Audit Sampling

AUDIT SAMPLING

McGraw-Hill/Irwin

Copyright © 2012 by The McGraw-Hill Companies, Inc., All right reversed

TESTS OF CONTROLS

8-2

What is Audit Sampling? It is the selection and evaluation of a representative sample of items from a population When a sample is representative, it is likely to provide a reasonable basis for arriving at conclusions about the population.

8-3

What is Audit Sampling? (Cont’d)

8-4

TERM Sample Population

EXPLANATION Items selected for examination

Random sample

Each item in the population has an equal chance of being selected thus ensuring that the sample is representative of the population

All items in the account balance or class of transactions

Why Sampling? The auditor uses sampling techniques because it is impossible to review 100% of the controls applied during the year. Sampling techniques for internal control testing are referred to as attribute sampling. In attribute sampling, the auditor determines whether a characteristic of interest in the population (the internal control) is present by looking at a sample from the population. Attribute testing is used to test the rate of deviation from the prescribed control (how often is the control missing?)

8-5

Audit Sampling for Tests of Controls Internal control tests are designed to provide information about the effectiveness of a control. With internal control tests, the auditor asks: Probing question

Yes

Is the control working

√

No.

Probing question

High

Medium

Low

1.

What is the risk of the control not working?

70%

50%

30%

30%

50%

70%

Reliance level

8-6

No

Audit Sampling for Tests of Controls

A control risk of 70% corresponds to a 30% reliance level A control risk of 50% corresponds to a 50% reliance level A control risk of 30% corresponds to a 70% reliance level The reliance level tells auditors how often they can rely on the control

8-7

Sampling and Non-sampling Risk Audit risk is the risk that material misstatements occur in the financial statements and the auditor does not detect them.

Audit Risk Sampling Risk

Nonsampling Risk

Risk that the sample is not representative of the population; For tests of controls, includes the risk of assessing control risk too high (which affects the efficiency of the audit); The risk of assessing control risk too low (which affects the effectiveness of the audit 8-8

Other aspects of audit risk not related to sampling

Sampling and Non-sampling Risk Statistical Sampling

Non-statistical Sampling

Sampling risk can be quantified

Controlled by selecting appropriate sample sizes (sampling risk decreases as sample size increases)

Can be controlled

Taking a random sample, so it is representative of the population Correctly evaluating sample results

8-9

Statistical and Non-statistical Sampling Both statistical and non-statistical sampling require professional judgment for:

ďƒź planning the sample, ďƒźperforming the procedures, and ďƒźevaluating the evidence.

8-10

Statistical and Non-statistical Sampling

ď ą The audit procedures performed under either statistical or non-statistical sampling are the same

ď ą A statistical sample is a sample for which sampling risk can be calculated

ď ą A non-statistical sample is a sample for which sampling risk cannot be calculated

8-11

Statistical and Non-statistical Sampling

Accounting firms use both statistical and nonstatistical sampling

8-12

•

Sample sizes for non-statistical sampling can be larger than those for statistical samples because sampling risk cannot be measured

•

Non-statistical samples can be a less efficient way to gather evidence but should not be viewed as a less effective way

Statistical and Non-statistical Sampling An auditor should consider the following factors in selecting the correct sample size: • More testing will be required for manual controls than for automated controls because the manual controls are more prone to human error. • The more frequently the control is performed, the more items are tested. • More internal control tests are performed for controls that are performed daily than for those performed monthly • The more assurance the auditor receives from other audit procedures (for example, external confirmations, vouching, tracing), the less the control is tested • The more susceptible the control is to management override, the more the control is tested

8-13

The Use of Sampling to Determine the Effectiveness of Internal Controls

The auditor can choose to: ďƒź rely on internal controls or ďƒź not rely on internal controls and perform a substantive audit for audits of financial statements. The purpose of an internal control test is to gather evidence about the control’s operating effectiveness. When deciding to test internal controls, a sampling plan is developed to test controls .

8-14

Tests of Controls Sampling Plan STEP 1 2 3 4 5 6 7 8 9 10

8-15

ACTION Describe the internal control being tested Determine the control objectives including the relevant assertion. Define the population and the sampling unit Define the deviation condition Determine the desired level of assurance, the tolerable deviation rate, and the expected population deviation rate Select the method for determining sample size Determine the method of sample selection List the selected sample items Describe how the sampling procedure was performed Evaluate the sample results and make a decision

Step 1: Describe the Internal Control Being Tested

Physical control to assets

Segregation of duties

Independent reconciliation

Authorization procedures Documented transaction trails

8-16

Step 2: Determine the Control Objective The test objective is to determine whether the control is present, for example, a signature from management as required authorization or approval. The test would be to determine if the required signatures are present on the documents selected for sample.

8-17

Step 3: Define the Population and the Sampling Unit

Over Financial Statements:

ďƒźThe population for internal control testing related

to a financial statement audit is usually all items in the class of transactions or account balance for the year

8-18

Step 3a: Define the Population and the Sampling Unit Over the Financial Statement Process:

ďƒźThe population is usually all items in the class of transactions or account balance that the auditor believes are necessary to determine whether controls were effective at the end of the year

8-19

Step 4: Define the Deviation Condition

8-20



A deviation condition occurs when there is no indication that the control has been performed.



Defining the deviation before testing begins is important so that the auditor has a clear understanding of the conditions necessary for the control to be working.

Step 5: Determine the Desired Level of Assurance, the Tolerable Deviation Rate, and the Expected Population Deviation Rate

Desired Level of Assurance: based on the extent to which the auditor’s risk assessment takes relevant controls into account, in practice, the desired level of assurance is 95% or 90% Tolerable Deviation Rate: the auditor sets the rate of deviation from prescribed internal control procedures related to the level assurance the auditor expects to obtain, in practice, the tolerable deviation rate is 2-20% Expected Rate of Deviation: the rate of deviation expected in the population based on the auditor’s understanding of relevant controls or on the examination of a small number of items from the population, in practice, the expected rate of deviation is 0-15% 8-21

Step 5: Determine the Desired Level of Assurance, the Tolerable Deviation Rate, and the Expected Population Deviation Rate

As Factor Increases

8-22

Affect on Sample Size

Explanation

Desired level of assurance

Sample size increases

The higher the auditor’s desired level of assurance that the results of the sample are representative of the population, the larger the sample size needs to be

Tolerable rate of deviation

Sample size decreases

The lower the tolerable rate of deviation, the

Expected rate of deviation

Sample size increases

The higher the expected rate of deviation, the

Population

Negligible

For large populations (>500) , the size of the population has little or no effect on sample size

larger the sample size needs to be

larger the sample size needs to be so that the auditor can make an accurate estimate of the actual rate of deviation

Step 6: Determine the Method of Sample Size Determination The method of determining the sample size can be statistical or non-statistical. It is determined after the auditor has specified:

The Tolerable Deviation Rate, The Expected Rate of Deviation, and The Desired Level of Assurance. It may be determined with the use of a sampling program. 8-23

Step 7: Determine the Method of Selecting the Sample Simple Random Sampling Generating random numbers from a random number table or a computer program and then selects the document number corresponding to the random number generated. Can be used only when the sampling units are pre-numbered. Appropriate for statistical and non-statistical sampling

8-24

Systematic Random Sampling Dividing the number of units in the population by the number in the sample size to calculate a sampling interval and then generates a random number in the sampling interval. The random number is the first item chosen, and the following items are determined by adding the sampling interval to the random number. Appropriate for statistical and nonstatistical sampling

Haphazard Sampling

Selecting the sample without any conscious bias. May be used when the items in the population pre-numbered documents. Cannot be used for statistical sampling.

Step 8: List the Selected Sample Items

Listing specific items sampled in the work papers or to describe the sampling method in such a way that another auditor could go back and pull the same sample.

8-25

Step 9: Describe How the Audit Procedure Was Performed The auditor performs the audit procedure to determine whether the sample items contain deviations from the documented control. The only possible evidence from an internal control test is an answer to the question:

ďƒź Is the control working; or ďƒź Is the control working to the extent expected? 8-26

Step 9a: Describe How the Audit Procedure Was Performed

If the internal control test is a dual-purpose test:

ďƒźthe auditor examines the item to determine whether it

contains a deviation from the documented control, and

ďƒźthen the auditor reperforms the control.

8-27

Evaluating the Results of Tests of Controls Probing question Is the control working

Yes √ Results of the internal control test would indicate that : Actual Control deviations + Allowance for sampling risk < Tolerable deviations

8-28

Comment/Action

Reduce the level of substantive testing based on their reliance on internal control.

Evaluating the Results of Tests of Controls Probing question Is the control working

NO √ Results of the internal control test would indicate that : Actual Control deviations + Allowance for sampling risk > Tolerable deviations

8-29

Comment/Action

Increase the amount of substantive testing.

Step 10: Evaluate the Sample Results and Reach Conclusions The auditor uses professional judgment to evaluate the sample results and reach an overall conclusion. • The auditor will review the deviations to determine whether the control can be relied upon. • If the number of deviations found in the sample is less than the tolerable deviation rate, the auditor relies on the effectiveness of internal controls to reduce the extent of substantive testing. • If it is higher, than the auditor cannot rely on the effectiveness of internal control and increases their assessment of control risk and the extent of substantive testing. In addition, the auditor needs to consider the qualitative aspects of any control deviations. These include the nature and cause of the misstatement (misunderstanding or carelessness) and the possible relationship of the misstatement to the other parts of the audit.

8-30

Sampling Sampling is crucial to the audit process. Sampling for tests of controls allows the auditor to determine control risk for relevant assertions for significant accounts. This information is used to determine the amount of substantive testing needed to keep audit risk to an acceptably low level. The auditor should understand basic sampling principles: random samples, selecting representative samples, how to evaluate control risk based on the results of a sample. The accounting firm often establishes guidelines to determine sample size, so the auditor does not need to be a statistician.

8-31