Professional Documents
Culture Documents
Controls Testing
PwC
Slide 1
Testing Priorities
Risk B1
Risk B2
Risk C2
Risk A2
Risk C1
Risk A1
Controls testing
Testing techniques
Inquiry
Observation
Inspection/
Examination
Re-performance
PwC
Slide 3
Controls testing
Control testing
PwC
Slide 4
Controls testing
Re-performance
Level of
Comfort
Inspection/
Examination
Observation
Inquiry
PwC
Slide 5
Controls testing
PwC
Slide 6
Sampling
PwC
3 Steps to follow:
1.
2.
3.
Slide 7
Sampling
Manual Controls
Depends on:
Frequency of control or population size
Level of evidence that is judged to be necessary
The table below, can be used as a general rule; however, we may use a
smaller sampling size:
Frequency
of Control
Assumed population
size
Sample Size
Annual
Quarterly
Monthly
12
Weekly
52
Daily
250
Multiple
times per day
Over 250
PwC
Slide 8
Sampling
Manual Controls
Following factors may indicate that sample sizes should be selected at the
higher end of the ranges:
- The greater the potential financial loss or adverse event to the company if
the control is not effective or fails:
- The more complex the control
- The greater the degree of judgment in control operation
PwC
Slide 9
Sampling
Automated Controls
If IT General Controls have been tested and found to be effective, it may be
sufficient to only test one operation of the Automated Control
PwC
Slide 10
Documentation
Audit documentation
Remember: if what
you did isnt
documented, its the
equivalent of not
performed!
PwC
Slide 11
Confidential
1. Complexity
increased use of technology within the
business | higher volume of transactions |
increased automation | businesses driven by
data | devil is in the detail | how do you find a
needle in the hay stack?
3. Resources
skills sets | innovation | technologically
minded team | reduced fear factor |
development opportunities for your people?
May 2014
PwC
12
CIIA - 14 May 2014
Confidential
May 2014
PwC
13
CIIA - 14 May 2014
Confidential
A means of accessing
large amounts of data in
a format that can provide
transparency not
attainable through other
auditing procedures.
The results may be used to identify areas of
key risk, fraud, errors or misuse; improve
business efficiencies; verify process
effectiveness; or influence
business decisions.
(ISACA August 2011)
May 2014
PwC
14
CIIA - 14 May 2014
Confidential
Extract and
upload raw data
May 2014
PwC
Map and
organise data
Analyse and
visualise data
Finalise audit
evidence, identify
anomalies and
insight
15
CIIA - 14 May 2014
1
2
3
4
5
Confidential
12,253
vendors listed in standing data
1,031
perfect duplicates
May 2014
PwC
46
96
231
fuzzy match with 3
character difference
17
CIIA - 14 May 2014
Exercise
You are the internal auditors to an NHS Trust. You have been asked to
undertake a review to assess the accuracy of the information used to support the
KPIs that are reported to the Board on a monthly basis and to external
regulators quarterly. What would you consider in devising a testing approach?
PwC
18
Exercise
You are the internal auditors to an NHS Trust. You have been asked to
undertake a review to assess the accuracy of the information used to support the
KPIs that are reported to the Board on a monthly basis and to external
regulators quarterly.
You are driving to work and hear on the radio that a NHS Trust in another part
of the country has got into serious trouble for mis-reporting cancer waiting
times data. There seems to be an issue in distinguishing between cancellations
and DNAs. Would you do anything differently.
PwC
May 2014
19
Exercise
You are the internal auditors to an NHS Trust. You have been asked to
undertake a review to assess the accuracy of the information used to support the
KPIs that are reported to the Board on a monthly basis and to external
regulators quarterly.
You are driving to work and hear on the radio that a NHS Trust in another part
of the country has got into serious trouble for mis-reporting cancer waiting
times data. There seems to be an issue in distinguishing between cancellations
and DNAs.
In checking the above with the client you realise that they may have innocently
mis-interpreted the above and that this might mean that they have been misreporting data to their external regulators. What would you do?
PwC
May 2014
20
This publication has been prepared for general guidance on matters of interest only, and does not
constitute professional advice. You should not act upon the information contained in this publication
without obtaining specific professional advice. No representation or warranty (express or implied) is
given as to the accuracy or completeness of the information contained in this publication, and, to the
extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not
accept or assume any liability, responsibility or duty of care for any consequences of you or anyone
else acting, or refraining to act, in reliance on the information contained in this publication or for any
decision based on it.
2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, PwC refers to
PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a
member firm of PricewaterhouseCoopers International Limited, each member firm of which is a
separate legal entity.