PAYROLL/HUMAN RESOURCES OPERATIONAL REVIEW AUDIT PROGRAM
Contributed December 23, 2002 by Phyllis Patrick
Area of Review:
ABC Health System (5 Hospitals, Medical School)
Ent. Conf:
Nature of Review:
Operational Review of Payroll/Human Resources Related Functions
Auditors:
Fldwrk Begin: Fldwk End:
Director: Managers:
DESCRIPTION OF AUDIT PROCEDURES

A. GENERAL/ADMINISTRATIVE ITEMS
1. Review the most recent Audit Services report issued, if applicable.
2. Document the minutes of the Entrance Conference meeting.
3. Obtain a department Table of Organization. If a formal document is not available, create one from interviews with administrative/management staff.
4. Document our understanding of payroll procedures through interviews with departmental management.
5. Determine how many FTEs are involved in the H/R and Payroll function. Obtain organizational chart.
6. Obtain copies of departmental Policies and Procedures, if available.
7. Determine how many employees are paid through payroll.
8. Determine what reports are used by departments for monitoring payroll.

B. DATA ANALYSIS PLANNING, ACQUISITION, and INTEGRITY
1. Identify both the business and technical objectives of the review and determine what data is needed to meet those objectives.
2. Determine the data owner(s). Meet all security and confidentiality requirements of the data owners for access to and use of the data.
3. In consultation with the data owners and/or IT, determine:
   (a) the source of the data (e.g., mainframe, minicomputer, PC) and the best way to acquire the data;
   (b) which files, fields, and records will be needed;
   (c) how the data analysis fits with the business process flow of the operations.
4. Become familiar with available standard reports and technical manuals, as appropriate, for the area under review.
5. Request preliminary data and table samples (min. 100 records) in order to conduct high level analysis, refine data requirements, and test before working with entire file.
6. Prepare a formal, written request for the data needed to complete the review (use Sample Letter format in Audit Services Policies and Procedures, Section 2-11, Review Preparation). Specify: source of data and required fields; time period (e.g., Calendar Year 2001, etc.); storage format; data format (request flat file); control totals (number of records and numeric field totals); record layout information (field names, field start positions, field lengths, field types, field descriptions).
7. Submit request to data owner(s), with copy to IT staff who will prepare the data.
8. Using ACL software, create Input File Definitions for the review data.
9. Conduct data integrity tests (e.g., assure that files are the correct ones for the time period specified). Run the Verify command in ACL to ensure there is no corrupt data and to test the field definitions. Compare ACL view with the printed sample files received earlier. Document results.
10. Develop an understanding of the data by using ACL commands, e.g., Count, Total, Statistics, Stratify, Classify. Document results.
11. Use ACL commands and functions to analyze the data and develop results consistent with the audit objectives. Use Command Log, Project Notes, and view notes to document the work performed.
12. Conclude data analysis phase by:
   (a) confirming findings with those who can verify them;
   (b) trying to find reasons for anomalies;
   (c) discussing findings with team members and data owners;
   (d) conducting follow-up analyses as required;
   (e) documenting findings and incorporating in the report.

C. FIELD WORK

I. Field Work - New Hires
1. Review HR report (new hire report) and randomly select x new hires/entity.
5/30/02 Last Update 12/23/2002
W/P Ref.
COMPLETED BY
2. Note important information on a spreadsheet (i.e. name, SS#, pay rate). Identify and define all fields available.
3. Trace information to supporting documentation in the employee files and on-line system to ensure accuracy.
4. Test the following attributes:
   - New hire approved by appropriate management levels.
   - HR initiated addition of new hire to payroll in a timely manner.
   - Payroll added new hire to payroll register in a timely manner.
   - Ensure that key dates/steps within the process are documented to evaluate timeliness and identify bottlenecks.
5. Analyze the information relating to step 4 and determine why the process is not working properly and what recommendations would improve the process.
6. Note all exceptions and assess with manager the potential need for further testing/increased sample size.
7. Determine the level of knowledge sharing and collaboration between employees in both the HR and Payroll Departments.

II. Field Work - Terminations/Deletions from Payroll
1. Document our understanding of procedures for deleting employees from active payroll.
2. Review HR report (most recent payroll register) and randomly select x terminated employees.
3. Test the following attributes:
   - Termination requested/approved by appropriate management levels.
   - HR or employee initiated termination.
   - Termination of employee occurred on-line on the same date as listed in the personnel file.
   - Using the payroll register data file, confirm that no payments subsequent to termination date were issued to the employee.
4. Analyze the information relating to step 3 and determine why the process is not working properly and what recommendations would improve the process.
5. Note all exceptions and assess with manager the potential need for further testing/increased sample size.
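
The control-total check from Section B (steps 6 and 9) and the payments-after-termination test from step 3 above, as an added example that is not part of the original audit program. It uses Python rather than ACL; the record layout, sample register, control totals and termination list are constructed for illustration.

```python
from datetime import date, datetime
from decimal import Decimal

# Constructed record layout: (field name, start position, length).
LAYOUT = [("emp_id", 0, 6), ("pay_date", 6, 8), ("net_pay", 14, 10)]
# Constructed fixed-width payroll register and the control totals sent with it.
REGISTER = (
    "E0000120020315   1250.00\n"
    "E0000220020315    980.50\n"
    "E0000220020415    980.50\n"
    "E0000320020415   2100.00\n"
)
CONTROL = {"records": 4, "net_pay_total": Decimal("5311.00")}
# Constructed HR termination list: employee id -> termination date.
TERMINATIONS = {"E00002": date(2002, 3, 31)}

def parse_register(text, layout=LAYOUT):
    """Parse fixed-width lines; reject lines that do not fit the layout."""
    width = max(start + length for _, start, length in layout)
    rows = []
    for n, line in enumerate(text.splitlines(), 1):
        if len(line) != width:
            raise ValueError(f"line {n}: expected {width} chars, got {len(line)}")
        rec = {name: line[s:s + l].strip() for name, s, l in layout}
        rec["pay_date"] = datetime.strptime(rec["pay_date"], "%Y%m%d").date()
        rec["net_pay"] = Decimal(rec["net_pay"])
        rows.append(rec)
    return rows

def check_control_totals(rows, control):
    """Return mismatches between the file and the supplied control totals."""
    problems = []
    if len(rows) != control["records"]:
        problems.append(f"record count {len(rows)} != {control['records']}")
    total = sum((r["net_pay"] for r in rows), Decimal("0"))
    if total != control["net_pay_total"]:
        problems.append(f"net_pay total {total} != {control['net_pay_total']}")
    return problems

def payments_after_termination(rows, terminations):
    """Return rows paid after the employee's HR termination date."""
    return [r for r in rows if r["emp_id"] in terminations
            and r["pay_date"] > terminations[r["emp_id"]]]

if __name__ == "__main__":
    rows = parse_register(REGISTER)
    print(check_control_totals(rows, CONTROL) or "control totals agree")
    for r in payments_after_termination(rows, TERMINATIONS):
        print("exception:", r["emp_id"], r["pay_date"], r["net_pay"])
```

A flagged row is an exception to trace to the personnel file, since a final paycheck can legitimately post after the termination date.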

III. Field Work - Current/Existing Employees/Overtime Analysis
1. Document our understanding of controls in place to review the number and dollar amount of checks cut prior to distribution.
2. Document our understanding of the Paid Time Off (PTO) policy.
3. Review HR report (most recent payroll register) and randomly select x current employees.
   - Name, SSN, Rate of Pay, exempt/non-exempt status (if applicable), status (FT or PT), accrued vacation and sick time. Trace this information to supporting documentation in the personnel file.
   - Ensure that all information is current and correct.
   - Ensure vacation and sick time accruals are accurate according to company policy.
   - For these employees, obtain the timesheet and recalculate regular and overtime pay to ensure compliance with organizational guidelines.
   - Determine who authorizes timesheets and signature approval requirements.
4. Review overall overtime (OT) utilization and OT trends for the total employee population for each hospital, noting departmental usage/individual hours and rankings.
   - Review and understand OT procedures for union employees.
   - Perform OT analysis of manual time entries.
5. Analyze the information relating to steps 3 and 4 and determine why the process is not working properly and what recommendations would improve the process.
6. Note all exceptions and assess with manager the potential need for further testing/increased sample size.
7. Test a sample of 1099's to review supporting documentation for independent consultants who were employees prior to layoffs.

IV. Field Work - Pay Rate Changes
1. Document our understanding of policies and procedures for the initiation and execution of Pay Rate changes. Check to see if pay rate changes are supported by the documentation and in accordance with institutional policy.
2. Select x employees receiving a pay rate change and agree to applicable HR information. Verify the following attributes:
   - Appropriate level of management approved the rate change.
   - Subsequent disbursements occurred at the new rate.
   - Documentation supporting rate change is on file in HR.
3. Analyze the information relating to step 2 and determine why the process is not working properly and what recommendations would improve the process.
4. Note all exceptions and assess with manager the potential need for further testing/increased sample size.

V. Field Work - Manual Checks
1. Understand the policy and procedure for issuing manual checks (should be uncommon for regular pay employees; if not, determine why and suggest solutions to improve controls).
2. Obtain the Payroll manual check log.
3. Select x manual checks generated and recalculate using the employee's on-line rate of pay, withholdings and benefits. Ensure that manual checks are adequately supported by appropriate documentation and consistent with policy.
4. Review manual check activity noting the following:
   - Number of checks issued is reasonable.
   - Proper documentation is included with the manual check.
   - Review the manual check logs for any large and unusual disbursements. Test as appropriate.
   - Maintenance of the check logs, reconciliation procedure, physical security.

VI. Field Work - Complete/Accurate Recording of Payroll in GL Reconciliation (Time Permitting)
1. Speak with E&Y regarding their testwork in this area to avoid duplication of efforts.
2. Pending authorization from external auditors, review external audit w/p documentation to gain an understanding of the reconciliation procedures.
3. Update our understanding of procedures used for the recording of payroll activity in the G/L. Consider the method used to allocate department level payroll data to the appropriate G/L code.
4. Update our understanding of procedures used for the reconciliation of Payroll activity per the Payroll register to the GL.
5. Review the reconciliation of the Payroll register to the GL and test to ensure it is performed routinely. (We should not perform a reconciliation.)

VII. Field Work - Physical Security
1. Ensure checks are locked in a secure area.
2. Note procedure regarding access to the area.
3. Are computers turned off at the end of the day?
4. When a computing resource is used by more than one individual, are users required to exit from applications accessed via their personal userID and password before leaving the workstation?
5. Are users required to shut down their workstation at the end of the shift (unless it is being used in a continuing business process, e.g., batch processing)?

D. SYSTEM ACCESS/SECURITY
1. Are there written control policies and procedures that govern access to payroll and HR databases and provide for regular, ongoing review of system access?
2. Is a comprehensive list of systems access by employee maintained and reviewed periodically (e.g., quarterly) for appropriateness by management and IT?
3. Does management approve specific written standards regarding categories of jobs/employees who are granted permission to access various types of information in the system, with appropriate segregation of duties and access limited to "need to know" to perform job functions?
4. Are password management procedures adequate to assure that authentication, changing of passwords, and best practices are in place?

E. EMPLOYEE SURVEY - DISTRIBUTION AND ANALYSIS

F. ADDITIONAL AREAS
Perform any testing deemed necessary in areas that arise during the review that warrant attention.

G. FINAL
Discuss preliminary findings with client. Obtain management response and possible action plans.