7.3 Audit Testing, Documentation, and Findings

Key Takeaways

  • Audit testing starts with a clear objective: completeness, accuracy, authorization, cutoff, classification, confidentiality, or reconciliation.
  • Payroll audit evidence should tie source documents to system input, payroll output, tax reporting, vendor remittance, bank activity, and general ledger accounts.
  • Retention rules matter because unsupported payroll amounts are hard to defend; IRS employment tax records generally need at least four years, and FLSA payroll and wage-computation records have separate retention expectations.
  • A useful audit finding states condition, criteria, cause, effect, and corrective action, then assigns ownership and a due date.
Last updated: June 2026

Audit Testing Is Payroll Proof

An audit does not recalculate every paycheck by hand. It tests whether payroll controls and records are reliable enough to support compliance and financial reporting. The FPC audits domain includes internal controls, payroll system controls, accounting system controls, and audit policies and procedures. The related accounting domain includes financial reporting, accounting principles, payroll journal entries, and account reconciliation. Together, those domains ask whether payroll can prove its work.

Start every audit scenario by identifying the objective. Completeness asks whether all valid payroll records were included. Accuracy asks whether amounts were calculated correctly. Authorization asks whether the right person approved a change or payment. Cutoff asks whether payroll belongs in the correct period. Classification asks whether wages, taxes, deductions, liabilities, and expenses hit the right accounts or forms. Confidentiality asks whether sensitive data was protected. Reconciliation asks whether independent records agree.

Evidence Chain

Strong payroll evidence forms a chain. For a regular paycheck, the chain may include approved time, pay rate, earning codes, tax setup, deduction elections, payroll register, tax liability report, bank funding, employee pay statement, vendor remittance, and general ledger posting. For a bonus, it may include compensation approval, bonus population, supplemental wage tax method, payroll register, funding approval, and accounting entry. For a garnishment, it includes the order, disposable earnings calculation, priority decision, withholding, remittance, and employee notice handling.

Audit Objective | Example Test | Evidence to Inspect
Completeness | Compare approved time records to payroll input | Time system total, import report, reject log, payroll register
Authorization | Select pay-rate changes and trace approval | HR workflow, effective date, change report, reviewer signoff
Accuracy | Recalculate a sample paycheck | Source hours, rate, taxable wages, taxes, deductions, net pay
Reconciliation | Tie payroll output to GL and bank | Payroll register, ACH file, cash activity, clearing account
Confidentiality | Review sensitive access and changes | User access list, audit log, terminated-user removal evidence

The IRS states in Publication 15 that employment tax records should be kept for at least four years and be available for review. DOL Fact Sheet #21 states that FLSA payroll records are generally preserved at least three years, while wage-computation support such as time cards and wage-rate tables is generally kept two years. A payroll audit answer should therefore preserve the support needed to prove wages, taxes, hours, rates, additions, deductions, and filings.

Sampling and Walkthroughs

A walkthrough traces one transaction from source to final reporting. For example, choose a newly hired hourly employee and follow the record from hiring approval to master-file setup, Form W-4 withholding setup, time approval, paycheck, tax liability, direct deposit, payroll journal entry, and record retention. Walkthroughs reveal whether the process described in a procedure manual is the process actually used.

Sampling tests a selected group. The sample might include new hires, terminated employees, employees with direct deposit changes, bonus recipients, negative net checks, manual checks, high overtime, or terminated employees paid after termination. Samples should match the risk. If the risk is unauthorized direct deposit changes, sampling ordinary unchanged employees misses the point. If the risk is overtime calculation, sampling exempt salaried employees is weak.

Reconciliation Tests

Reconciliation is a core payroll audit skill because payroll creates many independent records. Quarterly wages and taxes should tie from payroll registers to Form 941. Annual employee wages should tie from Forms W-2 and W-3 to quarterly payroll returns, with differences explained. Employee deductions should tie to benefit carrier invoices, retirement plan remittance reports, court or agency orders, and liability accounts. Net pay should tie to bank funding and outstanding check or reversal activity.

A payroll clearing account is a useful audit signal. It may receive payroll funding or postings temporarily, but it should clear when cash, liabilities, and expenses are recorded correctly. A lingering balance can mean a void was not posted, a reversal missed the general ledger, taxes were accrued but not paid, a benefit deduction was withheld but not remitted, or an off-cycle payroll was coded incorrectly.

Findings and Remediation

A strong finding is not just a complaint. It states the condition, criteria, cause, effect, and corrective action. Condition: terminated employees remained active in payroll for two pay periods. Criteria: terminated employees should be removed or blocked from payment after approved termination unless final pay is authorized.

Cause: the HR-to-payroll termination interface rejected records with missing reason codes, and no one reviewed the reject report. Effect: one employee received an unauthorized payment and the clearing account required correction. Corrective action: assign reject-report review, add a reason-code edit, require payroll signoff, recover or correct overpayment, and retest next month.

Good remediation has an owner, due date, evidence, and monitoring. If an audit finds direct deposit changes were not reviewed, payroll should not only review the one change. It should update the procedure, restrict access if needed, add a report, document review, train staff, and test whether the control works. Repeating the same audit finding usually means the root cause was not fixed.
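The finding above can be retested with a detective check that compares HR terminations to the payroll register. The sketch below is an added example, not part of the original material; the record layouts, field names, dates, and the final-pay authorization set are all constructed assumptions.

```python
from datetime import date

# Constructed sample data (hypothetical layouts, not real records).
HR_TERMINATIONS = [
    {"employee_id": "E2001", "term_date": date(2026, 3, 6), "reason_code": "VOL"},
    {"employee_id": "E2002", "term_date": date(2026, 3, 13), "reason_code": ""},
    {"employee_id": "E2003", "term_date": date(2026, 3, 20), "reason_code": "INV"},
]
PAYROLL_REGISTER = [
    {"employee_id": "E2001", "pay_date": date(2026, 3, 13), "net_pay": "812.40"},
    {"employee_id": "E2002", "pay_date": date(2026, 3, 27), "net_pay": "1540.00"},
    {"employee_id": "E2002", "pay_date": date(2026, 4, 10), "net_pay": "1540.00"},
    {"employee_id": "E2003", "pay_date": date(2026, 4, 3), "net_pay": "990.15"},
]
# Approved final-pay authorizations as (employee_id, pay_date) pairs.
FINAL_PAY_AUTHORIZED = {("E2001", date(2026, 3, 13)), ("E2003", date(2026, 4, 3))}


def interface_rejects(terminations):
    """Employee IDs the interface would reject for a missing reason code."""
    return [t["employee_id"] for t in terminations if not t["reason_code"].strip()]


def payments_after_termination(terminations, register, authorized):
    """Payments dated after termination that lack final-pay authorization."""
    term_dates = {t["employee_id"]: t["term_date"] for t in terminations}
    exceptions = []
    for payment in register:
        term = term_dates.get(payment["employee_id"])
        if term is None or payment["pay_date"] <= term:
            continue  # still employed on the pay date, or not terminated
        if (payment["employee_id"], payment["pay_date"]) in authorized:
            continue  # authorized final pay is not an exception
        exceptions.append(payment)
    return exceptions


def exception_report(terminations, register, authorized):
    """Exceptions annotated with whether the reject report explains them."""
    rejects = set(interface_rejects(terminations))
    return [
        {**p, "in_reject_report": p["employee_id"] in rejects}
        for p in payments_after_termination(terminations, register, authorized)
    ]


if __name__ == "__main__":
    for row in exception_report(HR_TERMINATIONS, PAYROLL_REGISTER, FINAL_PAY_AUTHORIZED):
        print(row)
```

An exception that also appears in the reject report points to the unreviewed-reject cause; one that does not needs a separate root-cause review.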

Confidentiality During Audits

Audit requests do not cancel confidentiality. Share the minimum necessary payroll data, use secure transmission, mask sensitive fields when possible, and track what was provided. A spreadsheet with full Social Security numbers, bank accounts, garnishments, and medical deduction details sent casually is a control failure. Audit evidence should be complete enough to prove the transaction and protected enough to respect employee confidentiality.
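One way to apply minimum-necessary sharing, masking, and tracking when preparing an audit extract is sketched below. This is an added example, not part of the original material; the field names, the last-four masking policy, and the sample rows are constructed assumptions.

```python
import hashlib
import json

# Constructed sample payroll rows (not real data).
SAMPLE_ROWS = [
    {"employee_id": "E1001", "ssn": "123-45-6789", "bank_account": "000123456789",
     "gross_pay": "2500.00", "garnishment": "150.00", "medical_deduction": "85.00"},
    {"employee_id": "E1002", "ssn": "987-65-4321", "bank_account": "4455667788",
     "gross_pay": "3100.00", "garnishment": "0.00", "medical_deduction": "120.00"},
]

# Fields that are masked rather than shared in full (assumed policy).
MASKED_FIELDS = {"ssn", "bank_account"}


def mask_last4(value):
    """Keep only the last four digits; short values are masked entirely."""
    digits = [c for c in value if c.isdigit()]
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + "".join(digits[-4:])


def build_extract(rows, requested_fields):
    """Return only the fields the audit test needs, masking sensitive ones."""
    extract = []
    for row in rows:
        out = {}
        for field in requested_fields:
            value = row[field]
            out[field] = mask_last4(value) if field in MASKED_FIELDS else value
        extract.append(out)
    return extract


def disclosure_record(extract, requested_fields, recipient, purpose):
    """Log entry tracking what was provided, with a digest of the exact content."""
    payload = json.dumps(extract, sort_keys=True).encode("utf-8")
    return {
        "recipient": recipient,
        "purpose": purpose,
        "fields": list(requested_fields),
        "masked_fields": sorted(MASKED_FIELDS & set(requested_fields)),
        "row_count": len(extract),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    fields = ["employee_id", "ssn", "gross_pay"]
    extract = build_extract(SAMPLE_ROWS, fields)
    print(extract)
    print(disclosure_record(extract, fields, "internal audit", "paycheck accuracy sample"))
```

The digest lets payroll later show exactly which extract was handed over without keeping another unmasked copy in the log.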

For FPC practice, ask three questions for every audit scenario: What is the risk? What evidence proves or disproves it? What control or correction would prevent recurrence? This approach works whether the question is about a paycheck sample, a failed interface, a Form 941 reconciliation, a benefit vendor variance, or a payroll journal entry.

Test Your Knowledge

An auditor is testing whether pay-rate changes were authorized. Which evidence set is most directly responsive?

A payroll clearing account has an unexplained balance after every payroll. What is the best audit response?

Which finding statement best identifies root cause and corrective action?