
Audit Testing and Sample Sizes

  • Controls Testing: Introduces the concept of controls testing in internal auditing, including process evaluation.
  • Testing Techniques: Details specific techniques used in testing controls such as inquiry, observation, inspection, and re-performance.
  • Sampling: Explains how sampling is used in auditing procedures, covering both manual and automated controls.
  • Audit Documentation: Focuses on the importance of comprehensive documentation within an audit process to ensure conclusions are verifiable.
  • Changing Shape of Internal Audit: Discusses the evolving characteristics of internal audit function within organizations fueled by technological advancements.
  • Computer Assisted Audit Techniques: Explores the use and advantages of computer assisted audit techniques in enhancing coverage and efficiency.
  • Exercise: Presents a practical exercise scenario for internal auditors to apply learned concepts to real-world situations.

Internal Audit Testing and Sampling Techniques

Chartered Institute of Internal Auditors – May 2014

Controls Testing

PwC Slide 1
Testing Priorities

[Figure: risk grid with cells labelled Risk A1, Risk A2, Risk B1, Risk B2, Risk C1 and Risk C2]

Controls testing

Testing techniques
- Inquiry
- Observation
- Inspection/Examination
- Re-performance

Controls testing

Control testing

Tests of controls are designed to obtain evidence to assess their operating effectiveness. Operating effectiveness means that the controls are functioning as designed on a consistent basis over the period under examination.

- Inquiry – consists of seeking information of knowledgeable people within the client
- Observation – consists of looking at a process being performed by others
- Examination
  ◦ inspection of information or data
  ◦ walkthrough – confirming our understanding of a process by tracing individual transactions from beginning to end
- Re-performance – independent execution of procedures that were originally performed as part of management’s internal controls

Controls testing

Determining which testing technique to use

[Figure: techniques arranged by level of comfort, listed on the slide from top to bottom: Re-performance, Inspection/Examination, Observation, Inquiry]

Controls testing

Determining which testing technique to use

Considerations:
• The susceptibility of the control to change.
• The frequency and extent of the control.
• Our initial view of the likelihood of control weakness.
• Significance of the control to the control environment and how much reliance is being placed on it.

Value Protection - execute

Sampling

• Sampling is the application of auditing procedures to a representative group of less than 100% of the items within a homogenous population
• We use non-statistical sampling

3 Steps to follow:
1. Determine the control test objective, population and sampling unit
2. Determining the sample size
3. Selecting the sample for testing

Value protection – Execute

Sampling
Manual Controls

Depends on:
• Frequency of control or population size
• Level of evidence that is judged to be necessary

The table below can be used as a general rule; however, we may use a smaller sampling size:

Frequency of Control      Assumed population size   Sample Size
Annual                    1                         1
Quarterly                 4                         2
Monthly                   12                        2 (minimum) to 5 (maximum). Select 3 if you require a mid-range.
Weekly                    52                        5 to 15. Select 10 if you require a mid-range.
Daily                     250                       20 to 40. Select 30 if you require a mid-range.
Multiple times per day    Over 250                  25 to 60. Select 30 or 45 if you require a mid-range.

Value protection – Execute

Sampling
Manual Controls

The following factors may indicate that sample sizes should be selected at the higher end of the ranges:
- The greater the potential financial loss or adverse event to the company if the control is not effective or fails
- The more complex the control
- The greater the degree of judgment in control operation

Value protection – Execute

Sampling
Automated Controls

If IT General Controls have been tested and found to be effective, it may be sufficient to only test one operation of the Automated Control

Documentation

Audit documentation

Remember: if what you did isn’t documented, it’s the equivalent of not performed!

Audit documentation must contain sufficient information to enable an experienced auditor, having no previous connection with the engagement to:
- Understand the nature, timing, extent and results of the procedures performed, evidence obtained, and conclusions reached
- Determine who performed the work and the date such work was completed, as well as the person who reviewed the work and the date of such review.
- Understand the linkage between conclusions and facts
- Document what you have done and how you reached your conclusions

The changing shape of internal audit

Increased use of technology

Drivers for change (top 3):

1. Complexity
increased use of technology within the business | higher volume of transactions | increased automation | businesses driven by data | devil is in the detail | how do you find a needle in the haystack?

2. More for less
pressure to deliver more with less | value | quality | efficiency | insight | pressure to deliver with less resource and using samples?

3. Resources
skill sets | innovation | technologically minded team | reduced fear factor | development opportunities for your people?

May 2014 12
PwC CIIA - 14 May 2014
Confidential


What are CAATs?

Computer Assisted Audit Techniques

A means of accessing large amounts of data in a format that can provide transparency not attainable through other auditing procedures. The results may be used to identify areas of key risk, fraud, errors or misuse; improve business efficiencies; verify process effectiveness; or influence business decisions. (ISACA August 2011)


Data analytics - methodology

1. Extract and upload raw data
2. Map and organise data
3. Analyse and visualise data
4. Finalise audit evidence, identify anomalies and insight

Computer Assisted Audit Techniques
Advantages

1. Increased coverage – 100% of transactions
   How can you ever pick a sample that is representative?
2. Efficiency – repeatable and automated
   Expandable model, allowing tests to be refined, tuned, added, removed
3. Value and insight – improve the perception of IA
   Standing still or moving with the times?
4. Basis for prioritisation of where to look next in the organisation
   You can quickly identify and address emerging issues and risks
5. Climb the maturity curve – predictive business enabler
   In the future it will allow audit tests to be “pushed” into the organisation as monitoring controls

Data analytics on vendor standing data


Identify duplicate vendors based on the same or similar (fuzzy match) vendor name.

Identifying and resolving duplicate vendor records is important, as duplicates could otherwise lead to loss, error or fraud. For example:
- Loss: purchasing volume discounts are lost where spend with a specific supplier is recorded across two or more records for the same supplier.
- Error: one vendor record is updated but the duplicate vendor record is not, resulting in incorrect and inconsistent records.
- Fraud: duplicate vendor records are used to process payments below a review threshold.

Results:
- 12,253 vendors listed in standing data
- 1,031 perfect duplicates
- 46 fuzzy match with 1 character difference
- 96 fuzzy match with 2 character difference
- 231 fuzzy match with 3 character difference
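
One way the duplicate-vendor test described above could be run, added here as an illustration and not taken from the presentation. It assumes that "character difference" means Levenshtein edit distance and that names are normalised before comparison; the function names, vendor IDs and vendor names are constructed.

```python
import re
from collections import defaultdict
from itertools import combinations

def normalise(name):
    """Lower-case, drop punctuation, collapse whitespace (assumed cleaning step)."""
    return " ".join(re.sub(r"[^a-z0-9 ]", "", name.lower()).split())

def edit_distance(a, b, limit=3):
    """Levenshtein distance; returns limit + 1 as soon as it must exceed limit."""
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        if min(cur) > limit:
            return limit + 1
        prev = cur
    return min(prev[-1], limit + 1)

def find_duplicates(vendors, max_diff=3):
    """vendors: (vendor_id, name) pairs. Returns (perfect, fuzzy): IDs sharing a
    normalised name, and distinct name pairs grouped by character difference."""
    ids_by_name = defaultdict(list)
    for vendor_id, name in vendors:
        ids_by_name[normalise(name)].append(vendor_id)
    perfect = {n: ids for n, ids in ids_by_name.items() if len(ids) > 1}
    fuzzy = defaultdict(list)
    for a, b in combinations(sorted(ids_by_name), 2):
        diff = edit_distance(a, b, max_diff)
        if diff <= max_diff:
            fuzzy[diff].append((a, b))
    return perfect, dict(fuzzy)

# Constructed vendor standing data for illustration only.
SAMPLE_VENDORS = [
    ("V001", "Acme Supplies Ltd"),
    ("V002", "ACME Supplies Ltd."),            # same name after normalising
    ("V003", "Acme Suplies Ltd"),              # 1 character difference
    ("V004", "Oakfield Transport"),
    ("V005", "Oakfeild Transport"),            # 2 character differences
    ("V006", "Brightwell Cleaning Services"),
    ("V007", "Britewell Cleaning Services"),   # 3 character differences
]

if __name__ == "__main__":
    print(find_duplicates(SAMPLE_VENDORS))
```

Comparing every pair of names is quadratic in the number of vendors, so on a full vendor file the comparison would normally be limited to candidates that share a blocking key such as a name prefix.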
Exercise

You are the internal auditors to an NHS Trust. You have been asked to undertake a review to assess the accuracy of the information used to support the KPIs that are reported to the Board on a monthly basis and to external regulators quarterly. What would you consider in devising a testing approach?

You are driving to work and hear on the radio that an NHS Trust in another part of the country has got into serious trouble for mis-reporting cancer waiting times data. There seems to be an issue in distinguishing between cancellations and DNAs. Would you do anything differently?

In checking the above with the client you realise that they may have innocently mis-interpreted the above and that this might mean that they have been mis-reporting data to their external regulators. What would you do?

This publication has been prepared for general guidance on matters of interest only, and does not
constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is
given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not
accept or assume any liability, responsibility or duty of care for any consequences of you or anyone
else acting, or refraining to act, in reliance on the information contained in this publication or for any
decision based on it.

© 2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a
member firm of PricewaterhouseCoopers International Limited, each member firm of which is a
separate legal entity.
