Fraud scenarios occur in payroll for a variety of reasons. First, employees are motivated to increase their net payroll. A supervisor is motivated to increase the net payroll of a good employee, or the supervisor is motivated by receiving a kickback from the employee. Human resources payroll grades are unreasonable. Senior management is motivated by personal enrichment or by the need to disguise a bribe, which is an FCPA issue. Whatever the internal person's motivation, payroll systems are vulnerable to internal employees committing fraud scenarios through the payroll system.
On first appearance, internal controls in most payroll systems seem sound. Separation of duties between the payroll and human resources functions is deemed adequate. The company has a form for every step of the process. Approval controls are abundant throughout the entire system. However, fraud auditors should not be fooled by the existence of an internal form, the appearance of separation of duties, and approval signatures when planning their fraud data analytics plan.
The predictability, or vulnerability, of the payroll system to a specific fraud scenario depends on how the internal control works in the real world. I refer to this as the difference between control theory and control reality.
In the legal system, there is a phrase, “form over substance or substance over form.” Payroll systems definitely have a “form over substance” from an internal control perspective. There is a form for every step. There is a form for new hires, a form to change your profile, and a form for termination. The question is, does our payroll process have “substance over form”? The key to understanding where payroll systems are vulnerable to fraud is by understanding how robust your internal controls are at each key control. The fraud auditor needs to understand the answers to who, what, where, how, and when the internal control is performed. The fraud auditor must understand the substance of the process over the form of the process.
The who question correlates to the trust factor of fraud opportunity. Supervisors and employees develop personal relationships. These relationships may cause a less robust approval process. Who also relates to who actually causes the employee master file to be updated. Is human resources a true control function or an update function? Is human resources or payroll a “form” control or a “substance” control?
What is the span of internal control? How many employees does a supervisor monitor? Do employees work on staggered shifts? Does this work environment create opportunities for time reporting fraud?
Where does the hiring process occur? In a retail environment, hiring occurs at a store level. The manager interviews the employee and submits the necessary paperwork to human resources. The manager is perfectly situated to place a fictitious employee on the payroll. An employee quits work, but the supervisor continues to submit time sheets for the employee and diverts the employee's payroll check.
How is human resources notified of a change or an addition? Is the employee required to go to human resources, or does a supervisor forward the necessary paperwork?
When is the procedure performed? Is the procedure performed during normal business hours or after hours?
The intent of these questions or statements is not to suggest that internal controls are not operating as intended by management, but rather to convey the concept of understanding where your company is vulnerable to fraud.
The inherent fraud scheme structure is the starting point for fraud data analytics in payroll. The inherent scheme structure for entities is similar to that for vendors, except that in payroll the entity is an employee. There are three entity structures in payroll fraud scenarios:
The fraud action statements for payroll are:
The good news is that fraud data analytics is easier in payroll than in vendor payments. The payroll system tends to have fewer data integrity issues, so data cleansing routines are less critical. The payroll calculation tends to be accurate, which is not the same as authorized and consistent with company policies. Therefore, most payroll data interrogation procedures and sample selection criteria are specific identification strategies rather than data interpretation strategies. Now the bad news: because of all the subsystems that are required to calculate net payroll, more time is required to understand all of these systems and gather the data.
In payroll fraud, there are two key numbers: gross payroll and net payroll. Understanding how both numbers are calculated, stored, and reported will become the basis of your fraud data analytics plan. The planning for the fraud data analytics plan requires the fraud auditor to understand the data that resides in the following files:
Starting with the human resources database, identify what information can be used for fraud data analytics. In human resources, there is the obvious information, name, address, and so on; the other relevant items of information are:
The time and attendance system starts the payroll calculation. For hourly employees, the time and attendance system is the basis of their gross payroll; for full‐time employees, it indicates whether the employee is using personal time. The fraud auditor should understand how the information is created, changed, and reported. Other necessary information is the creator ID, the approver ID, the computer ID, job duties if the employee performs different jobs at different rates, and the date and time records for creating and changing the time record.
The table structure for payroll has two primary tables for fraud data analytics, the payroll register table, which has the results of the payroll calculation, and the payroll summary table that is used for tax reporting and various fringe benefit requirements. The fraud data analytics should be based on the payroll register table; however, the payroll summary table is useful because the table size is small in comparison to the size of all the payroll registers for the year.
The net payroll calculation is gross payroll minus deductions equals net payroll. The gross payroll is based on a salary grade, divided by the number of pay periods. Hourly employees are paid based on the number of hours multiplied by an hourly rate. Gross wages are classified based on an internal earnings code; the fraud auditor should obtain a copy of the earnings code as part of the planning.
Within the payroll system, there can be many earnings codes that mirror how the business operates. Some of these earnings codes are for classification of wages, such as vacation time. Other earnings codes are designed to increase gross payroll, such as a one‐time bonus payment. Within fraud data analytics the earnings codes are an integral part of searching for fraud in payroll.
There are two types of deductions from gross wages: those required by the government and those that are voluntary. The fraud auditor should obtain a copy of the deduction codes as part of the planning.
Now that regular gross payroll is calculated, the next step is to understand how adjustments to gross payroll, deductions, and net payroll are reported and where the adjustment transaction is recorded in the database.
Lastly, how is net payroll calculated? Within some companies, employees are reimbursed for expenses through payroll. The company includes the reimbursement as an adjustment to net payroll.
The first report that should be created is gross payroll and net payroll by employee. The difference between net and gross should be calculated, along with the percentage of employee net payroll to employee gross payroll. The informational items on the report should be the number of payroll payments, the employee number, the employee grade, employee title, and department number.
There should be summary reports on payroll information:
Each of these reports can be further refined based on what the reports reveal. Summarization and filtering routines are useful in allowing these reports to be user friendly. Using the payroll frequency report:
Remember, the planning reports are intended to assist the auditor in the likelihood analysis versus the sample selection process. Using the payroll frequency report, if no manual payroll payments were issued, then no fraud scenarios could occur through manual payments. Before you start creating fraud data analytics reports, study the planning reports to ensure you understand the data.
The term ghost employee is widely used throughout the audit profession. It generally is defined as payroll payments to a person who does not exist in real life. Using the inherent scheme approach, there are 11 ghost entity types. The fraud action statement is the same for each entity type: payment for services not performed.
The fictitious employee is added to the human resources file by someone with direct access or through indirect access. In many organizations, the hiring process occurs remotely from corporate human resources. For example, in retail, the store manager performs the hiring function and then submits the necessary paperwork to human resources, causing the fictitious employee to be added to the master file.
The plan can focus on the entity data, payroll register, or cross‐match to other data files to ascertain evidence of work performance. The entity data can focus on missing data and specific identification of data. The duplicate test can search for common linkage between two employees. The payroll register may have anomalies in the gross, deductions, or net payroll calculation.
Generally, employees worldwide have a government identification number. The critical question is whether the local government's business systems are sophisticated enough to identify an invalid government number for a citizen or foreign national. If they are, then an invalid number would soon be detected through government reporting; if they are not, then government identification numbers are not problematic for the person committing the fraud scenario.
So, where can we find a government identification number?
The employee master tests may search for employees missing normal employee information or perform a duplicate test to link two individuals together, one real and one fictitious. The first step is the data availability analysis to determine which fields are typically populated by human resources. The missing analysis should be based on information that would normally exist for a real employee. The scoring sheet concept is critical to using the missing data approach in that some information is simply more important than other information.
The duplicate test searches for a common linkage between two employees. The test can result in many false positives if the sample selection criteria are based on one criterion. The first test is a duplicate government identification number. System internal controls should not allow a duplicate number, but better safe than sorry. The second duplicate test would focus on duplicate bank account number and duplicate address. Now, depending on the person committing the scenario, the second attribute is a duplicate department number. The reason for duplicate department number is that the payroll charge needs to be recorded to a general ledger account. Assuming the person committing the scheme is a budget owner, then the budget owner's account number is the most likely place to avoid detection. If the person committing the scheme is in payroll, then a judgmental identification of departments with ghost employee payroll charges would not be as evident. If the scheme is committed as part of a bribe scheme (an FCPA violation), then the budget number may not provide a logical connection.
The payroll register provides the gross payroll, deductions, and net payroll for the fictitious employee. The payroll register anomalies are:
The best test to identify a ghost employee is evidence of work performance, the ability to match an employee in the payroll registers to an employee in a security database. Common databases are building access, parking garage access, computer access, or internal telephone system. The first level of the test is to determine if the employee in the payroll register is listed in the security database. The second level of the test is to determine if the listed employee is showing activity in the security database.
While evidence of work performance is the best test for identifying ghost employees, there are challenges with the fraud data analytics test. The first challenge is matching an employee's name between two unrelated databases. If employees are assigned an employee number, the match is relatively simple. If the match occurs on name, then the match will have spelling issues, much like the address field. The second challenge is associated with the diversity of the workforce. Finding one database for a diverse employee workforce may not be possible. The retention of access security records might be limited. Lastly, how robust is the enforcement of the security program? These challenges aside, matching your employee database to a secondary database is the best tool to identify ghost employees.
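As an added illustration of the duplicate tests and the two-level evidence-of-work test (this is example code written for this page, not from the book or any payroll product), the routine below runs both over a constructed HR master file and a constructed badge-access database keyed by name, which is the harder matching case; the field names emp_no, gov_id, bank_acct and dept are assumed.

```python
"""Ghost employee tests over a constructed HR master file and badge log."""
from collections import defaultdict
import re

# Constructed HR master file. E005 is a fictitious employee that shares the real
# employee E002's bank account and department; E006 reuses E004's government id.
MASTER = [
    {"emp_no": "E001", "name": "Alvarez, Maria", "gov_id": "111-11-1111", "bank_acct": "B100", "dept": "D10"},
    {"emp_no": "E002", "name": "Chen, Wei",      "gov_id": "222-22-2222", "bank_acct": "B200", "dept": "D20"},
    {"emp_no": "E003", "name": "Okafor, Ngozi",  "gov_id": "333-33-3333", "bank_acct": "B300", "dept": "D20"},
    {"emp_no": "E004", "name": "Smith, John",    "gov_id": "444-44-4444", "bank_acct": "B400", "dept": "D30"},
    {"emp_no": "E005", "name": "Chenn, W.",      "gov_id": "555-55-5555", "bank_acct": "B200", "dept": "D20"},
    {"emp_no": "E006", "name": "Smyth, Jon",     "gov_id": "444-44-4444", "bank_acct": "B600", "dept": "D30"},
]

# Constructed building-access database keyed by name (no shared employee
# number): enrolled badge holders and the badge events in the scope period.
BADGE_ENROLLED = ["MARIA ALVAREZ", "WEI CHEN", "NGOZI OKAFOR", "JOHN SMITH"]
BADGE_EVENTS = [("MARIA ALVAREZ", "2024-03-04"), ("WEI CHEN", "2024-03-04"),
                ("NGOZI OKAFOR", "2024-03-05"), ("MARIA ALVAREZ", "2024-03-05")]


def normalize_name(name: str) -> str:
    """Fold 'Last, First' and 'FIRST LAST' spellings into one comparable key."""
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def duplicate_linkages(master):
    """Duplicate tests: government id (controls should make this impossible,
    but test anyway) and bank account within the same department, the budget
    owner's most likely place to hide the charge."""
    by_gov, by_bank_dept = defaultdict(list), defaultdict(list)
    for row in master:
        by_gov[row["gov_id"]].append(row["emp_no"])
        by_bank_dept[(row["bank_acct"], row["dept"])].append(row["emp_no"])
    hits = [("duplicate_gov_id", k, sorted(v)) for k, v in by_gov.items() if len(v) > 1]
    hits += [("duplicate_bank_acct_in_dept", f"{k[0]}/{k[1]}", sorted(v))
             for k, v in by_bank_dept.items() if len(v) > 1]
    return hits


def evidence_of_work(master, enrolled_names, events):
    """Two-level test: is the employee in the security database at all, and if
    so does the database show any activity during the scope period?"""
    enrolled = {normalize_name(n) for n in enrolled_names}
    active = {normalize_name(n) for n, _date in events}
    status = {}
    for row in master:
        key = normalize_name(row["name"])
        if key not in enrolled:
            status[row["emp_no"]] = "not in security database"
        elif key not in active:
            status[row["emp_no"]] = "enrolled, no activity"
        else:
            status[row["emp_no"]] = "active"
    return status


def ghost_sample(master, enrolled_names, events):
    """Sample selection: every employee touched by a duplicate linkage (both
    sides of the pair, so the auditor sees the real person beside the ghost)
    plus everyone lacking evidence of work."""
    flagged = set()
    for _test, _key, emps in duplicate_linkages(master):
        flagged.update(emps)
    for emp_no, st in evidence_of_work(master, enrolled_names, events).items():
        if st != "active":
            flagged.add(emp_no)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in duplicate_linkages(MASTER):
        print(hit)
    print(evidence_of_work(MASTER, BADGE_ENROLLED, BADGE_EVENTS))
    print(ghost_sample(MASTER, BADGE_ENROLLED, BADGE_EVENTS))
```

Note that the name match is exact after normalization; a misspelled ghost such as "Chenn, W." fails to match, which is exactly the spelling problem the text warns about and why an employee-number match is preferred when one exists.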
In this scenario, the employee departs the workplace and the supervisor does not notify human resources of the employee's departure until weeks later. The scenario typically occurs in entry‐level positions or positions that have regular turnover. During the employee absence the supervisor submits the necessary time and attendance reports to cause a payroll payment. The person committing the scenario is typically a department manager, and the employee is receiving a manual check. While the supervisor could submit a change to the employee's bank account, the action seems less likely. If the person committing the scenario is a payroll person, the fraud data analytics should search for a change to bank account close to the termination date.
The first criterion is all employees who have a termination code, because the scenario is a temporary takeover. We then create two homogeneous databases of terminated employees: employees paid with direct deposit and employees paid with a manual check. If the employee is paid with direct deposit, there needs to be a change to the bank account. If the bank account is changed, then the employee is selected for testing. If the employee is paid with a manual check, then there is no further data analytics; the sample selection is based on judgmental criteria. If the time and attendance records are automated, then examine the record to determine who created the record.
In this scenario, the employee departs the workplace and the supervisor does not notify human resources of the employee's departure. The supervisor submits time and attendance reports to cause a payroll payment. The scenario can occur either with a manual check or by causing a change to the direct‐deposit bank account. The key with this scenario is to understand the wage and tax reporting within the country. If the terminated employee is not notified of wage and tax withholding, then this scheme could occur forever. If the employee is in a country where wage and tax reporting is reported to the employee, then concealing the scheme is more difficult but not impossible. This is why country code is important. If the employee is a foreign national and the employee leaves the country on a permanent basis, then wage reporting is not a robust detection control.
The fraud data analytics plan should search for a change to either the employee master file or the net payroll calculation. In the employee master file, the fraud data analytics should search for a change to banking information or the address. In the payroll calculation, the change would be a decrease in withholdings or an increase in the net payroll. The employee's country of residence may also help. Nonresident employees would have a higher likelihood of having their identity assumed because government wage reporting for that person is less critical. If the time and attendance records are automated, then examine the record to determine who created the record.
In this scenario, the employee departs from the workforce and human resources is notified. However, at a later time, someone causes the employee to be reactivated on the payroll. In essence, someone is taking over the identity of the employee.
The first step is to identify all employees who are reactivated. The second step is to determine if there were any changes to banking information or address information. If the time and attendance records are automated, then examine the record to determine who created the record.
In this scenario, a supervisor or payroll causes a payroll payment to occur in the employee's name before the employee actually starts working for the company. The first payment is diverted. The payment is usually associated with a manual check.
While this scheme sounds unlikely, the scheme has occurred. The likelihood depends on the nature of the workforce. The fraud data analytics for the fraud scenario will most likely not be able to identify those employees where this scheme has occurred. Remember, fraud data analytics is not designed for all fraud scenarios. The fraud data analytics for this scenario is the process of comparing the first payment to the second payment and identifying change—that is, change from manual check to direct deposit, change in voluntary deductions from gross payroll.
In this scenario, the employee is a real person and typically in collusion with a manager. The employee has a personal relationship with the manager. The employee is often referred to as a no‐show employee. The employee is typically hired with the intent of being a no‐show employee.
The previous routines are generally not effective because the person is a real person and there is no change. Matching to a security database is the best opportunity to identify the no‐show ghost.
In this scenario, the employee performs no services and the payroll payment is a bribe. This scenario is typically associated with a senior manager who is in a position to override normal internal controls. While the employee is in essence a no‐show employee, the intent of the payroll payment is associated with corruption versus asset misappropriation.
The fraud data analytics will need to search for PEPs (politically exposed persons) as defined by FATF (Financial Action Task Force). There are various government and commercial databases that might be used as the matching database.
Another approach, although more time consuming, is to create a report of all new hires within the scope period, providing start date, gross salary, job title, date job title created or changed, and department code. Create a second report of contracts that link to customers that are considered government customers under the FCPA or other relevant bribery laws. Compare the hire dates to relevant customer contract dates. The sample selection is judgmental based on correlation to start date and customer contract date. The second consideration is job title and department code.
Throughout the years, I have heard that an employee who terminates employment notifies human resources; however, through an error the employee is not removed from the active payroll. The employee continues to receive a regular payroll payment and does not notify payroll of the ongoing error. While the scenario is not a true fraud scenario, I would be remiss in not mentioning the scenario.
The previous routines are generally not effective because the person is real and there is no change. Matching to a security database is the best opportunity to identify the no‐show ghost.
The temporary scenario can occur through a fictitious person or through a real person. The reason I have listed the permutation is that temporary employees tend not to have the same rigid human resource controls because the person is temporary. Oftentimes, the hiring supervisor has a high degree of control, which is what causes the scenario to occur.
The first step is to identify all employees with the temporary employee code. The next step is a summary step as to gross wages and the number of payroll payments. The sample selection will be judgmental. If your company has a large seasonal employment force, the fraud data analytics will need to apply all of the previously described ghost employee schemes to the temporary employee.
This scheme is typically committed by someone in payroll. The person is paid through an override feature, manual check, or poor internal controls.
Create a list of all employees in the payroll register and match the list of employees to the human resources database. The sample selection is all employees in the payroll register but not in the human resources database. A second test reconciles the record count of all active employees to the number of employees listed on the payroll register. It is important to know how employees on leave are listed in human resources; otherwise, the reconciliation procedure will result in a false positive discrepancy.
Overtime fraud is simple; an employee falsifies the number of hours the employee actually works. Most overtime schemes are not complicated; the employee determines that no one is monitoring the hours submitted on a time card. Overtime fraud is a crime of opportunity. To understand the concept of opportunity, the fraud auditor needs to understand the permutations associated with the person committing the fraud scenario:
The initial search for overtime abuse is simple; the fraud data analytics searches for all employees reporting overtime. I would encourage the use of the year‐to‐date summary table as a starting point for total hours. Overtime wages can be earned by both full‐time employees and part‐time employees. Using the specific identification strategy, identify all employees reporting overtime wages. For large databases, I would create two summary databases, employees having overtime and employees that do not have overtime.
The created database should contain employee number, employee name, hire date, total hours reported, gross payroll, overtime wages, and department codes. Summarize the two files by department code as total employees by department having overtime and employees in the same department not having overtime. If your company operates multiple shifts, it may be necessary to summarize by department by shift. The purpose is to identify how prevalent overtime wages are within the company and by department in the company, which is an example of understanding the data report.
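An added example (not from the book) of the two-file overtime planning report described above, run over a constructed year-to-date summary table; the column names and the shift field are assumed.

```python
"""Overtime prevalence report from a constructed year-to-date summary table."""
from collections import defaultdict

# Constructed year-to-date summary rows, one per employee for the scope period.
YTD = [
    {"emp_no": "E001", "name": "Alvarez, Maria", "hire_date": "2019-02-11", "dept": "D10", "shift": 1,
     "total_hours": 2080, "gross": 52000.0, "overtime_wages": 0.0},
    {"emp_no": "E002", "name": "Chen, Wei", "hire_date": "2021-06-01", "dept": "D10", "shift": 1,
     "total_hours": 2340, "gross": 61750.0, "overtime_wages": 9750.0},
    {"emp_no": "E003", "name": "Okafor, Ngozi", "hire_date": "2018-09-17", "dept": "D20", "shift": 2,
     "total_hours": 2600, "gross": 71500.0, "overtime_wages": 19500.0},
    {"emp_no": "E004", "name": "Smith, John", "hire_date": "2022-01-10", "dept": "D20", "shift": 2,
     "total_hours": 2496, "gross": 67600.0, "overtime_wages": 15600.0},
    {"emp_no": "E005", "name": "Park, Jisoo", "hire_date": "2020-03-02", "dept": "D20", "shift": 1,
     "total_hours": 2080, "gross": 52000.0, "overtime_wages": 0.0},
]

# Columns the created databases should carry.
FIELDS = ("emp_no", "name", "hire_date", "total_hours", "gross", "overtime_wages", "dept", "shift")


def _project(row):
    return {f: row[f] for f in FIELDS}


def split_overtime(rows):
    """Specific identification: two files, employees with and without overtime."""
    with_ot = [_project(r) for r in rows if r["overtime_wages"] > 0]
    without_ot = [_project(r) for r in rows if r["overtime_wages"] <= 0]
    return with_ot, without_ot


def prevalence_by_dept(rows, by_shift=False):
    """Summarize by department (optionally by department and shift): head count
    with and without overtime, overtime dollars, and overtime as a share of the
    group's gross payroll. This is the 'understanding the data' report."""
    groups = defaultdict(lambda: {"with_ot": 0, "without_ot": 0, "ot_wages": 0.0, "gross": 0.0})
    for r in rows:
        key = (r["dept"], r["shift"]) if by_shift else r["dept"]
        g = groups[key]
        g["with_ot" if r["overtime_wages"] > 0 else "without_ot"] += 1
        g["ot_wages"] += r["overtime_wages"]
        g["gross"] += r["gross"]
    report = {}
    for key, g in groups.items():
        head = g["with_ot"] + g["without_ot"]
        report[key] = {
            **g,
            "pct_employees_with_ot": round(100.0 * g["with_ot"] / head, 1),
            "pct_gross_is_ot": round(100.0 * g["ot_wages"] / g["gross"], 1),
        }
    return report


if __name__ == "__main__":
    with_ot, without_ot = split_overtime(YTD)
    print(len(with_ot), "employees with overtime,", len(without_ot), "without")
    for key, line in prevalence_by_dept(YTD, by_shift=True).items():
        print(key, line)
```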
The second stage of the fraud data analytics is to search for patterns of abuse. To accomplish this step, the fraud data analytics will need to access either the time record system or the payroll registers. The patterns of overtime that are consistent with overtime fraud to search for are as follows:
As a caveat, the number of overtime hours a person may work might be attributable to personal behavior traits, family issues, or supervisor rules.
There are three categories of payroll adjustment schemes: adjustments to gross pay; adjustments to deductions fields; or adjustments to net payroll. The key to understanding false adjustment schemes is to understand how payroll is calculated within your database system. In the database, there are a series of earning codes for gross payroll. The payroll system automatically calculates the “regular earnings” and the system automatically classifies payroll based on time and attendance records—that is, regular earnings or regular earnings classified as vacation wages for purposes of benefits. However, there are other earnings codes to increase an employee's wages (e.g., bonus payments) or to classify a wage as a benefit (e.g., vacation pay).
In the gross pay false adjustment scenario, an employee receives an adjustment to gross payroll. The employee's supervisor may have initiated the adjustment as a form of disguised compensation, or a payroll person may have recorded the adjustment to receive a kickback. Whatever the motivation for the scheme or the internal control deficiency, the adjustment is easy to find.
In the false adjustment deduction scenario, there are two methods. The first is to enter a contra number in the deduction field, which increases net payroll. The second false adjustment scheme is when a deduction does not occur within the payroll calculation but later is added to the employee's year‐to‐date earnings record through a false transaction. To illustrate, at the time of gross pay and net pay calculation, there are no taxes withheld from the employee's net payroll calculation. Later, an income tax adjustment transaction directly updates the employee's year‐to‐date table by increasing the employee's income tax withheld on the annual wage reporting statement to the government.
In the net payroll false adjustment scenario, the employee's net payroll is increased through an adjustment to net payroll. Many companies will reimburse employees for out‐of‐pocket expenses through payroll versus accounts payable. The indicator of this scheme is a journal posting to a non‐wage account or a reclassification entry transferring the payroll charge to a non‐wage account.
In one investigation, the controller's gross payroll was $60,000 and his net payroll was $120,000. The documentation supporting the adjustment to net payroll was to reimburse the controller for out‐of‐pocket expenses ranging from office supplies to purchase of office equipment.
In the planning stage, the fraud data analytics plan created a report of gross wages by employee by grade. An employee's gross wages exceeding the grade level is the first clue that a false adjustment scheme is occurring.
The first step is to summarize an employee's earnings for the year by the earning codes. The exclusion theory would eliminate all employees with only earning codes of zero or normal earning codes associated with benefits. For the remaining employees, we would summarize by employee by earnings code to provide the gross dollars by earnings code and frequency of occurrence of the earnings code. I would include the employee's grade level in the report. In this way, we could also determine if any of the employees in the test have exceeded their salary range. The sample selection is based on an employee who has a frequency of earnings codes other than normal earnings or a large adjustment to gross payroll.
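The earnings-code summary, exclusion step and salary-range check as an added example over a constructed payroll register (example code written for this page, not the book's); the codes REG, VAC, SICK, ADJ and BON, the grade table and the selection thresholds are assumptions.

```python
"""Earnings-code summary and salary-range test over a constructed register."""
from collections import defaultdict

# Earnings codes that merely classify regular wages for benefit accounting and
# therefore do not by themselves increase gross payroll (assumed code set).
NORMAL_CODES = {"REG", "VAC", "SICK"}
# Constructed salary grades: (minimum, maximum) annual gross.
GRADES = {"G5": (40000.0, 55000.0), "G7": (60000.0, 80000.0)}
EMPLOYEE_GRADE = {"E001": "G5", "E002": "G7", "E003": "G5"}


def constructed_register():
    """26 bi-weekly periods. E001 receives three ADJ lines that push gross above
    the G5 maximum; E003 receives one modest bonus; E002 has regular pay only."""
    reg = []
    for p in range(1, 27):
        reg.append({"emp_no": "E001", "period": p, "code": "VAC" if p == 14 else "REG", "amount": 2000.0})
        reg.append({"emp_no": "E002", "period": p, "code": "REG", "amount": 2800.0})
        reg.append({"emp_no": "E003", "period": p, "code": "REG", "amount": 2000.0})
    for p in (9, 17, 25):
        reg.append({"emp_no": "E001", "period": p, "code": "ADJ", "amount": 2000.0})
    reg.append({"emp_no": "E003", "period": 26, "code": "BON", "amount": 1000.0})
    return reg


def summarize_by_code(register):
    """Per employee and earnings code: gross dollars, frequency, largest line."""
    summary = defaultdict(lambda: defaultdict(lambda: {"dollars": 0.0, "count": 0, "max_line": 0.0}))
    for line in register:
        cell = summary[line["emp_no"]][line["code"]]
        cell["dollars"] += line["amount"]
        cell["count"] += 1
        cell["max_line"] = max(cell["max_line"], line["amount"])
    return summary


def false_adjustment_report(register, min_frequency=2, large_adjustment=5000.0):
    """Exclusion theory first (drop employees carrying only normal codes), then
    report the rest with their grade range and select by frequency of
    non-normal codes, by a single large adjustment, or by exceeding the range."""
    report = []
    for emp_no, codes in summarize_by_code(register).items():
        other = {c: v for c, v in codes.items() if c not in NORMAL_CODES}
        if not other:
            continue  # only normal earnings: excluded from further testing
        grade = EMPLOYEE_GRADE[emp_no]
        _lo, hi = GRADES[grade]
        gross = sum(v["dollars"] for v in codes.values())
        freq = sum(v["count"] for v in other.values())
        largest = max(v["max_line"] for v in other.values())
        reasons = []
        if freq >= min_frequency:
            reasons.append(f"{freq} earnings lines with non-normal codes")
        if largest >= large_adjustment:
            reasons.append(f"single adjustment of {largest:.2f}")
        if gross > hi:
            reasons.append(f"gross {gross:.2f} exceeds {grade} maximum {hi:.2f}")
        report.append({
            "emp_no": emp_no, "grade": grade, "gross": gross,
            "other_codes": {c: dict(v) for c, v in other.items()},
            "exceeds_range": gross > hi, "selected": bool(reasons), "reasons": reasons,
        })
    return report


if __name__ == "__main__":
    for row in false_adjustment_report(constructed_register()):
        print(row["emp_no"], row["grade"], row["gross"], row["reasons"])
```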
The contra entry test is simply the process of searching for a contra entry in the employee's earnings record. The contra entry is a negative number in a field where all deductions should be positive numbers. By entering a negative number, gross pay less deductions actually increases net payroll. Once the contra entry is identified, summarize the dollar impact and the frequency of occurrence.
The fraud data analytics will require two sets of data. The first data set is the payroll registers for the calendar year. The second data set is the internal database table used for wage reporting to the government. Using the payroll registers, the fraud data analytics would calculate the annual earnings record from the payroll registers. Then the recomputed earnings record would be compared to the summary table used for government earnings reporting. The sample selection would be all employees where there is a difference between recomputed table and the internal table of annual earnings.
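The contra-entry test and the year-to-date recomputation as one added example over a constructed register and reporting table (example code, not from the book); the deduction codes FIT, FICA and 401K and the table layout are assumed.

```python
"""Contra-entry test and year-to-date earnings recomputation."""
from collections import defaultdict

# Constructed payroll register: one line per employee per pay period. Every
# deduction amount should be positive; E003 period 1 carries a contra entry.
REGISTER = [
    {"emp_no": "E001", "period": 1, "gross": 2000.0, "deductions": {"FIT": 300.0, "FICA": 153.0, "401K": 100.0}},
    {"emp_no": "E001", "period": 2, "gross": 2000.0, "deductions": {"FIT": 300.0, "FICA": 153.0, "401K": 100.0}},
    {"emp_no": "E002", "period": 1, "gross": 2800.0, "deductions": {"FIT": 0.0, "FICA": 214.2, "401K": 0.0}},
    {"emp_no": "E002", "period": 2, "gross": 2800.0, "deductions": {"FIT": 0.0, "FICA": 214.2, "401K": 0.0}},
    {"emp_no": "E003", "period": 1, "gross": 2000.0, "deductions": {"FIT": 300.0, "FICA": 153.0, "401K": -250.0}},
    {"emp_no": "E003", "period": 2, "gross": 2000.0, "deductions": {"FIT": 300.0, "FICA": 153.0, "401K": 100.0}},
]

# Constructed year-to-date table used for government wage reporting. For E002
# the income tax withheld was raised by a direct adjustment transaction that
# never ran through a payroll calculation, so net is unchanged but FIT is not.
YTD_TABLE = {
    "E001": {"gross": 4000.0, "FIT": 600.0, "FICA": 306.0, "401K": 200.0, "net": 2894.0},
    "E002": {"gross": 5600.0, "FIT": 840.0, "FICA": 428.4, "401K": 0.0, "net": 5171.6},
    "E003": {"gross": 4000.0, "FIT": 600.0, "FICA": 306.0, "401K": -150.0, "net": 3244.0},
}


def contra_entries(register):
    """Every negative amount in a deduction field, with its period and code."""
    return [(r["emp_no"], r["period"], code, amt)
            for r in register for code, amt in r["deductions"].items() if amt < 0]


def contra_summary(register):
    """Per employee: frequency of contra entries and the resulting increase in
    net payroll (a negative deduction adds to net)."""
    summary = defaultdict(lambda: {"count": 0, "net_increase": 0.0})
    for emp_no, _period, _code, amt in contra_entries(register):
        summary[emp_no]["count"] += 1
        summary[emp_no]["net_increase"] += -amt
    return dict(summary)


def recompute_ytd(register):
    """Annual earnings record rebuilt from the registers: gross, each deduction
    code, and net = gross minus all deductions."""
    ytd = defaultdict(lambda: defaultdict(float))
    for r in register:
        rec = ytd[r["emp_no"]]
        rec["gross"] += r["gross"]
        for code, amt in r["deductions"].items():
            rec[code] += amt
    for rec in ytd.values():
        rec["net"] = rec["gross"] - sum(v for k, v in rec.items() if k != "gross")
    return {emp: dict(rec) for emp, rec in ytd.items()}


def ytd_differences(register, reporting_table, tolerance=0.005):
    """Sample selection: employees whose recomputed record differs from the
    reporting table in any field; returns emp_no -> {field: (recomputed, reported)}."""
    diffs = {}
    recomputed = recompute_ytd(register)
    for emp_no, reported in reporting_table.items():
        rec = recomputed.get(emp_no, {})
        fields = set(rec) | set(reported)
        bad = {f: (rec.get(f, 0.0), reported.get(f, 0.0)) for f in fields
               if abs(rec.get(f, 0.0) - reported.get(f, 0.0)) > tolerance}
        if bad:
            diffs[emp_no] = bad
    return diffs


if __name__ == "__main__":
    print("contra entries:", contra_entries(REGISTER))
    print("contra summary:", contra_summary(REGISTER))
    print("YTD differences:", ytd_differences(REGISTER, YTD_TABLE))
```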
The approach could also search for manual adjustments to an employee's year‐to‐date earnings records. If there are only a few employees with manual adjustments, the fraud auditor would review the employee's earnings records through the online system. If the number of manual adjustments is high, then it may be necessary to calculate the net payroll for those employees with manual adjustments.
The planning report comparing gross payroll to net payroll is the first report that will flag abuse in this area. A second planning report is to summarize journal entries originating from the payroll system. The predictability factor would be the dollar value of debits to general ledger accounts other than wages. Yes, the initial posting could be a debit to wages with a subsequent reclassification journal entry.
There are many reasons why an employee may receive a manual payroll payment versus an automated payroll payment ranging from bonuses to final payment resulting from termination of employment. The planning report that counts the number of payments should highlight this fraud scenario. Care must be taken to ensure the summary report captures all payroll payments. Questions to ask are:
The fraud data analytics approach will depend on the answers to the previous questions. One approach is the frequency of payroll payments by employee. A second report should search for journal entries originating from a payroll payment to a nonsalary general ledger account. A third report would search for the control number sequence associated with the manual payroll payments. The reports described in the false adjustment section may also highlight the scenario.
Another category is the search for payroll payments after the termination date. The scenario would need to identify whether the employee or payroll is complicit in the payment. If the employee is not complicit and is paid with direct deposit, then we would search for a change to bank accounts. The scenario is easier to commit when the employee receives a paper check.
The fraud data analytics creates a file of all terminated employees through the termination date. The terminated employee file would then be used to search for all payroll payments to an employee in the terminated employee file. The termination date is compared to the payroll register, for both automated and manual payments; the resulting report should identify the frequency and dollar value of all payments after the termination date. The sample selection is based on the answers to the manual payroll payment questions. So, if it is normal for an employee to receive one final payroll payment after the termination date, then a frequency of two or more would be the sample selection criterion. A second criterion would be the dollar value of the final payments.
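An added example (not from the book) combining the termination-date comparison above with the bank-account change test from the temporary takeover scenario, run over a constructed terminated-employee file, register and master change log; the normal count of one final payment, the $2,000 dollar criterion and the 30-day window are assumed judgmental parameters.

```python
"""Payments after termination date plus the bank-account change test."""
from datetime import date

# Constructed terminated-employee file for the scope period.
TERMINATED = [
    {"emp_no": "E001", "term_date": date(2024, 3, 15), "pay_method": "direct_deposit"},
    {"emp_no": "E002", "term_date": date(2024, 5, 31), "pay_method": "manual_check"},
    {"emp_no": "E003", "term_date": date(2024, 7, 12), "pay_method": "direct_deposit"},
    {"emp_no": "E004", "term_date": date(2024, 9, 6), "pay_method": "manual_check"},
]

# Constructed payroll register lines, automated and manual, for those
# employees. E001 shows the normal single final payment.
REGISTER = [
    {"emp_no": "E001", "pay_date": date(2024, 3, 29), "amount": 1850.0, "type": "auto"},
    {"emp_no": "E002", "pay_date": date(2024, 6, 14), "amount": 1400.0, "type": "manual"},
    {"emp_no": "E002", "pay_date": date(2024, 6, 28), "amount": 1400.0, "type": "manual"},
    {"emp_no": "E002", "pay_date": date(2024, 7, 12), "amount": 1400.0, "type": "manual"},
    {"emp_no": "E003", "pay_date": date(2024, 7, 26), "amount": 2100.0, "type": "auto"},
    {"emp_no": "E003", "pay_date": date(2024, 8, 9), "amount": 2100.0, "type": "auto"},
    {"emp_no": "E004", "pay_date": date(2024, 9, 20), "amount": 4500.0, "type": "manual"},
]

# Constructed employee master change log (who changed which field, and when).
CHANGE_LOG = [
    {"emp_no": "E001", "field": "address", "change_date": date(2024, 2, 1), "user_id": "HR1"},
    {"emp_no": "E003", "field": "bank_acct", "change_date": date(2024, 7, 15), "user_id": "PAYCLERK2"},
]


def payments_after_termination(terminated, register):
    """Frequency and dollar value of all payments dated after termination,
    automated and manual, per terminated employee."""
    out = {}
    for t in terminated:
        after = [r for r in register
                 if r["emp_no"] == t["emp_no"] and r["pay_date"] > t["term_date"]]
        out[t["emp_no"]] = {
            "count": len(after),
            "dollars": sum(r["amount"] for r in after),
            "manual": sum(1 for r in after if r["type"] == "manual"),
        }
    return out


def bank_changes_near_termination(terminated, change_log, window_days=30):
    """Direct-deposit takeover indicator: a bank account change within the
    window around the termination date. Returns emp_no -> change record."""
    hits = {}
    for t in terminated:
        if t["pay_method"] != "direct_deposit":
            continue
        for c in change_log:
            if (c["emp_no"] == t["emp_no"] and c["field"] == "bank_acct"
                    and abs((c["change_date"] - t["term_date"]).days) <= window_days):
                hits[t["emp_no"]] = c
    return hits


def select_sample(terminated, register, change_log,
                  normal_final_payments=1, large_final=2000.0, window_days=30):
    """Sample selection: more post-termination payments than the company's
    normal final payment count, a large total of final payments, or a bank
    account change close to the termination date."""
    after = payments_after_termination(terminated, register)
    bank = bank_changes_near_termination(terminated, change_log, window_days)
    selected = []
    for t in terminated:
        emp = t["emp_no"]
        stats = after[emp]
        reasons = []
        if stats["count"] > normal_final_payments:
            reasons.append(f"{stats['count']} payments after termination")
        if stats["dollars"] >= large_final:
            reasons.append(f"final payments total {stats['dollars']:.2f}")
        if emp in bank:
            c = bank[emp]
            reasons.append(f"bank account changed {c['change_date']} by {c['user_id']}")
        if reasons:
            selected.append({"emp_no": emp, "pay_method": t["pay_method"], **stats, "reasons": reasons})
    return selected


if __name__ == "__main__":
    for row in select_sample(TERMINATED, REGISTER, CHANGE_LOG):
        print(row["emp_no"], row["pay_method"], row["count"], row["dollars"], row["reasons"])
```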
Employees paid based on performance can be motivated or can rationalize their behavior to falsely increase their performance. A manager may assist the employee through a disguised compensation scheme or to receive a kickback from the employee. The key to building a fraud data analytics plan is to first read and understand the performance criteria plan. The fraud auditor should then identify the methods that an employee could falsify their performance statistics. The most common techniques are to:
Believe it or not, sometimes employees do not pick up their final payroll check. The scenario occurs because the final payroll check is provided to someone, either human resources or an operations manager. At some point, the person holding the check falsely negotiates the check.
Employees are often entitled to final paycheck for reasons other than hours worked (i.e., unused vacation pay). Believe it or not, employees are not always aware they are entitled to a final payroll payment. How the scenario occurs in your company will depend on your organizational structure. The scenario can occur through a direct deposit, if payroll changes the bank account number either on a temporary basis or final basis. The scenario can occur through the theft of a manual check and false negotiation.
Using the speed of payment test, compare the payment date to the bank clearing date. Since payroll checks are usually negotiated quickly, the speed of payment testing is actually searching for checks that are not negotiated quickly.
Fraud in payroll happens in large companies and small companies. While the traditional ghost employee seems to be the popular fraud scenario to discuss, the ghost schemes involving noncomplicit real persons are more likely scenarios. Overtime fraud most likely occurs in companies that have a base of hourly employees. False adjustment schemes as a form of disguised compensation occur with a greater frequency than fraud statistics would suggest.
In one fraud data analytics project, we identified an employee who was receiving an additional $200 per week in net payroll. When the employee's supervisor was questioned, not only did he admit it was false but he justified his actions as the best way to keep a good employee. Rationalization of events in payroll fraud scenarios by employees and supervisors should be expected by the fraud auditor.
If you have a limited time budget, what are the three fraud data analytics tests the fraud auditor should perform, and why should the fraud auditor perform the analysis?