BY MAX VAN DER KLIS-BUSINKTake Charge With a

Part I

Control FrameworkGlobal Payroll

Each organization has objectives it strives to achieve and, in pursuit of these, will encounter events and circumstances that may threaten their achievement.

These events create risks that an organization must identify, assess, and address. Some risks may be accepted, and others may be mitigated to an acceptable level. One key method for mitigating risk is the design and implementation of effective internal controls, which applies to payroll run by a global payroll function. The focus of this method is on managing risks, ensuring compliance with rules and regulations, and assuring timely salary payments. This once was primarily an accounting and auditing focus related to the commercial accounts of listed companies and uncommon in the field of taxes, let alone payroll taxes. Today’s chief financial officer (CFO) asks the payroll team questions such as, “How do I know if our payroll tax returns are filed timely and accurately?” or, “Who can guarantee that we comply with all local payroll rules and regulations?” and, “Can someone show me that all personnel expenses from payroll are included

in my monthly close?” Each global payroll function should be able to answer these types of questions and on such a level that the answers provide reasonable assurance in line with the organization’s overall risk and tax strategy.

Why Must Payroll Be in Control, and Why Now?Three trends require (or even demand) that payroll is in control. First, the response of legislators to fraud cases has led to the introduction of more stringent regulations around disclosing information on internal control. Second, a new approach by regulators toward taxpayer compliance is emerging. Third, the international payroll vendor landscape is evolving, which leads to a changing control environment.

Several accounting fraud scandals have taken place all over the world. Cases go all the way back to 1883, when fraud perpetrated by Dutch entrepreneurs led to the founding of the first Dutch accounting firm. Even then, public trust in the level of ethical standards applied by businesses

BY MAX VAN DER KLIS-BUSINK

GLOBAL PAYROLLThe o�cial magazine of the Global Payroll Management Institute

Reprinted From November 2015

had decreased. The U.S. savings and loan crisis between 1986 and 1995 led the General Accounting Office (GAO) to state that “mandatory management and audit report on internal control” could have prevented the crisis. The U.S. Congress passed the Federal Deposit Insurance Corporation Improvement Act (FDICIA) not long after. This legislation meant a shift toward transparency of organizations and (internal and external) audits on the internal organization and processes, leading to financial statements.

A more recent example that brought intense media attention was Enron, which declared bankruptcy in 2001 during the Internet bubble and resulting economic crisis. Its code of ethics led to the term “Enron ethics,” which became a catchphrase for the contradiction between words and actions. Not long after Enron, WorldCom admitted to at least $3.8 billion in accounting errors. These scandals led to the

enactment of new legislation such as the Sarbanes-Oxley (SOX) Act of 2002. SOX requires that organizations be

transparent to external stakeholders on the design and quality of their processes, and that they must be audited by an independent auditor who evaluates their level of control. Sections 302 and 404 of the Act are particularly important since they mandate that organizations include an assessment of the effectiveness of internal controls and procedures that include payroll. Many countries enacted legislation similar to SOX and FDICIA with one thing

in common: All demand organizations be transparent in the way their internal controls are designed,

implemented, and evaluated. Tax authorities also require much the same from

organizations, but for different reasons. Governments are restructuring to implement new regulatory models for their tax authorities to be more efficient and effective in their supervisory duties. Their drivers to do so are twofold: resources to detect non-compliance are often limited, and modern society demands a more cooperative attitude and approach toward taxpayers. Tax authorities are shifting from assessing all filed tax returns to focusing on high-risk taxpayers, allowing them to allocate scarce resources more effectively. This has led to the introduction of models all over the world (e.g., Australia, United Kingdom, and the Netherlands) known as “horizontal monitoring” or “cooperative compliance.” These new models are characterized as transparency in exchange for certainty on the organization’s payroll tax position. This transparency goes hand in hand with timely disclosure of risk events, positions taken in tax matters, and sharing of the underlying frameworks that should provide reasonable assurance. This

suggests that solid risk management and internal control frameworks are the basis for organizations to be able to join tax authorities in their new compliance models.

Last but not least, more and more organizations have implemented or are about to implement global payroll strategies and are centralizing their payroll functions. Organizations that already implement multi-country payroll strategies have important lessons to teach us. Too often, global or multi-country payroll strategies are designed without clear insight into the current payroll operating model, risks, and control activities. It’s not uncommon to first choose a payroll vendor, adapt its software and service solution, and then align the internal operating model accordingly. However, organizations often cite greater control over payroll risks and compliance as one of the main reasons to implement a global payroll strategy. The other most important business driver is the need for centralization to bring increased visibility to payroll data and simplify system interfaces. These drivers require a sound understanding of the current state of payroll.

Global Payroll Control FrameworkIn response to the increased need for transparency (FDICIA and SOX), the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed two frameworks. The COSO Internal Control Integrated Framework is regarded as a best practice to enable organizations to effectively and efficiently develop and maintain internal control systems. The framework, released in 1992 and revised in 2013, enhances the likelihood of achieving business objectives and allows organizations to adapt to ongoing changes in the environment. Almost without exception, tax functions and tax advisors worldwide use the COSO framework as the basis for their own tax control frameworks (TCF). I have been fortunate enough to read and analyze the TCFs of many international organizations and have observed that payroll taxes receive little if any of the attention they deserve as one of the biggest indirect costs of organizations. This is a missed opportunity, as the framework is equally valuable for payroll taxes as for Corporate Income Tax (CIT) and Value Added Tax (VAT).

The time has come to use COSO’s framework for payroll, as it has proven its value for payroll control. COSO defines internal control in the framework, and this definition is intentionally wide because the framework applies to all types of organizations and business processes, even for different entities in one organization. I have altered this definition to match my view on internal control and the global payroll function:

The global payroll function’s processes embed internal control and are designed to provide reasonable assurance regarding the achievement of global payroll objectives relating to operations, reporting, and compliance by ensuring the Global Payroll Control Framework is put into daily practice.

In the altered definition, the aim is to provide reasonable assurance of achieving three categories of objectives. Reasonable assurance is intended, not absolute certainty, because internal control simply cannot prevent bad judgment, wrong decisions, and simple errors. The definition also refers to processes and how their design should embed internal control. The processes and the Global Payroll Control Framework (GPCF) should address all five COSO internal control components: control environment, risk assessment, control activities, monitoring activities, and information and communication. Being in control is an important mindset for each global payroll function, and a sound understanding of its definition and translation into daily practice is vital to be able to provide reasonable assurance to internal and external stakeholders. How this is achieved should all be documented in the GPCF. Four Sections of the GPCF

The GPCF consists of four sections covering all strategic, tactical, and operational topics crucial for a global payroll function and that are mentioned in COSO’s framework (see Chart 1).

Here are further explanations of what these sections encompass and how they interact with each other, the first two sections in-depth and the third section briefly. The fourth section is too country-specific to address here:

Global Payroll ObjectivesIn pursuit of being in control, each organization sets entity-level and even function-level objectives in line with the organization’s mission, vision, and strategies. Following the guidelines of COSO, these objectives should be set for operations, reporting, and compliance (see Chart 2 on the following page). The first and most important step of the GPCF is setting global payroll objectives for all three categories. For payroll, these objectives should align with the tone and objectives set forth in the code of conduct, compliance statements, and, for instance, the TCF. This ensures a holistic view and overall fit with the tax and compliance strategy of the organization. If the TCF’s aim is

Section Level Topics covered

1 Global Payroll Objectives

Strategic This section includes the scope of payroll registrations and type of taxes included in the GPCF, the global payroll objectives, how achievement of these objectives is measured, and the strategic view of the organization on its outsourcing model and payroll footprint.

2 Global Payroll Control Components

Tactical This section describes how the five components of internal control are applied in payroll and how they interact. It’s crucial to touch all topics and to ensure the tone of one component matches that of another.

3 Global Payroll Operating Model

Tactical and Operational

This section includes the payroll timelines (recurring payroll cycle, filing and payment of payroll taxes, and one-off but periodic activities) and full process narratives. The process narratives incorporate the people, systems, and sourcing elements of the global payroll operating model.

4 Country Standard Operating Procedures

Operational This section explains which member of the global payroll function periodically owns the operations of a country or entity, which is rotated at least quarterly. It also includes a full list of all standard operating procedures of a country or entity detailing how to run payroll locally in line with the GPCF.

Chart 1—The Four Global Payroll Control Framework (GPCF) Sections

to eliminate all events that increase tax risks, the compliance objective of the GPCF should leave no room for noncompliance with payroll laws, rules, and regulations.

One category should not be considered more important than another. CFOs might value certain objectives more than HR directors, which makes sense considering their own focus within the organization. If reducing the operational cost to run payroll means there is no budget for insourcing required tax knowledge, it could lead to a lowered level of compliance and cause the objectives of operations and compliance to be out of balance. CFOs also value the correct mapping of international payroll costs in the general ledger and will emphasize the importance of a correct interface between payroll and accounting systems. Since setting objectives is such an important step for the design of the GPCF, I advise letting the person accountable for payroll sign off to get the right sponsorship. Do this before moving forward with the

analysis of the five components of internal control, which are affected by the tone set in the objectives.

In SummaryFollowing the steps of COSO’s framework to create a GPCF is a best practice that can help a global payroll operation achieve control. This method can be applied in all organizations, regardless of their industry, how they have organized their payroll function, or for which regions they run payroll. Once the first version of a GPCF is released, it must be maintained, reflect daily operations, and be adjusted when the control environment changes. When an organization is considering changing its operating model, expanding into new markets, or changing its payroll vendor, the GPCF is a great tool to use as a starting point for discussion. The use of a GPCF cannot guarantee perfect outcomes, but that should not stop an organization from trying. ■

Category Explanation

Operations These objectives pertain to the effectiveness and efficiency of the global payroll function. Its objectives relate to the timeliness and accuracy of process inputs and outputs. It can also encompass the completeness of payroll administration, the total cost of ownership (TCO) of the global payroll function, and the satisfaction of customers (mostly employees) and stakeholders. The TCO should, for instance, be matched with the budget provided by a financial planning and analysis function to run payroll.

Reporting These objectives pertain to internal and external, financial and non-financial reporting. External regulators and an organization’s internal audit function set forth the reporting requirements. For a global payroll function, this could mean all payroll journals and financial reconciliations should be the result of controlled processes, as demanded by SOX or U.S. generally accepted accounting principles (U.S. GAAP). Furthermore, it could require that foreseen risks be mitigated by executing control activities effectively as part of the GPCF.

Compliance These objectives pertain to the adherence to applicable laws, rules, and regulations with which the organization and its payroll function must comply. Objectives in this category focus on fiscal and social security laws but also include rules around data privacy, retention periods, and international tax laws. Alignment with the TCF and compliance codes of the organization in this category is mandatory.

Chart 2—Global Payroll Objective Categories

The Global Payroll Management Institute (GPMI), www.GPMInstitute.com, is the world’s leading community of payroll leaders, managers, practitioners, researchers, and technology experts. Subscribers connect with each other through networking discussions, collaborative opportunities, and access to education and publications dedicated to global payroll strategies, knowledge, research, employment, and training. GPMI also publishes several global payroll texts and white papers as a benefit to subscribers. Get more information at www.GPMInstitute.com.