Sample size testing querit 1745
I have a monthly control which is based on the fact that debtors statements are sent out on a monthly basis.
The objective of this would be that any customer issues are normally communicated to the company on receipt of such statements, therefore, providing Finance with an awareness of any disputes prior to creating a month-end debtors provision.
The problem is that there are approximately 200 statements sent each month. Our SOX sample sizes require 3 months to be tested for a monthly control. Does this mean that we have to review all 200 statements for accuracy for 3 months (i.e. 600 statements)?
Any suggestions as to sample sizing or a better approach to testing the control activity would be greatly appreciated.
milan last edited by
A number of the Big 4 accounting firms have developed sampling guidelines that can be used to determine sample sizes based on the frequency of a key control.
In your case, you do not need to review all of the debtor statements…you simply should select your sample making sure to select a number for examination in each of the three months.
For example, you might select 10 statements for review in each month…Jan/Feb/Mar for a total of 30 items selected. Again, the sampling guideline that you use will determine the number of items selected.
The PwC Practical Guide to Compliance with 404 is a good document. I think it has been referenced on this forum many times and you can search the forums for the link if you can’t locate it through Google.
Hope this helps,
I am ex-PwC myself, so I am aware of their guidelines. The problem is that our auditors are KPMG, and their guidelines require larger sample sizes than PwC (hence the 3 month selection as opposed to 2). As you are aware, internal auditors have to meet a sample size that is the same as or larger than that of their ext auditors.
I am going to go for 20 samples per month, as this will also cover a sample of 60 which should (hopefully) satisfy KPMG.
WrightLot last edited by
I have no doubt that a sample of 60 will satisfy KPMG. Is the production of statements virtually identical for all 200 each month or, putting that differently, are the key controls generic for all statements?
Our sample size for a monthly control is 3. For a recurring control (more often than daily) it is 30. Clearly it is for you to decide based on resourcing, etc., but I would have thought 60 was excessive for a monthly control. Even 30 feels large unless the methodology for each of the statements is significantly different or the key controls for producing them occur more frequently than monthly.
All statements are identical and KPMG require us to test 3 months for monthly controls. My rationale for 60 is loosely based on recurring (more than daily) controls frequencies, as KPMG will test 45 samples for such occurrences where the risk is medium, and 60 where the risk is high.
Based on the uniformity of documents, the testing itself should be quite simple and very repetitive, so, hopefully, 60 documents should not take more than 3.5 to 4 hours to test and document.
milan last edited by
Some good points from WrightLot…
‘Our sample size for a monthly control is 3.’
‘For a recurring control (more often than daily) it is 30.’
‘…60 was excessive for a monthly control. Even 30 feels large…’
I agree. The sample sizes seem large and result in ‘over auditing’ and sampling inefficiency. You can check a sampling table available from the AICPA and it will show that you can perform tests of controls and achieve +/- 5% tolerable error with a much smaller sample size.
Even if resources are available and this test of control effectiveness can be performed in 3.5 - 4.0 hrs. to test/document, you might find it necessary to explain why you picked a smaller sample size to test a different control that is also performed monthly.
In short, it might be a good idea to follow a consistent sampling approach because it will increase the reliability and comparability of your test efforts and related conclusions.
Hope this further helps,
Milan
Chhaava last edited by
I worked as a consultant for a SOX life cycle where KPMG were external auditors. This client had a very strong control environment. Therefore, KPMG were okay with an overall sample size of 40.
To guide you further, I need more information.
Are these statements generated through the system? Can we generate all these 200 statements at one time? In that case we can procure a log of the task performed to generate these statements electronically to substantiate the mere fact of statements being printed. We would expect these statements to be printed in the mailing room printer enabling despatch by the mailing room independent of Accounts Receivable personnel.
And after this we can perform the basic testing of selecting between 15 to 20 accounts to make sure that statements were printed and despatched.
I hope that this helps.
Chhaava last edited by
I meant 15 to 20 accounts per month to be the sample size.
Yes, all statements printed are done so in a uniform manner and are printed and maintained by our IS department as opposed to the Finance department. Our objective is to ensure that the control activity takes place (all IS testing and controls are determined by a separate department).
KPMG have been driving up our sample sizes and I would assume that they do not feel that they can determine anything low risk on the basis that:
- 2005 was their first year as our external auditors
- 2006 As an FPI, this is our first year of official compliance with SOX
abu12 last edited by
I also think the sample sizes are excessive - it is a monthly control (so by definition lower sample sizes than a daily control). It can also be regarded as a system control - as generated by the IT team and not finance. Therefore I would have thought the control is effectively: was the statement batch run or not - i.e. did the print run happen, were the statements posted. Yes / no. This would be a minimal sample.
If your control is whether the statements are verified before sending or reconciled (i.e. manual checking), then that could be a higher sample size.
This sounds more like KPMG seeking higher fees than a real need for a high sample size (well in my opinion anyway)
Thanks for the feedback Andrew.
It is unlikely to be fees related for the current year as our company has received an exemption from external audit testing for SOX in 2006 (small company FPI - we still have to issue certifications on of 20-F)