7.2 Internal Controls, Segregation, and Audit Trails

Key Takeaways

  • Internal controls are policies, procedures, approvals, reviews, and system restrictions that reduce payroll error, fraud, and compliance risk.
  • Segregation of duties separates authorization, setup, processing, payment release, and reconciliation; small teams need compensating reviews when full separation is not possible.
  • Audit trails must show the user, date, field changed, old value, new value, approval support, and review outcome for high-risk payroll changes.
  • A control is effective only when it is performed timely, by the right person, on the right population, and with enough evidence to reperform or inspect.
Last updated: June 2026

What Internal Controls Do in Payroll

An internal control is a designed activity that helps payroll pay the right person, the right amount, at the right time, from the right account, with the right reporting and accounting treatment. Payroll controls protect assets, employee data, tax compliance, and financial reporting. The FPC audits domain specifically includes internal controls, payroll system controls, accounting system controls, and audit policies and procedures, so control vocabulary is testable even when the question looks operational.

Think in three control families. Preventive controls stop a bad transaction before payroll is released. Examples include role security, required approvals, edit checks, and locked pay calendars. Detective controls identify problems after input or processing. Examples include variance reports, register reviews, bank reconciliations, and W-2 to 941 reconciliations. Corrective controls fix root cause and restore accurate records. Examples include amended returns, corrected wage statements, control redesign, and training.

Segregation of Duties

Segregation of duties means no one person controls a transaction from beginning to end. In payroll, the high-risk duties are authorization, master-file setup, time approval, payroll processing, payment release, tax deposit approval, vendor remittance, and bank or general ledger reconciliation. A payroll clerk who can create an employee, enter hours, process pay, change direct deposit, and reconcile the bank has too much control, even if the person is honest.

Payroll Duty | Risk if Combined | Better Control Pattern
New employee setup | Phantom employee or wrong tax setup | HR approval, payroll entry, independent new-hire report review
Pay-rate change | Unauthorized raise or retroactive overpay | Manager approval, workflow evidence, change report review
Direct deposit edit | Net pay redirected | Employee authentication, restricted access, prenote or review report
Payroll processing | Errors released without challenge | Processor prepares, approver reviews register and exceptions
Bank reconciliation | Concealed payment errors | Accounting or treasury reconciles to payroll funding and bank activity

Small payroll teams cannot always separate every duty. The FPC answer is not to ignore the issue. Use compensating controls: owner review, controller signoff, exception report review by someone outside processing, bank activity review by accounting, or periodic audit testing. The point is independent eyes over the highest-risk steps.

Audit Trails

An audit trail is the record that lets a reviewer reconstruct a payroll event. For system changes, strong audit trails show the user ID, date and time, field changed, old value, new value, source approval, and reviewer signoff. For calculations, the trail includes pay code, hours, rate, taxable wage treatment, deductions, taxes, and net pay. For corrections, it shows the original error, correction reason, employee impact, tax impact, accounting impact, and filing or repayment steps.

Audit trails are especially important for master file changes, direct deposit changes, pay-rate changes, manual checks, voids, reversals, bonus runs, garnishment setup, tax location changes, and administrator access. A change report that says only "modified" is weak. A report that shows the old bank account (masked), the new bank account (masked), the user who made the change, the effective date, employee confirmation, and independent review is stronger.
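The two ideas above, a complete audit trail for high-risk changes and no single user holding conflicting duties for the same employee, can be checked mechanically over a change log. The following is an added illustration, not code from the source or from any payroll system: the record layout (user, timestamp, employee_id, field, old_value, new_value, approved_by, reviewed_by), the field-to-duty mapping, the list of conflicting duty pairs and the sample log are all constructed for the example.

```python
"""Audit-trail completeness and segregation-of-duties checks over a payroll change log.

Added example; record layout, duty mapping and sample data are assumptions.
"""
from collections import defaultdict

# Changes the text treats as high-risk: these need every audit-trail attribute.
HIGH_RISK_FIELDS = {"bank_account", "pay_rate", "tax_location", "garnishment"}

# Which payroll duty a logged change represents (assumed mapping for the example).
DUTY_OF_FIELD = {
    "employee_created": "setup",
    "bank_account": "setup",
    "pay_rate": "setup",
    "hours": "time_entry",
    "payment_released": "payment_release",
}

# Duty pairs that should not sit with one person for the same employee.
CONFLICTING_DUTIES = {
    frozenset({"setup", "payment_release"}),
    frozenset({"time_entry", "payment_release"}),
    frozenset({"setup", "time_entry"}),
}

# Attributes a strong audit trail shows for a system change.
REQUIRED = ("user", "timestamp", "employee_id", "field", "old_value",
            "new_value", "approved_by", "reviewed_by")

# Constructed change log for one pay period (bank accounts already masked).
SAMPLE_LOG = [
    {"user": "hr.jane", "timestamp": "2026-06-01T09:00", "employee_id": "E100",
     "field": "employee_created", "old_value": None, "new_value": "E100",
     "approved_by": "hr.mgr", "reviewed_by": "pay.lead"},
    {"user": "pay.bob", "timestamp": "2026-06-02T10:15", "employee_id": "E100",
     "field": "pay_rate", "old_value": "24.00", "new_value": "27.00",
     "approved_by": "mgr.sue", "reviewed_by": "pay.lead"},
    # Weak trail: direct deposit change with no approver and self-review.
    {"user": "pay.bob", "timestamp": "2026-06-03T11:00", "employee_id": "E200",
     "field": "bank_account", "old_value": "****1234", "new_value": "****9876",
     "approved_by": "", "reviewed_by": "pay.bob"},
    # Same user later releases E200's payment: setup and release by one person.
    {"user": "pay.bob", "timestamp": "2026-06-05T16:00", "employee_id": "E200",
     "field": "payment_released", "old_value": "pending", "new_value": "released",
     "approved_by": "ctrl.ann", "reviewed_by": "ctrl.ann"},
]


def check_audit_trail(rec):
    """Findings for one high-risk change: missing attributes or self-approval/self-review."""
    findings = []
    if rec["field"] not in HIGH_RISK_FIELDS:
        return findings
    missing = [k for k in REQUIRED if not rec.get(k)]
    if missing:
        findings.append(f"{rec['employee_id']} {rec['field']}: missing {', '.join(missing)}")
    for role in ("approved_by", "reviewed_by"):
        if rec.get(role) and rec[role] == rec["user"]:
            findings.append(f"{rec['employee_id']} {rec['field']}: {role} is the same user who made the change")
    return findings


def check_segregation(log):
    """Flag any user who performed conflicting duties on the same employee in the period."""
    duties = defaultdict(set)  # (user, employee_id) -> duties performed
    for rec in log:
        duty = DUTY_OF_FIELD.get(rec["field"])
        if duty:
            duties[(rec["user"], rec["employee_id"])].add(duty)
    findings = []
    for (user, emp), done in sorted(duties.items()):
        for pair in CONFLICTING_DUTIES:
            if pair <= done:
                findings.append(f"{user} performed {' and '.join(sorted(pair))} for {emp}")
    return findings


def review_log(log):
    """All findings for the period; an empty list means the log passed both checks."""
    findings = []
    for rec in log:
        findings.extend(check_audit_trail(rec))
    findings.extend(check_segregation(log))
    return findings


if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print(line)
```

On the constructed log the review reports three findings: the direct deposit change has no approver, it was reviewed by the user who made it, and that same user both changed E200's setup and released E200's payment. The check is only as good as the log behind it, which is why the text insists that the system record old value, new value, approver and reviewer rather than a bare "modified" flag.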

Control Attributes Examiners Like

A control is not effective simply because it exists in a policy manual. It needs ownership, timing, evidence, and follow-up. Ownership answers who performs the control and whether that person is independent enough. Timing answers whether the control happens before payroll, after payroll, monthly, quarterly, or annually. Evidence answers what proves the control occurred. Follow-up answers what happens to exceptions.

A payroll register review is a good example. A supervisor glancing at total net pay is not much control. A stronger review compares total gross, net, tax liabilities, deductions, headcount, negative net checks, terminated-employee payments, large one-time payments, and department totals to expected ranges. The reviewer documents exceptions and signs off before funding. If a bonus payroll is twice the expected total, the control catches it before cash leaves.

Payroll Examples

Consider a rate-change scenario. HR approves a promotion from $24 to $27 per hour effective June 1. Payroll imports the change. A change report shows effective date, old rate, new rate, and approval workflow. An independent reviewer confirms that the retroactive amount covers only the correct pay period and that overtime premiums were recalculated if required. The audit trail supports both the master-data change and the paycheck calculation.

Now consider a phantom employee risk. If payroll can add an employee and release payment without independent review, a fake employee can receive direct deposit. Controls include HR-created employee records, required government ID and Form I-9 workflow, bank-account validation, new-hire report review, and post-payroll comparison of active paid employees to HR rosters. The best FPC answer usually chooses a control that prevents or detects the fake employee through independent evidence.
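The register review described under "Control Attributes Examiners Like" and the post-payroll roster comparison described here are both detective controls that reduce to the same routine: compute the run's totals, compare them to an expected range, and walk the lines for the exceptions the reviewer is meant to catch. The following is an added example, not code from the source or from any payroll product; the register and roster layouts, the 15% tolerance, the large-payment threshold and the sample data are constructed.

```python
"""Payroll register review: variance against a baseline plus line-level exception checks.

Added example; data layout, tolerance and thresholds are assumptions.
"""

TOLERANCE = 0.15            # assumed acceptable swing versus the prior comparable run
LARGE_PAYMENT = 10000.00    # assumed threshold for a "large one-time payment" exception

# Constructed HR roster: employee_id -> status as of the pay date.
HR_ROSTER = {"E100": "active", "E101": "active", "E102": "terminated", "E103": "active"}

# Constructed totals from the prior comparable run, used as the expected range.
BASELINE = {"gross": 20000.00, "net": 15000.00, "taxes": 4000.00,
            "deductions": 1000.00, "headcount": 3}

# Constructed current register lines.
CURRENT_REGISTER = [
    {"employee_id": "E100", "gross": 7000.00, "taxes": 1400.00, "deductions": 350.00, "net": 5250.00},
    {"employee_id": "E101", "gross": 6500.00, "taxes": 1300.00, "deductions": 325.00, "net": 4875.00},
    {"employee_id": "E102", "gross": 6500.00, "taxes": 1300.00, "deductions": 325.00, "net": 4875.00},   # terminated
    {"employee_id": "E999", "gross": 20000.00, "taxes": 0.00, "deductions": 0.00, "net": 20000.00},    # not on roster
    {"employee_id": "E103", "gross": 500.00, "taxes": 100.00, "deductions": 600.00, "net": -200.00},    # negative net
]


def register_totals(register):
    """Sum the register by category and count paid employees."""
    totals = {k: round(sum(line[k] for line in register), 2)
              for k in ("gross", "net", "taxes", "deductions")}
    totals["headcount"] = len(register)
    return totals


def variance_exceptions(totals, baseline, tolerance=TOLERANCE):
    """Totals that moved more than the tolerance versus the expected figure."""
    exceptions = []
    for key, expected in baseline.items():
        actual = totals[key]
        swing = (actual - expected) / expected
        if abs(swing) > tolerance:
            exceptions.append(f"{key}: {actual} vs expected {expected} ({swing:+.1%})")
    return exceptions


def line_exceptions(register, roster, large=LARGE_PAYMENT):
    """Per-line checks: roster membership, terminated status, negative net, large payments."""
    exceptions = []
    for line in register:
        emp = line["employee_id"]
        status = roster.get(emp)
        if status is None:
            exceptions.append(f"{emp}: paid but not on HR roster")
        elif status == "terminated":
            exceptions.append(f"{emp}: payment to terminated employee")
        if line["net"] < 0:
            exceptions.append(f"{emp}: negative net pay {line['net']}")
        if line["net"] >= large:
            exceptions.append(f"{emp}: large one-time payment {line['net']}")
    return exceptions


def review_register(register, baseline, roster):
    """All exceptions for the run; an empty list means the register can be signed off for funding."""
    totals = register_totals(register)
    return variance_exceptions(totals, baseline) + line_exceptions(register, roster)


if __name__ == "__main__":
    for line in review_register(CURRENT_REGISTER, BASELINE, HR_ROSTER):
        print(line)
```

On the constructed data the run is roughly double the baseline in gross and net, headcount and deductions are out of range, and the line checks surface the terminated employee, the employee who is not on the HR roster, the negative net check and the large payment. The point of returning the exceptions as a list rather than a pass/fail flag is that each one needs a documented disposition before funding, which is the evidence the control leaves behind.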

Control Failures and Remediation

When a control fails, payroll should fix the immediate payroll and the process. If a deduction interface omitted new health plan elections, the immediate fix may be an off-cycle refund or a catch-up deduction review. The process fix may be a carrier feed control total, an effective-date edit, and a documented monthly carrier invoice reconciliation. Audit findings should not stop at "someone forgot." They should identify why the control design or performance allowed the error.

For exam purposes, distrust answers that depend on trust, shared passwords, undocumented verbal approvals, or after-the-fact employee complaints. Prefer answers that use approved source documents, system restrictions, independent reconciliation, exception reporting, and retained evidence. Payroll controls are not bureaucracy. They are the practical reason employees get paid, taxes are deposited, confidential data stays protected, and financial statements are not misstated.

Test Your Knowledge

Which duty combination creates the clearest segregation-of-duties risk in payroll?

What makes an exception report an effective payroll control?

A small payroll department cannot fully separate payroll preparation from payroll approval. Which compensating control is strongest?