MIS 5201-IT Audit Process

This session was all about Audit Sampling – “the application of an Audit Procedure to less than 100% of the target population, for the purpose of drawing general conclusions about the entire population based on the characteristics detected in the sample“.

We learned about two types of Sampling approaches

• Statistical – good for when you need to consider sampling risk, confidence level, and precision but costly and complex.
• Non-Statistical – good because its flexibility, its greater reliance on auditor’s experience and judgement, and it allows reasonable reliability at a reasonable cost. Unfortunately the results are not statistically valid, they have a greater chance of resulting in wrong sample sizes, and do not provide an objective measure of sampling risk.

To illustrate a few points we evaluated an access management control with the intent of assessing compliance with approval requirements. We selected a sample of 103 new access or change to existing access requests, out of a population of 650. Testing the sample yielded 4 requests that were granted without proper approval (i.e. they failed the tests). Four (4) deviations out of a randomly selected sample of 103 exceeded our deviation rate tolerance of 6% demonstrating how the control was not working as intended.

We will revisit the subject of Sampling again next week running through a few more examples during our first half of our class. The second half will be dedicated to testing.

You will find a link to a video recording of this week’s session – including additional information regarding our project – and a copy of the slides. I also included a copy of the sampling tables we used during class.

Class Video: Week 10 – Sampling

Class Slides:Week 10 – Sampling

Statistical Sample Size for Test of Control – to determine sample size (95% confidence interval)

Statistical Sampling Results Evaluation Table for Test of Controls – to evaluate the results from testing samples.