Payroll Security 101

Payroll Security 101: The Basic Steps

A definitive handbook with 11 essential tips for ensuring payroll security in your business


In March 2021, Arup, a UK-based engineering firm that employs 16,000 people across 140 countries, had to tell its workers that their personal details – including addresses, bank account numbers, sort codes, and national insurance numbers – had been compromised. This happened after Arup’s payroll service provider, Symatrix, was the victim of a ransomware attack.

Symatrix was not the first and not the last victim of ransomware attacks. Companies of all sizes collect personally identifiable information (PII) about their employees to process payroll, making payroll data a gold mine for hackers. A payroll information data breach can lead to identity theft, fraud, and loss of employee trust. It can also affect the financial security of your business and its reputation.

Payroll security consists of all the measures taken to protect sensitive employee information (bank details, addresses, social security numbers, etc.) from potential threats both inside and outside the company.

11 Tips for Ensuring Payroll Security

Ensuring payroll security requires employing multiple practices from different disciplines: data security, employee training, financial auditing, outsourcing services, etc. These are the main practices you should consider:

1. Provide proper employee training

According to the International Association of Privacy Professionals, 85% of all data breaches are unintentional or inadvertent. This stresses the importance of training employees on the business’s payroll system and of setting strict guidelines for handling personal information responsibly.

2. Include payroll security in your business security measures

Incorporating payroll practices into your business’ security measures ensures that the relevant policies are always accessible to employees. The following measures should be part of your security strategy:

  • Limiting the number of employees with access to sensitive employee data
  • Making ACH (automated clearing house) payments in the US
  • Encouraging employees to receive direct deposits instead of printed checks, which are more vulnerable to payroll fraud.
  • Using cloud security in your payroll service
  • Ensuring compliance according to the data processing agreements

3. Make sure your payroll software is updated

Keeping your payroll software up to date limits your exposure to security threats and gives you access to the latest third-party integrations. Including a clear update policy in your company’s payroll and security procedures is the best way to ensure that your software is constantly updated. This is an essential tip for managing your payroll risk.

4. Enforce employee password changes

Routine password changes – every 60 to 90 days – should be stated in the company’s security procedures and be part of the payroll system training. Setting up multi-factor authentication is also highly recommended.

5. Separation of payroll duties

Companies in which a single person performs all the payroll tasks are more likely to have security issues. Dividing the payroll tasks between a few employees reduces the risk of data theft and fraud. As a bonus, requiring more employees to review the payroll process will also minimize mistakes.

6. Limit the amount of sensitive information printed on checks

While some employees still prefer checks over direct deposits, printed checks that include personal information expose you to data breaches. If you are forced to work with checks, make sure they don’t include any sensitive information (e.g., home address and social security number).

7. Reduce time theft

Time theft, also known as timesheet falsification, occurs when employees intentionally misrepresent the amount of time they worked in their time sheets. Creating clear time and attendance policies and, even more importantly, implementing time and attendance software can help reduce time theft significantly.

8. Address security risks while offboarding employees

Former employees with access to sensitive information are responsible for many security breaches. When a payroll employee leaves the company, the offboarding process must include removing their access to your payroll software and recovering company assets, such as security credentials and laptops.

9. Conduct an annual payroll audit

Payroll security audits help companies prevent data breaches, fraud, and embezzlement threats. Any payroll security audit should start by talking with the payroll team and the IT department to evaluate current procedures and gather valuable feedback. Then, you’ll need to confirm employee information (pay rates and periods), compare hours in payroll records vs. hours reported on timecards, and run a ledger report to ensure every transaction aligns with your payroll records.

10. Outsource your payroll operations

Working with a third-party payroll provider can ensure your employees’ data is protected by comprehensive security measures. If you decide to go this route, you must do your due diligence. That includes gathering information about:

  • Data encryption
  • Security features in time-tracking processes
  • Which servers are being used to store the data
  • Employee access to payroll history
  • Pay slip distribution
  • The provider’s reputation, including how it handles security issues

11. Educate your employees on payroll security

Providing guidelines for handling personal information and training on the business’s payroll system is not enough. Payroll and HR employees need to be aware of all the different threats to payroll security and be equipped with tools to stop them.



Payroll Software Checklist

Audit Trail

An audit trail is a sequence of computer events that records every business transaction. It includes source documents and entries in the company’s accounting system, enabling you to trace each transaction from start to finish.

Built-in compliance

Any business can attest to the ongoing compliance challenge, especially companies with employees in multiple countries. In the US alone, companies must take into account ACA compliance (Affordable Care Act), FMLA compliance (Family Medical Leave Act), FLSA compliance (Fair Labor Standards Act), and COBRA compliance (Consolidated Omnibus Budget Reconciliation Act).

That’s why a built-in compliance feature – ensuring that your payroll data, time entries, tax withholdings, and benefits payments are in line with local, state, and federal employment laws – is a must in every good payroll software.

ISO certification

ISO (International Organization for Standardization) is the highest standard for information security, providing the framework for identifying information security risks. While ISO develops the standard, it is not involved in the certification process, which is performed by external certification bodies.

ISO 27001 is the world’s best-known standard for information security management systems (ISMS) and their requirements. Additional best practices in data protection and cyber resilience are covered by more than a dozen standards in the ISO 27000 family.

SOC compliance

System and Organization Controls (SOC) is a suite of reports published by the American Institute of Certified Public Accountants (AICPA). There are three main SOC reports:

SOC 1 – a report on controls at a service organization relevant to financial reporting.

SOC 2 – a report on controls at a service organization relevant to security, availability, processing integrity, confidentiality or privacy.

SOC 3 – a report on trust services criteria at a service organization for general use.

Easy access and control

Payroll software with easy access control allows you to grant different types of permission, restrict access when necessary, and ensure that only a few employees can see and interact with sensitive data.

Data encryption

In cybersecurity, data encryption is the act of converting data from a readable format into an encoded format, which can only be read after it’s decrypted by someone who has the encryption cipher or algorithm. Payroll data and all payroll-related documents must be encrypted for protection in the event of a data breach.

Employee training

A good payroll system will include a built-in training program that allows your employees to get familiar with the software in no time.

System updates

Like any other top-quality software, your payroll solution must regularly deploy updates to ensure that all the security features are up-to-date.

Payroll Auditing – Step by Step

1. Look at the employees listed on your payroll

Verify that the list matches your employment records and delete employees who are no longer with the company.

2. Analyze the numbers

Make sure that each employee’s pay rate is correct and corresponds with the employee’s records. Pay close attention to employees who recently received a promotion and/or a pay raise, and to non-exempt employees who work overtime regularly.

3. Verify that PTO is correctly labeled

Every type of paid time off – vacation days, sick leave, bereavement leave, etc. – must be labeled correctly to ensure that employees are not over or under-compensated for their work.

4. Cross-check your findings

Compare your payroll records to the company’s general ledger and make sure they match. The next step is to reconcile your payroll records with your bank statements. Many companies have a separate payroll account to make this step easier.

5. Confirm payroll withholdings

Make sure that all payroll withholdings – federal and state income taxes, social security, Medicare, and other mandatory benefits – are correctly withheld for each employee. All wages and tax withholding amounts listed on your payroll reports should match your payroll records.
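The cross-checks in steps 1, 2 and 4 can be automated once the payroll run, the employment records and the ledger total are exported. The sketch below is an added example, not part of the original handbook or any vendor's product; the record layouts, employee IDs and amounts are constructed for illustration, and it also flags the ghost-employee pattern covered under common risks.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data (assumed layouts, not from any real system).
HR_ROSTER = {  # employee_id -> (pay per period, termination date or None)
    "E001": (Decimal("4200.00"), None),
    "E002": (Decimal("3900.00"), None),
    "E003": (Decimal("5100.00"), date(2024, 1, 15)),
}
PAYROLL_RUN = [  # (employee_id, amount paid, pay date)
    ("E001", Decimal("4200.00"), date(2024, 2, 28)),
    ("E002", Decimal("4400.00"), date(2024, 2, 28)),  # differs from HR rate
    ("E003", Decimal("5100.00"), date(2024, 2, 28)),  # paid after leaving
    ("E999", Decimal("3000.00"), date(2024, 2, 28)),  # unknown to HR
]
LEDGER_PAYROLL_TOTAL = Decimal("16200.00")  # payroll expense posted to the ledger


def audit_payroll(roster, run, ledger_total):
    """Return a sorted list of (employee_id, finding) tuples for one pay run."""
    findings = []
    paid_total = Decimal("0")
    for emp_id, amount, pay_date in run:
        paid_total += amount
        record = roster.get(emp_id)
        if record is None:
            # Step 1: on the payroll but absent from employment records.
            findings.append((emp_id, "not in HR records (possible ghost employee)"))
            continue
        rate, terminated = record
        if terminated is not None and pay_date > terminated:
            # Step 1: former employee still being paid.
            findings.append((emp_id, "paid after termination date"))
        if amount != rate:
            # Step 2: pay does not correspond to the employee's record.
            findings.append((emp_id, "amount differs from HR pay rate"))
    if paid_total != ledger_total:
        # Step 4: payroll records do not match the general ledger.
        findings.append(("LEDGER", f"payroll total {paid_total} != ledger {ledger_total}"))
    return sorted(findings)


if __name__ == "__main__":
    for who, what in audit_payroll(HR_ROSTER, PAYROLL_RUN, LEDGER_PAYROLL_TOTAL):
        print(f"{who}: {what}")
```

A rate mismatch is a prompt for review rather than proof of fraud, since overtime for non-exempt employees or a recent raise can explain it.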

Common payroll security risks

  • Ghost employees

    A ghost employee is a person who is on the employer’s payroll but does not actually work for the company. This can happen if a former employee continues to get paid after they leave the company, or if a payroll employee creates a fake employee in the system.

  • Inaccurate overtime exemptions

    Salaried employees in the US are either “exempt” or “nonexempt” from receiving overtime pay, based on the requirements outlined in the Fair Labor Standards Act (FLSA). To avoid this pitfall, review the Department of Labor’s guidelines.

  • Employee misclassification

    Employee misclassification is the illegal practice of labeling workers as independent contractors – usually to reduce labor costs – when they should be classified as employees.

  • Human error

    Whether it’s negligence or failure to follow security protocols, human error is the most common reason for data breaches. A survey conducted by software security company Egress in 2021 revealed that 84% of the IT companies surveyed had suffered a data breach directly from human error.

  • System failures and data loss

    While some system failures are caused by server breakdown or human error, most are caused by phishing scams and ransomware attacks, which often render several systems, including payroll, inaccessible. To prevent data loss in a ransomware attack, make sure your payroll system is backed up.

  • Payroll leakage

    In 2018, two former employees of the Indianapolis Bond Bank were charged with theft and insurance fraud after being accused of stealing nearly $400,000 in unauthorized pay and benefits. One of the employees, who handled the bond bank’s payroll, was paid $170,000 in the 12 months before being fired, although her annual salary was $57,500.

    When workforce management solutions are not properly integrated with existing systems, you get a payroll leakage like the one committed in the Indianapolis Bond Bank. Such internal fraud poses a growing threat to companies. 46% of the surveyed organizations in PwC’s latest Global Economic Crime and Fraud Survey reported experiencing fraud, corruption, or other economic crimes in the last 24 months. In 31% of the cases, the main perpetrator was a company employee.

Ensure your payroll process is secure

Payroll security is the foundation of the trust between employees and companies. Here at Papaya Global, making payroll processes more secure is a top priority, which is why data security companies like Checkmarx, Cato, and CyberArk choose Papaya as their global payroll provider.


How often should a payroll audit be conducted?

Companies should conduct a payroll audit at least once a year. However, quarterly or monthly audits can help spot security breaches early on and provide insights into the health of your payroll system.

How can payroll software help with payroll security?

Payroll software includes several features that ensure payroll security: data encryption, easy access and control, built-in compliance, audit trail, etc. In addition, payroll software companies hold prominent certifications and audit reports in the field of information security.

How can internal control overcome payroll fraud?

Several internal control mechanisms can play a role in overcoming payroll fraud: separation of payroll duties, payroll audits, easy access and control, and a separate bank account for payroll.

What are the main objectives of payroll internal control?

The main objectives of payroll internal control are: protecting confidential employee information; preventing fraud, theft, and forgery; and ensuring accurate and reliable payroll records.