"Sampling" for Internal Audit, ICFR Compliance Testing

Sampling and control testing are required for SOX, PCI, HIPAA, HITECH, and IT Internal Control compliance. The sampling techniques used by management for control design, evaluation, and testing could be more effective if the sample sizes used by management are designed differently from those used by auditors. This writing provides research on the rationale for these differences, as well as recommending a structured approach to either "Valid Statistical Sampling", or non-statistical Sampling. However, additional research on Binomial sample plan design and control testing (used for compliance control testing) has not been included in this version.

Published by: Transformer781 on Aug 10, 2009
Copyright: Attribution Non-commercial

02/17/2013

Internal Auditing and Management Testing: Sampling Techniques

By James J. Finn, MBA, CISA, and CIA
Independent Consultant

James J. Finn is the founder of an independent Financial, IT, and ICFR consulting business, and has worked as a CFO, program manager (PMO), internal auditor, and compliance consultant for small, medium and large public companies and for Mutual Insurance Companies. Mr. Finn holds a BSBA degree in Finance with Honors, and an MBA from Northeastern University, Boston, Massachusetts. Through the years, Mr. Finn has acquired over 25 years of hands-on experience at various financial positions ranging from “Management Trainee” at the First National Bank of Boston, to “CFO and VP of Finance” at a commercial printer, Dynagraf Inc. Also, as a qualified CIA and CISA, he has focused on internal controls and compliance programs for Sarbanes Oxley since 2004.

In addition to authoring this “Guideline”, he has written comments to the SEC on Sarbanes Oxley related issues, and was the editor for a comprehensive accounting policy and procedures guideline for Digital Equipment Corporation’s worldwide internal “Product Line Management Accounting” system, and a “White Paper” titled “The Great SOX Caper” which discusses the impact of AS-2 and AS-5 on SOX programs.

Version 1.50, 2/10/10

While this document is believed to contain correct information, the author, James J. Finn, does not make any warranty, express or implied, or assume any legal responsibility for its accuracy, completeness, or usefulness. Reference herein to any specific product or publication does not necessarily constitute or imply its endorsement, recommendation, or favoring by the author. The views and opinions expressed are those of the author.
Intellectual Property of James J. Finn. Copyright 2009 ©. For discussion and negotiation purposes only.
2010
Finn Consulting LLC James J Finn
 
Table of Contents
I. Guideline Overview
    A. Description
    B. Scope and Application of the Guideline
    C. Purpose of the Guideline
II. Sampling and Risk
    A. What is sampling?
    B. What is Sampling Risk?
III. Sample Bias
    A. Risk of Sample Bias
    B. How Sample Bias Arises
        1. Bias from Sampling Procedures
        2. "Crazy Eddies, Inc.", an example of fraud
IV. Use of Sampling in Auditing
    A. Sampling Methods and Procedures
    B. Statistical Sampling
        1. General considerations
        2. Specific Considerations for Auditing
        3. Valid Statistical Sampling Examples
    C. Nonstatistical Sampling
        1. General Considerations
        2. Specific Considerations for auditing
    D. Testing of Controls, Non Inferential sampling
        1. Intended End Use of a Sample (inferential vs. non inferential)
        2. Sampling Steps for tests of Controls
    E. Practical Limitations on Sampling
    F. Statistical Inference and Sample Size
    G. The Rise and fall of Statistical Sampling in Auditing
V. Effective Statistical Sampling
    A. Probability Theory
I. Guideline Overview

A. Description
This guideline surveys the concepts underlying the use of sampling techniques to strengthen the sufficiency, relevance, and reliability of evidence collected to support internal audit conclusions and management's testing for internal control and financial reporting procedure effectiveness. Evidence that is derived from effective sampling techniques would be one way of fulfilling the requirements of “Practice Advisory 2310-1: Identifying information”, and, since sampling is based on testing a relatively small number of items, it can be a cost effective technique. This guideline is intended to provide practical information related to improving sampling techniques. In addition, this guideline reviews the history of sampling, and provides examples of erroneous conclusions in auditing caused by intentional sample bias (fraud) or by unintentional sample bias (incorrect sampling training or techniques). Sampling is viewed in a comparative manner that provides insights into the use of similar sampling techniques in industries where sampling is governed by military specifications and ISO commercial standards.

Sampling, as used in internal auditing, has generally relied on the PCAOB authoritative guidance contained in AU 350, the AICPA Audit Guide, and the prior AICPA guidance as provided by SAS-39, which has been amended by SAS-111. These sources are analyzed and expanded upon to address the practical application of statistical and non-statistical sampling techniques for internal auditing and management control testing.

B. Scope and Application of the Guideline
Sampling is essentially a process of gathering partial information with an expectation that the partial information can be used to determine either a statistic (e.g. the mean, or median value) of a population of interest, or to estimate the percentage of occurrence of an item's feature (attribute) in a population of interest. In addition to using sampling to determine statistics for a population, sampling can also be used to determine the probability that a “lot” or “batch” of products or transactions has an “acceptable” percentage of deficiencies. This application of sampling is generally referred to as “Lot Acceptance” testing, or, in auditing, as “controls testing”. In each case, sampling and examining items for a statistic or the presence or absence of an attribute is a process, which can be used with great effect by an internal auditor or
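
The "Lot Acceptance" use of sampling described above can be made concrete with an added example that is not part of the original guideline: it computes the probability that a population of control executions is accepted under an attribute sampling plan, and the smallest sample that limits the risk of accepting a population at the tolerable deviation level. The function names, the population of 1,000 items, the 50 tolerable deviations and the 10% risk are assumptions constructed for illustration, and the exact hypergeometric distribution (sampling without replacement) is used here.

```python
from math import comb


def accept_probability(population, deviations, sample_size, accept_number=0):
    """Probability that a simple random sample drawn without replacement
    contains at most `accept_number` deviations (hypergeometric)."""
    if not 0 <= deviations <= population:
        raise ValueError("deviations must lie between 0 and population")
    if not 0 < sample_size <= population:
        raise ValueError("sample_size must lie between 1 and population")
    total = comb(population, sample_size)
    favourable = sum(
        comb(deviations, k) * comb(population - deviations, sample_size - k)
        for k in range(min(accept_number, deviations, sample_size) + 1)
    )
    return favourable / total


def smallest_sample_size(population, tolerable_deviations, risk, accept_number=0):
    """Smallest sample for which a population holding `tolerable_deviations`
    deviating items is still accepted with probability <= `risk`."""
    for n in range(accept_number + 1, population + 1):
        if accept_probability(population, tolerable_deviations, n, accept_number) <= risk:
            return n
    return population  # only a full examination meets the risk target


if __name__ == "__main__":
    # Constructed scenario: 1,000 access-approval records, a 5% tolerable
    # deviation rate (50 records), 10% risk of wrongly accepting, zero
    # deviations allowed in the sample.
    N, TOLERABLE, RISK = 1000, 50, 0.10
    n = smallest_sample_size(N, TOLERABLE, RISK)
    print(f"sample size for accept-on-zero plan: {n}")
    # Operating characteristic: acceptance probability of the same plan
    # for populations with different true numbers of deviations.
    for d in (0, 10, 25, 50, 100):
        print(f"{d:4d} deviations in population -> P(accept) = "
              f"{accept_probability(N, d, n):.3f}")
```

The loop at the end prints the plan's operating characteristic, which shows how often the same sample would still accept a population whose true deviation count is better or worse than the tolerable level.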
