TeamMate Data Analytics Software
ComplianceJune 10, 2021

Audit Analytics: Is sampling enough for internal controls testing?

By: Stefan Davis

Virtually every auditor, whether internal or external, has to test the effectiveness of internal control procedures.

For an external auditor, internal controls effectiveness testing allows you to have comfort over an assertion without needing to test substantively. For an internal auditor, a significant part of their role is providing assurance to management and the audit committee over internal control effectiveness, especially if their organization is subject to Sarbanes-Oxley requirements.

Solutions

TeamMate Analytics

Audit analytics

Learn More
Provide deeper insights more quickly and reduce the risk of missing material misstatements.
Learn More
View a Demo
Contact Us

Sampling theory

Traditionally, sampling would be used to test internal control effectiveness, using sample size guidance, usually something like this:

  • For a control that operates monthly, test 2
  • For a control that operates weekly, test 8
  • For a control that operates daily, test 30
  • For a control that operates more than once a day, test 30

The logic behind this guidance is that if the control has operated effectively for the sampled instances, you can be comfortable that it has operated effectively every time.

Sampling reality

Unfortunately, in reality this is often not the case – as auditors we see it time and time again in well-known, large organizations, which appear to have strong controls environments. They get a case of the “This one’s” or “This time’s”:

  1. All “Disbursements over limit” are meant to be approved by two directors but “this one” was incredibly urgent so only one signature was provided
  2. Inventory counts for high value goods should be conducted weekly, but, “this time” they were not done for 2 weeks while the responsible person was out of office
  3. Purchase orders should to be created and approved by 2 different people – “this one” managed to be released to suppliers without approval or approved by the creator of the PO
  4. The Finance Director is not supposed to be able to post journals, but “this time” their system access has not been setup correctly, so they can
  5. Purchase invoices over $100,000 should be approved by the CEO, but “this one” was only just over so was just signed by the CFO

When occurrences like these are identified using sampling with a few items, it is clear that there may be many, many others that are missed. Of even more concern, when using sampling, you potentially have a very high likelihood of missing these single control failures. Consider:

  • If you only test 2 examples of a monthly control, there is an 83% chance you’ll miss a single control failure during the year
  • If you test 8 examples of a weekly control, there is an 85% chance you’ll miss a single control failure
  • If you test 30 examples of a daily control (assuming it is carried out on weekdays), there is an 88% chance you’ll miss a single control failure
  • If you test 30 examples of a control that operates more than once a day, there could be a 99% chance (or higher) that you’ll miss a single failure

View a demo

3 Simple Tests Using TeamMate Analytics
How to perform 3 commonly used tests using TeamMate Analytics
TeamMate Analytics empowers all auditors to perform powerful data analytics. Learn how the software can increase assurance and reduce your exposure to risk. In this short demo, we'll walk you through 3 commonly used tests and how easy it is to run tests on complete data sets.

Length: 5 minutes, 8 seconds
View Demo

A solution

The only way to get any real comfort over the operating effectiveness of an internal control procedure is to test every instance of it running.

Now, if the control is conducted completely offline, outside of any systems, that is likely to be impractical. However most controls are now evidenced somewhere in an organization’s computer systems. By obtaining a download of transactions from these systems, you can very easily test the control against 100% of the transactions, using Computer Aided Audit Tools (CAATs; also known as “audit data analysis” or “data analytics”).

As an example, let’s look at what can happen to the “This one’s” and “This time’s” from our 5 sampling scenarios above when we utilize a data analytics tool:

  1. Easily extract all approved transactions with less than two approvers. For those with two approvers you can match those approvers to a list of management/directors to ensure they all have approval authority and the limits
    Watch Video
  2. Summarize the inventory count log by week and location to ensure that all locations were counted at least once a week
    Watch Video
  3. Use an exception report to extract all entries where the creator and approver are the same or where there is no approval at all
    Watch Video
  4. Match the journal transactions to the approved system access log to identify all transactions entered by non-approved personnel
    Watch Video
  5. Extract all purchase invoices over $100,000 where the approvers do not include the CEO
    Watch Video

With a data analytics tool, all of these analytics can be conducted in a matter of minutes. And, each of these tests can be made repeatable to easily run on a regular basis, or, if need be, by different auditors. These are just a few simple examples, but data analysis can be used in many different ways to test a wide range of internal controls.

Subscribe below to receive monthly Expert Insights in your inbox

Stefan Davis
Stefan Davis
Senior Product Manager
Stefan is the co-founder of TeamMate Analytics and an expert on the application of Data Analytics to Audit. He started his career with KPMG in the UK, working in External and Internal Audit for a huge range of clients from small owner-managed businesses to global FTSE100 companies, including many well-known Manufacturers, Retailers and Financial institutions.
Solutions

TeamMate Analytics

Audit analytics

Learn More
Provide deeper insights more quickly and reduce the risk of missing material misstatements.
Learn More
View a Demo
Contact Us

Related Insights

  • Designing a formal internal audit strategy
    Article
    Compliance
    March 12, 2024

    Designing a formal internal audit strategy

    Every organization's internal audit department requires a well-planned and structured strategy. The following guide is designed to walk you through each step.
    Learn More
  • Understanding cybersecurity: An overview to help protect your organization
    Article
    Compliance
    December 13, 2023

    Understanding cybersecurity: An overview to help protect your organization

    The cyber-threat landscape is evolving. Data analytics can be a proactive approach to cybersecurity using data collection, aggregation, and analysis to protect the well-being of your organization.
    Learn More
  • Utilizing data analytics to help support ESG reporting
    Article
    Compliance
    ESG
    December 12, 2023

    Utilizing data analytics to help support ESG reporting

    ESG reporting is a significant concern for organizations, and ESG data analytics is the solution for efficiently collecting and analyzing the vast amount of information needed.
    Learn More
  • Five-step root cause audit planning analysis, using data analytics
    Article
    Compliance
    October 25, 2023

    Five-step root cause audit planning analysis, using data analytics

    Data analytics play a pivotal role in guiding audits and helping to uncover insights. Download this report to learn how the technique of root cause analysis can help internal auditors unravel the narrative behind the numbers.
    Learn More
Back To Top