Management of Risks in Audit RISK ANALYSIS AND STATISTICAL SAMPLING IN AUDIT
Session Objectives To revisit the Audit Risk Model and Materiality concepts; To explain the Theory of Sampling as applied to audit To Explain the link between risk assessment and sampling
The Risk Model Theory and Assumptions Control Risk (CR) Risk that the internal control systems in an organization will not be able to detect an error or material misstatement Inherent Risk (IR) Susceptibility of a class of transactions to material misstatement or errors Risk of Occurrence of Error Detection Risk (DR) Risk that auditor’s substantive tests will not be able to detect a material misstatement in the audited transactions
Overall Audit Risk (OAR) Assurance required from audit procedures the maximum risk the auditor is willing to accept OAR = CR x IR x DR OAR defined by the audit institution A constant pre-determined quantity Objective of the auditor assess inherent and control risks in the entity design and perform compliance and substantive tests to provide sufficient assurance that the product of the risks identified ≤ overall audit risk solve the equation for DR assessing IR and CR
Detection Risk (DR) DR is actually a combination of: DR = AP X TD Analytical procedures risk (AP): Risk that analytical procedures will fail to detect material errors Tests of detail risk (TD): Risk that detailed test procedures will fail to detect the material errors DR = AP X TD OAR = IR X CR X AP X TD Auditor exercises professional judgment in assessing IR, CR and AP and solves the equation for TD.
Confidence Level Detection Risk is closely related to the confidence that the auditor wishes to obtain from his substantive tests. Increased confidence => Low DR => more transactions and balances need to be tested substantively Confidence Level = 100%-Detection Risk Detection Risk Only risk that the auditor has under his control Must be kept low
Materiality and Audit Risk-I Independent of OAR Related to VALUE, NATURE and CONTEXT of Error Materiality relates to the maximum possible misstatements/ error Risk -- concerned with the likelihood of error Materiality – concerned with extent to which we can tolerate error
Materiality and Audit Risk -II Auditor to ensure: Maximum possible error at the desired assurance level < Materiality IR + CR => Expected error rate in the population Materiality => Tolerable error rate in the population
Assessment of Risks-I Assessment of Inherent Risk Depends on nature, complexity and volume of transactions Inherent to these activities or sets of transactions Risk classified as high, moderate or low Possible to assign numerical values to the risk assessed
Assessment of Risks-II Assessment of Control Risk: Assesses adequacy of policies, procedures and systems in the organization Whether controls are adequate to detect errors Expressed either in numerical (%) or qualitative (high, medium, low) terms Assessment of Detection Risk Assurance about transactions required from audit procedures Risk Assurance Guide Sample Size
Detection Risk Assurance Guide Assurance from inherent risk evaluation internal control substantive analytical review procedures Required assurance from detailed substantive tests confidence level High (Excellent system) M ed Low Nil 60 70 75 Med (Good system) 65 80 (Fair system) 85 (Poor System/DST) 92 94 95
Risk Assessment and Sampling Statistical Sampling The population is a homogeneous group There is no bias in the selection of sample items Attribute Sampling, Variable Sampling and MUS Attribute sampling Estimates proportion of items in a population having a certain attribute or characteristic. In audit, estimates the existence or otherwise of an error. Used to derive assurance about prescribed procedures/ controls. Estimates % of error (say, vouchers that have been misclassified)
Attribute sampling Set upper limit of acceptable error, being still assured that systems are in place. Can only be used in assessment of control risk. The attribute : whether a specific control has been applied or not applied.
Types of Audit sampling Variables sampling estimates a quantity e.g. amount of sundry debtors shown in the balance sheet the underassessment in a tax circle.
Monetary Unit Sampling provides quantitative results and is suited to most audit situations More accurate in low level error situations with a relatively small population, where there are no negative or zero balances. ‘PPS’ or ‘Probability Proportional to Size’ the probability of selection becomes proportional to the size of a/c high value items tend to get more weight and therefore more probability of getting picked up in any random selection, since
Sampling Methods Simple random sampling Systematic random sampling Stratified sampling CAATs: IDEA => identified audit tests can directly be applied on the sample elements.
Audit Assumptions Audit works on the principle that higher the risk involved in the transactions, higher the need for more extensive checks. Audit through statistical sampling Assessment of Inherent Risk through auditor’s knowledge, judgment and application of specific auditing procedures like analytical reviews etc. Assessment of Control Risk through Compliance Testing, done through attribute sampling, analytical reviews etc. Design the Sampling Frame for Substantive Testing : determine sampling method, sample size. Evaluation of results of Substantive Tests and expression of audit opinion.
Compliance Testing and Substantive Testing Compliance Testing: review and evaluate the effectiveness of internal control systems Substantive Testing: gather evidence on completeness, accuracy and validity of data. Sampling Risks of an Auditor Sampling Risk in Compliance Testing: risk of over-reliance / under-reliance on controls Sampling Risk in Substantive Testing: risk of incorrect acceptance / rejection Selection of appropriate sample size of utmost importance in minimising risk
Designing a Sample Steps Define population and select an appropriate sampling method: attribute, variable, monetary unit etc. Determine sample size Identify sampling procedure, random, systematic, stratified etc. Perform substantive audit tests on the sample elements Estimate Population Value of Parameter Express audit opinion on the entire population
Determinants of Sample Size 1. Expected Error Rate in Population Error Rate /Amount in the Population: mistakes in vouchers /wrong entries in cash books/stores ledger unauthorized payments cash books not daily checked /physical verifications not done Areas of application sanctions / propriety / regularity / financial audit auditor only wants to confirm if the balance is correctly stated or not without estimating the correct balance The greater the expected error rate, the larger the sample size for the auditor to conclude: actual error rate < tolerate error rate.
2. Tolerate Error Rate in Population Tolerate error rate / amount the maximum error rate the auditor is prepared to accept when deciding whether his initial evaluation of the control risk is valid maximum error rate the auditor is willing to accept and still conclude that the auditee is following the procedures properly tolerable error is limited by the level of materiality set by the auditor The lower the tolerable error, the larger would be the sample size
3. Precision Level Precision level: Difference between the sample estimate and the actual population value The auditor to decide the precision to provide in his estimates Tolerable Error = maximum error the auditor is willing to accept = Maximum (sample estimate + precision level).
Confidence Level Confidence level =100%- DR (%) Confidence level: how certain the auditor is that the actual population measure is within the sample estimates and its associated precision level Occurrence rate Population proportion having the error that audit wishes to test
Acceptable risk of Over-Reliance Risk of under-reliance does not affect the correctness of the auditor’s opinion it only results in increasing his workload Over Reliance may lead to wrong audit opinion When the degree of reliance in controls is high, acceptable risk of over reliance is low and vice versa May be quantified as 5%, 10%, 15% etc.
Estimating Population Value If Computed tolerable error = Sample estimate + precision < tolerable error assurance can be placed by auditor on the system If Computed tolerable error > tolerable error, assurance derived from control has to be reduced assurance required from substantive tests has to be increased
To identify areas of applicability A Few Suggested Areas Checking correct accountal of expenditure/ receipts; Checking calculations of payment or receipts; Checking propriety and regularity of expenditure; Checking interpretation or application of rules /contract clauses /provisions of tax acts; Checking achievement of objective of expenditure / exemption of receipts. Any other areas to be identified
Summing Up Audit is primarily a judgmental process Statistical sampling cannot be a substitute for Auditor’s judgment At best the two are complementary
Nature of Population Distribution Is it necessary to estimate? Assumption of homogeneity-how true? Sampling distribution of mean normal for large sample What about smaller samples? For small samples- what distribution (t?). Testing for a single attribute (say classification mistake) - What distribution to assume?
Case Study