Chapter 13: Audit Sampling

Spring 2007

Overview of Sampling

Basic Sampling Concepts Definition of Audit Sampling

Audit sampling is the application of an audit procedure to less than 100% of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. (SAS No. 39)

Why do we use sampling? What are the two primary uses of sampling?

Test of Controls Substantive Detail Tests Less often used with inquiring, observing or

analytical procedures unless dealing w/ multiple locations

Intuitiveness of Sampling Skydiving

How many parachutes would you want to have tested before you jumped out of a plane with one?

Odwalla How would Odwalla ensure that their

juice is good (in terms of health quality)?

Basic Steps for all sampling Basic Steps

Planning: start to develop an idea of how much comfort is necessary and how a sample of transactions can satisfy the relevant specific audit or internal control objective taking into consideration factors affecting sample size & audit efficiency

Selection: Select items so that they are representative of the population.

Evaluation: Interpret the results of the sample and what to the items from which the sample was selected and consider the “sampling risk”

Reliability of steps depends on: Type of sampling plan used Professional judgment

Sampling Risks (p.555)

Correct Decision

Correct Decision

• Risk of Assessing CR too high

• Risk of Incorrect Rejection

• Risk of Assessing CR too low

• Risk of Incorrect Acceptance

Effective/Correct

Ineffective/Incorrect

True State of what is being tested

Sample = clean results

Sample ≠ clean results

Results of Testing

Combined for both control and

balance/transaction sampling

Sampling & Non-sampling errors

Sampling risks – inherent risk of sampling Effectiveness: assess CR too low or think bal is ok

when not (beta risk) Efficiency: assess CR too high or think bal is not

ok when is (alpha risk) In stat sampling sampling risk can be quantified

as: one minus reliability. Non-sampling risks – operator error

Select from pop that is not appropriate for objective

Failure to recognize deviations Failure to evaluate findings properly

Two primary uses of sampling Test of Controls Test of Details

Control Testing Testing of an attribute – does it work or

not? To determine the rate of deviation from a control

operating effectively Control environment control Computer general control Preventative control Manual follow-up control

When does sampling not apply? Inquiry & observation Computer application controls

Attributes Sampling and the Assessment of Control Risk

Attributes sampling appropriate when: Want to support CR below maximum Documentary evidence of control

procedure Controls performed by individuals on

transaction-by-transaction basis Generally controls involve authorization,

documents and records or independent checks

Doesn’t work for segregation of duties

Test of Details Sampling Testing that an assertion is

materially correct – is the “number” right or not? Completeness Existence Accuracy Rights & Obligations (?) Presentation & Disclosure (?)

When does sampling not apply? When significant judgment is involved When it is more efficient & effective to test

100% of the population (CAAT)

“Coverage” testing What is it? (p.567 2nd paragraph)

Is it “sampling”?

Judgment Based Sampling (non-statistical)

Judgmental or Non-Statistical Requirements

Need to have subjective criteria and auditor experience – target the risk or higher $ amount

Sample results are evaluated and a conclusion is made regarding the entire population

Auditor’s judgment must be supported by documentation – fully explained

Statistical Sampling Statistical (Probability based):

Requirements Homogonous population Sample items should have a known probability of

selection (i.e. generally random) Sample results are evaluated mathematically in

accordance with probability theory Advantages

Can calculate the sample reliability and risk of reliance

Permits optimizing sample size given the mathematically measured risk they are willing to accept

Enables making objective statements about the population

Question Does Statistical sampling enable

the auditor to quantify and control sampling risk? How and how not?

Selecting a Representative Sample

Systematic Sampling Select every nth item Often used with random start, but this is still not

ok for statistical sampling What is random sample selection?

Must use for statistical sampling, can use for non-statistical sampling

Use a random number table or random number generator

Generally sample without replacement

To ensure a simple random sample: Define the population and items included:

All y/e AR Accts w/ zero, negative and positive balances

All checks written for year all checks including voided and unrecorded checks

Define sampling frame: listing or other physical representation of items in the population – specific name of report you selected from

12/31/0X AR Aging report Check register for 1/1/0X to 12/31/0X

Selecting a Representative Sample cont…

What if an item can’t be found?

Ok to pick another? No, usually not okay. This is a

deviation for purposes of evaluating the sample

Sampling in Tests of Controls

Attributes Sampling and the Assessment of Control Risk

Recall: For F/S audit, auditors must “obtain an

understanding of internal control sufficient to plan the audit and to assess control risk”

Components of internal control are: Control environment Risk assessment Information & communication Control activities Monitoring

Which component(s) of internal control can be sampled?

1. Determine the audit objectives.2. Define the population and sampling unit.3. Specify the attributes of interest.4. Determine the sample size.5. Determine the sample selection method.6. Execute the sampling plan.7. Evaluate the sample results.

Steps in Statistical Sampling for Controls

Attributes Sampling: Initial Planning Steps

Step 1. Determining Audit Objective Ensure you understand audit objectives the

controls are addressing May have to design different tests to ensure

controls over all objectives are tested

Step 2. Define Population and Sampling Unit Population: the class of transactions being tested Sampling Frame: where the selections were

made from Sampling unit: what is actually being tested

Step 3. Specify Attributes of Interest Attribute: evidence control is present or not

For each attribute or control to be tested, the auditor must specify a numerical value for:1. Risk of assessing control risk too low (1-reliability)

Inverse relationship w/ sample size

2. Tolerable deviation rate Inverse relationship w/ sample size

3. Expected population deviation rate Direct relationship w/ sample size Note: Pop size has direct effect only if pop < 5000

4. Select sample size based on tables or sampling program (PCAOB set minimums)

Attributes Sampling: Determining Sample Size (step 4)

Attributes Sampling: Determining Sample Selection (step 5)

Must use random method To use, need to have way of

associating a unique number with each item in population (i.e., use document sequence, etc)

Methods Random number generator

Attributes Sampling: Execute Sampling Plan (step 6)

Examine selected items to determine the nature and frequency of deviations from prescribed controls.

Deviations include missing documents absence of initials indicating performance of a

control discrepancies in the details of related documents

and records unauthorized values and mathematical errors found

through reperformance of controls by the auditor.

Attributes Sampling: Evaluate Sampling Results (step 7)

Calculate the sample deviation rate (which is the best estimate of the true deviation rate in pop)

# deviations found / sample size examined Determine the upper deviation or precision

limit given your risk of assessing CR too low (use tables) Why do the sample deviation rate and upper

deviation limit differ???? If sample deviation rate < UDL then can conclude

at x% reliability that the true deviation rate is below the tolerable rate.

Statistical Sampling for Test of Details

How does it differ from statistical sampling for controls?

Non-Statistical Sampling for Tests of Controls

Programmed controls can be tested with a very small sample (appx 2) IF General controls are strong) AND There is comfort over program changes

Steps in Non-Stat Sampling for Controls

1. Determine audit objectives and procedures2. Determine population and sampling unit3. Specify control of interest & evidence that

control was effective or not4. Judgmentally determine sample size

Risk of assessing CR too low => inverse Tolerable deviation rate (TDR) =>inverse Expected pop deviation rate => direct

5. Judgmentally select sample (gen haphazard)6. Apply audit procedures for tests of controls7. Evaluate sample results w/ comparison to

TDR

Non-stat sampling for controls: Sample size (firm “x” guidelines)

Assuming NO errorsFrequency of Control Sample size> 1 per day 25Daily 15Weekly 5Monthly 2Quarterly 1Annually 1

What happens to sample size if expect errors?