
The point of payroll security
Payroll Security Audit Australia 2026. Payroll is a target. It holds identity data (TFNs, bank details), it moves money on a schedule, and it generates government filings that must be accurate. If something goes wrong (fraud, an error, or a data leak), you’re suddenly juggling recovery, regulator questions and people who can’t pay rent. The fix isn’t a silver bullet; it’s a small set of controls you run every single pay cycle.
What you’re protecting (and who cares)
There are three assets to defend. First, money in transit, your ABA/Direct Entry files and bank batches. Second, identity and tax data, especially TFNs, which are covered by the Privacy (Tax File Number) Rule 2015 and the Taxation Administration Act (you can’t collect, use, disclose, or keep TFN information outside what tax/super law allows). Third, regulatory filings, notably Single Touch Payroll (STP) Phase 2, where each pay event is an approved form lodgement, with an authorised declarer saying it’s “true and correct.” Treat each of these as a system with clear owners and auditable steps.
The top attack paths (so you can block them)
Start with the boring but real: business email compromise (BEC) and payment redirection. The Australian Cyber Security Centre’s 2023–24 threat trends for businesses show BEC and email compromise are among the top-reported crimes, with almost $84 million in BEC losses and an average loss over $55,000 per confirmed incident. Translation: most “hacks” in payroll look like a convincing email that changes bank details, or a quietly compromised inbox approving a fake supplier change.
On the tech side, attackers win by stealing credentials and bypassing weak admin rights. The ACSC’s Essential Eight remains the baseline: patching, application controls, hardening macros, MFA and backups make it much harder to hijack the systems that feed payroll. It isn’t flashy; it’s effective.
Process first: a maker-checker for money and data
Here’s the simplest change with the biggest payoff: no single person can both create and approve a pay batch or change bank details. Your internet banking already supports importing ABA/Direct Entry files and separate authorisation; use it every time. On CommBiz, for example, uploaded payment files sit in an “Authorisations required” queue; at ANZ you import an ABA file and a separate user approves. If your bank offers a NameCheck-style beneficiary verification, turn it on; it reduces misdirected payments.
Add a call-back rule: any request to change an employee or supplier bank account must be validated via a phone number you already trust, not the contact details in the email. That single habit collapses most BECs. The ACSC’s guidance on protecting against business email compromise is blunt: attackers impersonate trusted senders to alter payment instructions; assume they will try.
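The maker-checker and call-back rules above can be enforced in software rather than left to habit. The following is an added example (not code from the original article or any payroll product) of a gate for bank-detail changes: the change is applied only after a second person has completed a call-back to a phone number that was already on file before the request arrived, and neither the verifier nor the approver may be the person who raised the request. The employee record, user names and phone numbers are constructed.

```python
"""Gate for employee/supplier bank-detail changes: call-back on a known number,
recorded by a second person, approved by someone other than the requester.
Constructed data throughout; not tied to any real HRIS or bank API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional


class ChangeRejected(Exception):
    """Raised when a bank-detail change fails the call-back or two-person rule."""


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    known_phones: FrozenSet[str]   # numbers on file before any change request arrived


@dataclass
class BankChangeRequest:
    emp_id: str
    new_bsb: str
    new_account: str
    raised_by: str                  # user who keyed the request (or forwarded the email)
    raised_at: datetime
    contact_in_request: str = ""    # whatever the request supplied; informational only
    callback_by: Optional[str] = None
    callback_number: Optional[str] = None
    callback_at: Optional[datetime] = None


def record_callback(req, verifier, number_dialled, when, directory):
    """A second person confirms the change by phone, using a number already on file."""
    emp = directory[req.emp_id]
    if verifier == req.raised_by:
        raise ChangeRejected("call-back must be made by someone other than the requester")
    if number_dialled not in emp.known_phones:
        raise ChangeRejected("number dialled is not one already on file; the request's own contact is not trusted")
    if when < req.raised_at:
        raise ChangeRejected("call-back predates the request")
    req.callback_by, req.callback_number, req.callback_at = verifier, number_dialled, when
    return req


def approve_change(req, approver, directory, now, max_age=timedelta(days=2)):
    """Return (bsb, account) to apply, or raise; the approver cannot be the requester."""
    if approver == req.raised_by:
        raise ChangeRejected("requester cannot approve their own change")
    if req.callback_by is None or req.callback_at is None:
        raise ChangeRejected("no validated call-back on record")
    if req.callback_number not in directory[req.emp_id].known_phones:
        raise ChangeRejected("call-back number is no longer on file")
    if now - req.callback_at > max_age:
        raise ChangeRejected("call-back is stale; repeat it before applying")
    return req.new_bsb, req.new_account


def outcome(fn, *args):
    """Run a gate function and return 'applied' or 'rejected: reason' (for the audit log)."""
    try:
        fn(*args)
        return "applied"
    except ChangeRejected as exc:
        return f"rejected: {exc}"


# Constructed data: one employee, one request whose email offers a "new" contact number.
T0 = datetime(2026, 1, 12, 9, 0, tzinfo=timezone.utc)
DIRECTORY: Dict[str, Employee] = {
    "E001": Employee("E001", "A Citizen", frozenset({"+61400000001"})),
}


def at(hours):
    """Timestamp `hours` after the request was raised (keeps the demo deterministic)."""
    return T0 + timedelta(hours=hours)


def new_request():
    return BankChangeRequest("E001", "062-000", "12345678", raised_by="hr.assistant",
                             raised_at=T0, contact_in_request="+61499999999")


if __name__ == "__main__":
    req = new_request()
    print(outcome(record_callback, req, "hr.assistant", "+61400000001", at(1), DIRECTORY))
    print(outcome(record_callback, req, "payroll.lead", "+61499999999", at(1), DIRECTORY))
    print(outcome(record_callback, req, "payroll.lead", "+61400000001", at(1), DIRECTORY))
    print(outcome(approve_change, req, "finance.manager", DIRECTORY, at(3)))
```

The only trusted input is the directory of phone numbers that existed before the request; the contact details carried in the request are stored for the record but never dialled. Sampling the `callback_by`, `callback_number` and `callback_at` fields each month is the evidence for the monthly check described later in this article.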
Lock down the ABA file path
ABA (BECS Direct Entry) files are just text. Easy to edit, easy to swap if you’re careless. Treat the workflow like cash: the payroll system exports the file to a restricted folder, a second person checks totals and random samples, and a bank approver signs it off in online banking. Don’t email ABA files and don’t leave them in chat. AusPay+ explains BECS/Direct Entry’s limitations; you should assume the file itself offers no built-in tamper protection. Your protection is access control and approvals.
Identity and privacy: TFNs are special
TFNs are not just “personal data”; they’re protected by a specific rule. The TFN Rule 2015 and OAIC guidance require you to limit who can access TFN information, keep it secure, and only collect/use/disclose it where tax/super law permits. If TFN information is breached and likely to cause serious harm, you may have to notify under the Notifiable Data Breaches (NDB) scheme as soon as practicable. Payroll, HRIS and email attachments are common weak points; lock them down.
STP Phase 2: why mapping is a security control
STP Phase 2 moved from one “gross” number to disaggregated reporting: paid leave, allowances (by purpose), overtime, bonuses/commissions, directors’ fees and salary sacrifice are all separately reported per income type. That granularity is more than compliance; it’s also anomaly detection. If a “new allowance” quietly appears to hide a fraud, your STP preview should light up. Run the preview every pay and match it to your payslip lines before you lodge.
And remember: each pay event is an approved form lodged to the ATO, so the person hitting “submit” must be authorised to make that declaration. If you use a BAS/tax agent or a managed payroll intermediary, document the STP authorisation to act.
Super is heavier and about to get faster
Two cash-control realities. First, the Superannuation Guarantee is 12% on payments made from 1 July 2025. Second, from 1 July 2026 you’ll be paying SG on payday (a 7-day “due to fund” window), and the ATO’s Small Business Super Clearing House is closing, with no new registrations after 1 October 2025. Practically: you’ll lose the quarterly float, so failed super batches will show up faster and bite harder. Put dual approvals and clearing-house reconciliations on a monthly cadence now.
Records: keep the audit trail for seven years
Fair Work requires time and wages records to be kept 7 years. That’s not just admin: when money goes missing, your ability to prove who changed what and when is how you recover quickly and avoid penalties. Store payslips, time records, approvals and STP packs together for each pay run.
People and permissions: set the floor, then enforce it
You don’t need a CISO to raise the bar. Do four things well:
- MFA everywhere: banking, payroll, HRIS, email. The ACSC treats it as baseline Essential Eight hygiene.
- Least privilege: payroll processors shouldn’t be global admins; bank approvers shouldn’t export ABA files.
- Two-person control: one builds, one approves, every time (ABA files, bank account changes, STP lodgement). Banking platforms already support import/authorise separation; use it.
- A call-back culture for bank changes and unusual payment requests (see BEC guidance).
The runbook you actually need (copy this)
Before each pay
Lock the cut-off for changes. Export the ABA to a restricted folder. A second person verifies headcount, totals and 2–3 random net pays. Compare the STP Phase-2 preview to the draft payslips line by line: allowances, paid leave, overtime and salary sacrifice must match in names and amounts. Only then import the ABA to the bank for separate authorisation.
After each pay (48 hours)
Confirm the bank batch equals net pay; reconcile super accrued vs paid at 12%; file the pay-run summary, STP preview, W1/W2 view and the bank batch receipt with the approver’s name. If your clearing-house gives you confirmation files, attach them; they’re gold when someone asks “did my super land?”
Monthly
Run super ageing (nothing past due), do a deductions ledger check (salary sacrifice destinations are correct), and sample employee bank detail changes for validated call-backs. This is how you catch drift before quarter-end.
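The STP-preview-versus-payslip comparison (from the STP Phase 2 section) and the after-pay reconciliations in this runbook are mechanical enough to script. The following is an added example (not code from the article, the ATO or any payroll vendor) that rolls payslip lines up through a pay-item-to-STP-category mapping, diffs the result against the STP preview so that an unmapped pay item or a category that no payslip line feeds is flagged, checks that the bank batch equals total net pay, and checks super accrued against 12% of ordinary time earnings. The mapping table, category labels, employees and amounts are constructed; the labels are shorthand, not the ATO's reporting codes, and OTE is taken as the payroll system reports it.

```python
"""Pre-lodgement and post-pay checks for one pay run. All amounts are integer
cents. Pay items, the mapping table and every figure are constructed."""
from collections import defaultdict

SG_RATE_BP = 1200   # 12% in basis points; integer maths avoids float rounding

# Payroll pay item -> STP Phase 2 disaggregated category (constructed mapping).
STP_MAPPING = {
    "Ordinary Hours": "Gross",
    "Overtime 1.5x": "Overtime",
    "Laundry Allowance": "Allowance - Laundry",
    "Tool Allowance": "Allowance - Tools",
    "Annual Leave": "Paid Leave - Other",
    "Salary Sacrifice Super": "Salary Sacrifice - Super",
    "Bonus": "Bonuses and Commissions",
}


def expected_stp_lines(payslips, mapping=STP_MAPPING):
    """Roll payslip lines up into the STP categories they should map to.
    Returns ({(employee, category): cents}, [(employee, unmapped pay item)])."""
    expected = defaultdict(int)
    unmapped = []
    for emp, lines in payslips.items():
        for item, cents in lines:
            cat = mapping.get(item)
            if cat is None:
                unmapped.append((emp, item))
                continue
            expected[(emp, cat)] += cents
    return dict(expected), unmapped


def reconcile_stp(payslips, stp_preview, mapping=STP_MAPPING):
    """Compare the STP preview with what the payslips imply; return a list of findings."""
    expected, unmapped = expected_stp_lines(payslips, mapping)
    findings = [f"{emp}: pay item '{item}' has no STP mapping" for emp, item in unmapped]
    for emp, cat in sorted(set(expected) | set(stp_preview)):
        want, got = expected.get((emp, cat)), stp_preview.get((emp, cat))
        if want is None:
            findings.append(f"{emp}: '{cat}' is in the STP preview but no payslip line feeds it")
        elif got is None:
            findings.append(f"{emp}: '{cat}' missing from STP preview (expected {want} cents)")
        elif want != got:
            findings.append(f"{emp}: '{cat}' preview {got} cents != payslip {want} cents")
    return findings


def check_bank_batch(net_pays, batch_total_cents):
    """The bank batch must equal the sum of net pays to the cent."""
    return sum(net_pays.values()) == batch_total_cents


def check_super(ote_cents, super_accrued_cents, rate_bp=SG_RATE_BP):
    """Super accrued must equal rate_bp/10000 of OTE, rounded half-up to the cent.
    Returns (ok, expected_cents)."""
    expected = (ote_cents * rate_bp + 5000) // 10000
    return expected == super_accrued_cents, expected


# Constructed pay run: E002 has a pay item nobody mapped, and the preview shows a
# travel allowance that no payslip line produces.
PAYSLIPS = {
    "E001": [("Ordinary Hours", 380_000), ("Laundry Allowance", 1_500),
             ("Salary Sacrifice Super", 20_000)],
    "E002": [("Ordinary Hours", 400_000), ("Overtime 1.5x", 45_000),
             ("Site Allowance", 12_000)],
}
STP_PREVIEW = {
    ("E001", "Gross"): 380_000,
    ("E001", "Allowance - Laundry"): 1_500,
    ("E001", "Salary Sacrifice - Super"): 20_000,
    ("E002", "Gross"): 400_000,
    ("E002", "Overtime"): 45_000,
    ("E002", "Allowance - Travel"): 12_000,
}
NET_PAYS = {"E001": 295_000, "E002": 310_500}
BANK_BATCH_CENTS = 605_500
OTE_CENTS = 780_000            # ordinary hours only; overtime excluded here
SUPER_ACCRUED_CENTS = 93_600   # 12% of OTE


def run_pay_checks():
    """Run all three checks on the constructed pay run; returns a dict of results."""
    ok_super, expected_super = check_super(OTE_CENTS, SUPER_ACCRUED_CENTS)
    return {
        "stp_findings": reconcile_stp(PAYSLIPS, STP_PREVIEW),
        "bank_batch_ok": check_bank_batch(NET_PAYS, BANK_BATCH_CENTS),
        "super_ok": ok_super,
        "super_expected_cents": expected_super,
    }


if __name__ == "__main__":
    for key, value in run_pay_checks().items():
        print(key, value)
```

The point of diffing in both directions is the one the STP section makes: a category that appears in the preview with nothing feeding it is exactly the "new allowance quietly appears" signal, and an unmapped pay item is the drift that makes disaggregated reporting wrong. Keep the mapping table under change control with the rest of the pay-run pack.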
Incident response: what to do when it’s going wrong
If you suspect BEC, fraud or a leak, act in this order:
1) Stop the loss. Freeze further payments, revoke sessions, reset credentials and turn on enforced MFA if it wasn’t already. Contact your bank immediately; recovery windows on misdirected payments close fast.
2) Call the experts. The ACSC hotline (1300 CYBER1) can guide triage and response and point you to current advisories; larger incidents may need a DFIR firm.
3) Check your legal triggers. If TFN information or other personal info is involved and serious harm is likely, the NDB scheme requires you to notify the OAIC and affected individuals as soon as practicable. Build a short template now so you’re not drafting on a bad day.
4) Fix the root cause. If the path was “bank change by email,” hard-ban email changes and require call-back on a known number. If it was a single admin doing everything, implement maker–checker and rotate duties.
How cyber controls meet payroll reality
You don’t need a giant program. Implement the Essential Eight to a sensible maturity (start with MFA, patching, application control and backups), then wire those controls into payroll steps: restricted folders for ABA exports, signed approvals attached to the pay record, and least-privilege bank/HRIS roles. The ACSC’s Essential Eight assessment guide explains how to measure progress without drowning in paperwork.
Governance that survives daylight
Write down who can add a new pay item, who can create an ABA, who approves it, and who lodges STP. Record delegations in your bank and payroll systems so the software enforces your policy. For STP, keep the authorisation to act (if using an agent) with each finalised pay event. That paper trail turns audits from a week of archaeology into a 20-minute check.
When to get outside help
Bring in a specialist (managed payroll or a security partner) when any of these are true:
- You can’t maintain segregation of duties (e.g., a single trusted person still does everything).
- You’ve had a payment redirection or credential compromise and need DFIR, bank liaison and NDB assessment. The ACSC trends show the risk is real and rising; speed and expertise matter.
- Your STP mapping keeps drifting (errors in disaggregation of gross). An experienced operator will fix the mapping once so your STP preview exactly mirrors the payslip, every time.
- You’re shifting cash timing for payday super and need help rebuilding approvals and reconciliations before the SBSCH shuts to new users and the 7-day due-to-fund clock starts.
The 30-day uplift plan
Week 1: Turn on MFA for payroll, HRIS, email and banking. Lock down the ABA export path to a restricted folder; stop emailing payment files. Publish the call-back rule for bank changes.
Week 2: Implement two-person control: one generates, one approves, both for ABA and STP lodgement. Test STP Phase-2 previews vs payslips and fix mapping.
Week 3: Rehearse your incident playbook: who calls the bank, who calls 1300 CYBER1, who assesses NDB triggers, who drafts the message to affected staff.
Week 4: Reconcile super accrued vs paid at 12% and stand up a monthly super ageing report. Decide your path for payday super and clearing-house replacement.
Bottom line
Most payroll breaches are boring: a believable email, a rushed approval, a text file swapped in the wrong folder. Your defence is equally boring, and that’s why it works. Enforce maker–checker, run an STP preview every pay, protect ABA files, and treat TFNs like the regulated identifiers they are. Add ACSC’s Essential Eight on top and you’ve moved from “hoping” to “operating.” With SG now 12% and payday super coming, the money will move faster. Make sure your controls do too.
