Internal control testing: What role does sampling play?
Auditors must test the effectiveness of internal controls before signing off on your financial statements. But it’s impossible to analyze every transaction that’s posted to the general ledger, due to time and budget constraints. Instead, auditors select and analyze a representative sample of transactions to make assertions about the entire population. Here’s more on how sampling works — along with the pros and cons of using it during internal control testing.
Picking a sample
Auditors may use statistical techniques to develop a sample of transactions to test. For example, an auditor might select enough transactions to represent a specific percentage of 1) the total transactions in an account, or 2) the company’s total assets or revenue. Alternatively, a sample of transactions may be pulled randomly using statistical sampling software.
Auditors also can use nonstatistical sampling techniques based on a dollar threshold or professional judgment. These techniques tend to be more effective when the CPA has many years of audit experience to ensure that the sample chosen is representative of the population of transactions.
Before analyzing a sample, your auditor has expectations about the number of “exceptions” (such as errors and omissions) that will appear in the sample. If the actual exceptions exceed the auditor’s expectation, he or she may need to perform additional procedures. For instance, your auditor might expand the sample and conduct more testing to assess the degree of noncompliance.
Ultimately, your auditor might conclude that your internal controls are ineffective. If so, he or she will perform more work to estimate the magnitude of the control failure.
Pros vs. cons
Sampling helps keep audit costs down by streamlining the internal control testing process. It also reduces disruptions to business operations during audit fieldwork. When applied correctly, the results of sampling are theoretically as accurate as if the audit team had analyzed every transaction posted to the general ledger. But, in practice, sampling can sometimes cause problems during internal controls testing.
For example, sampling presumes that controls function consistently across the whole population of transactions. If an exception doesn’t appear in the sample — because the sample was too small or otherwise unrepresentative of the entire population — your audit team could reach the wrong conclusion about the effectiveness of your internal controls.
There’s also a risk that your audit team could rely too heavily on nonstatistical sampling. Relying more on judgment than statistical methods could result in errors, especially if an auditor lacks professional experience.
A collaborative process
You can help maximize the benefits of sampling by providing the audit team with document requests in a timely manner and following up on your auditor’s management points at the end of each year’s audit. It’s frustrating to both auditors and business owners when internal control weaknesses recur year after year. Our auditors have extensive experience testing internal controls, and we’d be happy to answer any questions you have on testing and sampling techniques.