TESTING PHASE

WORK PROGRAM

PROGRAM STEP TD CD CB
1. What is the overall focus of audit testing?
a. To validate that a well-designed process is operating as intended
b. To determine the impact, if any, that a sub-optimally designed
process may have on the achievement of process objectives

2. If attribute testing is appropriate, determine the following:
a. What are the primary attributes for each key control?
b. Which of those attributes are subject to audit testing?
c. Which attribute tests will provide the greatest assurance that the
key controls are effectively managing the risks to the desired level?

d. What type of sample should be used (i.e., statistical or no
statistical)?

(i) What is the population from which the sample should be drawn?
(ii) What sampling attributes are appropriate?
e. Will positive results from these tests in fact provide the level of
assurance needed to assess the effectiveness of process operation?

f. How will negative results from these tests provide the auditor with
sufficient information to analyze and evaluate the effectiveness of
process operation?

g. Are there any other tests (e.g., discussion and observation,
corroborative tests, etc.) that would prove to be more efficient and
effective in evaluating the effectiveness of process operation?

3. If quantitative testing is appropriate, determine the following:
a. What are the quantifiable impacts (e.g., financial, customer,
reputation, etc.) of the process not being designed to mitigate the
risks to an acceptable level?

b. What are the quantifiable impacts of the process not operating as
designed?

c. What type of substantive tests will provide quantifiable
information about the process?

d. What is the population from which the sample should be drawn?
(i) What sampling attributes are appropriate?

e. How will the results be extrapolated or otherwise evaluated?

f. Will the final results be meaningful to management in terms of the
exposure taken on by not having a properly designed and/or
operating process?

4. What gaps exist in the operation of the process?

a. Which key controls are not operating as intended?

b. What impacts might these operational shortcomings have?

c. Why do those shortcomings exist; i.e., what is the root cause of
the shortcomings (e.g., inadequate procedures, unclear policies,
inadequate training or supervision, intentional errors, etc.)?

d. What possible actions would address the shortcomings and
provide assurance that the operation of the controls can be improved

to manage the key risk to an acceptable level?
5. What are the overall conclusions regarding the operation of the
process?

a. Are key controls operating at such a level to provide assurance
that each key risk is managed to an acceptable level?

b. Are there other mitigating factors that would reduce the impact of
key risks that are not operating sufficiently to manage the risks to an
acceptable level?

c. Overall, do the key controls and other mitigating factors provide
assurance that the desired result of the process can be achieved?