departing employees) not being included in the payroll
change sheet, causing inconsistencies in payroll master
data resulting in incorrect payroll output;
• Not meeting payroll timelines in accordance with
the GPCF, having an adverse effect on deadlines
communicated to stakeholders, customers, vendors, and
filing deadlines;
• Insufficient funds on payday, which prevents salary
payments and the payment of payroll taxes, resulting in
non-compliance.
Control Activities
The actions an organization or function establishes to
mitigate identified and assessed risks are control activities.
It’s common to build control activities into processes as
routine controls and everyday business decisions, such
as segregation of duties, sign-offs on output, four-eye
principle (two-person rule), automated system blocks,
and authorizations. Control activities are normally a
response to assessed risks, such as those described before.
Since payroll is mainly a transactional process, business
processes usually include so-called transaction controls
with a direct and clear link to an assessed risk.
Start designing control activities by analyzing current
control activities, inventorying the assessed risks, and
identifying the potential the current global payroll operating
model provides to mitigate them. The aim should always be
to mitigate all assessed risks or to knowingly accept not
mitigating them. An organization also should stop control
activities that do not mitigate risks and add no (business)
value. After gaining insight into the required controls and
the feasibility of implementing them, describe them. Include
these elements: a description in the header; a classification of
key or non-key; the control objective, type and method; and
the systems utilized to perform the control activity. Label
the controls as key or non-key based on three discretionary
items: the level of complexity of the activity, the level of
professional judgment required to execute the activity, and
the risk of management being able to override the activity
to get things done. Each control has an objective such as
accuracy, completeness, validity of data, or the segregation
of duties. Have a combination of control objectives that
together mitigate interrelated risks. Here are three control
activities typically incorporated in the processes of the
global operating model:
• Payroll changes processed on the payroll change sheet
are checked and approved prior to further processing
by another member of the global payroll function in
accordance with sections 3 and 4 of the GPCF;
• In the online banking system, the global payroll function
has a profile setup that allows only initiating and partly
authorizing a payment before it is executed by the global
controller;
• Sign-off on the preliminary payroll output is only given
to the payroll vendor after the global payroll manager
has approved the last preliminary output via email.
These control activities pursue different objectives. The
first one, for instance, pursues accuracy, completeness,
and validity, while the second and third pursue correct
authorization and segregation of duties. They also differ in
type, which can be defined as either detective, preventive,
or corrective (see table below).
A combination of control activities will ensure better
control over risks. Next, list the systems utilized to perform
the control. In order for the auditors to easily write their
audit plans, include evidence obtained as proof of the
control, if performed, and the frequency of the control on
a global and local level. Finally, map each control activity
to one or more described risks and add it to the Risk and
Control Matrix (RCM). This RCM provides the necessary
insight enabling you to answer the question CFOs tend to
ask: “Are all of our identified risks mitigated with control
activities?” It’s a great document to share with internal and
external auditors.
In Summary
In this contribution, I have exemplified the first three
components of internal control. Once these are designed and
addressed, the final two components (Monitoring Activities
and Information & Communication) are the next logical
steps. These will ensure that separate evaluations on the
function of control are conducted and that information is
communicated properly and in a timely manner. Make sure to read Part
III, where I also will address the Global Payroll Operating
Model for you to start the design of your own GPCF. ■
Control Types and Definitions
Control type | Definition
Detective | Designed to detect errors or irregularities that may have occurred before the output of a process is delivered to the customer or stakeholder.
Preventive | Designed to keep errors or irregularities from occurring in the first place; this is the most favorable type of control for the global payroll team.
Corrective | Designed to correct errors or irregularities that have been detected and therefore already have occurred.
The Global Payroll Management Institute (GPMI), www.GPMInstitute.com, is the world’s leading community of payroll leaders, managers, practitioners, researchers,
and technology experts. Our subscribers connect with each other through networking discussions, collaborative opportunities, and access to education and publications
dedicated to global payroll strategies, knowledge, research, employment, and training. GPMI also publishes several global payroll texts and white papers as a benefit to our
subscribers. Get more information at www.GPMInstitute.com.