The recent widely reported $35 million payroll fraud at US cloud-based payroll services provider MyPayrollHR has raised serious concerns among businesses worldwide. How could such a fraud happen? Why weren't controls in place to prevent it? Could it happen again? Anyone involved in outsourcing their payroll processing should act proactively to minimise the risk of fraud.
The details of the heist at MyPayrollHR are still under investigation. However, the heart of the problem appears to be ineffective – or almost non-existent – controls over escrowed bank accounts and the transfer of funds into and out of clients' and employees' accounts.
The MyPayrollHR case is just the latest example of how poor fiduciary controls can put the financial health of companies, employees and shareholders at risk at a stroke. Even when payroll services are outsourced, the client company remains liable for any errors or losses – and at risk of prosecution if taxes are not paid on time.
Payroll is often the largest financial commitment a company has, making it an obvious target for criminals – insiders and outsiders. While cloud-based services have made payroll processing more cost-effective and attractive – especially for small and medium-sized enterprises – they have opened new channels for fraudsters. Vigilance is essential.
Criminals fuse motive, opportunity and means. By tightening up processes in all three areas, companies can eliminate potential points of failure and make payroll crime, and other crime, very difficult to commit.
There is always a chance that an individual – employee or outsider – is tempted to commit a fraud, so it is important to close down the opportunity. There need to be established checks and balances, with several sets of eyes checking and approving calculations and payments, to make it difficult for any individual to get around the system.
The motive for payroll fraud is generally personal gain. In the MyPayrollHR case, it appears that a fairly small service provider was unable to resist the lure of stealing $35 million in one relatively easy hit. The opportunity will have arisen from shortcomings in the procedures involved. A payroll partner with a multi-billion-dollar balance sheet, global presence and a reputation built on trust is unlikely to have the motive to commit fraud on a similar scale. It's always worth checking into your payroll services provider's financial position, and its standing in terms of industry certifications and other clients' opinions and experiences.
A key factor is keeping the payment mechanism separate from payroll processing. At TMF Group, we recommend this. We prefer our clients to maintain control over local bank accounts and payments. In some countries this is a legal requirement. We perform the payroll gross-to-net calculations and produce a bank payment file – formatted and encrypted to industry-wide standards – which our clients then use to make payments to employees and the tax authorities.
Should clients outsource the payment function to us, this is handled by a separate part of the business. Payments are typically made using an in-country trust account with very tight payment controls. In the event of an erroneous payment, funds can only be repaid to the originating account and never to a new third-party account, as appears to have been the case with MyPayrollHR.
It is imperative to ask your payroll services provider exactly how the funds are handled, where they are held and when payments are made for each period.
TMF Group has implemented an ISAE (International Standards on Assurance Engagements) control framework for its payroll services to ensure inherent risks are minimised. Furthermore, we have done this in every country where we deliver payroll services, ensuring compliance, despite local variation.
TMF Group provides clients with a client payroll manual setting out clear, transparent and auditable processes for payroll handling. These, in turn, are externally audited at regular intervals.
Many outsourced payroll providers act as aggregators, subcontracting their services to a range of third-party providers, especially when the contract covers many countries. This reduces transparency and control over the supply chain, opening up opportunities for fraudulent activity. TMF Group has, therefore, established its own subsidiaries through which our services are delivered in all our markets – over 80 of them.
As business services increasingly move to cloud-based models, it's tempting to think technology has all the answers to the challenges of efficient growth and cost-control. However, financial risks can be amplified by technology as well as mitigated. Human factors will also be involved. This makes it more important than ever to understand where the risks are and to have thorough processes and controls in place to minimise them.