Chapter 8 Audit Sampling: An Overview and Application to Tests of Controls...

Chapter 8Audit Sampling: An Overview and

Application to Tests of Controls

McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.

IntroductionAuditors need to rely on sampling to some degree because it’s not always possible to analyze the entire population:

1. Many control processes require human involvement.

2. Many testing procedures require the auditor to physically examine an asset.

3. In many cases auditors are required to obtain and evaluate evidence from third parties.

LO# 1

8-2

Definitions and Key Concepts

On the following slides we will define:

1. Audit Sampling.

2. Sampling Risk.

3. Confidence Level.

4. Tolerable and Expected Error.

On the following slides we will define:

1. Audit Sampling.

2. Sampling Risk.

3. Confidence Level.

4. Tolerable and Expected Error.

LO# 1 and 2

8-3

Audit Sampling

• Here are at least two ways (there are more) to define Audit Sampling:

• Analysis of part of a population, instead of the entire population

• Using inferential statistics in an audit

• Here are at least two ways (there are more) to define Audit Sampling:

• Analysis of part of a population, instead of the entire population

• Using inferential statistics in an audit

LO# 1

8-4

Why is this (not terribly accurate description) phrase “Audit Sampling” used?Custom and tradition.

Sampling RiskSampling risk exists whenever inferential statistics

are used. There are two types of sampling risk. We worry more about Type II risk, as that can cause an

audit failure

Risk of incorrect rejection (Type I) – in a test of internal controls, it is the risk that the sample indicates the control is not operating effectively when, in fact, it is operating effectively. In substantive testing, it is the risk that the sample indicates that the recorded balance is materially misstated when, in fact, it is not.

Risk of incorrect rejection (Type I) – in a test of internal controls, it is the risk that the sample indicates the control is not operating effectively when, in fact, it is operating effectively. In substantive testing, it is the risk that the sample indicates that the recorded balance is materially misstated when, in fact, it is not.

Risk of incorrect acceptance (Type II) – in a test of internal controls, it is the risk that the sample indicates the control is operating effectively when, in fact, it is not operating effectively. In substantive testing, it is the risk that the sample indicates the recorded balance is correct when it is, in fact, materially misstated.

LO# 2

8-5

Determining the “right” sample size in attribute sampling and substantive sampling Because sampling risk is always present,

the auditor must decide how much to expose himself to.

The auditor would like to avoid any significant sampling risk, but that would cost him a huge amount of time and effort– He’d have to draw huge samples– He’d lose the benefit of small samples– Bottom line: this is a cost/benefit decision

Factors to Determine right Sample Size in Attribute (ACL calls it “Record”) Sampling (compare text

Table 8-5 to ACL GUI)

1.Desired confidence level or risk of incorrect acceptance

The ACL GUI calls this Confidence

2.Tolerable deviation rate (or tolerable error)

ACL calls this Upper Error Limit %

3.Expected population deviation rate

ACL calls this Expected Error Rate %

1.Desired confidence level or risk of incorrect acceptance

The ACL GUI calls this Confidence

2.Tolerable deviation rate (or tolerable error)

ACL calls this Upper Error Limit %

3.Expected population deviation rate

ACL calls this Expected Error Rate %

LO# 2

8-7

Evaluation of Results of Attribute (“Record” in ACL) Sampling Terms: Text Table 8-8 vs. ACL

Desired Confidence Level– ACL calls this Confidence

Sample Size– ACL also calls this Sample Size

Actual Number of Deviations Found– ACL calls this Number of Errors

Computed Upper Deviation Rate– ACL calls it upper error limit frequency

Confidence Level

Confidence level is the complement of sampling risk.

The auditor may set sampling risk for a particular sampling application at 5%, which results in a confidence level of 95%.

Thus, these 2 phrases are substantively the same thing.

The auditor may set sampling risk for a particular sampling application at 5%, which results in a confidence level of 95%.

Thus, these 2 phrases are substantively the same thing.

LO# 2

8-9

Sometimes we use Audit Sampling and sometimes not…Relationship between Evidence Types and Audit Sampling

Type of Evidence Audit Sampling Commonly Used

Inspection of tangible assets YesInspection of records or documents YesReperformance YesRecalculation YesConfirmation YesAnalytical procedures NoScanning NoInquiry NoObservation No

LO# 3

8-10

Audit Evidence – To Sample or Not?

• Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.

• Inspection of records or documents. Certain controls may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages.

• Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.

• Inspection of records or documents. Certain controls may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages.

LO# 3

8-11

Audit Evidence – To Sample or Not?

Reperformance. To comply with PCAOB standards, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests performed by the client.

Confirmation. Rather than confirm all customer account receivable balances, the auditor may select a sample of customers.

Reperformance. To comply with PCAOB standards, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests performed by the client.

Confirmation. Rather than confirm all customer account receivable balances, the auditor may select a sample of customers.

LO# 3

8-12

Testing All Items with a Particular Characteristic

When an account or class of transactions is made up of a few large items, the auditor may examine all the items in the account or class of transaction.

When a small number of large transactions make up a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount.

LO# 3

8-13

Types of Audit Sampling

Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling.

Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling.

Statistical sampling uses the laws of probability to 1) compute sample size and 2) evaluate results. The auditor is able to use the most efficient sample size and quantify sampling risk.

In nonstatistical sampling, the auditor does not use the laws of probability in one or both of these tasks

Statistical sampling uses the laws of probability to 1) compute sample size and 2) evaluate results. The auditor is able to use the most efficient sample size and quantify sampling risk.

In nonstatistical sampling, the auditor does not use the laws of probability in one or both of these tasks

LO# 4

8-14

Types of Audit SamplingAdvantages of statistical sampling:

1. Design an efficient sample.

2. Measure the sufficiency of evidence obtained.

3. Quantify sampling risk.

Advantages of statistical sampling:

1. Design an efficient sample.

2. Measure the sufficiency of evidence obtained.

3. Quantify sampling risk.

Disadvantage of statistical sampling:

It has been found, as a practical matter, in litigation, to be harder for the CPA firm to defend itself, if it used statistical sampling rather than nonstatistical sampling.

Disadvantage of statistical sampling:

It has been found, as a practical matter, in litigation, to be harder for the CPA firm to defend itself, if it used statistical sampling rather than nonstatistical sampling.

LO# 4

8-15

Statistical Sampling Techniques

1.Attribute Sampling (used for IC testing – Ch. 8).

2.Monetary-Unit Sampling (used to decide if auditor can accept as materially correct $$ in a Balance Sheet or IS account – Ch. 9).

3.Classical Variables Sampling (ditto MUS)

LO# 4

Attribute Sampling Applied to Tests of Controls

In conducting a statistical sample for a test of controls, auditing standards require the auditor to properly plan, perform, and evaluate the sampling

application and to adequately document each phase of the sampling application.

Plan Perform Evaluate Document

LO#

5, 6, & 7

8-17

PlanningPlanning

1. Determine the test objectives.2. Define the population characteristics: • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

The objective of attribute sampling when used for tests of controls is to evaluate the operating

effectiveness of the internal control.

LO#

5, 6, & 7

8-18

PlanningPlanning

2. Define the population characteristics: • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions.3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

All of the items that constitute the class of transactions make up the sampling population.

LO#

5, 6, & 7

8-19

PlanningPlanning


Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the specific control being tested.

In the Calabro audit the sampling unit is the sales or lease contract (p. 282)

LO#

5, 6, & 7

8-20

PlanningPlanning


A deviation is a departure from adequate performance of the internal control.

LO#

5, 6, & 7

8-21

PlanningPlanning

3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate.

Confidence level is the desired level of assurance that the sample results will support a

conclusion that the control is functioning effectively. When the auditor has decided to rely on controls, the confidence level is traditionally set at 90% or 95%. This means the auditor is

willing to accept a 10% or 5% risk of accepting the control as effective when it is not.

LO#

5, 6, & 7

8-22

PlanningPlanning


The tolerable deviation rate is the maximum deviation rate from a prescribed control that the auditor is willing to

accept and still consider the control effective.

Example Suggested Tolerable Deviation Rates:

LO#

5, 6, & 7

Assessed Improtance of a Control

Tolerable Deviation

Rate

Highly important 3–5%

Moderately important 6–10%8-23

PlanningPlanning


The expected population deviation rate is the rate the auditor expects to exist in the

population. The larger the expected population deviation rate, the larger the

sample size must be, all else equal.

LO#

5, 6, & 7

Expected Population Deviation Rate

Sample Size

1.0% 93

1.5% 124

2.0% 181

3.0% ‡

‡ Sample size too large to be cost-effective.

EXAMPLE: Assume a desired confidence level of 95%, and a large population, the effect of the expected population deviation rate on sample size is shown right:

8-24

Population Size: Attributes Sampling

Population size is not often important in determining sample sizes for attributes sampling, so we skip Advanced Module 1. Below is shown the impact of the 3 factors that matter.

Factor Relationship to

Sample Size Change in

Factor Effect on

Sample Size Lower DecreaseHigher IncreaseLower IncreaseHigher DecreaseLower DecreaseHigher Increase

Direct

Inverse

Direct

Examples

Desired confidence level

Tolerable deviation rate

Expected population deviation rate

LO#

5, 6, & 7

8-25

PerformancePerformance and Evaluation

4. Select sample items: • Random-Number Selection.5. Perform the Audit Procedures: • Voided documents. • Unused or inapplicable documents. • Inability to examine a sample item. • Stopping the test before completion.6. Calculate the Sample Deviation and Upper Deviation Rates.7. Draw Final Conclusions.

This is the preferred method. Every item in the population has the same probability of

being selected as every other item.

LO#

5, 6, & 7

8-26


5. Perform the Audit Procedures: • Voided documents. • Unused or inapplicable documents. • Inability to examine a sample item. • Stopping the test before completion.6. Calculate the Sample Deviation and Upper Deviation Rates.7. Draw Final Conclusions.

For example, assume a sales invoice should not be prepared unless there is a related shipping document. If the shipping document is present, there is evidence the

control is working properly. If the shipping document is not present, a control deviation exists.

LO#

5, 6, & 7

8-27



Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item.

LO#

5, 6, & 7

8-28



If the auditor is unable to examine a document or to use an alternative procedure to test the control, the

sample item is a deviation for purposes of evaluating the sample results.

LO#

5, 6, & 7

8-29



If a large number of deviations are detected early in the tests of controls, the auditor should consider stopping the test, as soon as it is clear

that the results of the test will not support the planned assessed level of control risk.

LO#

5, 6, & 7

8-30

Evaluation

Evaluation6. Calculate the Sample Deviation and Upper Deviation Rates.7. Draw Final Conclusions.

The auditor summarizes the deviations and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the

sample deviation rate is 4% (2 ÷ 50). But what matters is the computed upper

deviation rate (CUDR), the sum of the sample deviation rate plus an allowance for sampling risk. You get this from ACL or text Table 8-8.

LO#

5, 6, & 7

8-31

EvaluationEvaluation

6. Calculate the Sample Deviation and Upper Deviation Rates.7. Draw Final Conclusions.

The auditor compares the tolerable deviation rate (TDR) to the computed upper deviation rate (CUDR).

If the CUDR > TDR the results indicate IC is not as effective as planned and cannot be relied upon to the extent planned.

If the CUDR <= TDR the results indicate IC is as effective as planned and can be relied upon.

LO#

5, 6, & 7

8-32

Attribute Sampling Example

The auditor has decided to test a control at Calabro Wireless Services. The test is to determine that the sales and service contracts are properly authorized for credit

approval. A deviation in this test is defined as the failure of the credit department personnel to follow proper credit

approval procedures for new and existing customers. Here is information relating to the test:

Desired confidence level 95%Tolerable deviation rate 6%Expected population deviation rate 1%Sample size 78

LO#

5, 6, & 7

8-33

Attribute Sampling ExamplePart of the table used to determine sample size when the auditor specifies a 95% desired confidence level.

LO#

5, 6, & 7

If there are 125,000 items in the population numbered from 1 to 125,000, the auditor can use Excel to generate random selections from the population for testing. 8-34


The auditor examines each selected contract for credit approval and determines the following:

Number of deviations 2 Sample size 78 Sample deviation rate 2.6%Computed upper deviation rate 8.2%Tolerable deviation rate 6.0%

Let’s see how we get the computed upper deviation rate.

Let’s see how we get the computed upper deviation rate.

LO#

5, 6, & 7

8-35


Part of the table used to determine the computed upper deviation rate at 95% desired confidence level:

SampleSize 0 1 2 3

25 11.3 17.6 - - 30 9.5 14.9 19.6 - 35 8.3 12.9 17.0 - 40 7.3 11.4 15.0 18.3 45 6.5 10.2 13.4 16.4 50 5.9 9.2 12.1 14.8 55 5.4 8.4 11.1 13.5 60 4.9 7.7 10.2 12.5 65 4.6 7.1 9.4 11.5 70 4.2 6.6 8.8 10.8 75 4.0 6.2 8.2 10.1 80 3.7 5.8 7.7 9.5

Actual Number of Deviations Found

LO#

5, 6, & 7

8-36


TolerableDeviationRate (6%)

ComputedUpper DeviationRate (8.2%)

<

Auditor’s Decision:Does not support reliance on the control.

Auditor’s Decision:Does not support reliance on the control.

LO#

5, 6, & 7

8-37

End of Chapter 8

8-38

Chapter 8 Audit Sampling: An Overview and Application to Tests of Controls...

Documents

Transcript of Chapter 8 Audit Sampling: An Overview and Application to Tests of Controls...