How to assess payroll risks
03 Jul 2018

When assessing payroll risk, it is important to ensure such activity takes place as part of a broader enterprise-wide risk awareness exercise. This exercise needs to include a real understanding of risk tolerance and risk appetite because the scope of, and challenge posed by, payroll security has never been greater.

But managing risk before it starts to affect the business is no mean feat. Connections to, and from, internal and external third party systems should all be taken into consideration. Risk categories, and the business functions that could potentially be impacted by them, also must be thought about.

Given the current backdrop of constantly changing threats, increasing regulation around data processing, privacy and protection and challenging global megatrends relating to how we work, such considerations are becoming increasingly vital. But to tackle them effectively, it is necessary to understand the four main areas involved in security management - people, processes, technology and compliance:

  1. People

As an organisation consists of people, they are simultaneously both its greatest strength and weakness – and nowhere is this more true than in the sphere of risk assessment. Well-trained, motivated staff can, of course, be a great asset, while unfocused, unsupported or poorly trained employees can prove to be exactly the opposite.

As a result, it is important to ensure that every role with access to data has their responsibilities and accountabilities clearly laid out, documented and agreed. This situation applies not only to members of payroll teams, but also to personnel in those areas such as HR and finance that touch on the payroll function too. The same applies to third party suppliers and overseas support functions.

But it is also worth asking yourself just how confident you are that the skills, qualifications and training of your payroll team are up to scratch in areas such as the General Data Protection Regulation (GDPR). Are important internal processes such as staff vetting up to date and treated as part of an ongoing pastoral care commitment? Changes in an individual’s circumstances may provide a clue to any changes in their behaviour that could, in turn, pose a potential risk, for example.

  2. Processes

It is crucial in quality terms to ensure that payroll processes are documented from end to end. Doing so will not only help you identify any gaps in your risk mitigation efforts, it will also ensure you are able to monitor, review and make efficient changes to those processes, when required.

Taking this tack will likewise provide an accurate view of the impact of any potential changes introduced across the whole process, and where and whom they would affect.

But documenting the payroll process from end to end is also important in data management terms. This includes the protection, management, secure processing, transfer and eventual deletion of data such as new starters, leavers, transfers and promotions. The aim here is to boost efficiency and enable any changes to be made in a timely, secure way.

Another important consideration is ensuring appropriate segregation of duties is in place so that key transactions are given suitable levels of oversight and authorisation. From a fraud perspective, guarding against conflicts of interest in personnel terms is vital, as is ensuring employees are not provided with access to systems that are not directly relevant to their job roles.

It is also worth bearing in mind, however, that security measures should always be proportionate and never prevent users from actually doing their jobs.

  3. Technology

The next step is to properly assess the IT-based systems and infrastructure that run your payroll processes. Consider whether their security and resilience levels match your organisational appetite for risk and whether they are being appropriately protected and updated, patched and managed. It also makes sense to review the quality of your automated processes and controls to ensure you are not simply automating bad ones.

But it also makes sense to be aware of how your payroll systems link to other corporate or third-party systems such as HR, which includes knowing where the necessary documentation or service portals can be found should you need them.

  4. Compliance

Depending on the industry in which you operate, you may need to comply with certain standards relating to income tax, pensions or benefits when processing payroll.

Conforming to the GDPR is also high on the agenda for employers either based, or doing business, in the European Union. But be aware that the law does not just cover data processing - it also covers data retention, protection and accuracy. This means that maintaining accurate records, keeping personal data safe and securely destroying it when you no longer have the legal right to process it are all a top priority.

To help, do consider implementing standards such as ISO27001, which provides a great framework for helping companies to organise, plan and improve their processes from a risk-based security perspective. This information security standard can, in fact, be used as the basis of creating an effective payroll risk assessment function to support a sustainable, stable payroll department.

Key questions to ask yourself

  • Are your payroll processes properly documented?
  • Have you assessed the skills and competencies of your payroll team recently?
  • Do you include ongoing pastoral care as part of your vetting process so that possible risks of fraud or coercion can be taken into consideration?
  • Do you segregate job roles and system access?
  • Have you risk assessed your IT systems, including those that link to third party applications?
  • Have you checked how compliant you are with current standards and regulations such as GDPR?
  • Do you know where your compliance gaps are and do you know how to fix them?

 Mike Gillespie

Mike Gillespie is co-founder and managing director of information security consultancy, Advent IM Ltd, and vice president of the C3i Centre for Strategic Cyberspace and Security Science. He is a senior, experienced information security practitioner of many years’ standing and is well versed in the threats posed to organisational information assets.