That may have been a bit of a theory to digest- but you’ve had a full week for that, so I hope we are in good shape to move forward with our GPCF.‍

I will be focusing less on the theory, and more on how the controls are practically implemented, and how Payzaar supports this, in the next four blog articles. Four? Yes, when I started writing this article, I noticed there is so much to share, I need one more article in this series!

Of course, let me first link this to the overall best practices around Global Payroll Management. While all components are truly interlinked, the GPCF focuses on the section Risk & Control as part of the component Global Payroll Governance, and as it is also linked to the Objectives section as part of the component Global Payroll Strategy.

The baseline: Process-independent controls

I call these baseline controls as I believe these controls should be implemented for any payroll. Regardless of size, complexity, service delivery model, geography… you have to implement these. 

Role-Based Access Control

These roles (RBAC) are controls that look after giving global payroll (or its stakeholders) access to payroll platforms in line with their roles and responsibilities. This essentially means you only have access to the regions, countries, entities and data (i.e. employee-level or not) that you ought to. You can also only make changes (i.e. edit rights, configuration) and perform actions (i.e. approvals) which your role is allowed to make. This mitigates a variety of risks such as data breaches, internal fraud, compliance violations, and audit trail integrity. In terms of platform access, there are some tough choices to make:

• Do you allow Global Payroll to make changes in your global HCM?
• Do you allow Global Payroll to make journal entries in your Finance ERP?
• Who can approve, reject, or edit a payroll and make configuration changes?
• Does Finance have access to employee-level data to support reconciliations?
• Does HR have access to the payroll platform to make changes and view data?

The answers to these questions, and more, determine your RBAC. In my experience, the more complex and spread out your business is, the harder this gets. Just imagine you operate a hybrid service delivery model with some local best-of-breed payroll platforms, and perhaps some consolidated regional providers with hand-picked local providers. 

How are you going to ensure a sound RBAC across all those platforms?

By implementing Payzaar. We can set up very sophisticated RBAC including access to certain regions, countries, and entities with employee-level data restrictions. There are various pre-defined profiles for common users, and you can select their roles down to a period workflow setting for editors and approvers.

And the best part? Everything is 100% audit ready 100% of the time: Run RBAC reports and audit logs of all changes, actions, and approvals. Our platform works with any service delivery model whether in-house or outsourced. Standardise and digitise your controls. Go beyond Excel and beyond folders.

Payroll Cycle Segregation of Duties

This has always been a project for me in every global manager role: define the roles per payroll cycle and per payroll. I used to define these roles:

• Preparer: This is the main responsible team member for the payroll. They ensure all the payroll processes are monitored and executed. Do questions come in? They are the first responder. 
• Reviewer: This is the buddy of the preparer, and is responsible for reviewing all the processed data and evidenced controls from the preparer.
• Approver: This is the approver of any results before they are finalised.

Ideally, you would have three different team members for each of these roles per payroll. However, not everyone has the luxury to do that, and I have been in those situations too. What I used as a rule is that the preparer can never be the reviewer (i.e. no four-eyes principle), but the preparer could also be the approver. I used to take the preparer and approver role if the team was under-resourced, and I just had to process payrolls. I always wanted team members to review me (yeah, review the manager!) before I approved anything. To ensure less key-person-dependencies and to ensure knowledge transfer, standardisation, and overall engagement I switched these roles quarterly or at least bi-annually. I advise everyone to implement the same.

Now, how do you implement these roles?

I used to have a spreadsheet maintaining these roles and it just showed in spreadsheet-based controls (or hard copy prints back in the days!) with version control on how these roles were operated. With Payzaar, you can fully digitise these roles and be audit-ready. Your payroll calendar is digitised, has standard steps, dates, times, and users assigned to it. You can assign multi-level reviewers, approvers and give access to a specific set of payrolls.

In the “I always remember and log” activity log, all the interactions, reviews, messages, controls, approvals are automatically named, dated, and time-stamped. Gone are the days of maintaining folder structures per payroll, year, and month to store data and evidence. Gone are the days of using chat (i.e. MS Teams Chat, Slack, Zoom Chat) to ask for approvals and record screenshots. Welcome to 2024 my friends. Payzaar is so much more than a platform, it in my view is THE platform to digitise, standardise, and automate your controls, truly making you 100% audit-ready. 

Just think of how you operate now; regardless of how you process locally and via what system, you still need to operate controls and maintain those; you can now standardise them with Payzaar.

Self-Audit

Self audits… say what? Yes, you heard that right - self-audits!

I must admit that when I was first introduced to self-audits I was terrified. Terrified in the sense of asking my peers to review my process and controls against the standard control descriptions, and in return also audit other peers on their processes. What if my team and I made a mistake? What if I find a mistake or error from my peers? What would this do with our relationship?

In the end that was all fine and in fact, I loved the experience. A self-audit can be asking someone who has not been a preparer, review in the audit period. This means they will not be biased and can audit your controls with a fresh set of payroll eyes. Based on the documented controls, the evidence is gathered for a specified time period and reviewed against the control designs, just like if you were audited by internal or external auditors. But instead by friends, whose intent is to help you prepare for audits. I encourage everyone to think of implementing this.

Of course, we support this at Payzaar so you can do this with very low effort. Where I used to be sent on a wild goose chase to find audit evidence, you can just give temporary access to the internal “auditor” for the entity in scope. This way they can find the evidence themselves; this saves time for the one being audited, and allows the auditor to truly review the process (not just the control evidence). You can also replicate (or in true auditor speak: reperform) the controls from scratch to see if the same result is achieved.

Auditors: let them come, you’ll give them cake

I have spoken to many, many Global/Regional Payroll Managers and when the topic of “audit” comes up you can see the virtual shivvers takeover. Painful, dreadful, time-consuming is what comes up. We then complain and talk trash a bit, but when we don't, I always like to unpick the topic. What makes the audit so hard aside from the quality of the auditor. What makes it hard for you specifically, what can help you? And this always comes up:

1. I do not have access to my own data and am dependent on local payroll providers. And this takes time, follow-ups, and costs additional fees (out of scope).
2. I have not standardised my controls across in-house and outsourced payrolls, so I spend a lot of time explaining this to auditors.
3. I do not have my audit evidence readily available, and it’s pretty much Excel or email (“I approve”) based.
4. I just don’t have the time to properly look at audits.

When hearing this, I am always a little bit sad. I feel their pain and frustration, but I am equally energised myself. I sit here at Payzaar with my experience and I can relate, except now I can offer a platform and service that can truly take away all this pain. I spend hours and days using the platform and configuring it as if I were managing global payroll. And yes, we tick all the boxes, with up to 40% time saved across all payroll processes, which frees up your team for more value-added tasks. And since you will always be audit-ready, there’s no need for anxiety - Let them come!

So, what now?

I hope this triggered some thinking around how you operate RBAC, cycle roles, and self-audits. These baseline controls should, in my view, be implemented, documented, and properly evidenced (emphasis on properly!) for all global payrolls. In the next blog article, I will focus on the pre-payroll controls. So stay tuned for more!

I am a Global Payroll Professional and a passionate one too! After managing global payrolls across the world for about 20 years, I found there must be a better way of doing this. I joined Payzaar - the global payroll management platform everyone needs and can easily implement.

Oh yes, we are just fun to work with too - Let's chat about the Payzaar Experience! And who knows, I might just deliver you a demo that you’ll truly enjoy.