SOX Compliance Can Transform Payroll Management
Finch presents an example of a SOX matrix for an HR/payroll process by which people are hired, paid, fired, given benefits, etc. A SOX subprocess could be “payroll calculation,” and the objective of the subprocess is that people are receiving the correct payment for work they actually performed. Risks in this area could include “buddy punching” or unauthorized work or wrong salary information entered into the system. Controls a business owner might want to introduce could be the use of hand scanners to identify hourly employees, timesheet software that records authorized hours and separation of duties for salary entry vs. job entry.
But Finch argues that the HR professional on the executive team must view his or her responsibility as extending beyond the SOX compliance for payroll data entry to other business functions that depend on time tracking data. When SOX efforts lead a company to consider an upgrade in payroll systems, he says, the payroll professional should consider one that helps in all business processes.
Most large companies have outsourced the repetitive tasks related to payroll processing, and according to William Laurent, writing in DMReview.com, these companies need to consider SOX requirements in the relationship ensure that their vendors:
- Satisfy all current regulatory and compliance requirements that may affect the relevant business spheres of a client and specifically the business areas that drive the processes and functions being outsourced.
- Have in place appropriate internal governance controls and policies.
Executive audit committees, Laurent says, are finally beginning to understand their responsibilities in IT governance as it relates to outsourced vendor management and outsource service procurement.
“The current vigorous regulatory environment, coupled with rapidly changing technology and business landscapes, demands that executives fully weigh their potential downsides and risks of each outsourcing services relationship before jumping to outsource critical business functions,” Laurent cautions, according to DMReview.com.
E-filing can help smaller companies that depend on payroll services companies to manage their vendor risks. Mr. Robert McCampbell, the United States attorney in Oklahoma City, suggests that payroll service clients get a copy of Form 941, the form filed by most businesses when they pay quarterly payroll taxes, the New York Times reports, and use the Electronic Federal Tax Payment System to monitor those payments. He also suggests that business owners make theirs the address of record, not the payroll service's, so that if the I.R.S. sends a notice of overdue payment, they will see it.