IPPF – Practice Guide

Auditing Executive
Compensation
and Benefits
April 2010
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Table of Contents
Introduction................................................................................................................. 1

Executive Summary..................................................................................................... 1

Definition and Structure.............................................................................................. 1

Risks .......................................................................................................................... 2

Employment Market Risk . .................................................................................. 2

Compliance Risk ................................................................................................ 2

Financial Reporting Risk .................................................................................... 2

Reputation Risk . ................................................................................................ 3

Operating Risk ................................................................................................... 3

External Business Relationships ........................................................................ 3

Audit Approach ........................................................................................................... 3

Auditing Board Compensation and Benefits........................................................ 4

Auditing External Business Relationships .......................................................... 5

Audit Considerations .................................................................................................. 5

Access to Information ........................................................................................ 5

Privilege ............................................................................................................. 5

Skills and Knowledge ......................................................................................... 5

Audit Program Development ....................................................................................... 6

Board of Directors and Committees ................................................................... 6

Management ...................................................................................................... 8

External Business Relationships ...................................................................... 10

Appendix A – Types of Executive Compensation and Benefits .................................. 12

www.theiia.org/guidance / B
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Introduction are several specific risks internal auditors should consid-

er, including employment market, compliance, financial
Executive compensation and benefits (ECB) programs reporting, reputation, operating, and external business
have risks that require effective board governance (direc- relationship risks. ECB programs also are subject to fraud
tion and oversight) and management (development, mon- risk.
itoring, and administration) processes. Internal auditors
have an important role in providing assurance that ap- Due to the sensitive nature of this area, internal auditing
propriate and effective controls are in place around ECB must have an appropriate audit approach and access to
programs. the necessary information. While there can be obstacles
to obtaining this information, internal audit needs to
Auditing the structure and operation of ECB programs is proceed in accordance with its charter.
a legitimate and appropriate role for internal auditing. If a
risk assessment indicates a review is warranted, the chief The audit scope could include a focus on the board, man-
audit executive (CAE) should add ECB to the audit plan, agement, and extended business relationships.1 There are
which the board will review and approve. Internal audit- a number of unique aspects in audits of each of these
ing will choose the audit approach and design risk-based areas of focus which should be considered before per-
audit procedures. forming audit work.

This practice guide is not intended to address all the con-

siderations necessary for performing an audit of ECB.
Definition and Structure
It provides discussions relating to such an audit and in- Compensation and benefits are the aggregate of various
cludes several considerations that may be relevant to an payments, reimbursements, and personal use of assets
organization’s business activities or risk profile. that are a benefit to the employee and a cost to the organi-
zation. The cost can be direct costs for the benefits, or in-
The International Professional Practices Framework’s cremental costs, such as administration. The components
(IPPF’s) International Standards for the Professional Prac- of ECB vary among organizations; significant differences
tice of Internal Auditing (Standards) include attribute and may exist among organization types (publicly or privately
performance standards pertaining to activities of internal held, government, not-for profit, etc.) sizes, and locations.
audit, including audits of ECB programs. This practice Components of ECB include salary, bonuses, perquisites
guide assumes conformance with the standards for all au- (fringe benefits), equities, and some reimbursable busi-
dit work and discusses how the execution of such audit ness expenses. For additional discussion and examples,
work could be performed. refer to Appendix A.

Executive Summary Boards2 review and approve compensation strategies to

attract and retain appropriate leadership for the organi-
Strong governance systems are needed for ECB pro- zation, while managing stakeholder expectations for cost
grams, as management often is in the position of both de- management and alignment of compensation with the or-
signing and recommending its own compensation. There ganization’s performance.

1
External business relationships include suppliers, customers, and partners. For more guidance, refer to the IIA Practice Guide “Auditing External Business Relationships.”
2
A board is a governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees or a non-profit organization, or any other
designated body of the organization. For this guide, board may also refer to committees of the board.

www.theiia.org/guidance / 1
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Management is often in the position of designing and rec- • It fails to design controls.
ommending its own compensation programs, as well as • The processes for gathering and reporting regulatory
board compensation programs. Strong board governance required ECB data is not reliable (accurate, com-
systems are needed to manage the inherent conflict of in- plete, timely, etc.).
terest and potential for collusion.
• Management intentionally or unwittingly designs
processes that fail to apply regulations appropriately,
Many organizations outsource compensation and benefit
such as employment benefits, income tax regula-
services, such as pensions, medical and insurance ben-
tions, or accounting standards.
efits, financial and tax planning services, recruitment, and
outplacement. Some may outsource processing functions, The organization may fail to comply with its policies and
such as payroll and accounting. Outsourcing adds ad- procedures if:
ditional complexity and risk over monitoring of controls • Executives make illegal or unethical decisions to gen-
and creates a challenge when trying to understand the full erate more personal benefits than those approved.
spectrum of controls in place.
• The board fails to act responsibly in meeting its
governance role.
Risks • The organization may fail to comply with contractual
ECB exposes organizations to several risks. The board and or other legal obligations if:
management have ultimate responsibility for assessing • It does not generate sufficient resources to pay
and managing these risks. for agreed-upon severance and post-retirement
benefits, or if such resources are not appropriately
The CAE should understand and assess these risks to de- safeguarded.
termine the need for an audit and for planning, scoping, • Processes are not designed to manage customer
and resourcing. Some of the risks identified herein may or joint venture billing requirements. For ex-
cover more than one risk category, and many are also eth- ample, some contracts may stipulate what types
ics/fraud risks.3 or percentages of compensation and benefits are
chargeable, and such terms and conditions may
Employment Market Risk differ among customers and partners.
If the ECB is not competitive in the employment market,
the organization may fail to attract or retain individuals Financial Reporting Risk
with the necessary and desired qualifications to fill key The organization may:
roles. The organization could fail to achieve its goals and
objectives due to weak leadership. • Misclassify or hide over-generous, illegal, or unethi-
cal ECB, which could also lead to failure to disclose
Compliance Risk (compliance risk).
The organization may fail to comply with laws and regula- • Misclassify or misreport financial or operating data
tions if: to create the illusion that goals were reached (to
qualify for bonus payments or to improve/retain the
• It does not know or understand the applicable laws market value of equities, for example).
and regulations. • Report incorrect valuations or inappropriate es-
For more information, refer to the IIA publication “Managing the Business Risk of Fraud, a Practical Guide.” The document also discusses governance and audit procedures relevant to
3

this topic.

www.theiia.org/guidance / 2
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

timates and accruals due to poor accounting and poorly designed and fails to motivate executives.
disclosure controls. • Fail to optimize costs (and meet shareholder expec-
tations) if the ECB is not linked to organizational
Reputation Risk performance, both short and long term. However,
The organization may: linking excessive portions of compensation to per-
• Create internal morale issues if executives are eli- formance may encourage fraud or other illegal or
gible for inequitable or unreasonable ECB. unethical behavior. An excessive portion of com-
• Fail to effectively develop, communicate, and de- pensation linked to short-term performance targets
fend the ECB strategies, exposing the organization increases this risk.
to challenges by shareholders, employees, media, • Fail to optimize costs if the full financial impact is
government, and other stakeholders. Stakeholders not considered when developing ECB strategies. For
value transparency and organizations that accept example, some benefits may be attractive to execu-
accountability for their decisions. An organization’s tives but may not be deductible expenses when
reputation can be negatively impacted if stakeholders calculating the organization’s income taxes, or may
perceive the ECB programs are rewarding failure or not be recoverable as part of ‘overhead rates’ from
socially unacceptable behavior, especially when the customers. Increases to ECB in response to tight
organization is government funded or not-for-profit. employment markets may also not be removable
The organization should screen its strategies and once market conditions improve.
communications periodically to consider social and • Encourage behavior that is inconsistent with the in-
economic factors. terests of relevant stakeholders (e.g., bonus practices
may reward excessive risk taking or, alternatively,
Operating Risk create a culture that does not innovate).
The organization may:
• Introduce a high opportunity for error or fraud External Business Relationships
through the design of complex ECB programs. ECB The organization may fail to:
programs may have high inherent risk where they • Adequately provide for control requirements in
involve many systems and departments, in-house and contracts with outsourced service providers, such as
third party administrators, and/or are highly regu- those that process payroll, pensions, etc.
lated. A complex legal structure in the organization is
often associated with a more complex EC structure • Monitor controls over information administered by
which increases inherent risk of error. outsourced service providers.

• Fail to design appropriate governance processes and

internal controls, resulting in inadequate feedback
and oversight to improve processes, inadequate Audit Approach
controls over inherent conflicts of interest in board
compensation and executive compensation, or pres- The CAE’s decision to perform an audit, the approach,
sures leading to management override of controls. scope, and sample size, should be based on a risk assess-
ment of the subject, including the inherent risk of the pro-
• Fail to achieve its goals and objectives if the ECB is
cesses and potential consequences.

www.theiia.org/guidance / 3
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Internal auditing should determine whether ECB will assessed and subject to separate audits.5 Internal auditing
be scoped as one audit or a series of audits. The audit(s) should consider the results of these audits when planning
could be further refined into reviews at subsidiary or divi- the ECB audit program. If these functions are not audited
sion levels; reviews of board compensation and benefits independently, additional testing may need to be done, in-
and executive compensation and benefits; and reviews of cluding testing of relevant general information technology
processes administered by the organization and those ad- (IT) and application controls.
ministered by outsourced service providers.
In some organizations, the board or management requests
If internal auditing typically conducts audits of depart- that internal auditing conduct specific tests on ECB re-
ments rather than processes or subjects, proposing an lated issues, such as an annual audit of executive expense
ECB audit would be different from the usual approach accounts. With the knowledge gained from a risk assess-
because it crosses departments and requires the coopera- ment or ECB audit, the CAE could consider approaching
tion of many department heads. The CAE could choose the board with a plan that would replace the annual audit
to break down the subject into departments, such as hu- with a higher risk process, expand on the audit, or rotate
man resources (HR), payroll, legal, accounts payable, two or three key processes, to optimize risk assurance and
etc., so that each audit would cover the issues required audit resources
to ultimately form an opinion at the macro level.4 Audit
recommendations may also require the involvement of The CAE also could approach an evaluation of ECB as a
many departments and, if significant, may require CEO consulting engagement, e.g., as a proactive review of ECB
acceptance. The CAE should anticipate challenges and to identify whether there are any issues that may be con-
consider this deviation from the norm in the audit plan. trol weaknesses, embarrassing, or controversial. Because
ECB issues are often sensitive and developed at a senior
There might be some concern from members of manage- level, facilitating a control self-assessment by manage-
ment or the board if internal auditing will be evaluating ment is not an optimum approach.
board governance of ECB and it has never audited board
processes before. However, board governance is a signifi- Auditing Board Compensation and Benefits
cant control factor in ECB and usually is included in the Management may develop recommendations for board
audit scope. The CAE may choose to conduct two audits, compensation and benefit programs, creating an oppor-
one of the board processes and one of management pro- tunity for collusion or conflict of interest in board com-
cesses, before forming an opinion. Another approach is to pensation. The CAE determines whether to include board
review the board processes as a consulting engagement compensation and benefits in the audit scope, and wheth-
rather than as an audit. er to test for board member use of assets and receipt of
payments. This determination should be consistent with
Generally, an audit of ECB is a subset of the employee the charter of the internal audit activity. If the audit scope
compensation and benefit programs audit and is not a includes the board, audit tests could include board mem-
comprehensive audit of all the systems used to admin- ber names wherever the considerations included in the
ister and account for ECB. This guide assumes that the Audit Program Development section of this guide men-
payroll, accounts payable, banking, etc. functions are risk tion “executives and their families.”

For more information on forming opinions, refer to the IIA Practice Guide “Formulating and Expressing Internal Audit Opinions.”
4

The results of those audits may impact the reliability of the data used in an audit of ECB.
5

www.theiia.org/guidance / 4
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

If management applies pressure to internal auditing re- Regardless of executive and board support, auditors may
garding the audit work program and results, the CAE can encounter some resistance from personnel in the HR or
seek support from the board. payroll functions. Part of their responsibility is to ensure
confidentiality and they may try to restrict the auditors.
Auditing External Business Relationships Their level of concern is usually greater when dealing with
If internal auditing has never audited external business information about executives or pending program changes
relationships, and the risk assessment indicates that an that have not yet been approved or announced. Auditors
audit is warranted, the CAE needs to determine whether need not be intimidated or frustrated by this issue, rath-
the organization has the right to audit under the contract er they should be aware of, and respect, these concerns,
and ensure that an appropriate audit reporting process is while still getting the job done. Auditors can help these
developed.6 personnel understand the internal audit activity, the scope
of access, the auditor’s professionalism, and how the in-
Audit Considerations formation will be used and protected. Being responsive
to concerns may help reduce conflict and may require
Executive and board compensation is often subject to being innovative in the audit approach or practices. For
public disclosure requirements, accounting standards, example, the audit team might use senior level staff, such
and external auditing. This should be factored into the as audit managers, to perform some of the more sensitive
nature of work performed. For example, the external audi- tests, such as review of board materials.
tors may have reviewed the completeness and accuracy of
reported benefits but not reviewed the controls for ensur- Privilege
ing appropriateness of those benefits. In some countries, certain organizations have the right to
invoke privileged communication between the organiza-
If the board has not approved an audit of ECB as part of tion and its legal counsel. Management or the board might
the annual audit plan, the CAE should obtain such ap- invoke this right, and the CAE may be directed to conduct
provals and buy-in to the scope before beginning. This the audit and communicate results in conformance with
action provides the CAE with the support necessary for legal requirements. To comply, the CAE must understand
such a sensitive topic and reduces impediments to the au- how legal privilege applies to the organization and to in-
dit process. ternal audit work.

Access to Information The CAE should consider the liability risk associated with
If there is no internal audit charter, or if the charter is not the audit, such as when an audit is initiated in conjunc-
clear about access to records, facilities, and personnel, the tion with a fraud investigation. The CAE should consult
CAE could use some of the risk, control, and governance with legal counsel before beginning such an audit, as this
factors identified in this guidance to convince the board situation may be cause for invoking privilege.
and management of the value of such an audit and to gain
cooperation regarding full access.7 The CAE may request Skills and Knowledge
that the chairman of the board and the CEO issue a mem- Due to the sensitive nature of ECB, and the senior level
orandum to the relevant board members and department personnel involved, auditors should be discreet, tactful,
heads stating their support for the audit and encouraging and confident. Generally a more experienced, senior-level
cooperation from all parties. auditor is part of the team.
For more information, refer to IIA guidance “Auditing External Business Relationships.”
6

Refer to the International Professional Practices Framework Standards and Practice Advisories relating to key elements of an internal audit charter to effectively establish or modify a
7

charter for your organization.

www.theiia.org/guidance / 5
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

ECB transactions in most organizations are recorded in • Is there enough information provided, with
electronic systems applications. Extracting and analyzing enough time to deliberate and ask questions be-
data and crosschecking between databases usually require fore making decisions? Is the information com-
the audit team to have IT skills and to use computer-as- plete and accurate?
sisted audit techniques. • Are the board members qualified, and do they
have independent,8 qualified advisers to help
Audit Program Development them make appropriate ECB decisions?
• Is the board seeing the full scope of ECB, or just
This section includes various concepts, potential tests,
a few elements (such as base salary and annual
and questions to help auditors create an audit program. It
cash incentive awards, without considering long-
is not a comprehensive list, nor should all of these consid-
term equity awards)?
erations be tested. As always, the risk assessment should
lead to development of an appropriate program. • Is the information system used for gathering and
summarizing information reliable?
Board of Directors and Committees • Are the organization’s programs benchmarked?
A critical board role related to ECB is to balance the in- Are the appropriate industries/competitors select-
terests of shareholders (risk management and fiduciary ed for benchmarking? Is benchmarking causing
responsibility) with those of management (who desire to unintended consequences such as a bidding war
be paid well commensurate with work performed). The or “competition of egos”?
board needs to approve a strategy that balances short- and
• Does the board understand the organization’s
long-term goals and attracts, retains, and motivates people
required disclosures and disclosure controls, and
to achieve those goals in an ethical culture. The board
does it approve disclosure of ECB?
is also responsible for managing the other ECB risks rel-
evant to the organization and managing the expectations • Does the board review and approve all relevant
of other stakeholders. aspects of the pension, profit sharing, and simi-
lar funds (e.g., fund managers, fund investment
The conflict of interest risk in ECB warrants board re- strategies, audits, disclosures, and valuations)?
sponsibility for risk assessment, approval, and monitoring. • Does the board receive and discuss results of
Most organizations use a board committee — the com- ECB audits by regulators or customers? Is the
pensation or HR committee — to perform this role. Many board reacting appropriately to such information?
organizations structure such a committee to be indepen-
dent from management, with the right to retain outside • Is there evidence of approvals for new ECB
advisers (legal or subject matter experts) to assist in evalu- programs and for material changes? Are board
ating strategies and programs. approvals made in compliance with bylaws and
granted authorities?
When designing audit procedures appropriate for the or- • How are board compensation and benefits de-
ganization and scope, there are several considerations. termined? Are independent and qualified advis-
ers used? Are board compensation and benefits
1. Board and committee terms of reference, minutes, programs benchmarked? Are they aligned with
agendas and information packages relevant to ECB. performance results?

Consider the volume, value, and types of other consulting work done for the organization by the advisory firm when evaluating the adviser’s independence.
8

www.theiia.org/guidance / 6
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

2. Board self-assessment surveys and results (consider- • Has the board articulated its ECB strategies and
ing the impact of the responses in relation to ECB objectives? Are the strategies designed to motivate
governance). appropriate behaviors? Is the board monitoring
results? Would the strategies be deemed appropri-
• Is the board satisfied with its processes? With
ate by media, the public, or other stakeholders?
management information? With its indepen-
dence? With its use of external advisers? • How does the board deal with special circum-
stances? For example, if share market price is
3. Board performance evaluations of the CEO and
an element of the bonus program, it is generally
other executives.
assumed that management can impact the value
• Is it a reasonable process, and is it done fre- of the organization, and therefore the share price.
quently enough? Is there a balance of short- and But is the bonus program re-evaluated when
long-term objectives? Are the compensation and significant market swings occur (either up or
benefit awards aligned with organizational and down) that management cannot influence? Does
individual performance? Are all appropriate per- the ECB consider change of control (mergers and
formance criteria included? acquisitions, majority ownership, or significant
change in board membership)?
• Is the board reviewing the performance evalua-
tions and subsequent compensation and benefits • What is the strategy related to post-employment
that the CEO awards to his or her subordinates? benefits and severance (e.g., golden handshakes
or golden parachutes)?
4. Key employee retention plans.
• Does the ECB strategy balance the tangible
• Is the board considering the impact of ECB on (money, assets) with the intangible (culture, op-
key employees identified in the retention and suc- portunities, monitoring, status, mission) to attract
cession plans? and retain appropriate personnel?
5. Employment contracts and termination agreements. • Is the board aware of, and satisfied with, how
much HR and payroll costs (direct and adminis-
• Has the board signed any employment contracts
trative) are expended on behalf of executives and
with the CEO or other executives? Did the board
how much for other employees?
obtain independent legal counsel?
• What is the strategy for offering allowances,
• Have the terms and conditions been integrated
rather than reimbursement of expenses? Is it
into the board’s risk discussions? Have they been
reasonable and cost-effective?
disclosed appropriately? Have they been account-
ed for appropriately? • How does ECB fit into the organization’s risk as-
sessment, and what controls have been adopted
• Does the board review employment contracts
to ensure success?
signed by the CEO for other executive positions?
Along with reviewing documents, the internal auditors
• Do termination agreements appear to reward
can gather information by surveying the board and com-
failure (e.g., severance paid to “keep quiet” or
mittee members and/or interviewing them.
bonuses paid when results are poor)?
6. ECB strategies and objectives.

www.theiia.org/guidance / 7
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Management • Do they cover post-retirement ECB (e.g., medical

There are a significant number of management responsi- and pensions)?
bilities involved in developing, administering, and moni- 2. Payroll.
toring executive compensation, so reasonable attention
is required when planning and scoping the audit. For ex- • Are the salary and benefits complete and accurate
ample, a simple objective, such as “Is the organization in (e.g., approved programs and increases/awards)?
compliance with disclosure regulations?” requires review • Are classifications, computations, withholding,
of many systems, such as payroll, accounts payable, cost remittances, and filings compliant with regulatory
center accounts, board processes, contracts, and regula- and contractual requirements?
tory filings and may extend beyond the organization into
• Do IT controls prevent unauthorized changes?
external business relationships.
3. Accounts Payable.
Internal auditors need to evaluate their organization,
• Are expense accounts in compliance with com-
regulated compensation and benefits for their operating
pany policies, regulatory requirement, and con-
locations, and employment contracts for examples of po-
tractual obligations?
tential ECB to be scoped into their audit programs. Any
departments that could pay, reimburse, or pay suppliers • Can the vendor master be compared with the
on behalf of executives and their families, as well as those check register for payments made to executives or
departments that manage company assets, might be in- their family members (e.g., address matching)?
cluded in the scope. • Do IT controls prevent unauthorized changes?

There are several considerations when designing audit • Are expense accounts of executive assistants
procedures appropriate for the organization. unreasonable, or are the executive’s expenses
claimed by the assistant and approved by the
1. Compensation policies and procedures. executive?
• Can accounts payable and treasury records be
• Have they been approved by the board? Have crosschecked with addresses from HR for pay-
they changed, and are the changes significant? ments sent to executives or their family (for ac-
Are they aligned with other board and manage- tive, retired, and terminated employees)?
ment strategies? Are all compensation programs
aligned within the organization, consistently re- • Can the “ship to” addresses from purchase orders
warding or penalizing similar behavior or actions? be crosschecked with employee addresses?

• Are they administered effectively and applied 4. Corporate treasurer or finance function.
consistently and fairly by managers? • Are cash advances or petty cash reimbursements
• Are proportions of short- and long-term, fixed and to executives or family members used appro-
variable (at risk), legally required benefits versus priately? Are advances cleared appropriately, in
optional, cash/non-cash reasonable? Are they compliance with policies and procedures?
competitive in the market? Are they consistent • Have wire transfers to executives, their families,
with industry standards? and organizations commonly known to supply

www.theiia.org/guidance / 8
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

perquisites (e.g., for vehicle repairs, golf or enter- Year,” news clippings regarding ECB, etc.?
tainment facilities, clubs, transportation, and gift • Do payments from executive programs appear to
shops) been accounted for appropriately? reward failure —for example, a bonus paid to an
• Have share transfers to executives and family executive for achieving targets through significant
members been controlled appropriately? Are lay-offs or facility shutdowns? This action could
regulations affecting securities trading complied lead to public outrage if the perception is that
with (e.g., trading bans and blackout periods)? Do the executive’s income is more important than
compensation or benefits that are paid as shares, the employees’ incomes. Other examples include
rights, warrants, or options (related to company significant payments to executives who are termi-
stock) require strong controls to ensure valuation, nated for failure to perform (golden parachutes)
accounting, disclosure, and taxation are handled or to encourage an executive to “go quietly.”
appropriately? 8. Employment contracts, including termination and
• Do payments made to the organization by execu- loan agreements.
tives indicate undocumented loans or reimburse-
ment for personal use of the organization’s credit • Are employee loans legal? If so, are there any
card? regulatory restrictions that apply to loans?

5. Audit results and action plans. • Are the loans given at market interest rates, or
below? Are repayment terms reasonable, and are
• By regulators, such as government tax authorities they being met? Is there collateral/security for the
or securities exchanges. loan? Check for loan write-offs or loan forgive-
• By customers, who may have the contractual right ness.
to audit direct costs or rates charged. • Are key executives entitled to any of their em-
• By external auditors for compliance with account- ployer’s products or services free of charge or
ing standards, disclosure requirements, and ethics at a discounted rate? If so, is this appropriately
or risk management issues. recorded and approved?

• Does management’s strategy appear to be “We’ll 9. Turnover statistics, exit interviews.

do it this way until we get caught”? Are internal • Do results indicate ongoing or pending issues?
control weaknesses addressed timely and appro- The auditor may expand the audit program based
priately? on these results.
6. Market surveys, employee satisfaction surveys, and • Have these results been reviewed with the board
benchmarks. and executive management?
• Do results indicate ongoing or pending issues? 10. The administrative cost center charges for execu-
Have they been reviewed with the board and tives/administrative assistants.
executive management?
• Are there charges paid directly to vendors where
7. Public perception. the executive benefits? These could include
• Does the company receive recognition, such as charges for clubs, travel, gifts, and entertainment.
“Top 10 Companies to Work For,” “CEO of the If so, have the charges been approved and report-
ed/classified appropriately?

www.theiia.org/guidance / 9
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

11. Facilities and equipment. department than the general employee benefit
payment system handles the executive payment/
• Can use of the organization’s assets by the execu-
reimbursement process (e.g., one reimbursement
tive and his or her family provide useful informa-
processed through payroll and another through ac-
tion to evaluate potential ECB (e.g., by checking
counts payable). Take for example reimbursement
logs and manifests)? Assets to consider include
of employees at a specific rate for each mile/kilo-
company vehicles (e.g., planes, trains, automo-
meter driven (to cover operating and capital costs)
biles, trucks, boats, snowmobiles, and jet skis),
when the executive is also provided with a vehicle
housing (e.g., homes, apartments, resorts, cabins,
or vehicle allowance.
trailers, hotels, and camps), dining and entertain-
ment facilities (e.g., cafeteria, catering contracts, 15. Employment taxes.
restaurants, meeting rooms, theatres, and audito-
• Are benefits handled via accounts payable or simi-
riums), and computers and telecommunications
lar, non-payroll functions?
(e.g., laptops, blackberry devices, phones, printers,
photocopiers, cameras, and software). • Are specified benefits taxable in one jurisdiction
(country, state, or province, etc.), but not taxable
• Are some of the assets located in personal resi-
in another? If so, is the organization treating the
dences?
benefits appropriately on tax returns and financial
12. Financial reporting. statements?
• Are accounting and financial reporting correct? For 16. Metrics Used for Calculation of Compensation.
example, are costs in the right accounts, cut-offs
• Are compensation amounts based, at least in part,
appropriate, accruals, estimates and valuations
on specified metrics? If so, are metrics easily verifi-
appropriately applied to transactions, commit-
able (e.g., based on public external data such as
ments, and agreements? Are significant variances
stock price or revenue growth) or dependent on
explained?
internal data which is not as easily verified?
13. Public and Regulatory filings (ECB related, such as
17. Override of ECB controls.
disclosures and taxes).
• Is it possible for management to override con-
• Are they complete, accurate, and timely?
trols in ECB, including IT controls? For example,
• Are descriptions of ECB elements clear and un- executives could apply pressure on clerical staff or
derstandable, providing the right level of transpar- their administrative assistants.
ency?
• Are ECB amounts accurately presented, derived
External Business Relationships9
from processes with sufficient internal controls?
Many organizations outsource compensation and ben-
14. Double dipping. efit services as well as payroll and accounting services. If
vendor audits have been scoped into the audit plan, some
• Is it possible for an executive to be reimbursed
of the previous review considerations may need to be
twice for some expense? The risk of double
performed.
dipping is greater when a different system or

For more information, refer to the IIA Practice Guide “Auditing External Business Relationships.”
9

www.theiia.org/guidance / 10
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Reputation risk is often based on association with, deemed vendor’s customer.

influence over, or deemed agreement with ECB policies of External organizations may restrict access to certain pro-
business partners. For example, an executive may receive cesses or information. Internal auditing may need to use
remuneration as an officer of a related organization. If joint an independent third party to perform all or part of the
venture or partnership arrangements are included in the audit and provide assurance.
scope, consider designing your audit program with the fol-
lowing considerations.

Within your organization:

• Do contracts include a “right to audit clause” and

requirements for confidentiality? Have they been ap-
proved appropriately?
• What are the criteria for selecting vendors and were
they followed? How is vendor performance measured
and reported?
• What proportion of the vendor fees are related to
serving executives versus other employees?
• How are vendor controls monitored by the contract
or program manager?

Within the service provider’s organization:

• Are there adequate IT controls to protect the organi-

zation’s information? Attestation standards from pub-
lic or regulatory audit standard setters are a source of
information.
• Are distributions to executives accurate and com-
plete? Are they compliant with policy? How are
changes authorized?
• Is there evidence of the organization’s entertainment
of executives (vendor expense accounts and promo-
tional activities such as golf tournaments, fishing
or resort trips, and gifts)? Is it consistent with both
organizations’ policies?
• Is there evidence of possible conflict of interest with
the vendor’s customer list? For example, a board
member works for an organization that is also the

www.theiia.org/guidance / 11
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Appendix A – performance. Awards may be paid as a fixed amount or a

percentage of salary, and may be paid in currency, shares,

Types of Executive gift cards, property, or services (e.g., vacations, cars,

jewelry, and spa treatments).
Compensation and Benefits Bonus: Remuneration paid for achieving a specific goal.
There are many compensation and benefit types, but those Bonuses may be structured for short- or long-term perfor-
discussed herein are generally unique to executives, or mance of the organization, department, or individual. Bo-
where executives receive enhanced programs and payouts nuses are generally paid once, then must be earned again.
compared with other employees. Bonuses may be paid as a fixed amount or a percentage of
salary, and may be paid in currency, shares, stock options,
To determine which ECB programs to include in the scope property, or services (e.g., vacations, cars, jewelry, and spa
of an audit, auditors should consider the unique aspects of treatments). Bonuses based on organization goals may be
the ECBs of the organization, employment contracts, regu- referred to as profit sharing, gain-sharing, “tantieme”, or in-
lated compensation, and complexity of the organization. centive plans. Gain sharing is a program that returns cost
savings to the employees, usually as a lump-sum bonus.
Family members also may obtain benefits that are attribut- It is a productivity measure, as opposed to profit sharing,
able to the executive. Some benefits are considered tax- which is a profitability measure.
able income for the recipient and some are not deductible
by the organization for tax purposes (varies based on legal Commission: Pre-established remuneration paid for
jurisdiction). Some compensation and benefits are legally achieving specific sales (per piece, volume, or value based)
mandated, while others are discretionary (varies based on or a marketing service goal (e.g., referrals to new customers
legal jurisdiction), and some forms of benefits may be con- or entry into new markets).
sidered illegal in some jurisdictions.
Pension: A fixed or variable rate of remuneration paid
If the organization offers any ECB programs to contractors, periodically to a former, qualified employee (or his or her
the internal auditor should consider the potential legal and beneficiary) who has reached a specific retirement age or
ethical impacts. is deceased. Pension plans are often defined benefit plans
or defined contribution plans and are highly regulated in
Compensation many countries. Employees may receive pension payments
Allowance: Fixed payments paid periodically to reason- from both their employers and from governments. Pen-
ably approximate the employee’s costs for a particular type sion plans may be combined with insurance schemes in
of expense (e.g., car, housing, and clothing allowances). superannuation plans or provident funds for the welfare
Once received, employees may use the money as they of the employee. Executives generally have enhanced pen-
choose. sion plans that exceed the standard for other employees. A
company may offer various types of retirement plans (e.g.,
Awards:10 Similar to a bonus, but most often used to re- qualified for preferential tax treatment or non deferred
ward individual goal achievement (e.g., safety milestones benefit plans) and all should be reviewed for benefits due
or years of service) or for unexpected or extraordinary an executive.

In Australia, an award is a pay scale related to an industrial agreement (union led); however, in many international organizations, an award is as described in this appendix.
10

www.theiia.org/guidance / 12
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Perquisites: Benefits (often called fringe benefits) offered Financial and Retirement Planning: An allowance or
at the employer’s discretion, rather than benefits required service that assists the employee in creating and managing
by law. Examples of perquisites include company cars or a personal financial plan and budget. Accounting and tax
car allowances, parking, airline lounge memberships, and preparation services, as well as advising on investment and
use of corporate jets. Perqs (colloquial term) are often se- tax strategies, also may be included.
niority based and may also include the “right of first refusal”
for event tickets, job openings, conference attendance, etc. Gifts: Gifts can include currency (e.g., cash or gift cards
for retail outlets), shares, property, or services (e.g., vaca-
Severance: Remuneration made to an employee upon tions, cars, jewelry, and spa treatments) given to employ-
termination from the organization. Severance can take the ees. When business property that is regularly used by the
form of a lump sum payment or may be paid out over a employee is given to the employee upon termination, this
specified period. Severance may be paid as a fixed value or is considered a gift (e.g. office furniture, phone, computer,
a percentage of salary, and may be paid in currency, shares, and tools).
property, or services (e.g., health-care benefits, outplace-
ment services, cars, jewelry, club memberships, and access Health Examination Allowance: An allowance typically
to employee discounts). Severance is generally determined up to a certain value for a periodic health examination.
by laws and company policy, which is influenced by case
law (from court rulings on cases of challenges to sever- Insurance: Payment for all, or a portion of, premiums for
ance pay). Executive severance that has been pre-agreed life and disability insurance, medical and dental care, un-
in an employment contract is often referred to as a golden employment insurance, home and car insurance, etc. The
handshake or a golden parachute. Severance may also be organization may also choose to self-insure and pay directly
referred to as a gratuity payment. Executives generally re- for any of these types of losses, or they may reimburse em-
ceive enhanced severance programs compared with other ployees for all or a portion of insurance coverage or deduct-
employees. ibles.

Benefits Loans: No- or low-interest loans to employees for reloca-

Athletic or Cultural Facility Seats: The purchase of tion, purchase of company shares, purchase of home com-
seats or facilities (boxes) in sports arenas or performing arts puters, etc.
centers with the intent to use the tickets for entertaining
customers and as employee rewards. Personal use of the Outplacement: Services provided to assist terminated
tickets by executives, directors, and employees is consid- employees in preparing for and finding employment else-
ered a benefit. where.

Athletic, Cultural, Dining, and Travel Club Mem- Personal Use: Free, personal use of company facilities or
berships: Reimbursing or paying directly for employee equipment, such as housing, dining rooms, hotels, resorts,
(and/or family) memberships in health clubs (e.g., gyms, computer and communication technology, recreational ve-
spas, pools), sports clubs (e.g., golf or tennis), entertain- hicles (e.g., snowmobiles, jet skis, yachts), theaters, and
ment clubs (e.g., gambling, dining and dancing), and air- cameras. Free personal use of the organization’s services
line lounges as benefits. is also a benefit, including beauty treatments, professional
services, facility and equipment maintenance, decorating,
delivery, and use of staff to help with a personal activity.

www.theiia.org/guidance / 13
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Relocation: Covers the costs associated with transferring • Public transit passes or tickets.
an employee to a new location. Benefits are often derived • Transportation from home to work (e.g., by bus).
from the types of costs covered by the relocation program.
• Use of the company airplane, train, or boat.
For example, allowances may be paid for miscellaneous
costs, loans to purchase houses, signing bonuses, remote • Purchase of airline tickets or vacation packages.
location allowances, storage of personal effects that re- • Frequent flyer points from trips taken for business
main behind, tax and financial planning services, pass- purposes, if the employee is able to use the points for
ports, language training, guarantees of spousal income or personal travel.
spousal placement services, guaranteed paid trips to alter-
Taxes: When the organization pays the employment/in-
nate locations (e.g., family visits), tuition fees and school
come taxes on behalf of the employee, by paying the gov-
searches for children, maintenance of recreation property,
ernment directly, by reimbursing the employee, or by in-
and paid leave for moving.
creasing bonus payments to cover the estimated cost of
taxes.
Savings and Investment: Programs that facilitate and
administer employee savings. Many organizations choose
to contribute to such investments.

Security Services: Usually provided as a result of threat

assessments and risk management programs, but they also
may have a personal benefit associated with them. Ex-
amples of security services include personal bodyguards,
alarm systems or patrols in the homes of executives, home
safes or panic rooms, and self-defense training. Security
Services may also be known as Executive Protection Pro-
grams.

Transportation: Transportation available to employ-

ees, and/or their families, for personal use (i.e., no busi-
ness purpose can be rationalized, or the transportation is
deemed as personal by regulations). Benefits take many
forms, including:

• Allowances.
• A vehicle — where the organization purchases or
leases a car, truck, etc. A process for reimbursement
of operating expenses often accompanies this benefit.
• A vehicle and chauffer.
• Parking.
• Airline lounge memberships.

www.theiia.org/guidance / 14
 IPPF – Practice Guide
Auditing Executive Compensation and Benefits

Authors:
• Lynn C. Morley, CIA

Reviewers and Contributors

• Abraham D. Akresh
• Douglas J. Anderson, CIA
• David F. Bentley
• Steven E. Jameson, CIA, CCSA, CFSA
• Norman D. Marks
• James A. Rose, III, CIA

www.theiia.org/guidance / 15
About the Institute Disclaimer
Established in 1941, The Institute of Internal The IIA publishes this document for information-
Auditors (IIA) is an international professional as- al and educational purposes. This guidance mate-
sociation with global headquarters in Altamonte rial is not intended to provide definitive answers
Springs, Fla., USA. The IIA is the internal audit to specific individual circumstances and as such
profession’s global voice, recognized authority, ac- is only intended to be used as a guide. The IIA
knowledged leader, chief advocate, and principal recommends that you always seek independent
educator. expert advice relating directly to any specific situ-
ation. The IIA accepts no responsibility for any-
About Practice Guides one placing sole reliance on this guidance.
Practice Guides embody an IIA statement to as-
sist a wide range of interested parties, including Copyright
those not in the internal audit profession, in un- The copyright of this practice guide is held by The
derstanding significant governance, risk, or con- IIA. For permission to reproduce, please contact
trol issues and in delineating the related roles and The IIA at [email protected].
responsibilities of internal auditors on a signifi-
cant issue. Practice Guides are part of The IIA’s
International Professional Practices Framework.
As part of the Strongly Recommended category
of guidance, compliance is not mandatory, but
it is strongly recommended and the guidance is
endorsed by The IIA through formal review and
approval process. For other authoritative guid-
ance materials provided by The IIA please visit
our Web site, www.theiia.org/guidance.

global headquarters T: +1-407-937-1111

247 Maitland Ave. F: +1-407-937-1101
Altamonte Springs, FL 32701 USA W: www.theiia.org