SOX sample sizes 2199



  • I am hoping someone can resolve a difference of opinion between auditors where I work, which is a construction company.
    A key control involves job forecasting. Certain jobs are required to make detailed forecasts and go through a review process each quarter. We select X jobs from each of the first and second quarters to test. So one auditor thinks the sample size is 2 as in two quarters, and that if any of the jobs selected fail the test, then the quarter fails and therefore the control fails and requires remediation/retest because it is one failure out of a sample of 2.
    Another auditor says that was the way under the old AS2 sampling table that was based on frequency, but now we have AS5 so the sample size is 2X as in the number of jobs selected for testing, times the two quarters for each job tested. So if the number of jobs selected is 50 and one fails, then the control passes.
    Which is correct? Is the sample based solely on the frequency (quarterly), or is it based on the number of transactions?



  • I don’t recall ever seeing in any of the SOX rules or interpretations any guidance on sample size.
    I would say that you need to consider the entire population of what you are testing when setting sample sizes. The population will have a direct correlation with the frequency of the operation of the control. A search of this forum will provide you with differing opinions as to sample sizes for given control frequencies.
    It is generally a judgment call when one or two samples fail whether or not to fail the control. Our practice is to pull another sample that is half the size of the first sample when we have oneor two failures within a sample. If the additional samples have no failures, then the control passes. If the additional sample has one failure, then the control fails.



  • Hello and thanks very much for responding to my question.
    There used to be a table associated with AS2, which I have seen posted here, giving sample sizes correlating to frequency. For example, the sample size for a control with quarterly frequency was set at 2. But that was AS2 which we know was fraught with flaws, and it assumed that there is one transaction per quarter.
    In my case, there are numerous homogenous transactions occurring each quarter. So on one hand your advice about considering the population size, risk, etc. makes perfect sense to me and I think is consistent with guidance in AS5. On the other hand, the statement that the population will have a direct correlation with the frequency of the control runs contrary to it. In my case, we have some quarterly frequency operations that have just one operation per quarter. Like say a quarterly reconciliation. But we also have quarterly frequency operations that run into the dozens, such as job forecasting. So I do not see a direct correlation between frequency and population. I am interested in your thoughts about this point.
    Thank you very much for the last paragraph of your response. That makes a lot of sense and reminds me of the stop-and-go sampling I used to use pre-SOX.



  • We treat the quarterly items that have multiple occurrences more like monthly or weekly controls for sampling and pull more than 2 samples. For example, we may look at the annual number of occurrences of a control (even though they may only be performed on a quarterly basis) and if they total 50, may use a sample based on a weekly control (50x per year). Alternatively, you could sample 2 quarters for each of your significant jobs when you test.



  • Thank you, kymike oh wise SOX guru, that is very helpful.


Log in to reply