audit testing and sample sizes

7/24/2019 Audit Testing and Sample Sizes

1/22

Internal Audit Testing

and Sampling TechniquesChartered Institute ofInternal Auditors May 2014


2/22

PwC

Controls Testing

Slide 1


3/22

Testing Priorities

Risk B1 Risk A1

Risk B2 Risk A2

Risk C2 Risk C1


4/22

PwC

Testing techniques

Slide 3

Controls testing

Inquiry

Re-performance

Inspection/Examination

Observation


5/22

PwC

Control testing

- Inquiry consists of seeking information ofknowledgeable people within the client

- Observation consists of looking at a processbeing performed by others

- Examination

inspection of information or data walkthrough confirming our

understanding of a process by tracingindividual transactions from beginning toend

- Re-performance independent execution ofprocedures that were originally performed aspart of managements internal controls

Tests of controls aredesigned to obtainevidence to assesstheir operatingeffectiveness.

Operatingeffectiveness meansthat the controls are

functioning asdesigned on aconsistent basis over

the period underexamination.

Slide 4

Controls testing


6/22

PwC

Determining which Testing techniqueto use

Slide 5

Level ofComfort

Controls testing

Inquiry

Re-performance

Inspection/Examination

Observation


7/22

PwC

Determining which testing techniqueto use

Considerations:

The susceptibility of the control to change.

The frequency and extent of the control.

Our initial view of the likelihood of control weakness.

Significance of the control to the control environment and how muchreliance is being placed on it.

Slide 6

Controls testing


8/22

PwC

Sampling

Sampling is the application ofauditing procedures to arepresentative group of less than100% of the items within ahomogenous population

We use non-statistical sampling

3 Steps to follow:

1. Determine the control testobjective, population andsampling unit

2. Determining the sample size3. Selecting the sample for testing

Slide 7

Value Protection - execute


9/22

PwC

SamplingManual Controls

Frequencyof Control Assumed populationsize Sample Size

Annual 1 1

Quarterly 4 2

Monthly 122 (minimum) to 5 (maximum), Select 3 if you require

a mid-range.

Weekly 52 5 to 15. Select 10 if you require a mid-range

Daily 250 20 to 40. Select 30 if you require a mid-range

Multipletimes per day

Over 250 25 to 60. Select 30 or 45 if you require a mid-range

Depends on:

Frequency of control or population size

Level of evidence that is judged to be necessary

The table below, can be used as a general rule; however, we may use asmaller sampling size:

Value protection Execute

Slide 8


10/22

PwC

SamplingManual Controls

Following factors may indicate that sample sizes should be selected at thehigher end of the ranges:

- The greater the potential financial loss or adverse event to the company ifthe control is not effective or fails:

- The more complex the control- The greater the degree of judgment in control operation


Slide 9


11/22

PwC

SamplingAutomated Controls

If IT General Controls have been tested and found to be effective, it may besufficient to only test one operation of the Automated Control


Slide 10


12/22

PwC

Audit documentation

Audit documentation must containsufficient information to enable anexperienced auditor, having no previousconnection with the engagement to:

- Understand the nature, timing, extent and results of the procedures

performed, evidence obtained, and conclusions reached

- Determine who performed the work and the date such work wascompleted, as well as the person who reviewed the work and the date ofsuch review.

- Understand the linkage between conclusions and facts

- Document what you have done and how you reached your conclusions

Slide 11

DocumentationRemember: if what

you did isntdocumented, its theequivalent of not

performed!


14/22

PwC

Confidential

13May 2014

CIIA - 14 May 2014


15/22

PwC

What are CAATs?Computer Assisted Audit Techniques

A means of accessinglarge amounts of data ina format that can provide

transparency notattainable through otherauditing procedures.

The results may be used to identify areas of

key risk, fraud, errors or misuse; improvebusiness efficiencies; verify processeffectiveness; or influence

business decisions. (ISACA August 2011)

Confidential

14May 2014

CIIA - 14 May 2014


16/22

PwC

Data analytics - methodology

Extract andupload raw data

Map andorganise data

Analyse andvisualise data

Finalise auditevidence, identifyanomalies andinsight

Confidential

15May 2014

CIIA - 14 May 2014


17/22

PwC

Computer Assisted Audit TechniquesAdvantages

Increased coverage 100% oftransactions

How can you ever pick a sample thatis representative? 1

Efficiency repeatableandautomated

Expandable model, allowing tests tobe refined, tuned, added, removed 2

Value and insight improve theperception of IA

Standing still or moving with thetimes? 3

Basis for prioritisation of whereto look next in the organisation

You can quickly identify and addressemerging issues and risks 4

Climb the maturity curve predictive business enabler

In the future it will allow audit teststo be pushed into the organisationas monitoring controls

516May 2014

CIIA - 14 May 2014


18/22

PwC

Data analytics on vendor standing dataIdentify duplicate vendors based on the same or similar (fuzzy match) vendor name.

Identifying and resolving duplicate vendor records is important as otherwise this could lead to loss, error or fraud. For

example: lossof purchasing volume discounts available where spend with a specific supplier is recorded across two ormore records for the same supplier, errorif one vendor record is updated but the duplicate vendor record is notresulting in incorrect and inconsistent records, and fraud for example where duplicate vendor records are used toprocess payments below a review threshold.

Confidential

12,253vendors listed in standing data

1,031perfect duplicates

46fuzzy match with 1

character difference


character difference


character difference17May 2014

CIIA - 14 May 2014


19/22

PwC

Exercise

You are the internal auditors to an NHS Trust. You have been asked toundertake a review to assess the accuracy of the information used to support theKPIs that are reported to the Board on a monthly basis and to externalregulators quarterly. What would you consider in devising a testing approach?

18


20/22

PwC

Exercise

You are the internal auditors to an NHS Trust. You have been asked toundertake a review to assess the accuracy of the information used to support theKPIs that are reported to the Board on a monthly basis and to externalregulators quarterly.

You are driving to work and hear on the radio that a NHS Trust in another part

of the country has got into serious trouble for mis-reporting cancer waitingtimes data. There seems to be an issue in distinguishing between cancellationsand DNAs. Would you do anything differently.

19

May 2014


21/22

PwC

Exercise

You are the internal auditors to an NHS Trust. You have been asked toundertake a review to assess the accuracy of the information used to support theKPIs that are reported to the Board on a monthly basis and to externalregulators quarterly.

You are driving to work and hear on the radio that a NHS Trust in another part

of the country has got into serious trouble for mis-reporting cancer waitingtimes data. There seems to be an issue in distinguishing between cancellationsand DNAs.

In checking the above with the client you realise that they may have innocentlymis-interpreted the above and that this might mean that they have been mis-

reporting data to their external regulators. What would you do?

20

May 2014


22/22

This publication has been prepared for general guidance on matters of interest only, and does not

constitute professional advice. You should not act upon the information contained in this publication

without obtaining specific professional advice. No representation or warranty (express or implied) isgiven as to the accuracy or completeness of the information contained in this publication, and, to the

extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not

accept or assume any liability, responsibility or duty of care for any consequences of you or anyone

else acting, or refraining to act, in reliance on the information contained in this publication or for any

decision based on it.

2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to

PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a

member firm of PricewaterhouseCoopers International Limited, each member firm of which is a

separate legal entity.

audit testing and sample sizes

Documents