Chapter 13: Audit Sampling Spring 2007
Overview of Sampling
Basic Sampling Concepts Definition of Audit Sampling Audit sampling is the application of an audit procedure to less than 100% of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. (SAS No. 39) Why do we use sampling? What are the two primary uses of sampling? Test of Controls Substantive Detail Tests Less often used with inquiring, observing or analytical procedures unless dealing w/ multiple locations
Intuitiveness of Sampling Skydiving How many parachutes would you want to have tested before you jumped out of a plane with one? Odwalla How would Odwalla ensure that their juice is good (in terms of health quality)?
Basic Steps for all sampling Basic Steps Planning: start to develop an idea of how much comfort is necessary and how a sample of transactions can satisfy the relevant specific audit or internal control objective taking into consideration factors affecting sample size & audit efficiency Selection: Select items so that they are representative of the population. Evaluation: Interpret the results of the sample and what to the items from which the sample was selected and consider the “sampling risk” Reliability of steps depends on: Type of sampling plan used Professional judgment
Sampling Risks (p.555) Correct Decision Risk of Assessing CR too high Risk of Incorrect Rejection Risk of Assessing CR too low Risk of Incorrect Acceptance Effective/Correct Ineffective/Incorrect True State of what is being tested Sample = clean results Sample ≠ clean results Results of Testing Combined for both control and balance/transaction sampling
Sampling & Non-sampling errors Sampling risks – inherent risk of sampling Effectiveness: assess CR too low or think bal is ok when not (beta risk) Efficiency: assess CR too high or think bal is not ok when is (alpha risk) In stat sampling sampling risk can be quantified as: one minus reliability. Non-sampling risks – operator error Select from pop that is not appropriate for objective Failure to recognize deviations Failure to evaluate findings properly
Two primary uses of sampling Test of Controls Test of Details
Control Testing Testing of an attribute – does it work or not? To determine the rate of deviation from a control operating effectively Control environment control Computer general control Preventative control Manual follow-up control When does sampling not apply? Inquiry & observation Computer application controls
Attributes Sampling and the Assessment of Control Risk Attributes sampling appropriate when: Want to support CR below maximum Documentary evidence of control procedure Controls performed by individuals on transaction-by-transaction basis Generally controls involve authorization, documents and records or independent checks Doesn’t work for segregation of duties
Test of Details Sampling Testing that an assertion is materially correct – is the “number” right or not? Completeness Existence Accuracy Rights & Obligations (?) Presentation & Disclosure (?) When does sampling not apply? When significant judgment is involved When it is more efficient & effective to test 100% of the population (CAAT)
“Coverage” testing What is it? (p nd paragraph) Is it “sampling”?
Judgment Based Sampling (non-statistical) Judgmental or Non-Statistical Requirements Need to have subjective criteria and auditor experience – target the risk or higher $ amount Sample results are evaluated and a conclusion is made regarding the entire population Auditor’s judgment must be supported by documentation – fully explained
Statistical Sampling Statistical (Probability based): Requirements Homogonous population Sample items should have a known probability of selection (i.e. generally random) Sample results are evaluated mathematically in accordance with probability theory Advantages Can calculate the sample reliability and risk of reliance Permits optimizing sample size given the mathematically measured risk they are willing to accept Enables making objective statements about the population
Question Does Statistical sampling enable the auditor to quantify and control sampling risk? How and how not?
Selecting a Representative Sample Systematic Sampling Select every nth item Often used with random start, but this is still not ok for statistical sampling What is random sample selection? Must use for statistical sampling, can use for non- statistical sampling Use a random number table or random number generator Generally sample without replacement
To ensure a simple random sample: Define the population and items included: All y/e AR Accts w/ zero, negative and positive balances All checks written for year all checks including voided and unrecorded checks Define sampling frame: listing or other physical representation of items in the population – specific name of report you selected from 12/31/0X AR Aging report Check register for 1/1/0X to 12/31/0X Selecting a Representative Sample cont…
What if an item can’t be found? Ok to pick another? No, usually not okay. This is a deviation for purposes of evaluating the sample
Sampling in Tests of Controls
Attributes Sampling and the Assessment of Control Risk Recall: For F/S audit, auditors must “obtain an understanding of internal control sufficient to plan the audit and to assess control risk” Components of internal control are: Control environment Risk assessment Information & communication Control activities Monitoring Which component(s) of internal control can be sampled?
1.Determine the audit objectives. 2.Define the population and sampling unit. 3.Specify the attributes of interest. 4.Determine the sample size. 5.Determine the sample selection method. 6.Execute the sampling plan. 7.Evaluate the sample results. Steps in Statistical Sampling for Controls
Attributes Sampling: Initial Planning Steps Step 1. Determining Audit Objective Ensure you understand audit objectives the controls are addressing May have to design different tests to ensure controls over all objectives are tested Step 2. Define Population and Sampling Unit Population: the class of transactions being tested Sampling Frame: where the selections were made from Sampling unit: what is actually being tested Step 3. Specify Attributes of Interest Attribute: evidence control is present or not
For each attribute or control to be tested, the auditor must specify a numerical value for: 1. Risk of assessing control risk too low (1-reliability) Inverse relationship w/ sample size 2. Tolerable deviation rate Inverse relationship w/ sample size 3. Expected population deviation rate Direct relationship w/ sample size Note: Pop size has direct effect only if pop < Select sample size based on tables or sampling program (PCAOB set minimums) Attributes Sampling: Determining Sample Size (step 4)
Attributes Sampling: Determining Sample Selection (step 5) Must use random method To use, need to have way of associating a unique number with each item in population (i.e., use document sequence, etc) Methods Random number generator
Attributes Sampling: Execute Sampling Plan (step 6) Examine selected items to determine the nature and frequency of deviations from prescribed controls. Deviations include missing documents absence of initials indicating performance of a control discrepancies in the details of related documents and records unauthorized values and mathematical errors found through reperformance of controls by the auditor.
Attributes Sampling: Evaluate Sampling Results (step 7) Calculate the sample deviation rate (which is the best estimate of the true deviation rate in pop) # deviations found / sample size examined Determine the upper deviation or precision limit given your risk of assessing CR too low (use tables) Why do the sample deviation rate and upper deviation limit differ???? If sample deviation rate < UDL then can conclude at x% reliability that the true deviation rate is below the tolerable rate.
Statistical Sampling for Test of Details How does it differ from statistical sampling for controls?
Non-Statistical Sampling for Tests of Controls Programmed controls can be tested with a very small sample (appx 2) IF General controls are strong) AND There is comfort over program changes
Steps in Non-Stat Sampling for Controls 1.Determine audit objectives and procedures 2.Determine population and sampling unit 3.Specify control of interest & evidence that control was effective or not 4.Judgmentally determine sample size Risk of assessing CR too low => inverse Tolerable deviation rate (TDR) =>inverse Expected pop deviation rate => direct 5.Judgmentally select sample (gen haphazard) 6.Apply audit procedures for tests of controls 7.Evaluate sample results w/ comparison to TDR
Non-stat sampling for controls: Sample size (firm “x” guidelines) Assuming NO errors Frequency of ControlSample size > 1 per day25 Daily15 Weekly5 Monthly2 Quarterly1 Annually1 What happens to sample size if expect errors?