Terminations - SOX issue or not?

  • Say an employee is terminated from the company, but because the company’s termination process is screwed up, the company continues to pay the employee after his/her departure. Is this considered a SOX issue?
    I guess my question is how does it materially impact the financials? Wouldn’t the company continue to Dr. Expense and Cr. Cash on the employee? Would this problem be more of an operational control issue?

  • Is paying salaries to terminated employees who should no longer get those salaries a SOX issue in general?
    YES, definitely since the salary payments impact the payroll expense and cash and probably social security expenses in the financial statements.
    The question whether it is a material weakness in internal control over financial reporting, only a significant deficiency or just an ordinary control deficiency depends on the nature and the potential monetary magnitude of the impact on the consolidated financial statements.
    What is the nature of the problem? Is it fraud because a payroll clerk is in collusion with terminated employees to continue to pay them salaries or because the payroll clerk continues to pay salaries to terminated employees but changed their bank account details to a bank account controlled by him or her? Or are we just talking about errors, because the information that somebody gets terminated is never passed on to payroll or because they forget to do the changes in the payroll system or other reasons?
    Are the problems with the controls only at a specific subsidiary of the group or only related to one specific payroll clerk? In order to determine the maximum monetary impact of the control deficiency, you would then need to look at the total annual salary payments including social security expenses that are processed by this subsidiary or this payroll clerk and only count the average annual terminated employees if you assume that worst case all of them had been forgotten.
    Doing an audit of terminated employees and checking for how many of them they continued to pay salaries will show whether it was a one time slip (just forgot something) or whether the issue is related to a deficiency in the process, controls or the employee doing the work.

  • Another issue to consider regarding terminated employees is system access. If a terminated employee is still receiving paychecks, one must also assume that his I.T. privileges such as ERP access and email are still intact. If so, and if the terminated employee has access to sensitive material on the company’s ERP, then THAT is the real SOX issue.
    A paycheck accidentally sent to a terminated employee may just be a symptom of more widespread I.T./GCC control deficiencies.

  • Yes, I also agree with both of these 2 good replies. The extra actual salaries paid might not appear as a material risk. However, if HR doesn’t have this well controlled then there is the ‘potential’ for significant IT risks (SOX 404) and even the extra $$$ can add up over time, when you include benefits, SSN payments, etc.
    COBIT 4 is often used by many SOX external auditors … In section PO-7, employee terminations are defined as a control point, esp. PO-7.8
    Free copy of COBIT 4 available
    I believe that SOX Auditors would write these up as a point of recommendation when they evaluate controls in affirming SOX compliancy to senior management. This same need also applies to General Controls, SAS-70, and other applicable audits as well.
    Finally in working with auditors for over 30 years – when they find a basic control like this missing, a ‘fishing expedition’ 😉 may begin, as a control weakness like this might lower their confidence that audit exposures are well controlled.

  • Agree with much of what has been said before.

    1. This is definitely a control deficiency
    2. Payroll is normally an in-scope process for most organisations
      Do we actually have misstated financial reporting? If we properly account for the erroneous payment it doesn’t necessarily have an ICFR impact. Furthermore, in most organisations the scope of the deficiency is unlikely to be material enough to represent a significant or material weakness i.e. if enough departing employees were failing to be removed from the payroll to be material to the financial reporting one would hope that other detective controls would come into play.
      To me the bigger risk here is operational/commercial i.e. money is going out of the door which shouldn’t and the organisation’s ability to recover it may or may not be questionable. Here the value in control is not around SOX compliance but in supporting financial performance.
