You are the Auditor-in-Charge assigned to conduct an assurance engagement of the BFF Corp?s payroll process. This process hasn?t been audited for three years. There have been no significant changes since the previous audit: there were no system changes, no reorganization of personnel, and no substantive procedural changes. However, during the latest audit, internal audit identified several observations, some of which were considered significant. The significant observations were:

1. Information pertaining to employees leaving the company was not communicated to the IT department, resulting in extensive delays before those employee?s system rights were terminated.
2. Hours paid to non-exempt employees were not supported by an approved time sheet.
3. Accounts withheld for employees were not consistent with elections made by employees.
4. The possibility existed that phantom employees could be included in the payroll without detection.

Payroll management implemented actions to address all significant observations, and IA conducted limited follow-up procedures to validate that the planned actions were completed. This is the first audit since the follow-up procedures were completed.

The following is pertinent information to the payroll audit:

1. BFF employs over 4,400 employees. Approximately 2,700 of those employees are salaried, the rest are hourly.
2. Employees are paid bi-weekly.
3. Hourly employees earn pay at straight-time for the first 80 hours in bi-weekly pay period, time-and-a-half for the next 20 hours in a pay period and double time for any hours exceeding 20 hours in a pay period.
4. The company utilizes a widely used and market tested payroll package for processing of all payroll transactions.
5. The payroll system interfaces with the general ledger system.
6. BFF has established a separate payroll imprest account for the processing of payroll checks. Amounts are deposited in this account from the general account to cover any checks presented against the imprest account each day.
7. Certain non-payroll items are deducted from the payroll checks, including the following:

• Employee loans to cover the cost of extra benefits or product purchases.
• Contributions to long-term retirement plans.
• Contributions to charitable organizations.
• Contributions to Political Action Committees

Payroll expenses and related payroll accruals are considered material to the company.

Based on the above information, perform the following steps to conduct the payroll audit: (please provide your answers directly below each section)

I. Process objectives

Determine at least 3 payroll department objectives that would be relevant to this engagement.

Answer:

II. Identifying process risks

Create a list of potential risk scenarios for each objective. Include a minimum of 8 risks in total. (Label each risk with a reference number/letter for step III below).

Answer:

III. Risk assessment

Based on the identified risk scenarios, define the key payroll risks and assess the risks.

1. 1. Your will need to make assumptions regarding impact and likelihood for this assessment.
   2. Document your assumptions about the payroll system and other relevant information that would allow the audit manager to review your work.

Answer:

Based on your assumptions stated above, please populate the below table with your labeled risks in the table below:

IMPACT	High
Medium
Low
	Low	Medium	High
LIKELIHOOD

Optional work: Create a flowchart for your payroll system. Refer to the exhibits in the textbook as to symbols and structure for what a similar process flowchart may look like. You do not need to submit this document, but It could help me to better understand your payroll system as well as helping you to document the various steps involved in a payroll process, its related risks and control activities. .

IV. Control Assessment

For this section of the assignment, you?ll be working on completing a Risk & Control Matrix (RCM) in the attached Excel worksheet. You will be asked to identify control activities for the higher risks (at least 4) identified in step III above, and conclude whether the applicable key controls are adequately designed to mitigate such risks; please note a special situation where you will be asked to assume that at least 1 risk is inadequately designed (see Excel spreadsheet) Again, you?ll need to make some assumptions about ?your payroll process: (these assumptions will be graded for logic/reasonableness and should be fully documented within your answers) in addition to using the background information from above. Then, you?ll create a test plan for gathering evidence regarding the operating effectiveness of those controls that need to be tested. Reasonable results of testing should be assumed and documented in the RCM worksheet. And then document your conclusions on the effectiveness of controls activity operation.

Attached Excel worksheet: Payroll RCM.xls.

BFF Payroll Audit Name: Risk & Control Matrix (Note: Include at least 4 of your identified risks) Ref Process-Level Risk Note: For this assignmetn, you'll need to assume that at least 1 risk is inadequately designed) Control Activity Control activity A (Example: Employees 1 (Example: The hours actually worked by hourly employees are falsified) sign own timesheets attesting to its accuracy). Control activity B (per assumptions) Control activity A (per assumptions) 2 TBD Control activity B (per assumptions) Control activity C (per assumptions) TBD 3 TBD 4 TBD 5 TBD 6 7 Key (Y/N) Design Adequacy evaluation Y ? ? ? ? ? TOE Approach Test A & B (Select a population of (Example: The indicated key control activities .......) are adequate to manage this risk to an acceptable level) (Example: The indicated key control activities are NOT adequate to manage this risk to an acceptable level; And, discuss why there is a design gap). TBD Testing results Testing conclusions Result A (Example: 5% of timesheets were .....). Result B (details...) TBD Result C... TBD TBD TBD TBD TBD TBD