You are the internal audit senior responsible for conducting an assurance engagement of the XYZ Company payroll process. This process has not been audited for three years and, as such, is due in the normal audit cycle. There have been no significant changes since the previous audit, that is, there were no system changes, no reorganization of personnel, and no substantive procedural changes. However, during the last assurance engagement, the internal audit function identified several observations, some of which were considered significant. The significant observations related to:

- Information pertaining to employees leaving the company was not communicated to the IT department, resulting in extended delays before those employees' systems rights were terminated.
- Hours paid to nonexempt employees were not supported by approved timesheets.
- Amounts withheld for employees were not consistent with elections made by employees.
- The possibility existed that phantom (ghost) employees could be included in the payroll without detection.

Payroll management implemented actions to address all significant observations and the internal audit function conducted limited follow-up procedures to validate that the planned actions were completed. This is the first audit since the follow-up procedures were completed.

The following is pertinent information to the payroll assurance engagement:

XYZ employs approximately 4,400 employees. Approximately 2,700 of those employees are salaried, the rest are hourly. Employees are paid biweekly. Hourly employees earn pay at straight time for the first 80 hours in a biweekly pay period, time and a half for the next 20 hours in a pay period, and double time for any hours exceeding 100 hours in a pay period. The company utilizes a widely used and market tested payroll package (Pay Right) for processing of all payroll transactions.

The payroll system interfaces with the general ledger system. XYZ has established a separate payroll imprest account for the processing of payroll checks. Amounts are deposited in this account from the company's general account to cover any checks presented against the imprest account each day. Certain non-payroll items are deducted from the payroll checks, including:

- Employee loans to cover the cost of extra benefits or computer purchases.
- Contributions to long-term retirement plans.
- Contributions to charitable organizations, such as the United Way.
- Contributions to political action committees (PACs).

Payroll expenses and the related payroll accruals are considered material to the company.

Based on the above information, perform the following steps to conduct a payroll assurance engagement.

D. Document a potential process flow in a detailed flowchart. Make sure that this flowchart identifies key risks and controls and has at least one potential design inadequacy.
E. Develop potential key performance indicators for the process you documented in step D.
F. Identify which controls are considered key controls. As part of this analysis, document your assumptions regarding the effectiveness of entity-level controls and how such controls affect the payroll process-level controls, if at all.
G. Link the key controls to the identified risks.
H. Prepare a Risk and Control Matrix to cover the appropriate information from steps C through G. Conclude on the overall design adequacy of the payroll process.
I. Create a test plan for gathering evidence regarding the operating effectiveness of all key controls.
J. Develop potential test results of testing for all tests conducted. Make sure to identify at least two observations related to the operating effectiveness of key controls.
K. Add the results of steps I and J above to the Risk and Control Matrix. Document your conclusions on the effectiveness of control operation.
L. Develop observations based on the engagement results that outline the condition, criteria, cause, and effect for each observation.

Homework Answers

Answer #1

Answer to the question

1. There’s a potential risk of delegating the recording and authorizing of the payroll accounts to one person, who could manipulate them.
2. There’s a considerable risk that an employee will not turn in the timesheet in a timely manner, and so will not be paid.
3. There’s a probability of the occurrence of significant errors that would likely cause the duplication of payment to terminated employees as well as variances on the payment to ghost employees.
4. There’s a possibility of a lack of supporting evidence and requirements to grant the benefits associated with each employee.
Risk Assessment

