Sample size - PCAOB guidance 1634

  • Hello all, I am a newbie and was wondering if there was any guidance provided by PCAOB for sample sizes for test of operating effectiveness. If so, could anybody guide me to the text? Thanks. I tried googling it but did not find anything worthwhile.

  • Hi,
    The PCAOB does not prescribe suggested sample sizes in connection with performing tests of operating effectiveness for SOX.
    This information is more appropriately found if you search on the web site for the external audit firm that will be assessing compliance with SOX for your company.
    If PricewaterhouseCoopers is your auditor, they have a document that prescribes suggested sample sizes based on the frequency of the control. I am sure KPMG, Deloitte, and Ernst and Young have developed similar guidelines.
    If you still cannot locate the PwC document, try searching this site using the search term ‘sampling’ and I am quite certain that you will find links and other useful information about sampling.
    Hope this helps,

  • That helps, thanks a lot.

  • I work with KPMG and they have agreed a set criteria for sample sizes based on risk, frequency, etc. What I found interesting is that they have not provided any guidance on what happens if, heaven forbid, an error is found - do I increase sample sizes, do I fail the process imediately and remediate. Is there any guidance out there that I can give my testing team?

  • If you genuinely believe the error to be a one-off you can increase your sample size (normally in the range of 50-100% increase) and if you find no further exceptions can call the control a pass.%0ANo point in doing this if you believe it to be a genuine fail - better to report and remediate.

  • Thanks. I find it interesting that the audit bodies are so precise regarding sample sizes at the initial stage but then offer no guidance. I have just come across an E-and-Y rule which is if one error in 30 is found 30 the sample is increased by 1/3 to 40. A second error and the sample increases to 60. A third error and that process fails.

  • I think the detailed sampling guidelines are a carry-over of specific sampling instructions that were developed for audit clients. Performance of the tests will achieve a desired level of precision and reliability based on statistical computations.
    As in all audit efforts, sound auditor judgment is important to ensure that conclusions derived from the performance of audit procedures are valid and reasonable.

  • I have read guidance that specifies a maximum number of deviations among a sample set categorizing the control as an effective or a highly effective control. For a test of operational effectiveness of a control that is performed multiple times a day, if the control is considered highly effective, the plan is for 0 deviations among 25 samples and if there is 1 deviation identified, increase the sample size by 25. If another deviation is identified, the control fails the test. Likewise, if the control is considered effective, 1 deviation is planned and if any more than that is identified, the sample size is increased by 25. It is suggested that the sample size not be increased more than once.

  • Thanks for sharing your insight. It was helpful.

Log in to reply