Related Posts
What’s an Engagement Manager?
Additional Posts in Risk Assurance
New to Fishbowl?
Download the Fishbowl app to
unlock all discussions on Fishbowl.
unlock all discussions on Fishbowl.
What’s an Engagement Manager?
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Download the Fishbowl app to unlock all discussions on Fishbowl.
Copy and paste embed code on your site

Scan your QR code to download
Fishbowl app on your mobile

I would recommend you ask your senior or any superior on the engagement instead of here. There are ways to say it’s both complete and accurate depending on how the listing is pulled, whether from a DB or an export from the application
Why do people use “listing” instead of “list” or “population”?
You should be able to say there is reasonable assurance that a population is complete and accurate. By inquiring of the evidence owner regarding how the population was generated, understanding what the population is and how it is generated, seeing screenshots of the process for creating the population if there isn’t necessarily a way to see the underlying code used to create the population (often happens with OTS software), and fully understanding what types of filters were applied to help ensure that the population has not omitted relevant items. These will widely vary depending on the data source, but if you can get a good grasp on how the population was generated, you should be able to say there is reasonable assurance that the population is complete and accurate. We do not opine that a population is 100% complete and accurate without a doubt because there is always a chance something could have been omitted, something may have been withheld, etc., we only say there is reasonable assurance that it is complete and accurate.
As a part of administrator testing, yes you would do this. With the system admins having the highest level of access, you want to make sure 1) they are an active employee, and 2) they are authorized to have that access. I have seen people in the past check the employee HR data provided by a client to see if each employee associated with an admin account has a job title that is commensurate with needing admin access, but at the end of the day the system owner is the one who determines who is authorized to have that access. Once I confirm they are all active employees (or authorized service accounts), I then check with the system owner so that I have explicit confirmation that the listed users are authorized for access. We as external auditors can’t judge the “appropriateness” of the access, only that it is authorized and not accessible by terminated/unauthorized users.
Probably should have observed management generating it
I have a generation/parameter screenshot
How was it generated? Query? Export button? Does screenshot include line item total? Can you tie back listing to screenshot?
Answer those and you are good