  • Has anyone heard of a ‘rule of thumb’ for sample sizes that if you know the total population then you pull 30% for your sample (even when the external auditor or test script asks for a larger amount)?

  Hi ugogirl,
This sounds like it would lead you to performing a lot more testing than is necessary for the more frequent controls. For example, if a control were exercised on a daily basis, the population would be 365 over a year. 365 x 30% = ~110 samples. Not to mention some controls may be exercised 3 times per day or more…
On the other hand, for a monthly control, this would lead you to a sample size of 4, which is in line with the big-4's. I think applying the 30% rule to anything beyond a weekly control frequency would create unnecessary burden. Maybe 30% for controls exercised weekly or less… 20% for annual controls… 15% for controls exercised more than twice a day…? Someone better with statistics could probably prepare the 'assurance' curve for this one…
Good point about the control testing being performed on an annual basis - I know that some companies performing quarterly testing have not taken this into consideration and have ended up doing a lot more testing than would otherwise be necessary.
Cheers,
lordkukuface

  • For a daily process, we were given a sample size of 50-60, and yes, they do expect screenshots or some kind of evidence for all of them. An important clarification we just got is that the sample size is on an annual basis. This is important for us because we are doing SOX testing now and we will do it again in 4th quarter. This means we would pull 25-30 now and then another 25-30 for the later round of testing.
    If the evidence of the control is a screenshot then this suggests automated control to me. If you are looking at automated controls then you can go down a GCC test of one route.
    Can’t imagine anything more pointless or soul destroying than pulling 50 screenshots for one control 8O

  • Actually, the screenshots are to show the approvals from user management and IT management (external auditor wants to see: approval to start the project, approval of test results, and approval to migrate to production). These approvals are done via a software product that does help desk tickets, workflow, and change management. The only way to get the evidence is screen prints, unfortunately.

  • You don’t need to keep any document as testing evidence that you can easily reproduce. Just ensure that your testing write-up covers what you tested and includes enough information to reproduce that testing. Usually, a test matrix with the attributes tested, the results of the tests and a conclusion as to the effectiveness of the controls is adequate.
    If you think that it is easier to keep the documents than reproduce later, that is a decision that you will have to make.

  • The external auditor has stated they want evidence in hardcopy stored in binders as part of the working papers. Otherwise, we would take the easy route.

  • Who is your external auditing company?

  • It is certainly easier for the auditor to access if he doesn’t have to wait for you to recreate the screenshot. This may help to reduce auditor time and fees (though I can’t imagine that it will save them that much time)

  • HP,
    It would be frowned upon here if I told you the name of the external auditing firm. However, I can say it is not one of the big 4.

    Tell them to off :evil:
    If the evidence is held electronically then they need to review it electronically. SOX does not require you to do unnecessary work because your auditors are incompetent.

