sample size 2849



  • Hi all
    hope to get feedback
    how to determine the size of the sample of datas to meet the compliance control requirements basicaly when it is schedule quaterly or monthly or anualy
    please provide advice
    thanks in advance
    sel



  • We use the following sample sizes (consistent with what our external auditor uses)
    Annual - 1
    Quarterly - 2
    Monthly - 3
    I would suggest that you have a conversation with your auditor to ensure that they are comfortable with your sample size selection. This could reduce the amount of test work (and fees to you) that they need to perform.



  • The sample size is determined based on both the frequency and the risk level.
    These are what our company uses, which our auditors (PwC) were okay with:
    Annually:
    1 sample
    Quarterly:
    2 samples
    Monthly:
    High Risk: 5 samples
    Med Risk: 3 samples
    Low Risk: 2 samples



  • Hi all
    thanks Risys82 for reply
    i’s almost as we have
    relating to the sample used during the control. we had the following point:
    one colleague has said that, if we kept as record the sample used during the control, and we presented to one assessor of this control, we will biase the assess because we shown him one fixed sample. according him, we should just presented to him the control result and the list of the full population and let him take his sample, like this, the random rule would be respected…
    please advice
    thanks in advance



  • I agree the sample size is informed by the frequency and the level of risk.
    What are people’s thoughts on setting the level of risk - is this purely subjective based on historic error count, manual-ness of the process, potential size of error?
    How do people feel the ‘tone at the top’ control environment impacts samlpe sizes (ie recruitment and retention policies / corporate values / role of the Board and Audit Committe / effectiveness of internal audit function) - surely a company which has a good ‘company level control environment’ would require less testing than one with a low level of ‘company level controls’??



  • What are people’s thoughts on setting the level of risk - is this purely subjective based on historic error count, manual-ness of the process, potential size of error?
    We first do our risk ranking at the control objective level, then each control activity takes on the risk of the objective that it maps to. If a control activity maps to multiple objectives (e.g., one medium and one high), then the control activity assumes the higher risk. We risk rank objectives by weighing the likelihood of an error, the potential magnitude of an error, the materiality of the related financial statement line item(s), etc.



  • What are people’s thoughts on setting the level of risk - is this purely subjective based on historic error count, manual-ness of the process, potential size of error?
    I agree with the excellent approach shared by NC_Sox that it must be based on Risk Management priniciples including likelihood and materiality to the financial statements. Certainly, the SOX Coordinator must ensure that financial controls are well tested to satisfy the external audit firm and senior management concerns.
    Sampling and Testing criteria are also well defined here:
    SOX 404 - TOP DOWN Risk Assessment:
    http-and-#58;//en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment
    At each step, qualitative or quantitative risk factors are used to focus the scope of the SOX404 assessment effort and determine the evidence required. Key steps include:

    1. identifying significant financial reporting elements (accounts or disclosures)
    2. identifying material financial statement risks within these accounts or disclosures
    3. determining which entity-level controls would address these risks with sufficient precision
    4. determining which transaction-level controls would address these risks in the absence of precise entity-level controls
    5. determining the nature, extent, and timing of evidence gathered to complete the assessment of in-scope controls


  • hi all
    thank you for replies.
    what about the archive of controls samples as i’ve asked previously ( the colleague remark). if an auditor come and ask to check the evidences for one control. would he accept to check the population from where the sample had been taken. from me, it is a funny idea. Once the control had been done and the conclusion had been established. it is finish. no need to change every time the population.
    isn’t it?



  • A sample is just what it states that it is - a sample of the whole population. The external auditor may or may not pick the same sample to test to gain confidence that a control is effective.



  • Agreed
    but the background file, used to do the control has to be keept as it is. to take another sample is just to check ?



  • hi all
    thank you for replies.
    what about the archive of controls samples as i’ve asked previously
    I’m not exactly sure what you’re asking, but see if this helps. Our process owners monitor (or self assess) their own controls quarterly. Sometimes this self assessment involves sampling. If, for example, a process owner picks a sample of 15 invoices to test that a control performed appropriately, we ask that they simply keep a list of the invoices sampled so the self assessment could be re-performed by an auditor if needed. We don’t require them to make copies of all the sampled items, etc. As kymike said, the auditors may re-perform the same sample, or they may choose to pick a different sample.



  • hi NC sox
    you had answerd my question, thank you for that. the argue was about the ( i would take your example) invoices used for the controls. the guy was suggested to not keep it, just keep the result of control and if one auditor come, he has to choice again his sample. it is in my opinion funny because, of course the auditor is free to get any others sample if he want to test the effectiveness of the controls, but the sample used for the controls are just the support of the controls results
    thank you once again
    selena


Log in to reply