A question I often get asked is “what sample-size do I need?” A reasonable question you might think, but the answer is rarely straightforward. This is because deciding which sample-size to use involves taking three competing requirements into consideration: (i) risk, (ii) time and (iii) cost.
For example, it stands to reason that the riskier a business process, the more accurate you want your audit result to be. This means selecting a larger sample-size than for a less risky process. This is the foundation of risk-based auditing.
This sounds simple enough, but a larger sample-size means more time and money are needed to collect, analyse and report audit results. Additional time and money most managers don’t have. So what is the answer?
One possible path is for managers to continue doing what they have done in the past, a path that brings with it higher auditing costs and an increased probability that a major risk event will occur at some point in the future.
Alternatively, they can choose to move beyond the conventional non-statistical approach to sample-size selection (e.g. fixed sample-size number, fixed percentage of the audit population, etc.) to create a new statistical, risk-based auditing paradigm.
The biggest weakness of non-statistical sampling is that the accuracy of the audit result remains unknown, a situation which can often lead to costly over-auditing, suboptimal decision making or, worse still, no decision making at all.
Interestingly, many managers still believe statistical auditing will force them to perform more audits than they can afford. In reality, nothing could be further from the truth.
While it’s true that statistical auditing systems will calculate the sample-size needed to achieve a specified level of accuracy, neither of these parameters is set in stone. If the sample-size requirement doesn’t fit within a manager’s budget, the accuracy level can simply be reduced until it does. On the other hand, if the final accuracy level is considered too low, this information can then be used to demonstrate the need for an increase in audit funding.
Ignoring the statistics behind sample-size selection doesn’t mean it will go away. What it does mean is that managers are likely to end up spending more time and money monitoring low-risk business processes than they have to. Time and money that could be better spent monitoring business processes that do.
Another reason why many managers continue to use conventional ad-hoc auditing methods is that they believe it is too hard and expensive to implement statistical alternatives. This may have been the case in the past, but recent advancements in cloud-based auditing software mean it’s never been easier or cheaper to establish a suitable system than now.
The dynamic nature of statistical, risk-based auditing has a number of significant efficiency and effectiveness benefits compared to conventional, fixed non-statistical methods, including:
• It removes the guesswork surrounding how much auditing is needed to monitor and control business risks,
• It focuses an organisation’s limited auditing and improvement resources on areas that will generate maximum value (i.e. highest risk),
• It significantly improves an organisation’s ability to identify and correct ineffective business processes before they cause a major risk event,
• It reduces an organisation’s auditing costs with improvements in business control performance.
If you’d like to know more about how statistical, risk-based sampling methods can optimise your organisation’s auditing processes, visit us at www.compliance-master.com.