  • Hello guys,
    While going through one of the posts here, I suddenly bumped into this thought. I am going to narrate a situation to the best of my understanding. Please forgive me if I make any mistake, and correct me. Here it goes…
    I am an internal IT auditor (SOX). I, along with other internal auditors, have been hired to assure the company that for every critical process identified by the management, there are sufficient controls over identified risks associated with possibilities of misstatement of financial statements. Let's say management, with the suggestions (if any) of the internal audit committee, has identified 10 applications that are critical and, on average, there are 15 controls per application.
    The job of internal auditors is to submit a report to the management on the efficiency of the internal controls over financial reporting. This report will then be produced to external auditors. They will take a sample of the given controls for each application to test the effectiveness of the controls.
    I think that as an internal auditor, I have to test each and every control for each critical application. We, as internal auditors, are not supposed to test effectiveness on samples, because it is quite possible that the controls that are left out of the sample may contain some deficiencies, and quite possible that the external auditor may choose them as their sample.
    Please correct me if I am wrong…

