Determining the right sample size for IT controls testing: insights into industry standards / best practices
Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorization for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.
For manual controls, the frequency at which the control operates is taken into consideration (daily, weekly, monthly, quarterly or yearly). Also taken into account are the risk rating placed on the control (High/Medium/Low) and other factors based on the understanding of the control environment. The factors listed below drive the auditor to select a higher sample size:
- Complex controls prone to failure.
- Controls where significant judgments must be made in connection with their operation.
- Controls over significant processes where the assessed risk of failure of the controls to operate effectively is higher than normal.
- Controls that have a pervasive effect on other controls or processes.
- Controls that are relatively more important (e.g., some controls may address multiple control area components).
- Controls that are not protected by multiple layers of redundant controls.
- Controls recently implemented or remediated.
Alternatively, develop a simple matrix that maps the control's risk rating (High/Medium/Low) to a sample size, with sample sizes ranging from small to large.
The Modified Pareto principle is also used for sample selection: if the population exceeds 20 items, select a random 20% of the dataset as the sample; if the population is 20 or fewer, test 100% of it. The dataset size (population) is taken for the period under consideration (preferably at least a quarter).
Another factor affecting sample size selection is the organization's risk appetite. Assess the risk first; that assessment then determines the amount of testing to be done.
There should be a separate plan for selecting samples of controls that are being retested, and this calls for a minimum time period and a minimum number of samples to be tested. For example, if a daily control is being retested, there must be a test period of at least 20 days with a minimum of 10 samples pulled.
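The Modified Pareto rule and the daily-control retest minimums described above, as an added example that is not part of the original article. The rounding-up of the 20% sample and the use of a recorded seed (so a reviewer can reproduce exactly which items were pulled) are assumptions of this example, not requirements stated in the text.

```python
import math
import random


def pareto_sample_size(population_size: int) -> int:
    """Modified Pareto rule: populations of 20 or fewer are tested in full;
    larger populations get a random 20% sample. Rounding up is an assumption
    (the article does not specify how fractional sizes are handled)."""
    if population_size < 0:
        raise ValueError("population size cannot be negative")
    if population_size <= 20:
        return population_size
    return math.ceil(0.2 * population_size)


def select_sample(population, seed: int) -> list:
    """Draw the sample with a fixed, documented seed so the same items are
    selected when the work is re-performed or reviewed. Returns the chosen
    items sorted, so the workpaper lists them in a stable order."""
    items = list(population)
    size = pareto_sample_size(len(items))
    rng = random.Random(seed)
    return sorted(rng.sample(items, size))


def daily_retest_plan_ok(period_days: int, sample_count: int) -> bool:
    """Minimums for retesting a daily control per the article:
    at least a 20-day test period and at least 10 samples."""
    return period_days >= 20 and sample_count >= 10


if __name__ == "__main__":
    # Constructed population: 95 daily reconciliation records for one quarter.
    population = [f"RECON-Q1-{i:03d}" for i in range(1, 96)]
    chosen = select_sample(population, seed=2024)
    print(len(chosen), "items sampled from", len(population))
    print("retest plan acceptable:", daily_retest_plan_ok(20, len(chosen)))
```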
For automated controls, reduce the sample size to what is appropriate to the audit risk. In an environment with a good audit history, where IT controls have traditionally demonstrated high compliance ratios, the sample size may be reduced based on professional judgment. However, every automated control carries some risk of failure, so the sample size must be varied accordingly. It is also important to auditors that automated controls are operational and effective, since this provides assurance that information generated from the system is valid, accurate and complete. Based on this assurance from the system, auditors can then place the appropriate level of reliance on the controls of the information system.