Page 130 - CITP Review

case, discovery sampling had more “power” in its sample size, because it recommended a larger sample size than attribute sampling.

In choosing the sample, effect size is another important consideration. If the deviation is measured in dollars or units, then the sampler can determine the size of the deviation.

For example, in a medical research statistical test studying the effects of smoking on males 40–50 years of age, it may be assumed that smoking reduces the life span of the user. The question is: how much of a reduction is big enough to be considered important? Perhaps one year is not significant, but five years may be. The determination of that number of years is an example of effect size. Naturally, in an audit context, effect size is most influenced by materiality and tolerable misstatement.


When examining ITGCs, the CITP will often rely on samples and review as the procedure of choice. For example, if the entity writes some of its own relevant applications, then the entity will need controls to ensure those applications are materially free of bugs, errors, and fraud. One way to provide this kind of control is to adhere to SDLC principles (basically, best practices). In order to gain an understanding of the entity’s controls over application development, the CITP could review a list of all relevant applications, eliminate those that are not relevant or are considered minor (impact, risk, size), and take a directed sample of what is left. Examination of the documentation on those relevant major IT projects should provide the CITP with evidence about whether application development controls are operating effectively or not. A relatively easy way to make that determination is to compare the documentation and processes described with the principles of SDLC.


Other ITGCs could also be sampled. For example: IT support operations (sample support tickets and audit them); logical access controls for terminated employees (sample employees terminated during the period and confirm their access was removed); authorization and sound vendor management within IT change management (sample IT purchases from the period); and proper testing procedures for change management, application development, or systems development (sample IT changes and review the testing documentation). Some ITGCs are better suited to a full review (for example, minutes of the BoD, steering committee, change management committee, and PMO, which are few in number and therefore not too cumbersome).


            Computer-assisted audit techniques

CAAT is the employment of computers and technologies to automate one or more audit procedures or processes. CAATs have the potential to change the audit from routine documentation of the audit trail (numbers and documents) to analysis of the evidence (in digital form). IT auditors often make this switch without realizing it.

CAATs can be used for the following three basic purposes:

  To replace or supplement substantive procedures in an audit plan
  To gain audit efficiencies or effectiveness
  To obtain value-add recommendations for management or the client

The primary advantage of CAATs is that they can evaluate 100% of the transactions in a population, rather than being limited to examining a sample of data or transactions.
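The following is an added illustration, not code from the CITP Review text, of a simple CAAT applied to the terminated-employee logical access control mentioned earlier on this page: instead of sampling terminated employees, the test joins the full HR termination list for the period to a user-account extract and flags every account that was not disabled within the assumed one-day policy window or that was used after the termination date. The employee IDs, account names, dates, and the one-day grace period are all constructed sample values chosen for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from the review text): HR's list of employees
# terminated during the audit period, and a period-end extract of user accounts.
TERMINATIONS = [
    {"emp_id": "E100", "term_date": date(2019, 3, 15)},
    {"emp_id": "E101", "term_date": date(2019, 5, 31)},
    {"emp_id": "E102", "term_date": date(2019, 6, 10)},
    {"emp_id": "E103", "term_date": date(2019, 8, 1)},
]

ACCESS_EXTRACT = [
    # E100: disabled the next day, no later login -> compliant
    {"emp_id": "E100", "account": "e100", "disabled_on": date(2019, 3, 16), "last_login": date(2019, 3, 15)},
    # E101: account never disabled -> exception
    {"emp_id": "E101", "account": "e101", "disabled_on": None, "last_login": date(2019, 5, 30)},
    # E102: disabled weeks late and used after termination -> two exceptions
    {"emp_id": "E102", "account": "e102", "disabled_on": date(2019, 7, 1), "last_login": date(2019, 6, 20)},
    # E103: primary account handled correctly, but a second (service) account was left active and used
    {"emp_id": "E103", "account": "e103", "disabled_on": date(2019, 8, 1), "last_login": date(2019, 7, 31)},
    {"emp_id": "E103", "account": "svc_e103", "disabled_on": None, "last_login": date(2019, 9, 3)},
]

# Assumed policy for this example: access must be removed within one day of termination.
GRACE = timedelta(days=1)


def find_exceptions(terminations, access_extract, grace=GRACE):
    """Test 100% of terminated employees against the account extract.

    Returns a list of (emp_id, account, reason) tuples. One account can
    produce two exceptions: disabled late (or not at all) and used after
    the termination date.
    """
    accounts_by_emp = {}
    for row in access_extract:
        accounts_by_emp.setdefault(row["emp_id"], []).append(row)

    exceptions = []
    for term in terminations:
        deadline = term["term_date"] + grace
        for acct in accounts_by_emp.get(term["emp_id"], []):
            if acct["disabled_on"] is None:
                exceptions.append((term["emp_id"], acct["account"], "still active at period end"))
            elif acct["disabled_on"] > deadline:
                exceptions.append((term["emp_id"], acct["account"], "disabled late"))
            if acct["last_login"] is not None and acct["last_login"] > term["term_date"]:
                exceptions.append((term["emp_id"], acct["account"], "login after termination"))
    return exceptions


def deviation_rate(terminations, exceptions):
    """Share of terminated employees with at least one exception.

    Because the whole population was tested, this is the actual deviation
    rate, not a sample estimate that would need an allowance for sampling risk.
    """
    flagged = {emp_id for emp_id, _, _ in exceptions}
    return len(flagged) / len(terminations)


if __name__ == "__main__":
    found = find_exceptions(TERMINATIONS, ACCESS_EXTRACT)
    for emp_id, account, reason in found:
        print(f"{emp_id:<6} {account:<10} {reason}")
    print(f"population: {len(TERMINATIONS)} terminated employees, "
          f"deviation rate: {deviation_rate(TERMINATIONS, found):.0%}")
```

Running the script lists five exceptions across three of the four terminated employees. Note the service account for E103: a sample of terminated employees that only checked each person's primary account would have passed that employee, which is the kind of gap a full-population test surfaces.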



            © 2019 Association of International Certified Professional Accountants. All rights reserved.    3-46