5 Steps on Testing Internal Controls

Posted by Teresa Bockwoldt on May 13, 2011

Determining a correct sample size is an important first step in your internal controls testing efforts. Below is Vibato's approach to sample size determination, which we've used with great success for years. This approach has been vetted with all Big 4 and most regional external auditing firms.

Share your comments on how this approach works for you!


The Control Language states, "As needed, purchase requisitions, expense reports, check requests, and all other payment requests are reviewed and approved according to the Grant of Signing Authority to ensure completeness, accuracy, and validity.  All approval documentation (emails, etc.) are forwarded to accounting as support for the payment request."

The Controls Testing Date is the end of Q3.

Testing Approach:

1. Obtain a system list of all payments made relating to this control since the beginning of the year. 

2. Annualize the number of samples from the system list to determine the estimated total annual population available for this control. For instance, the system list shows 195 payments have been made from 1/1 – 9/30.  This equals roughly 65 per quarter or 260 per year.

3. Determine how many samples you need to test based on your annualized population and on an understanding with your external auditor. For instance, say an annualized population in the range of 225-275 requires you to select 25 samples to test over the course of the year.

4. Statistically select your test samples based on the total amount required. 

5. Write your testing down in a Word or Excel file for presentation to your external auditors.  The legislation requires you to keep this data for 7 years.

For example:

Annualized population



Required annual testing quantity



It's only Q3, and the total samples are to be tested over the course of the year, so divide your total annual testing requirement by 4 to determine how many to test each quarter.

(25/4 = 6.25 tests per quarter)

6 for Q1

6 for Q2

6 for Q3

7 for Q4

The split is subjective

Divide the total population to date (remember, it is Q3) by the number of tests required to date (6 + 6 + 6 = 18 through Q3) to determine N, where every Nth item on the system list is the sample you should select to test.

(195/18 = 11)


It is important to note here that people often select samples based on dollar value.  Our experience has shown that people often start committing fraud just below the designated amount.  Remember, the control should be working properly whether it is for $.01 or $10M.
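The steps above, worked through in Python as an added example (not Vibato's own tooling). The payment IDs are constructed, the function names are hypothetical, and the auditor table holds only the one range this post gives. Selection is by list position only, so dollar value never influences which payments are picked.

```python
import random

# The only range the post gives; other rows would come from your external auditor.
AUDITOR_TABLE = [(225, 275, 25)]  # (population low, population high, annual tests)

def annualize(count_to_date, quarters_elapsed):
    """Project a year-to-date payment count to a full-year population."""
    return round(count_to_date / quarters_elapsed * 4)

def required_tests(annual_population, table=AUDITOR_TABLE):
    """Look up the annual testing quantity for the annualized population."""
    for low, high, tests in table:
        if low <= annual_population <= high:
            return tests
    raise ValueError(f"no agreed sample size for population {annual_population}")

def quarterly_split(annual_tests):
    """Split tests over four quarters; any remainder goes to the last quarters
    (the post calls the split subjective, this is one choice)."""
    base, extra = divmod(annual_tests, 4)
    return [base + (1 if q >= 4 - extra else 0) for q in range(4)]

def systematic_sample(items, n_tests, rng):
    """Select n_tests items at a fixed step from a random start.

    Position in the list is the only input; the payment amount is never used.
    The step stays fractional because a rounded step (195/18 -> 11) with a late
    start would run past the end of the list and return fewer than n_tests.
    """
    if not 0 < n_tests <= len(items):
        raise ValueError("n_tests must be between 1 and the population size")
    step = len(items) / n_tests
    start = rng.random() * step
    last = len(items) - 1
    return [items[min(int(start + i * step), last)] for i in range(n_tests)]

if __name__ == "__main__":
    # Constructed sample data: 195 payments made from 1/1 to 9/30.
    payments = [f"PAY-{n:04d}" for n in range(1, 196)]
    annual = annualize(len(payments), quarters_elapsed=3)
    split = quarterly_split(required_tests(annual))
    due_to_date = sum(split[:3])  # tests owed through Q3
    print(annual, split, due_to_date, round(len(payments) / due_to_date))
    # Fixed seed (an assumption) so the same selection can be reproduced.
    for payment in systematic_sample(payments, due_to_date, random.Random(2011)):
        print(payment)
```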
