版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
ITAF™Companion
PerformanceGuidelines2208
InformationTechnologyAuditSampling
2
AboutISACA
ISACA®(
)isaglobalcommunityadvancingindividualsandorganizationsintheirpursuitofdigital
trust.Formorethan50years,ISACAhasequippedindividualsandenterpriseswiththeknowledge,credentials,
education,trainingandcommunitytoprogresstheircareers,transformtheirorganizations,andbuildamoretrusted
andethicaldigitalworld.ISACAisaglobalprofessionalassociationandlearningorganizationthatleveragesthe
expertiseofits180,000+memberswhoworkindigitaltrustfieldssuchasinformationsecurity,governance,assurance,risk,privacyandquality.Ithasapresencein188countries,including225chaptersworldwide.ThroughtheISACA
Foundation,ISACAsupportsITeducationandcareerpathwaysforunderresourcedandunderrepresentedpopulations.
Disclaimer
ISACAhasdesignedandcreatedITAF™CompanionPerformanceGuidelines2208:InformationTechnologyAudit
Sampling(the“Work”)primarilyasaneducationalresourceforprofessionals.ISACAmakesnoclaimthatuseofanyoftheWorkwillassureasuccessfuloutcome.TheWorkshouldnotbeconsideredinclusiveofallproperinformation,proceduresandtestsorexclusiveofotherinformation,proceduresandteststhatarereasonablydirectedtoobtaining
thesameresults.Indeterminingtheproprietyofanyspecificinformation,procedureortest,professionalsshould
applytheirownprofessionaljudgmenttothespecificcircumstancespresentedbytheparticularsystemsorinformationtechnologyenvironment.
ReservationofRights
©2026ISACA.Allrightsreserved.Nopartofthispublicationmaybeused,copied,reproduced,modified,distributed,displayed,storedinaretrievalsystemortransmittedinanyformbyanymeans(electronic,mechanical,photocopying,recordingorotherwise)withoutthepriorwrittenauthorizationofISACA.
ISACA
1700E.GolfRoad,Suite400
Schaumburg,IL60173,USA
Phone:+1.847.660.5505
Fax:+1.847.253.1755
Support:
Website:
ParticipateintheISACAOnlineForums:
/onlineforums
X:
/ISACANews
LinkedIn:/company/isaca
Facebook:/ISACAGlobal
Instagram:/isacanews/
ITAF™CompanionPerformanceGuidelines2208:InformationTechnologyAuditSampling
ACKNOWLEDGMENTS
3
Acknowledgments
ISACAwishestorecognize:
LeadDeveloper
MaryCarmichael,CISA,CISM,CRISC,CPA,CFE,MomentumTechnology,Canada
ITAuditAdvisoryGroup
KananAliyev,CISA,CRISC,CDPSE,CISSP,NEQSOLHolding,Azerbaijan
DavidBerkelmans,CISA,AAIA,Anchoram,Australia
GabrielMarinoBrandi,CISA,CDPSE,CIA,DPO,EY,Brazil
AgekeCalvince,CISA,ISO/IEC27001:2022LeadAuditor,ISO/IEC42001:2023,GAInsuranceLtd.,KenyaSharadGupta,CISA,Canada
TinLatt,MohamedAhmedJamal,CISA,CISM,CGEIT,CIA,DBA,ISO/IEC27001LeadAuditor,PCIP,MyanmarMarkLedman,CISA,USA
EsanjuMaseka,CISA,KMPG,Australia
GabrielSanchez,CISA,Microsoft,USA
BoardofDirectors
JohnDeSantis,Chair,FormerChairmanandChiefExecutiveOfficer,HyTrust,Inc.,USA
NielHarper,Vice-Chair,CISA,CRISC,CDPSE,CISSP,NACD.DC,ChiefInformationSecurityOfficerandData
ProtectionOfficer,Doodle,FormerChiefInformationSecurityOfficer,UnitedNationsOfficeforProjectServices(UNOPS),USA
StephenGilfus,ManagingDirector,OversightVenturesLLC,Chairman,GilfusEducationGroupandFounder,BlackboardInc.,USA
GabrielaHernandez-Cardoso,NACD.DC,FormerPresidentandCEO,GEMexico,IndependentBoardMember,Mexico
JasonLau,CISA,CISM,CGEIT,CRISC,CDPSE,CIPM,CIPP/E,CIPT,CISSP,FIP,HCISPP,ChiefInformationSecurityOfficer,
C
,Singapore
MassimoMigliuolo,IndependentBoardMember,Malaysia
JamieNorton,CISA,CISM,CGEIT,CISSP,CIPM,Partner,McGrathNicol,Australia
MaureenO’Connell,NACD.DC,BoardChair,AcaciaResearch(NASDAQ),FormerChiefFinancialOfficerandChief
AdministrationOfficer,Scholastic,Inc.,USA
ErikPrusch,ChiefExecutiveOfficer,ISACA,USA
AsafWeisberg,CISA,CISM,CGEIT,CRISC,CDPSE,CSX-P,ChiefExecutiveOfficer,introSightLtd.,Israel
PamelaNigro,ISACABoardChair2022-2023,CISA,CGEIT,CRISC,CDPSE,CRMA,VicePresident,Security,Medecision,USA
TraceyDedrick,ISACABoardChair,2020-2021,FormerExecutiveVicePresidentandHeadofEnterpriseRiskManagement,SantanderHoldings,USA
BrennanP.Baybeck,ISACABoardChair,2019-2020,CISA,CISM,CRISC,CISSP,SeniorVicePresidentandChiefInformationSecurityOfficerforCustomerServices,OracleCorporation,USA
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
4
Pageintentionallyleftblank
TABLEOFCONTENTS
5
TABLEOFCONTENTS
Chapter1.Introduction 7
PurposeofInformationTechnologyAuditSamplingGuidelines(Guidelines2208) 7
RelationshiptoITAF 7
ApplicationandUse 7
ScopeandTechnologyUpdates 8
IntegrationWithISACA’sBroaderGuidance 8
TermsandDefinitions 8
Chapter2.PerformanceGuidelines2208:InformationTechnologyAudit
Sampling 9
2208.lIntroduction 9
2208.2Sampling 9
2208.3DesignoftheSample ll
2208.4SelectionoftheSample l9
2208.5EvaluationofSampleResults 23
2208.6Documentation 24
AppendixA.RelatedStandards 27
AppendixB.RelatedGuidelines 29
AppendixC.TermsandDefinitions 31
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
6
Pageintentionallyleftblank
CHAPTER1INTRODUCTION
7
Chapter1
Introduction
ISACA’sInformationTechnologyAuditFramework(ITAF™)isacomprehensiveframeworkthat:
•EstablishesstandardsthataddressITauditandassurancepractitioners’rolesandresponsibilities,ethics,expectedprofessionalbehavior,andrequiredknowledgeandskills
•DefinestermsandconceptsspecifictoITauditandassurance
•Providesguidanceandtechniquesforplanning,performing,andreportingofITauditandassuranceengagements
PurposeofInformationTechnologyAuditSamplingGuidelines(Guidelines2208)
TheInformationTechnologyAuditSamplingGuidelines(Guidelines2208)havebeendevelopedasacompaniontoITAF.Theseguidelines:
•SupportITauditandassurancepractitionersinapplyingsamplingmethodstodrawvalidconclusionsaboutapopulationwhenauditproceduresareappliedtolessthan100percentofthatpopulation
•Promoteaconsistent,risk-basedapproachtothedesign,selection,andevaluationofsamplesinITauditandassuranceengagements
•Strengthenthereliability,transparency,andefficiencyofauditevidencederivedfromsamplingtechniques
TheseguidelinessupportITauditandassurancepractitionersinapplyingeffective,technology-enabledsampling
techniquesthatareconsistentwithISACA’sITAFstandards.Theyareintendedtobeusedacrossarangeof
engagements,includingITgeneralcontrols,applicationcontrols,andcybersecurityreviewstoensurethatsampling
proceduresproducereliable,evidence-basedconclusions.ByapplyingGuidelines2208,practitionerscanenhancetheobjectivityandconsistencyofsamplingresultsandbetteraligntheirworkwithauditobjectivesandprofessional
standards.
RelationshiptoITAF
AlthoughthesecompanionguidelinesdonotcorrespondtoaspecificITAFstandard,theirnumberingalignswiththeITAFframeworkstructuretomaintainconsistencyamongrelatedguidance.Thegeneral,performance,and
reportingguidanceseriesarenumbered2000,2200,and2400,respectively.Guidelines2208followsthisschemeandcomplementsthestandardsthataddressITauditplanning,execution,andreporting.
ApplicationandUse
Adherencetotheseguidelinesisrecommendedbutnotmandatory.Practitioners:
•Mayexerciseprofessionaljudgmentandflexibilityintheirapplicationoftheguidelines,providedthatdeviationsareproperlyjustifiedanddocumented
•Considertheguidelinesasabest-practicereferencefortheplanning,design,execution,anddevelopmentofsampleconclusionsinauditsamplingactivities.
•Recognizethat,whiletheguidelinesmaynotapplyinallcircumstances,theyrepresentanauthoritativeframeworkforconductingeffective,technology-enabledauditsampling.
TheintentofGuidelines2208istopromotequality,consistency,andtransparencyinsamplingmethodologiesappliedduringITauditandassuranceengagements,enablingpractitionerstodeliverreliable,evidence-basedconclusionsinincreasinglydigitalanddata-drivenenvironments.
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
8
ScopeandTechnologyUpdates
Astechnologyevolves,itisimpactinghowITauditandassurancepractitionersplanandconducttheirwork.In
responsetothesedevelopments,ISACAhasupdatedGuidelines2208:InformationTechnologyAuditSamplingto
betterreflectdata-drivenandtechnology-enabledauditsamplingapproaches.TherevisedguidelinesincorporatetheseadvancementswhilemaintainingISACA’scoreprinciplesofprofessionaljudgment,sufficientevidence,andsound
auditdocumentation,ensuringthatauditsamplingremainsbothrelevantandalignedwithtoday’spractices.
IntegrationWithISACA’sBroaderGuidance
PractitionersareencouragedtouseISACA’sportfolioofprofessionalguidance,includingrelevantframeworks,auditprograms,whitepapers,publications,andtoolstoenhanceauditqualityandstaycurrentwithevolvingtechnologiesandtheirimpactonauditprocesses.
Byintegratingtheseresourcesintoauditsamplingpractices,practitionerscanstrengthentheirunderstandingof
emergingtechnologiesandmaintainconsistencywithrecognizedbestpractices.Thisholisticapproachsupports
effectiveauditplanning,execution,andevaluation,enablingthedeliveryofhigh-quality,technology-informedauditandassuranceengagements.
TermsandDefinitions
Throughouttheseguidelines,somecommonwordshavespecificmeaningsthatapplytothemostcommontypesofengagementsperformedbyITauditandassurancepractitioners.Fortheseinstances,adefinitionisprovidedinAppendixCtoensurethatthemeaningsofthesewords,withinthecontextoftheseguidelines,areunderstoodandconsistentlyapplied.
Wherepractical,ITAFtermsanddefinitionsgenerallyareconsistentwithcommonlyusedterminologyinthepracticeofprofessionalauditingandininformationtechnologyandsecurity;however,practitionersshouldconsultthecurrentoriginalsourcestandardsrelevanttothespecifictypeofengagementtobeperformed.Thiswillensurealignmentofterminologywiththeoriginalsourcestandardsthatarebeingfollowed.
CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
9
Chapter2
PerformanceGuidelines2208:InformationTechnologyAuditSampling
ThepurposeoftheseguidelinesistoassistITauditandassurancepractitionersinthedesign,selection,andevaluationofauditsamplestoobtainsufficientandappropriateevidencesupportingauditconclusions.
Practitionersshouldconsidertheseguidelineswhendetermininghowtoimplementrelatedstandards(see
A
RelatedStandards)andrelatedguidelines(see
B
RelatedGuidelines),useprofessionaljudgmentintheirapplication,be
preparedtojustifyanydeparture,andseekadditionalguidanceifnecessary.
Whereuncertaintyorcomplexityarises,particularlyintechnology-drivenordata-intensiveenvironments,practitionersshouldseekadditionalguidanceorconsultsubjectmatterexpertstoensurethesamplingapproachremainsappropriateandreliable.
2208.1Introduction
Theguidelines’contentsectionsarestructuredtoprovideinformationonthefollowingkeyauditsamplingtopics:
•2208.2Sampling—Definesauditsampling,itsobjectives,andwhentoapplyoravoidit,includingguidanceonusingstatistical,nonstatistical,anddata-drivensamplingapproaches
•2208.3DesignoftheSample—Providesdirectiononplanningandstructuringsamplesusingvarioustools
tooptimizeefficiency,representativeness,andriskcoverage,whileensuringdatacompletenessandpopulationintegrity
•2208.4SelectionoftheSample—Explainshowtoselectrepresentativesamplesthroughcontrolled,unbiased,andreproduciblemethods,supportedbystatistical,nonstatistical,andautomatedselectiontechniques
•2208.5EvaluationofSampleResults—Describeshowtoanalyzeandinterpretsamplingresultstoassesserrorrates,identifytrends,andvalidateconclusions
•2208.6Documentation—Outlinesrequirementsforrecordingsamplingobjectives,parameters,tools,andresults,ensuringtransparency,reproducibility,andaudittraceability
2208.2Sampling
SamplingenablesITauditandassurancepractitionerstoobtainsufficientandappropriateevidencewithoutexaminingeveryiteminapopulation.Theapproachshouldalignwiththeaudit’sobjectives,riskassessment,anddata
characteristics,ensuringthatresultsarerepresentativeandreliable.Theseguidelinesoutlinewhenandhowsamplingshouldbeapplied,themethodsavailable,andthecircumstanceswherealternativeapproaches,suchasfull-populationtestingordata-drivenassurance,maybemoreeffective.
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
10
Guidelines
2208.2.1
RecognizetheLimitationsofReviewingAllInformation
Informinganauditopinionorconclusion,practitionersoftendonotexaminetheentirepopulationof
availableinformation,asdoingsomaybeimpracticalorinefficient.Whenafullreviewisnotfeasible
duetoconstraintssuchastime,resources,ordatavolume,practitionersshouldapplyappropriate
samplingtechniquestoobtainsufficientandappropriateevidencethatsupportsreliableanddefensibleconclusions.
Inselectingsamples,auditorsshouldalsoconsiderthetimelinessandrelevanceofthedata—for
example,focusingonrecenttransactionsandaccountingforanyseasonaloroperationalvariations.Usingoutdatedinformationmayresultinconclusionsthatdonotreflectcurrentprocessesorrisk,particularlyinrapidlyevolvingITenvironments.
2208.2.2
DetermineAuditSamplingMethodtoReachAppropriateConclusions
Practitionersshouldselectthesamplingmethod,statistical,nonstatistical,ordata-driven(analytics-
enabled),thatbestsupportstheauditobjectives,riskfocus,andcharacteristicsofthepopulationbeingtested.Samplingmethodsinclude:
•Statisticalsampling—Usesprobability-basedselection(e.g.,random,systematic,orstratified)andisappropriatewhenconclusionsmustrepresenttheentirepopulationorrequiremeasurable
confidencelevels.
■Forexample,selectingarandomsampleof200useraccesschangesfromafullyear’sactivitytoestimatecomplianceerrorrates.
•Nonstatisticalsampling—Reliesonprofessionaljudgmenttotargetitemsbasedonrisk,materiality,orcontrolsignificance.Suitableforfocusedorexploratorytestingwherepopulationvariabilityis
limitedorwellunderstood.
■Forexample,reviewingallprivilegedaccountchangesorhigh-valuefinancialtransactionsduringaspecificmonth.
•Data-drivensampling—Usesauditdataanalyticsorautomatedtoolstoselect,stratify,ortestlargedatasets,improvingcoverageandprecisionindata-richorcontinuousauditingenvironments.
■Forexample,applyingdataanalyticstoidentifyoutliersorunusualtransactionsacrossmillionsofsystemlogs.
•Hybridapproaches—Combineselementsofmultipleapproachestoimproveefficiency,consistency,andassurancecoverage.
■Forexample,apractitionermayusedata-drivensamplingtoidentifyhigh-risktransactions
withinalargedataset,thenapplystatisticalsamplingtotestarepresentativesubsetofthosetransactionsfordetailedevidence.
CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
11
Guidelines
2208.2.3
IdentifySituationsWhereitisInappropriatetoUseSampling
Practitionersshouldassesswhethertheuseofsamplingsupportstheauditobjectives,considering
thecharacteristicsofthedata,systems,andcontrolenvironment.Incertaincircumstances,alternativetestingmethodsmayprovidemorereliableorefficientassurance.Circumstanceswheresamplingmaybeinappropriateinclude:
•Evidenceordatalimitationsexist:
■Controlsorevidencecannotbeobservedorverified,suchaswhensystemlogs,approvalworkflows,ortransactionrecordsareincomplete,inaccessible,ormissing.
■Dataquality,completeness,orpopulationintegritycannotbeconfirmed,includingcaseswhereextractionlogicisflawed,formatsareinconsistent,orsource-to-reportreconciliationcannotbeperformed.
•Automationoranalyticalalternativesareused:
■Automatedorcontinuousauditingtoolscanefficientlytest100%oftransactionsorcontrolactivities,providinggreaterassurancethansample-basedtesting.
■Targeteddataanalytics,riskmodeling,oranomalydetectioncanidentifyhigh-riskitemsorexceptionsmoreeffectivelythanrandomorrepresentativesampling.
■Systemconfigurations,automatedworkflows,orembeddedcontrolsalreadyprovide
comprehensiveassurancecoveragethateliminatestheneedfortransaction-levelsampling.
•Populationcharacteristicsdonotwarrantsampling:
■Thepopulationissmallorhomogeneous,makingfulltestingmoreefficientandpracticalthansampling.
■Thepopulationisunstableordynamic,suchascontinuouslyupdatingdatasetsorreal-timelogsthatcannotbereliablydefinedorfrozenforsamplingpurposes.
•Riskorcomplianceconsiderationsarepresent:
■High-riskorcriticalitemsmayrequirefulltestingbecauseevenasingleerrorcouldhavesignificantfinancial,operational,orsecurityconsequences.
■Regulatory,legal,orcontractualobligationsmandatecompletetestingorverificationofcertaintransactions,controls,orconfigurations.
Practitionersshouldapplyprofessionaljudgmenttodeterminewhetherfull-populationtesting,targeteddataanalytics,orembeddedcontrolevaluationprovidesamoreappropriatealternativetosampling.
Themostsuitableapproachshouldconsiderfactorssuchasauditobjectives,datareliability,systemcapabilities,andresourceavailability.
2208.3DesignoftheSample
Effectivesampledesignensuresthataudittestingisalignedwiththeauditobjectives,riskassessment,and
populationcharacteristics,allowingpractitionerstoobtainsufficientandappropriateevidenceefficiently.Thedesignprocessshouldconsiderthenatureofcontrols,expectederrors,andavailabledata,andusetechnologytoimprove
representativeness,efficiency,andassurancequality.
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
12
Guidelines
2208.3.1
DesignanAuditSampleAlignedwithObjectives,Risk,andPopulationCharacteristics
Whendesigningtheauditsample,practitionersshouldconsiderthefollowing:
•Definetheauditpurposeandapproach:
■Definetheauditobjectivesandidentifytheproceduresmostlikelytoachievethem.
■Considerthenatureofthecontrol—manual,automated,orhybrid—andhowitinfluencessamplingdesignandevidenceneeds.
•Understandthepopulation:
■Assesspopulationcharacteristicstoconfirmcompleteness,accuracy,andrelevancetotheauditobjectives.
■Identifysubgroupsorstratificationswithinthepopulationthatmayrequireseparateordifferentiatedsampling.
•Selectandvalidatethesamplingmethod:
■Selectthesamplingandselectionmethod(statistical,nonstatistical,data-driven,orhybrid)thatbestsupportstheauditobjectivesandriskassessment.
■Evaluatethereliabilityofavailableevidence,includingsystem-generateddata,reports,orconfigurationrecords.
■Assesspotentialerrorconditionsandrootcausesthatmayaffectcontrolperformanceorinterpretationofresults.
•Applytechnologyapproachesandmaintainquality:
■Usedataanalyticsorautomatedtestingtools,whereappropriate,todesignefficientandrepresentativesamplesthatenhanceassurancecoverage.
■AsauditdataenvironmentsevolvewithemergingtechnologiessuchasAI-enabledsystemsandadvancedanalyticstools,practitionersshouldevaluatehowthesedevelopmentsaffectdata
reliabilityandsamplingstrategies.e.g.,assessingdataprovenance,modeltransparency,andtheintegrityofautomatedprocessestoensurereliableauditconclusions.
■Maintainalignmentwithprofessionalstandardsandauditqualityrequirementsthroughoutthesamplingprocess.Forexample,samplingdesigndecisions,includingobjectives,parameters,
methods,andrationale,shouldbedocumentedtoensuretransparency,reproducibility,andaudittraceability.
CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
13
Guidelines
2208.3.2
ConsiderKeyFactorsWhenDefiningtheSampleDesign
Whendefiningthesampledesign,ITauditpractitionersshouldconsiderfactorsthatensurethesampleisrepresentative,reliable,andalignedwiththeaudit’sobjectivesandriskfocus.
Thesefactorsinclude:
•Definethesamplingpurposeandunit:
■Clarifythepurposeofthesampleinrelationtotheauditobjectivesanddesiredlevelofassurance.
■Identifythesamplingunit(e.g.,transaction,configuration,user,systemevent)toensureconsistencyinpopulationdefinitionandtesting.
•Understandthepopulationanditsstructure:
■Definethepopulationclearly,confirmingcompleteness,accuracy,andrelevancetotheauditscope.
■Identifysubpopulationsornaturalgroupingsthatrequireseparateorstratifiedsamplingforoperationalrelevance.
■Considersmallorrarepopulations,includinglow-frequencyoradverseevents,thatmaywarrantcompletetesting.
■Accountforoutliersoranomaliesthatcoulddistortrepresentativenessorrequireadditionalanalysis.
•Evaluaterisk,error,anddistributionfactors:
■Determinetheacceptablelevelofsamplingriskandthecorrespondingsamplesizeneededtoachievesufficientassurance,consideringmanagement’sdefinedriskappetiteandauditmaterialitythresholds.
■Establishthetolerableerrorrateandassessitsimpactonauditconclusions.
■Considertheunderlyingexpecteddatadistribution(e.g.,normal,binomial,Poisson,orexponential)whendeterminingsamplingtechniques.
■Assessbehavioralorperformancetrendsovertime(e.g.,seasonality,systemdegradation)thatmayinfluencesamplerepresentativeness.
•Integratedatareliabilityandanalyticalsupport:
■Evaluatetheintegrityandreliabilityofsourcedata,includingdatalineageandtransformationprocesses.
■Usedatafromexternalorsupportingtoolstoconfirmorcomplementsamplingresults,ensuringalignmentwithauditevidencerequirements.
■Applydataanalyticsandautomationcapabilitiesincludingdatareconciliationscripts,predictivemodeling,andanomalydetection,totestpopulationcompleteness,stratifydatasets,and
validatesamplingparametersinrealtime.
ITAF™COMPANIONPERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
14
Guidelines
2208.3.3
DeterminethePurposeoftheSample—Compliancevs.SubstantiveTesting
Whendesigningthesample,practitionersshoulddeterminewhetheritisintendedforcompliancetesting(toevaluatecontroleffectiveness)orsubstantivetesting(toverifydataaccuracyor
completeness).Thesamplingmethod,size,andevaluationcriteriashouldreflectthisdistinction.Compliancetestingisusedtoobtainauditevidenceonthedesignandoperatingeffectiveness
ofcontrolsduringtheauditperiod.Samplinghelpsdeterminewhethercontrolsarefunctioningasintended.Examplesofcompliancetestinginclude:
•Reviewofuseraccessmanagementcontrols(e.g.,appropriatenessofaccessrights,periodicaccessreviews)
•Examinationofchangemanagementactivities,suchasprogramchangeapprovalsortestingdocumentation
Substantivetestingisusedtoobtainauditevidenceonthecompleteness,accuracy,orexistenceof
specifictransactions,configurations,ordataelements.Samplingfocusesonverifyingindividualitemsordatarecords.Examplesofsubstantivetestinginclude:
•Re-performingautomatedorcomplexcalculations(e.g.,system-calculatedinterest,depreciation)onarepresentativesampleoftransactions
•Tracingasampleoftransactionstosupportingdocumentation(e.g.,invoices,approvals,orconfigurationevidence)
2208.3.4
SelecttheAppropriateSamplingUnitandMethod
Thesamplingunitdependsonthepurposeofthesample.Forcompliancetestingofcontrolsinwhichthesamplingunitisaneventortransaction(e.g.,acontrolsuchasauthorizationofaninvoice),
attributesamplingisusuallyused.Thismethodhelpsdeterminewhetherspecificcharacteristicsor
controlattributesarepresentwithinthepopulation.Forsubstantivetestinginwhichthesamplingunitisoftenmonetary(e.g.,dollars,balances,orquantities),variablesamplingisfrequentlyapplied.Thismethodhelpsmeasurethemonetaryorquantitativeimpactofanydifferencesormisstatementsinthepopulation.
2208.3.5
DefineandValidatethePopulationforSampling
Thepopulationcomprisesallitemsordataelementssubjecttothecontrolorprocessunderreview.Practitionersshouldensurethatthepopulationisaccuratelydefined,complete,andrelevanttotheauditobjectives.Aclearlydefinedandvalidatedpopulationisimportanttoobtainingreliableand
representativesamplingresults.
ForITaudits,validationproceduresmayincludereviewingdataextractionlogic,systemparameters,orreportfilterstoconfirmthatthepopulationfullyrepresentsthedefinedperiod,scope,andsystemenvironment.
CHAPTER2PERFORMANCEGUIDELINES2208:INFORMATIONTECHNOLOGYAUDITSAMPLING
15
Guidelines
2208.3.6
ApplyStratificationtoOptimizeSamplingDesign
Stratificationcanimprovetheefficiencyandeffectivenessofauditsamplingbydividingalargeor
diversepopulationintosubpopulations(strata)thatsharesimilarcharacteristics.Eachsamplingunit
shouldbelongtoonlyonestratum,ensuringclarityandconsistencyinselection.Stratificationcanallowpractitionerstofocusontestinghigher-riskormorevariableareas,whilereducingsamplesizeand
maintainingrepresentativenessacrossthepopulation.
ExamplesofstratificationinITauditsinclude:
•Groupinguseraccountsbyaccesslevel(e.g.,privileged,standard,serviceaccounts)
•Dividingchangemanagementrecordsbysystemtypeorapplicationcriticality
•Categorizingtransactionsbymonetaryvalue
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2.1数控车床系统面板操作
- 2026松江公交面试题及答案
- 2026唐山市妇联面试题及答案
- 2026头条网友面试题目及答案
- 《趣味学社区调查|让课堂告别枯燥 爱上学习》
- 儿童急性呼吸道感染诊疗共识2026
- 大数据通信技术应用与发展趋势分析报告
- 汇票中介合同范本
- 就2026年7月软件升级实施时间商定的回复函(8篇)
- 2026年武汉市江汉区社区工作者招聘考试模拟试题及答案详解
- (高清版)JTG 3810-2017 公路工程建设项目造价文件管理导则
- 人教版四年级数学下册期末试卷-
- 《民宿文化与运营》课件-第四章 民宿建设
- JC-T 2536-2019水泥-水玻璃灌浆材料
- 矿井瓦斯灾害防治
- 2024届新疆第二师华山中学高二化学第二学期期末质量检测试题含解析
- 英语48个国际音标课件(单词带声、附有声国际音标图)
- 北京中医药大学《701中药综合1》(含中药学、分析化学、中药化学)历年考研真题汇编
- GB/T 19831.3-2023石油天然气工业套管扶正器第3部分:刚性和半刚性扶正器
- 腹腔镜右半结肠切除术
- YS/T 95.1-2015空调器散热片用铝箔第1部分:基材
评论
0/150
提交评论