The Sarbanes-Oxley (SOX) Act of 2002 is a congressional act passed to prevent future scandals of Enron proportion and is considered to be one of the most significant changes to federal securities law in the United States. The Enron scandal and other similar scandals damaged investors’ confidence in the accuracy of all public corporate financial statements. Among the major provisions of the Act are criminal and civil penalties for securities violations, as well as increased disclosure regarding executive compensation, insider trading and financial statements.
In lay terms, the SOX act essentially says that you will go to jail if you are signing off on the veracity of certain documents in a public corporation and they turn out to be incorrect, even if it wasn’t really your fault. It requires certain executives at the top to sign off on the financial statements that stockholders typically examine before buying a stock. This potentially exposes those top executives to the risk of jail time.
Who Cares About SOX?
As you might expect, the CEOs, CFOs and other executives of publicly traded companies take SOX very seriously. When a CEO takes something seriously, it typically means finding some other person in the company, or several, and requiring them to take the issue even more seriously — and that’s just what CEOs have done with SOX. It’s considered “delegation of responsibility,” “buck-passing” or “things rolling downhill” — depending on one’s point of view.
This is probably where you come in.
How Does SOX Work?
With the help of certain very large and expensive consulting companies (who love SOX, as you might imagine), a model called COSO (Committee of Sponsoring Organizations of the Treadway Commission) was invented to spread the responsibility of SOX evenly across organizations, which ultimately leads to total corporate buy-in for obtaining accurate financial statements.
It centers around the idea that fraud and mistakes are much less likely to occur if the company follows effective processes, and that there is a procedure in place for documenting and testing these processes.
Processes have sub-processes, which have objectives, which have risks, which have controls, which have tests, which have results. These are all one-to-many relationships.
There is an HR/payroll process by which people are hired, paid, fired, given benefits, etc. One sub-process — of which there could be many — of the HR/payroll process is “payroll calculation.”
An objective of this sub-process is that people are paid correctly for work they actually did and were authorized to do. Another objective might be to keep the payroll data secure.
There could be a number of risks to the objective of correct pay for actual authorized work, such as unauthorized hours being worked, or a discrepancy between claimed and authorized hours. Buddy punching — where someone lends his badge to a friend for illicit system login and to get free money — is another potential risk.
Risks have controls, which are methods by which you ensure the process is working or that the risk is being avoided. For example, a control might be that you only pay employees for hours authorized by the timesheet software. Or you manually compare authorized hours to paid hours each pay period. Or you install a security camera at the badge reader.
Controls have tests. For example, a test would be to compare your timesheet software reports to bank records. Tests have results, which are the stored records of those comparisons. A test for buddy punching prevention is to look at the video tapes from your security camera, the result of which might be a log book describing what you saw. Tests can be performed on a weekly, monthly or quarterly basis, or as part of scheduled testing by payroll professionals, or as often as needed by internal auditors.
All of these processes, objectives, risks, controls, tests and results can be put into a SOX control matrix. Here is a sample of what one of these would look like:
| Sub-Process | Objective | Risk | Control | Test | Result |
| --- | --- | --- | --- | --- | --- |
| Payroll Calculation | Accurate | Buddy Punch | Hand scanner used by all hourly employees | Compare paychecks to scanner records manually | Records of use compared to payroll records |
| Payroll Calculation | Accurate | Unauthorized work | Timesheet software | Compare authorized hours to paid hours | Records of report comparisons |
| Payroll Calculation | Accurate | Wrong salary used | Separation of duties for salary entry vs. time data entry | Examine signatures on certain forms | Records of examination |
This can go on and on. I’ve given some payroll-oriented examples but many SOX concerns may have nothing to do with payroll. In your company, the terminology may be different. For example, some consultancies refer to “process/sub-process” and others to “cycle/sub-cycle.” An objective may be termed a control objective. Companies like Openpages specialize in software to track all of this.
How Does SOX Affect Payroll?
Essentially, the bottom line for payroll professionals is that if you allow payroll checks to be calculated incorrectly to the degree that it affects your company’s financial statements and confuses stockholders, then you will be causing problems for your company.
There is nothing inherent in SOX that dictates that all of your company’s processes must be automated. However, automated processes are more likely to be consistently performed. Additionally, when the auditors come calling, it’s nice to be able to point to a piece of software, such as a timesheet, that provides audit trails (an easy test result), separation of authority (a natural control), and a capable reporting system (some SOX tests). This gives SOX auditors something to look at besides just you.
Should Payroll Administrators and Managers Be Expected to Understand SOX?
Absolutely. The SOX act is now a part of the way America does business. Being able to handle SOX environments is critical to the future of payroll, and that future is a complex thing. Increasingly, payroll practitioners have more than just SOX to worry about.
When payroll executives implement time and attendance systems to automate payroll, they often miss the chance to facilitate greater profitability throughout the entire company. These payroll executives are, of course, payroll experts. They are usually not, however, experts at project accounting or billing automation.
However, the time data, if collected appropriately, can also be used to automate project management, project accounting, project tracking and project estimation improvement, as well as for internal, external and reverse billing automation — and any of these can become SOX concerns. Most payroll and HR executives know little about these subjects, but increasingly, they are being asked to rise to new challenges with SOX being just one of them.
The New People Business Economy
These new challenges are a result of the tectonic shift from capital businesses to people businesses. This is a shift toward valuing time as much as money. About 50 years ago, when most people twisted bolts in a factory, workers were not considered volunteers, they were not empowered, and managing the money of the company (i.e., the capital) was much more important than maximizing the time and knowledge of the worker. Such businesses are called “capital businesses” because power and wealth flowed from the capital.
Today, capital businesses are on the wane, and companies are becoming people businesses. Simple manufacturing has moved overseas. Software, entertainment, consulting, design and architecture exemplify people businesses, but increasingly, even traditional manufacturing businesses like GM and Ford win through design and intellect rather than through excellence in bolt twisting on the shop floor.
People businesses, like software companies and architecture firms, don’t track employee time to minimize break times — if they track time at all. They do it to understand costs and automate billing and, to a lesser extent, to track salary and paid time-off, or to pay hourly knowledge workers correctly.
These areas are rife with potential SOX compliance issues. The rise of the people business is challenging news for payroll and HR executives, and it makes their function more critical than ever. Furthermore, it may be our inexperience as businesspeople in measuring creativity and other “soft” people-oriented assets that has led, to some degree, to scandals like those at Arthur Andersen, Enron and WorldCom.
How Time Management Software Is Changing
If an executive team running a company is really a team, then the responsibility of a payroll or HR executive on that team encompasses more than just payroll. Systems implemented must serve the entire company, not just automate payroll or hiring processes, and they must be SOX-compliant.
In many cases, automating billing or project management provides a much higher ROI to the organization, and this can make the case that automation is both necessary and economically feasible. Many large organizations have employees fill out more than one timesheet: one for project management, one for customer billing, one for payroll, and sometimes another for vacation/leave tracking. This is unnecessary and can damage morale. The right time management system can replace multiple systems.
Time management systems that historically have automated payroll are an outdated concept for people businesses. Time tracking is now a core business process. It should automate payroll, billing and project accounting. If SOX compliance efforts lead your company in the direction of replacing or upgrading your existing time tracking automation system, you should consider one that helps in all of these areas, particularly in project accounting, which has enormous SOX implications in its own right.
The SOX act is not only relevant to time tracking software — or to payroll or to HR — but to all the financial processes in your entire company. It is your responsibility as a payroll professional to ensure your company’s processes are the best they can possibly be.
Curt Finch is the CEO of Austin, Texas-based Journyx, a provider of Web-based software that tracks time and project accounting solutions to guide customers to per-person, per-project profitability. In 1997, he created the world’s first Internet-based timesheet application — the foundation for the current Journyx product offering.