
Q&A: January 2024

Helpsheets and support

Published: 12 Jan 2024

If your firm provides payroll services to an audited entity there are implications for the auditor. This Audit & Assurance Faculty Q&A outlines the considerations.

My audit client uses my firm’s payroll department. What are the implications for the audit?

There are various matters and International Standards on Auditing (ISAs) for the auditor to consider in this scenario. 

If your firm is in the UK, you will initially need to consider whether this accounting service can be provided in accordance with the Financial Reporting Council’s Ethical Standard. Assuming the audited entity is not a Public Interest Entity, the service is permissible provided the threats to independence have been assessed and appropriate safeguards implemented. The most common threats are self-review and management.

The use of a separate payroll team and ensuring that all decisions regarding the payroll are undertaken by informed management may be sufficient.

When considering independence, however, it is important to consider the range and scope of services provided to a client. 

For example, in addition to payroll the firm may also be asked to undertake bookkeeping, prepare VAT returns and prepare financial statements that will be audited. Although safeguards can be implemented for each of these services, the firm should consider if, at an overall level, a reasonable and informed third party would consider independence to be impaired. These considerations, together with disclosure to and agreement with those charged with governance, should be recorded and evidenced on the audit file.

When planning the audit you also need to consider the requirements of ISA 402/ISA (UK) 402, Audit Considerations Relating to an Entity Using a Service Organization. In the scenario you describe, the audited entity has outsourced its payroll to a service organisation and this service organisation is your audit firm.

Payroll costs will usually be a significant element of the financial statements and the auditor will need to obtain an understanding of the impact on the entity’s system of internal control. This will provide a basis to identify and assess the risks of material misstatement.

As part of understanding the audited entity under ISA 315/ISA (UK) 315, the interaction between the entity and the service organisation needs to be understood. It is strongly recommended that the audit team obtains, reviews and retains on the audit file a copy of the service level agreement (engagement letter) for the provision of these services, as this should set out the controls and respective responsibilities, including matters such as receipt of information, approval by the entity of changes to the payroll (joiners, leavers, pay rates), approval of the prepared payroll by entity management and, if performed by the firm, the processing of payments. This insight will help the audit team direct the focus of their evaluation of relevant controls and evidence the impact on their audit testing.

Standard procedures can be documented on relevant files, although care will be needed if any bespoke procedures have been agreed with an individual client. Where all payrolls follow the same process, the design effectiveness and implementation of the controls within the firm’s payroll department can be assessed centrally.

The audited entity should also have designed and implemented appropriate controls. The controls are likely to cover areas such as how changes to payroll data are authorised, approval of payroll information and processing of journals. The design effectiveness and implementation of the relevant controls must be documented and tested under ISA 315/ISA (UK) 315. This will normally be part of a walk-through test. This work is needed even where the audit strategy does not include testing the operating effectiveness of controls. 

While there is often an understandable focus on the payroll cost, sight should not be lost of the related compliance with taxation and other laws and regulations relevant to the operation of payroll. Typically, the payroll provider will have a contractual responsibility to help ensure compliance. A clear and evidenced understanding by the audit team of the payroll platform used by their firm, and of its accreditation, should enable them to justify and reduce (if not eliminate) deduction testing and gain overlapping assurance when auditing pay-as-you-earn and National Insurance liabilities.

In responding to the assessed risk of material misstatement, sufficient appropriate audit evidence will normally be available from records held at the entity. If further information is required, additional procedures can be performed at the payroll department. Other audit work with the entity could also be undertaken on enquiries or inspections by tax authorities, and the treatment of complex remuneration costs such as performance bonuses and benefits in kind. 

If it is decided as part of the audit strategy to include testing the operating effectiveness of controls and if evidence of the controls addressing the relevant assertions is not available at the entity, then controls at the payroll department may need to be tested. There is no reason why the auditor cannot test, for audit purposes, the operating effectiveness of controls operated by the payroll department of the firm. It is important that the self-review safeguard is maintained.

In summary, where an audited entity uses the firm’s payroll department the audit team should:

  • ensure that independence is assessed and safeguards are implemented;
  • understand the flow of information between the entity and the payroll department;
  • identify and assess the design effectiveness and implementation of key controls;
  • assess the risk of material misstatement; and
  • design appropriate audit responses to the assessed risks.

The use of the firm’s payroll department should make communication and access to information easier, but it does not reduce the requirement to maintain professional scepticism and perform appropriate audit procedures in response to the assessed risks. 

Key resources

FRC Revised Ethical Standard

ISA (UK) 402

ISA (UK) 315

ISAs from the International Auditing and Assurance Standards Board
