Payroll and IT Issue 1288



  • I have just been informed that a person involved with IT cannot have anything to do with the payroll for a company. Our payroll is done w/a large firm over the internet 8O
    What does IT have to do with the payroll?



    1. Check your source. ‘A person involved with IT cannot have anything to do with the payroll’ - that seems a little bit too restrictive to me.
    2. What kind of involvement does your IT person need to have with payroll, and WHY?


  • Employee started out as a bookkeeper many years ago, and kept certain duties involved with that, but also took on their network systems, and now is being told that he can’t do both under 404



  • Could he potentially change salaries or issue off cycle checks to himself or other employees? Would he be able to create ‘fake’ employees? It seems like this is an example of where segregation of duties is a must.



  • It depends on what particular IT duties he/she performs. If he/she is a system administrator for a totally unrelated software (e.g. inventory management system), then it’s fine. But in case he/she can possibly alter payroll data transmitted to/from your payroll outsourcer, then you’ve got an issue. And pretty often this would be the case. For example,

    1. He/she administers user IDs/passwords for the company’s network -> can create access for himself/herself to HR data;
    2. He/she has access to the data interface between the company’s HR and your payroll outsourcer;
    3. He/she has access to the server where your company’s payroll data is stored.

    The possibilities are many, so I agree that you need to think seven times prior to allowing a person to combine their IT responsibilities with payroll responsibilities. Again, this would be acceptable only if their IT responsibilities are limited to some other system totally unrelated to payroll.


  • A Segregation of Duties Matrix is available at:
    auditnet.org/docs/Segregation of duties.xls
    The spreadsheet has a tab for Payroll - Human Resources, and provides basic activities that should be segregated for adequate internal control.
    Regards,
    Milan
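The conflicts listed in the earlier post (network account administration, access to the outsourcer interface, access to the payroll server) and the Payroll - Human Resources tab of a segregation-of-duties matrix both boil down to a table of entitlement pairs that one person must not hold at the same time. The script below is an added example, not code from this thread or from auditnet.org: it encodes such a conflict table and runs it over a set of user-to-entitlement assignments, flagging the bookkeeper-turned-network-admin case while leaving an administrator of an unrelated system (inventory) alone. The entitlement names, the rule reasons and the sample users are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over user entitlements.

Added example for this thread; not any product's or auditnet.org's code.
Entitlement labels, conflict rules and sample users are constructed here.
"""
from dataclasses import dataclass
from itertools import combinations

# --- Entitlement labels (assumed names, not real product roles) ---
IT_ACCOUNT_ADMIN = "it.account_admin"          # administers network user IDs/passwords
IT_PAYROLL_SERVER = "it.payroll_server_admin"  # admin on the server holding payroll data
IT_PAYROLL_INTERFACE = "it.payroll_interface"  # access to the HR <-> outsourcer data feed
IT_OS_PATCHING = "it.os_patching"              # hardware/OS maintenance only, no app access
IT_INVENTORY_ADMIN = "it.inventory_admin"      # unrelated system; acceptable per the thread
PAY_MAINTAIN_MASTER = "payroll.maintain_employee_master"
PAY_ENTER_DATA = "payroll.enter_pay_data"
PAY_APPROVE_RUN = "payroll.approve_run"
PAY_ISSUE_CHECKS = "payroll.issue_off_cycle_checks"

PAYROLL_APP = {PAY_MAINTAIN_MASTER, PAY_ENTER_DATA, PAY_APPROVE_RUN, PAY_ISSUE_CHECKS}
# IT duties that could alter payroll data or grant the holder access to it.
IT_PAYROLL_ADJACENT = {IT_ACCOUNT_ADMIN, IT_PAYROLL_SERVER, IT_PAYROLL_INTERFACE}


@dataclass(frozen=True)
class Conflict:
    user: str
    left: str
    right: str
    reason: str


def build_rules() -> dict[frozenset, str]:
    """Conflict matrix: an unordered pair of entitlements -> why it is a conflict."""
    rules: dict[frozenset, str] = {}
    # Any payroll-adjacent IT duty conflicts with any payroll application duty.
    for it_duty in IT_PAYROLL_ADJACENT:
        for pay_duty in PAYROLL_APP:
            rules[frozenset((it_duty, pay_duty))] = (
                "IT duty could alter payroll data or grant self access to it")
    # Maker/checker splits inside the payroll application itself.
    rules[frozenset((PAY_MAINTAIN_MASTER, PAY_APPROVE_RUN))] = "could add a fake employee and approve pay"
    rules[frozenset((PAY_ENTER_DATA, PAY_APPROVE_RUN))] = "could enter and approve own changes"
    rules[frozenset((PAY_MAINTAIN_MASTER, PAY_ISSUE_CHECKS))] = "could add a payee and pay them"
    rules[frozenset((PAY_APPROVE_RUN, PAY_ISSUE_CHECKS))] = "could approve and cut checks alone"
    return rules


RULES = build_rules()


def find_conflicts(assignments: dict[str, set[str]],
                   rules: dict[frozenset, str] = RULES) -> list[Conflict]:
    """Return every conflicting entitlement pair held by a single user."""
    found: list[Conflict] = []
    for user, entitlements in assignments.items():
        for left, right in combinations(sorted(entitlements), 2):
            reason = rules.get(frozenset((left, right)))
            if reason is not None:
                found.append(Conflict(user, left, right, reason))
    return found


def users_with_conflicts(assignments: dict[str, set[str]]) -> set[str]:
    """Just the user names that need their duties split."""
    return {c.user for c in find_conflicts(assignments)}


# Constructed sample: the thread's bookkeeper who also runs the network,
# plus colleagues whose IT duties do not touch payroll.
SAMPLE_ASSIGNMENTS: dict[str, set[str]] = {
    "bookkeeper_admin": {IT_ACCOUNT_ADMIN, PAY_MAINTAIN_MASTER, PAY_ISSUE_CHECKS},
    "inventory_admin": {IT_INVENTORY_ADMIN, PAY_ENTER_DATA},
    "patcher": {IT_OS_PATCHING},
    "approver": {PAY_APPROVE_RUN},
}

if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_ASSIGNMENTS):
        print(f"{c.user}: {c.left} + {c.right} -> {c.reason}")
```

Running it reports three conflicts, all for `bookkeeper_admin` (account administration combined with each payroll duty, plus the master-maintenance/check-issuing pair), and nothing for the inventory administrator or the OS patcher; that matches the thread's distinction between IT duties on an unrelated system or at the infrastructure layer and IT duties that reach payroll data. In practice the assignments dict would be fed from an export of the directory and the payroll application's user list, and the rule table from the SoD matrix tab.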



  • A Segregation of Duties Matrix is available at:
    auditnet.org/docs/Segregation of duties.xls
    Thanks for sharing, as this is a good planning document 🙂



  • Another good planning tool is to take a look at the SAS-70 report from the payroll provider. If it’s ADP, for example, they will have one. Take a look at the ‘user organization control considerations’ or ‘client control considerations’ that are typically outlined in section II (Description of Controls) of a SAS-70 and make sure you are meeting those requirements.
    Finance/accounting departments typically restrict IT access to their payroll and treasury applications. The drawback, however, is that these systems are no longer being managed by IT professionals under the same IT general control processes established for other SOX systems. Therefore, it is incumbent upon finance/accounting to maintain appropriate IT general control processes of their own. That can be challenging since IT is not their day job.
    Many payroll / treasury applications run on dedicated PCs and are web based. To take advantage of company wide IT general control processes, IT can be granted limited access to maintain hardware, apply patches, upgrade the OS, etc. However, they would not be granted access to the applications for reasons described in other posts. Under this scenario, these applications can take advantage of entity change control/configuration management processes, and the accounting / finance department only has to worry about managing logical access to these applications (that’s usually not too difficult given the limited number of user accounts on most payroll / treasury applications).
    Ed

