Chapter 8
Audit Sampling: An Overview and Application to Tests of Controls
McGraw-Hill/Irwin Copyright © 2008 by The McGraw-Hill Companies, Inc. All rights reserved.
Introduction
Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling.
Two technological advances have reduced the number of times auditors need to apply sampling techniques to gather audit evidence:
1. Development of well-controlled, automated accounting systems.
2. Advent of powerful PC audit software to download and examine client data.
However, technology will never eliminate the need for auditors to rely on sampling to some degree because:
1. Many control processes require human involvement.
2. Many testing procedures require the auditor to physically examine an asset.
Definitions and Key Concepts
On the following screens we will define:
1. Sampling Risk
2. Confidence Level
3. Tolerable and Expected Error
4. Audit Sampling
Audit Sampling
Audit sampling is the application of an audit procedure to less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class.
Sampling Risk
Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is used. There are two types of sampling risk.
Risk of incorrect rejection (Type I): in a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively.
Three Important Factors in Determining Sample Size
1. The desired level of assurance in the results (or confidence level),
2. Acceptable defect rate (or tolerable error), and
3. The historical defect rate (or estimated error).
Confidence Level
Confidence level is the complement of sampling risk.
The auditor may set sampling risk for a particular sampling application at 5 percent, which results in a confidence level of 95 percent.
Tolerable and Expected Error
Once the desired confidence level is established, the sample size is determined largely by how much the tolerable error exceeds expected error.
Precision, at the planning stage of audit sampling, is the difference
refer to Precision as the “Allowance for
Audit Evidence – To Sample or Not?
Relationship between Evidence Types and Audit Sampling
Type of Evidence                      Audit Sampling Commonly Used
Inspection of tangible assets         Yes
Inspection of records or documents    Yes
Reperformance                         Yes
Recalculation                         Yes
Confirmation                          Yes
Analytical procedures                 No
Scanning                              No
Inquiry                               No
Observation                           No
• Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.
• Inspection of records or documents. Certain controls may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages.
• Reperformance. To comply with rule 404 of the Sarbanes-Oxley Act, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests performed by the client.
Testing All Items with a Particular Characteristic
When an account or class of transactions is made up of a few large items, the auditor may examine all the items in the account or class of transactions.
When a small number of large transactions make up a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount.
Testing Only One or a Few Items
Highly automated information systems process transactions consistently unless the system or programs are changed.
The auditor may test the general controls over the system and any program changes, but test only a few transactions processed by the IT system.
Types of Audit Sampling
Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling.
In nonstatistical (or judgmental) sampling, the auditor does not use statistical techniques to determine sample size, select the sample items, or measure sampling risk.
Statistical sampling uses the laws of probability to
Advantages of statistical sampling
1. Design an efficient sample.
2. Measure the sufficiency of evidence obtained.
3. Quantify sampling risk.
Disadvantages of statistical sampling
1. Training auditors in proper use.
2. Time to design and conduct sampling application.
3. Lack of consistent application across audit teams.
Statistical Sampling Techniques
1. Attribute Sampling.
2. Monetary-Unit Sampling.
3. Classical Variables Sampling.
Attribute Sampling
Used to estimate the proportion of a population that possesses a specified characteristic. The most common use of attribute sampling is for tests of controls.
Our client’s controls require that all checks have two independent signatures. Yes, I know. We are
Monetary-Unit Sampling
Monetary-unit sampling uses attribute sampling theory to estimate the dollar amount of misstatement for a class of transactions or an account balance.
This technique is used extensively because it has a number of advantages over classical variables sampling.
Classical Variables Sampling
Auditors sometimes use variables sampling to estimate the dollar value of a class of transactions or account balance. It is more frequently used to determine whether an account is materially misstated.
Attribute Sampling Applied to Tests of Controls
In conducting a statistical sample for a test of controls, auditing standards require the auditor to properly plan, perform, and evaluate the sampling application and to adequately document each phase of the sampling application.
Planning
1. Determine the test objectives.
2. Define the population characteristics.
   • Define the sampling population.
   • Define the sampling unit.
   • Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
   • The desired confidence level or risk of incorrect acceptance.
   • The tolerable deviation rate.
   • The expected population deviation rate.
The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control.
All or a subset of the items that constitute the class of transactions make up the sampling population.
Each sampling unit makes up one item in the population. The sampling unit should be defined in
A deviation is a departure from adequate performance of the internal control.
The confidence level is the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively. Generally, when the auditor has decided to rely on controls, the confidence level is set at 90% or 95%. This means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not.
The tolerable deviation rate is the maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the
Suggested Tolerable Deviation Rates for Assessed Levels of Control Risk
Planned Assessed Level of Control Risk    Tolerable Deviation Rate
Low                                       3–5%
Moderate                                  6–10%
Slightly below maximum                    11–20%
Maximum                                   Omit test
The expected population deviation rate is the rate the auditor expects to exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all else equal.
Assuming a desired confidence level of 95% and a large population, the effect of the expected population deviation rate on sample size is shown below:
[Table: Expected Population Deviation Rate, Sample]
Population Size: Attributes Sampling
Population size is not an important factor in determining sample size for attributes sampling. The population size has little or no effect on the sample size, unless the population is relatively small, say less than 500 items.
Factor                                Relationship to Sample Size
Desired confidence level
Tolerable deviation rate
Expected population deviation rate
Population size                       Decreases sample size only when population is small (fewer than 500 items)
Performance and Evaluation
4. Select sample items.
   • Random-Number Selection.
   • Systematic Selection.
5. Perform the Audit Procedures.
   • Voided documents.
   • Unused or inapplicable documents.
   • Inability to examine a sample item.
   • Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
Every item in the population has the same probability of being selected as every other sampling unit in the population.
For example, assume a sales invoice should not be prepared unless there is a related shipping document. If the shipping document is present, there is evidence the control is working properly. If the shipping document is not present, a control deviation exists.
Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item.
If a large number of deviations are detected early in the tests of controls, the auditor should consider stopping the test as soon as it is clear that the results of the test will not support the planned assessed level of control risk.
Evaluation
After completing the audit procedures, the auditor summarizes the deviations for each control tested and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the deviation rate in the sample would be 4% (2 ÷ 50).
The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk.
The auditor compares the tolerable deviation rate to the computed upper deviation rate
Auditor's Decision Based on                           True State of Internal Control
Sample Evidence                                       Reliable                                Not Reliable
Supports the planned level of control risk            Correct decision                        Risk of incorrect acceptance (Type II)
Does not support the planned level of control risk    Risk of incorrect rejection (Type I)    Correct decision
Attribute Sampling Example
The auditor has decided to test a control at Calabro Wireless Services. The test is to determine whether the sales and service contracts are properly authorized for credit approval.
A deviation in this test is defined as the failure of the credit department personnel to follow proper credit approval procedures for new and existing customers. Here is information relating to the test:
Desired confidence level              95%
Tolerable deviation rate              6%
Expected population deviation rate    1%
Sample size                           78
Part of the table used to determine sample size when the auditor specifies a 95% desired confidence level.
[Table: Sample Size at 95% Desired Confidence Level, Expected Population Deviation Rate by Tolerable Deviation Rate]
The auditor examines each selected contract for credit approval and determines the following:
Number of deviations             2
Sample size                      78
Sample deviation rate            2.6%
Computed upper deviation rate    8.2%
Tolerable deviation rate         6.0%
Let’s see how we get the computed upper deviation rate.
Part of the table used to determine the computed upper deviation rate at 95% desired confidence level:
               Actual Number of Deviations Found
Sample Size    0       1       2       3
25             11.3    17.6    -       -
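The sample size of 78 and the upper deviation rates in the Calabro example can be reproduced from the binomial distribution. The Python below is an added example, not part of the original slides: it assumes the exact binomial model for a large population, the function names are illustrative, and it assumes the slide's 8.2% was read from a table row for 75 items, since only the row for 25 survives on the page.

```python
from math import ceil, comb


def binom_cdf(k, n, p):
    """P(X <= k) when X ~ Binomial(n, p): chance of at most k deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(risk, tolerable, expected, max_n=5000):
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, seeing no more than the expected number of deviations (rounded up)
    would have probability <= risk. Returns (n, allowed_deviations)."""
    for n in range(1, max_n + 1):
        k = ceil(expected * n - 1e-9)  # guard against float noise in the product
        if binom_cdf(k, n, tolerable) <= risk:
            return n, k
    raise ValueError("no sample size up to max_n meets the stated risk")


def upper_deviation_rate(deviations, n, risk):
    """One-sided upper limit: the rate p at which observing `deviations`
    or fewer in n items has probability `risk`."""
    lo, hi = deviations / n, 1.0
    for _ in range(60):  # bisection; the CDF falls monotonically as p rises
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi


def evaluate(deviations, n, risk, tolerable):
    """Compare the computed upper deviation rate with the tolerable rate."""
    upper = upper_deviation_rate(deviations, n, risk)
    return {
        "sample_rate": deviations / n,
        "upper_rate": upper,
        "allowance_for_sampling_risk": upper - deviations / n,
        "supports_planned_control_risk": upper <= tolerable,
    }


if __name__ == "__main__":
    # Inputs from the slides: 95% confidence (5% risk), 6% tolerable, 1% expected.
    print(sample_size(0.05, 0.06, 0.01))
    for n, k in [(25, 0), (25, 1), (75, 2), (78, 2)]:
        r = evaluate(k, n, 0.05, 0.06)
        print(n, k, f"{r['upper_rate']:.1%}", r["supports_planned_control_risk"])
```

Evaluated on the full 78 items rather than the assumed 75-item row, the exact upper limit is somewhat lower than 8.2% but still above the 6% tolerable rate, so the conclusion is unchanged: the sample does not support the planned level of control risk.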
Nonstatistical Sampling for Tests of Control
Determining the Sample Size
An auditing firm may establish a nonstat sampling policy like the one below:
Desired Level of Controls Reliance    Sample Size
Low                                   15–20
Moderate                              25–35
High                                  40–60
Such a policy will promote consistency in sampling applications.
Selecting the Sample Items
Nonstatistical sampling allows the use of random or systematic selection, but also permits the use of other methods such as haphazard sampling.
When haphazard sample selection is used, sampling units are selected without any bias, that is to say, without a special reason for including or omitting the item in the sample.
Calculating the Upper Deviation Rate
With a nonstatistical sample, the auditor can calculate the sample deviation rate, but cannot formally quantify the computed upper
Considering the Effect of Population Size
This table assumes a desired confidence of 90%, a tolerable deviation rate of 10%, and an expected population deviation rate of 1%:
Population Size    Sample Size
100                31
500                38
1,000              39
5,000              39
Finite population correction factor =