08 Audit Sampling to Test of Controls[CompatibilityMode]

(1)

Chapter 8

Audit Sampling: An Overview and Application to Tests of

Controls

Introduction

Auditing standards recognize and permit both statistical Auditing standards recognize and permit both statistical

and nonstatistical methods of audit sampling. and nonstatistical methods of audit sampling.

Two technological advances have reduced the number of times auditors need to apply sampling techniques to

8-2

pp y p g q gather audit evidence:

1 Development of

well-controlled, automated accounting systems.

2 Advent of powerful PC audit software to

download and examine client

data

Introduction

However, technology will never eliminate the need for auditors to rely on sampling to some degree because:

1. Many control processes require human involvement.

2 Many testing procedures require the auditor to 2. Many testing procedures require the auditor to

physically examine an asset.

(2)

Definitions and Key Concepts

On the following screens we will define:

1. 1.Sampling Risk

Sampling Risk

2 2 Confidence Le el

Confidence Le el

8-4

2. 2.Confidence Level

Confidence Level

3. 3.Tolerable and Expected Error

Tolerable and Expected Error

4. 4.Audit Sampling

Audit Sampling

Audit sampling is the application of an

audit procedure to less than 100 percent

of the items within an account balance or

class of transactions for the purpose of

LO# 1

8-5

evaluating some characteristic of the

balance or class.

Sampling Risk

Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is

used. There are two types of sampling risk. Risk of incorrect rejection(Type I)– in a test of internal

LO# 2

Risk of incorrect rejection (Type I)– in a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively.

(3)

Sampling Risk

Three Important Factors in Determining Sample Size

1. 1.The desired level of assurance in the results

The desired level of assurance in the results

(or confidence level),

LO# 2

8-7

2. 2.Acceptable defect rate (or tolerable error), and

Acceptable defect rate (or tolerable error), and

3. 3.The historical defect rate (or estimated error).

The historical defect rate (or estimated error).

Confidence Level

Confidence level is the

complement

of sampling risk.

The auditor may set

li i k f

The auditor may set

li i k f

LO# 2

8-8

sampling risk for a particular sampling

application at

5 percent 5 percent, which

results in a confidence level of

95 percent 95 percent. sampling risk for a particular sampling

application at

5 percent 5 percent, which

results in a confidence level of

95 percent 95 percent.

Tolerable and Expected Error

Once the desired confidence level is established, the sample size is determine largely by how much the

tolerable error exceedsexpected error.

Precision Precision at theat the

LO# 2

Precision Precision, at the , at the planning stage of planning stage of audit sampling, is audit sampling, is the difference refer to Precision as the “Allowance for

(4)

Audit Evidence – To Sample or

Not?

Relationship between Evidence Types and Audit Sampling

Type of Evidence

Audit Sampling Commonly Used

Inspection of tangible assets Yes

LO# 3

8-10

Inspection of records or documents Yes

Reperformance Yes

Recalculation Yes

Confirmation Yes

Analytical procedures No

Scanning No

Inquiry No

Observation No

Audit Evidence – To Sample or

Not?

•

Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.

LO# 3

8-11

•

Inspection of records or documents. Certain controls may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages.

Audit Evidence – To Sample or

Not?

Reperformance.To comply with rule 404 of the Sarbanes-Oxley Act, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests

f d b th li t

LO# 3

performed by the client.

(5)

Testing All Items with a Particular

Characteristic

When an account or class of transactions is made up

of a few large items, the auditor may examine all the

items in the account or class of transaction. When a small number of large transactionsmake up

LO# 3

8-13

a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount.

Testing Only One or a Few

Items

Highly automated information systems Highly automated information systems process transactions consistently unless the process transactions consistently unless the

system or programs are changed. system or programs are changed.

Th dit t t th Th dit t t th

LO# 3

8-14 The auditor may test the

The auditor may test the general controls over the general controls over the system and any program system and any program changes, but test only a few changes, but test only a few transactions processed by transactions processed by

the IT system. the IT system.

Types of Audit Sampling

Auditing standards recognize and permit both statistical Auditing standards recognize and permit both statistical

and nonstatistical methods of audit sampling. and nonstatistical methods of audit sampling.

In nonstatistical (or In nonstatistical (or judgmental) sampling, the judgmental) sampling, the

Statistical sampling uses Statistical sampling uses the laws of probability to the laws of probability to

LO# 4

j g ) p g

auditor does not use auditor does not use statistical techniques to statistical techniques to determine sample size, determine sample size, select the sample items, select the sample items, or measure sampling risk. or measure sampling risk.

p y

(6)

Types of Audit Sampling

Advantages of statistical sampling Advantages of statistical sampling

1.

1.Design an efficient sample.Design an efficient sample.

2.

2.Measure the sufficiency of Measure the sufficiency of evidence obtained. evidence obtained.

3.

3.Quantify sampling risk.Quantify sampling risk.

LO# 4

8-16 3.

3.Quantify sampling risk.Quantify sampling risk.

Disadvantages of statistical sampling Disadvantages of statistical sampling

1.

1. Training auditors in proper use.Training auditors in proper use.

2.

2. Time to design and conduct Time to design and conduct sampling application. sampling application.

3.

3. Lack of consistent application Lack of consistent application across audit teams.

across audit teams.

Statistical Sampling Techniques

1.Attribute Sampling.

2.Monetary-Unit Sampling.

LO# 4

8-17

3.Classical Variables Sampling.

Attribute Sampling

Used to estimate the proportion of a population that possess a specified characteristic. The most common use of

attribute sampling is for tests of controls.

LO# 4

Our client’s controls require that all checks have two independent

signatures. Yes, I know. We are

(7)

Monetary-Unit Sampling

Monetary-unit sampling uses attribute sampling theory to estimate the dollar amount of misstatement for a

class of transactions or an account balance.

LO# 4

8-19 This technique is used

extensively because it has a number of advantages

over classical variables sampling.

Classical Variables Sampling

Auditors sometimes use variables sampling to estimate the dollar value of a class of transactions or

account balance. It is more frequently used to determine whether an account is materially

misstated.

LO# 4

8-20

Attribute Sampling Applied to

Tests of Controls

In conducting a statistical sample for a

test of controls auditing standards require

the auditor to properly

plan

,

perform

, and

evaluate

the sampling application and to

LO# 5, 6, & 7

evaluate

the sampling application and to

adequately

document

each phase of the

sampling application.

Plan

(8)

Planning

Planning

1. Determine the test objectives. 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit.

• Define the control deviation conditions. 3. Determine the sample size, using the following inputs:

Th d i d fid l l i k f i t t LO# 5, 6, & 7

8-22 • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate.

• The expected population deviation rate.

The objective of attribute sampling when used for tests of controls is to evaluate the operating

effectiveness of the internal control.

Planning

Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit.

• The desired confidence level or risk of incorrect acceptance. LO# 5, 6, & 7

8-23 The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate.

All or a subsetof the items that constitute the class of transactions make up the sampling population.

Planning

The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate.

Each sampling unit makes up one item in the population. The sampling unit should be defined in

(9)

Planning

8-25 The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate.

A deviation is a departurefrom adequate performanceof the internal control.

Planning

Planning

3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate.

LO# 5, 6, & 7

8-26 The confidence levelis the desired level of assurance that the sample results will support a

conclusion that the control is functioning effectively. Generally, when the auditor has decided to rely on controls, the confidence level

is set at 90% or 95%. The means the auditor is willing to accept a 10% or 5% risk of accepting

the control as effective when it is not.

Planning

Planning

Th t l bl d i ti t i th i

LO# 5, 6, & 7

The tolerable deviation rateis the maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the

(10)

Planning

Planning

Suggested Tolerable Deviation Rates

LO# 5, 6, & 7

8-28

Planned Assessed Level of Control Risk

Tolerable Deviation Rate

Low 3–5%

Moderate 6–10%

Slightly below maximum 11–20% Maximum Omit test Suggested Tolerable Deviation Rates

for Assessed Levels of Control Risk

Planning

Planning

Theexpected population deviation

LO# 5, 6, & 7

8-29 The expected population deviation

rateis the rate the auditor expects to exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all

else equal.

Planning

Planning

Assume a desired confidence level of 95%, and a large population, the effect of

LO# 5, 6, & 7

95%, and a large population, the effect of the expected population deviation rate on

sample size is shown below: Expected Population

Deviation Rate Sample

(11)

Population Size: Attributes

Sampling

Population size is not an important factor in determining sample size for attributes sampling. The population size has little or no effect on the sample size, unless the population is relatively small, say less than 500 items.

Examples

LO# 5, 6, & 7

8-31

Factor

Relationship to Sample Size

Decreases sample size only when population is small (fewer than 500 items)

Desired confidence level

Tolerable deviation rate

Expected population deviation rate

Population size

4. Select sample items. • Random-Number Selection. • Systematic Selection. 5. Perform the Audit Procedures. • Voided documents.

6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions

Every item in the population has the same probability of being selected as every other

sampling unit in the population.

Performance

Performance and Evaluation

4. Select sample items. • Random-Number Selection. • Systematic Selection. 5. Perform the Audit Procedures. • Voided documents.

(12)

Performance

5. Perform the Audit Procedures. • Voided documents.

• Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion.

LO# 5, 6, & 7

8-34

pp g p

For example, assume a sales invoice should not be prepared unless there is a related shipping document. If the shipping document is present, there is evidence the control is working properly. If the shipping document is not

present a control deviation exist.

Performance

LO# 5, 6, & 7

8-35

pp g p

Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item.

Performance

LO# 5, 6, & 7

pp g p

(13)

Performance

LO# 5, 6, & 7

8-37

pp g p

If a large number of deviations are detected early in the tests of controls, the auditor should consider stopping the test, as soon as it is clear

that the results of the test will not support the planned assessed level of control risk.

Evaluation

Evaluation

After completing the audit procedures, the LO# 5, 6, & 7

8-38 g

auditor summarizes the deviations for each control tested and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the deviation rate

in the sample would be 4% (2 ÷ 50). The upper deviation rateis the sum of the

sample deviation rate and an appropriate allowance for sampling risk.

Evaluation

Evaluation

The auditor compares the tolerable deviation rate to the computed upper deviation rate

LO# 5, 6, & 7

Auditor's Decision Based on

Sample Evidence Reliable Not Reliable True State of Internal Control

Correct decision

Risk of incorrect rejection (Type I)

Supports the planned level of control risk Does not support the planned level of control risk

Risk of incorrect acceptance (Type II)

(14)

Attribute Sampling Example

The auditor has decided to test a control at Calabro Wireless Services. The test is to determine the sales and service contracts are properly authorized for credit approval.

A deviation in this test is defined as the failure of the credit department personnel to follow proper credit approval

LO# 5, 6, & 7

8-40

p p p p pp

procedures for new and existing customers. Here is information relating to the test:

Desired confidence level 95%

Tolerable deviation rate 6%

Expected population deviation rate 1%

Sample size 78

Attribute Sampling Example

Expected

Population Tolerable Deviation Rate

Sample Size at 95% Desired Confidence Level

Part of the table used to determine sample size when the auditor specifies a 95% desired confidence level.

LO#

(15)

Attribute Sampling Example

The auditor examines each selected contract for credit approval and determines the following:

Number of deviations 2 Sample size 78 Sample deviation rate 2 6%

LO# 5, 6, & 7

8-43

Sample deviation rate 2.6% Computed upper deviation rate 8.2% Tolerable deviation rate 6.0%

Let’s see how we get the computed Let’s see how we get the computed

upper deviation rate. upper deviation rate.

Attribute Sampling Example

Part of the table used to determine the computed upper deviation rate at 95% desired confidence level:

Sample

Size 0 1 2 3

25

11.3 17.6 - -Actual Number of Deviations Found

LO#

(16)

Nonstatistical Sampling for Tests of

Control

Determining the Sample Size

Desired

An auditing firm may establish a nonstat sampling policy like the one below:

LO# 8

8-46

Desired Level of Controls Sample Reliance Size

Low 15–20

Moderate 25–35

High 40–60

Such a policy will promote consistency in sampling applications.

Nonstatistical Sampling for

Tests of Control

Selecting the Sample Items

Nonstatistical sampling allows the use of random or systematic selection, but also permits the use of other methods such as

h h d li

LO# 8

8-47

haphazard sampling.

When haphazard sample selection is used, sampling units are selected without any

bias, that is to say, without a special reason for including or omitting the item in the

sample.

Nonstatistical Sampling for

Tests of Control

Calculating the Upper Deviation Rate

With a nonstatistical sample, the auditor can calculate the sample deviation rate, but cannot

formallyquantify the computed upper

LO# 8

formally quantify the computed upper

(17)

Considering the Effect of

Population Size

Population Sample Size Size

This table assumes a desired confidence of 90%, a tolerable deviation rate of 10%, and an expected

population deviation rate of 1%:

LO# 8

8-49 100

31 500 38

1,000 39

5,000 39

Finite population

correction factor =

√

1 – (n/N) n = sample size from tables N = number of units in the population