Samples sizes 1811
I have noted that in some organisations there are no separate sample that has been tested as a part of the walkthrough and the sample of the walkthrough and the test of operating effectiveness is merged. Does this not in effect causes the sample size to be lower than the recommended number by 1.
EMM last edited by
A walkthrough is a review of the process from start to finish. Your ext auditors should confirm to you that it is always based on a sample of 1.
E.g. Sales to Cash receipts process. This will follow the process of setting up a new customer, to order, to invoice and sale, to accounts receivable and finally to cash received or debt write off. The test is to follow all transactions with the same customer and select an order that will follow through to invoice until cash is received.
Sample sizes relate to tests of detail for the key controls only.
Agreed…All walkthroughs have to be performed end to end where as test of details are for the key controls identified.
Given that a walkthrough also covers the key controls identified is it agreeable that it be included in the sample size of the TOD’s tested? e.g. where there are 30 samples to be covered under a TOD would it be enough to test only 29 since the walkthrough would have obviously touched upon the control being tested.
I didn’t know there was a recommended number. I thought the idea was that management undertook whatever testing, etc it deemed necessary to reach a conclussion. The ext auditors could then decide for themselves whether this was unreasonable or not and do whatever testing they deemed necessary using their own sample sizes.
There is an example minimum sample testing size. Most external audit firms use this as a baseline.
CONTROL OPERATING MINIMUM CONTROL OPERATING SAMPLE
FREQUENCY SAMPLE SIZE FREQUENCY SIZE
Recurring manual 3060
times per day)
Refer page 12 of link 404institute.com/docs/FAQ.pdf
Denis last edited by
Most firms will allow the one (or more) item selected as part of the walkthrough to count towards the tests of operating effectiveness sample
Walkthrough should not be intermingled with test of controls performed later. Walkthrough is performed to benchmark a control. It is performed on all controls to make sure supplemental control could be utilized later if a particular key control is ineffective.
This walkthrough sample is not randomly selected, therefore, would not be added to a randomly generated sample size for test of controls.
I hope that this helps.
In my 19 years experience, we have never intermingled a walkthrough sample with the test of control samples.
Denis last edited by
I’ll give you an example of where this did actually happen.
We have a common programme change process for a number of applications. When our auditors were looking at the controls over this process they decided that they could do one sample of 25 to cover all applications given that it was a common process. To determine that it was indeed a common process they did a walktrough of one programme change from each application to confirm that it did, indeed, follow the common process. Having already tested one item from 16 applications they then only looked at a further 9 to complete their sample of 25.
I have a similar experience to Denis and in truth I see nothing wrong with that. There is no definitive sample size apart from the one that your own external auditor will accept. Clearly the audit firms are talking to try and maintain some consistency but a recommended size is still only a recommendation.
The sample size I use is up to 1/3 less than our auditors but they have raised no concerns about that. We also include the walkthrough testing in our sample of operating effectiveness testing and they have raised no concern about that either.
Our walkthrough is designed to ensure we understand the process and identify the key risks associated with that process. We then establish those controls that mitigate these risks and they become our key controls. We do not concern ourselves with supplemental controls
This seems to illustrate the continued concern expressed around the inconsistent and different interpretations exercised by the external review bodies.
This may work if you have a handful population. But, not for a bigger population.
In your opinion but not in the opinion of our auditors.
I worked for PWC and EY. My opinion was based on working with them.
Well, If your auditors are happy with your methodology, then who cares, I am not signing the attestation, why bother.
plaire1 last edited by
IIA (Institue of Internal Auditors) guidelines the sample size as far as I can tell, they also have the rating scale for IT (0-5, non-existent to optimized).
They also have the guidance for the deficient ratings in likelihood vs impact :
Material Weakness, Significant Deficiency, Inconsequential Internal Control Deficiency
We use that guidance so that we better support the business and have the same testing criteria.
The walkthrough has been allowed in the Design Effectiveness evaluation but not in the Operational Testing evaluation…
Just a thought…