GIVEN THE IMPORTANCE of testing in supporting assertions and objectives for controls, one would expect significant official guidance on such matters as the nature, timing, and extent of evidence gathering to meet the needs of the engagement or COSO project. However, the official guidance is somewhat scarce. COSO provides little concrete guidance on testing specifics, and while the Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board (PCAOB) identify some factors for scoping the assessment and testing, little concrete guidance is provided. The American Institute of Certified Public Accountants (AICPA) Audit and Accounting Guide Audit Sampling (AAG-S)¹ does provide some guidance on sample sizes and benchmarks that are in use in current audit practice. While not officially authoritative for public company audits, the AAG was crafted to consider Sarbanes-Oxley (SOX) applications, public company practice and corporate needs for sample size guidance.

SUFFICIENT EVIDENCE

A common inspection and peer review criticism of auditors is whether sufficient, appropriate evidence was obtained to support the degree of asserted reliance on the controls or on the overall assertions and accounts when considering all tests and procedures. This criticism can apply to all audits, public company or otherwise. While not publicly disclosed, ...