audit testing and sample sizes
-
7/24/2019 Audit Testing and Sample Sizes
1/22
Internal Audit Testing and Sampling Techniques
Chartered Institute of Internal Auditors
May 2014
-
PwC
Controls Testing
-
Testing Priorities
Risk B1 Risk A1
Risk B2 Risk A2
Risk C2 Risk C1
-
Testing techniques
Controls testing
Inquiry
Re-performance
Inspection/Examination
Observation
-
Control testing
- Inquiry consists of seeking information of knowledgeable people within the client
- Observation consists of looking at a process being performed by others
- Examination
  - inspection of information or data
  - walkthrough: confirming our understanding of a process by tracing individual transactions from beginning to end
- Re-performance: independent execution of procedures that were originally performed as part of management's internal controls
Tests of controls are designed to obtain evidence to assess their operating effectiveness.
Operating effectiveness means that the controls are functioning as designed on a consistent basis over the period under examination.
-
Determining which Testing technique to use
Level of Comfort
Controls testing
Inquiry
Re-performance
Inspection/Examination
Observation
-
Determining which testing technique to use
Considerations:
- The susceptibility of the control to change.
- The frequency and extent of the control.
- Our initial view of the likelihood of control weakness.
- Significance of the control to the control environment and how much reliance is being placed on it.
-
Sampling
Sampling is the application of auditing procedures to a representative group of less than 100% of the items within a homogenous population
We use non-statistical sampling
3 Steps to follow:
1. Determine the control test objective, population and sampling unit
2. Determining the sample size
3. Selecting the sample for testing
-
Sampling - Manual Controls
Depends on:
- Frequency of control or population size
- Level of evidence that is judged to be necessary
The table below can be used as a general rule; however, we may use a smaller sampling size:

| Frequency of control | Assumed population size | Sample size |
|---|---|---|
| Annual | 1 | 1 |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2 (minimum) to 5 (maximum). Select 3 if you require a mid-range |
| Weekly | 52 | 5 to 15. Select 10 if you require a mid-range |
| Daily | 250 | 20 to 40. Select 30 if you require a mid-range |
| Multiple times per day | Over 250 | 25 to 60. Select 30 or 45 if you require a mid-range |
-
Sampling - Manual Controls
Following factors may indicate that sample sizes should be selected at the higher end of the ranges:
- The greater the potential financial loss or adverse event to the company if the control is not effective or fails
- The more complex the control
- The greater the degree of judgment in control operation
-
Sampling - Automated Controls
If IT General Controls have been tested and found to be effective, it may be sufficient to only test one operation of the Automated Control
-
Audit documentation
Audit documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement, to:
- Understand the nature, timing, extent and results of the procedures performed, evidence obtained, and conclusions reached
- Determine who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review.
- Understand the linkage between conclusions and facts
- Document what you have done and how you reached your conclusions
Remember: if what you did isn't documented, it's the equivalent of not performed!
-
The changing shape of internal audit
Increased use of technology
Drivers for change (top 3):
1. Complexity: increased use of technology within the business | higher volume of transactions | increased automation | businesses driven by data | devil is in the detail | how do you find a needle in the hay stack?
2. More for less: pressure to deliver more with less | value | quality | efficiency | insight | pressure to deliver with less resource and using samples?
3. Resources: skills sets | innovation | technologically minded team | reduced fear factor | development opportunities for your people?
Confidential
CIIA - 14 May 2014
-
What are CAATs?
Computer Assisted Audit Techniques
A means of accessing large amounts of data in a format that can provide transparency not attainable through other auditing procedures.
The results may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; or influence business decisions. (ISACA August 2011)
-
Data analytics - methodology
1. Extract and upload raw data
2. Map and organise data
3. Analyse and visualise data
4. Finalise audit evidence, identify anomalies and insight
-
Computer Assisted Audit Techniques - Advantages
1. Increased coverage: 100% of transactions. How can you ever pick a sample that is representative?
2. Efficiency: repeatable and automated. Expandable model, allowing tests to be refined, tuned, added, removed
3. Value and insight: improve the perception of IA. Standing still or moving with the times?
4. Basis for prioritisation of where to look next in the organisation. You can quickly identify and address emerging issues and risks
5. Climb the maturity curve: predictive business enabler. In the future it will allow audit tests to be pushed into the organisation as monitoring controls
-
Data analytics on vendor standing data
Identify duplicate vendors based on the same or similar (fuzzy match) vendor name.
Identifying and resolving duplicate vendor records is important as otherwise this could lead to loss, error or fraud. For example: loss of purchasing volume discounts available where spend with a specific supplier is recorded across two or more records for the same supplier, error if one vendor record is updated but the duplicate vendor record is not, resulting in incorrect and inconsistent records, and fraud, for example where duplicate vendor records are used to process payments below a review threshold.
- 12,253 vendors listed in standing data
- 1,031 perfect duplicates
- 46 fuzzy match with 1 character difference
- 96 fuzzy match with 2 character difference
- 231 fuzzy match with 3 character difference
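The duplicate-vendor test described above, as an added example that is not part of the original presentation. It assumes "character difference" means Levenshtein edit distance on normalised names; the normalisation rules, function names and vendor records are constructed for illustration.

```python
from collections import Counter
from itertools import combinations
import re

def normalise(name):
    """Lower-case, strip punctuation and collapse whitespace before comparing."""
    return re.sub(r"\s+", " ", re.sub(r"[^a-z0-9 ]", "", name.lower())).strip()

def edit_distance(a, b, limit=3):
    """Levenshtein distance; returns limit + 1 as soon as the limit must be exceeded."""
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        if min(cur) > limit:  # row minimum never decreases, so stop early
            return limit + 1
        prev = cur
    return prev[-1]

def duplicate_candidates(vendors, limit=3):
    """Return sorted (distance, id_a, id_b) for every vendor pair within `limit` edits."""
    cleaned = [(vid, normalise(name)) for vid, name in vendors]
    hits = []
    for (id_a, a), (id_b, b) in combinations(cleaned, 2):
        d = edit_distance(a, b, limit)
        if d <= limit:
            hits.append((d, id_a, id_b))
    return sorted(hits)

def summarise(hits):
    """Count candidate pairs per distance: 0 = perfect duplicate, 1-3 = fuzzy match."""
    return dict(Counter(d for d, _, _ in hits))

# Constructed sample standing data (vendor id, vendor name); not from the presentation.
VENDORS = [
    ("V001", "Acme Supplies Ltd"),
    ("V002", "ACME Supplies Ltd."),
    ("V003", "Acme Supplie Ltd"),
    ("V004", "Brightwell Catering"),
    ("V005", "Bridgwell Catering"),
    ("V006", "Harlow Print Services"),
    ("V007", "Harlowe Print Service"),
]

if __name__ == "__main__":
    print(summarise(duplicate_candidates(VENDORS)))
```

Comparing every pair is quadratic in the number of vendors; at the scale of the standing data quoted above, candidates are normally grouped first (for example by leading characters or postcode) so that only names within a group are compared.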
-
Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly. What would you consider in devising a testing approach?
-
Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly.
You are driving to work and hear on the radio that an NHS Trust in another part of the country has got into serious trouble for mis-reporting cancer waiting times data. There seems to be an issue in distinguishing between cancellations and DNAs. Would you do anything differently?
-
Exercise
You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly.
You are driving to work and hear on the radio that an NHS Trust in another part of the country has got into serious trouble for mis-reporting cancer waiting times data. There seems to be an issue in distinguishing between cancellations and DNAs.
In checking the above with the client you realise that they may have innocently mis-interpreted the above and that this might mean that they have been mis-reporting data to their external regulators. What would you do?
-
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.