Semi-related to this is that payroll is a risky area for external auditors. Payments are generalyl made to people who the auditors will never meet (thousands of them for big companies, or more) so there's always a risk that those people don't exist and that someone has fraudulently created an employee (as in, someone who is responsible for hiring people creates John Doe, registers him as an employee, paycheques go to the person responsible). As an auditor, couple of techniques to deal with this risk, such as examining employee files, googling person's name, but my favourite, and probably the most effective, is asking non-management if they know who that person is. If Steve in Shipping doesn't know who John Doe is, when he is apparently also in Shipping, is a sign that something fishy is going on.