McGraw-Hill/Irwin © The McGraw-Hill Companies 2010
Audit Sampling: An Overview and
Application to Tests of Controls
Chapter Eight
Introduction
Auditing standards recognize and permit both statistical and non-statistical methods of audit sampling.
Two technological advances have reduced the number of times auditors need to apply sampling techniques to
gather audit evidence:
1. Development of well-controlled, automated accounting systems.
2. Advent of powerful PC audit software to download and examine client data.
Introduction
However, technology will never eliminate the need for auditors to rely on sampling to some degree because:
1. Many control processes require human involvement.
2. Many testing procedures require the auditor to physically examine an asset.
3. In many cases auditors are required to obtain and examine evidence from third parties.
Definitions and Key Concepts
On the following slides we will define:
1. Audit Sampling
2. Sampling Risk
3. Confidence Level
4. Tolerable and Expected Error
Audit Sampling
The application of audit procedures to less than 100 per cent of items within a population of audit relevance such that
all sampling units have a chance of selection in order to provide the auditor
with a reasonable basis on which to draw conclusions about the entire
population.
Sampling Risk
Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is used. There are two types of sampling risk.
Risk of incorrect rejection (Type I) – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively. In substantive testing, it is the risk that the sample indicates that the recorded balance is materially misstated when, in fact, it is not.
Risk of incorrect acceptance (Type II) – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is operating effectively when, in fact, it is not operating effectively. In substantive testing, it is the risk that the sample supports the recorded balance when it is, in fact, materially misstated.
Sampling Risk
Three Important Factors in Determining Sample Size
1. The desired level of assurance in the results (or confidence level),
2. Acceptable defect rate (or tolerable error), and
3. The historical defect rate (or expected error).
Confidence Level
Confidence level is the complement of sampling risk.
The auditor may set sampling risk for a particular sampling
application at 5 per cent, which results in a
confidence level of 95 per cent.
Tolerable and Expected Error
Once the desired confidence level is established, the sample size is determined largely by how much
the tolerable error exceeds expected error.
Precision, at the planning stage of audit sampling, is the difference between the expected and tolerable deviation rates.
The term allowance for sampling risk is used to reflect the concept of precision in a sampling application.
Audit Evidence – To Sample or Not?
Relationship between Evidence Types and Audit Sampling
Type of Evidence                       Audit Sampling Commonly Used
Inspection of tangible assets          Yes
Inspection of records or documents     Yes
Reperformance                          Yes
Recalculation                          Yes
Confirmation                           Yes
Analytical procedures                  No
Scanning                               No
Inquiry                                No
Observation                            No
Audit Evidence – To Sample or Not?
• Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count.
• Inspection of records or documents. Certain controls may require the matching of documents. The activity may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages.
Audit Evidence – To Sample or Not?
Reperformance. The auditor may reperform a sample of the tests performed by the client.
Confirmation. Rather than confirm all customer account receivable balances, the auditor may select a sample of customers.
Testing All Items with a Particular Characteristic
When an account or class of transactions is made up of a few large items, the auditor may examine all the items
in the account or class of transaction.
When a small number of large transactions make up a relatively large per cent of an account or class of
transactions, auditors will typically test all the transactions greater than a particular monetary amount.
Testing Only One or a Few Items
Highly automated information systems process transactions consistently unless the system or
programs are changed.
The auditor may test the general controls over the system and any program changes, but test only a few transactions processed by the IT system.
Types of Audit Sampling
Auditing standards recognize and permit both statistical and non-statistical methods of audit sampling.
In non-statistical sampling, the auditor does not use statistical techniques to determine sample size, select the sample items, or measure sampling risk.
Statistical sampling uses the laws of probability to compute sample size and evaluate the sample results. The auditor is able to use the most efficient sample size and quantify sampling risk.
Types of Audit Sampling
Advantages of statistical sampling
1. Design an efficient sample.
2. Measure the sufficiency of evidence obtained.
3. Quantify sampling risk.
Disadvantages of statistical sampling
1. Training auditors in proper use.
2. Time to design and conduct sampling application.
3. Lack of consistent application across audit engagement teams.
Statistical Sampling Techniques
1. Attribute Sampling.
2. Monetary-Unit Sampling.
3. Classical Variables Sampling.
Attribute Sampling
Used to estimate the proportion of a population that possesses a specified characteristic. The most common use of attribute sampling is for tests of controls.
Our client’s controls require that sales are authorized for credit approval.
Yes, I know. We are planning a test of that control using attribute sampling.
Monetary-Unit Sampling
Monetary-unit sampling uses attribute sampling theory to estimate the monetary (e.g. in €) amount of
misstatement for a class of transactions or an account balance.
This technique is used extensively because it has a number of advantages over classical variables sampling.
Classical Variables Sampling
Auditors sometimes use variables sampling to estimate the monetary value of a class of
transactions or account balance. It is more frequently used to determine whether an account is
materially misstated.
Attribute Sampling Applied to Tests of Controls
In conducting a statistical sample for a test of controls, auditing standards require the
auditor to properly plan, perform, and evaluate the sampling application and to adequately document each phase of the
sampling application.
Plan, Perform, Evaluate, Document
Planning
1. Determine the test objectives.
2. Define the population characteristics.
   • Define the sampling population.
   • Define the sampling unit.
   • Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
   • The desired confidence level or risk of incorrect acceptance.
   • The tolerable deviation rate.
   • The expected population deviation rate.
The objective of attribute sampling when used for tests of controls is to evaluate the operating
effectiveness of the internal control.
Planning
2. Define the population characteristics.
   • Define the sampling population.
   • Define the sampling unit.
   • Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
   • The desired confidence level or risk of incorrect acceptance.
   • The tolerable deviation rate.
   • The expected population deviation rate.
All of the items that constitute the class of transactions make up the sampling population.
Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the specific control
being tested.
A deviation is a departure from adequate performance of the internal control.
Planning
3. Determine the sample size, using the following inputs:
   • The desired confidence level or risk of incorrect acceptance.
   • The tolerable deviation rate.
   • The expected population deviation rate.
The confidence level is the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively. Generally, when
the auditor has decided to rely on controls, the confidence level is set at 90% or 95%. This means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not.
The tolerable deviation rate is the maximum deviation rate from a prescribed control that the auditor is willing
to accept and still consider the control effective.
Example Suggested Tolerable Deviation Rates:
Assessed Importance of a Control    Tolerable Deviation Rate
Highly important                    3–5%
Moderately important                6–10%
The expected population deviation rate is the rate the auditor expects to exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all else equal.
EXAMPLE: Assuming a desired confidence level of 95% and a large population, the effect of the expected population deviation rate on sample size is shown below:
Expected Population Deviation Rate    Sample Size
1.0%                                  93
1.5%                                  124
2.0%                                  181
3.0%                                  ‡
‡ Sample size too large to be cost-effective.
Population Size: Attributes Sampling
Population size is not an important factor in determining sample size for attributes sampling. The population size has little or no effect on the sample size, unless the population is relatively small, say less than 500 items.
Factor                                Relationship to Sample Size    Examples: Change in Factor    Effect on Sample Size
Desired confidence level              Direct                         Lower                         Decrease
                                                                     Higher                        Increase
Tolerable deviation rate              Inverse                        Lower                         Increase
                                                                     Higher                        Decrease
Expected population deviation rate    Direct                         Lower                         Decrease
                                                                     Higher                        Increase
Population size                       Decreases sample size only when population is small (fewer than 500 items)
Performance
Performance and Evaluation
4. Select sample items.
   • Random-Number Selection.
   • Systematic Selection.
5. Perform the Audit Procedures.
   • Voided documents.
   • Unused or inapplicable documents.
   • Inability to examine a sample item.
   • Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
Every item in the population has the same probability of being selected as every other
sampling unit in the population.
The auditor determines the sampling interval by dividing the population by the sample size. A starting number is selected
in the first interval and every nth item is selected.
Performance
5. Perform the Audit Procedures.
   • Voided documents.
   • Unused or inapplicable documents.
   • Inability to examine a sample item.
   • Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
For example, assume a sales invoice should not be prepared unless there is a related shipping document. If the shipping document is present, there is evidence the control is working properly. If the shipping document is
not present, a control deviation exists.
Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item.
If the auditor is unable to examine a document or to use an alternative procedure to test the
control, the sample item is a deviation for purposes of evaluating the sample results.
If a large number of deviations are detected early in the tests of controls, the auditor should consider stopping the test, as soon as it is clear
that the results of the test will not support the planned assessed level of control risk.
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
After completing the audit procedures, the auditor summarizes the deviations for each control tested and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the deviation rate in the sample would be 4% (2 ÷ 50).
The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk.
                                                      True State of Internal Control
Auditor's Decision Based on Sample Evidence           Reliable                                Not Reliable
Supports the planned level of control risk            Correct decision                        Risk of incorrect acceptance (Type II)
Does not support the planned level of control risk    Risk of incorrect rejection (Type I)    Correct decision
The auditor compares the tolerable deviation rate to the computed upper deviation rate.
Attribute Sampling Example
The auditor has decided to test a control at Calabro Wireless Services. The test is to determine whether the sales and service contracts are properly authorized for credit approval. A deviation in this test is defined as the failure of the credit department personnel to follow proper credit approval procedures for new and existing customers. Here is information relating to the test:
Desired confidence level              95%
Tolerable deviation rate              6%
Expected population deviation rate    1%
Sample size                           78
Attribute Sampling Example
Part of the table used to determine sample size when the auditor specifies a 95% desired confidence level.
Sample Size at 95% Desired Confidence Level
Expected Population  Tolerable Deviation Rate
Deviation Rate           2%    3%    4%    5%    6%    7%
0.00%                   149    99    74    59    49    42
0.25%                   236   157   117    93    78    66
0.50%                         157   117    93    78    66
0.75%                         208   117    93    78    66
1.00%                               156    93    78    66
1.25%                               156   124    78    66
1.50%                               192   124   103    66
If there are 125,000 items in the population numbered from 1 to 125,000, the auditor can use Excel to generate random selections from the population for testing.
Attribute Sampling Example
The auditor examines each selected contract for credit approval and determines the following:
Number of deviations             2
Sample size                      78
Sample deviation rate            2.6%
Computed upper deviation rate    8.2%
Tolerable deviation rate         6.0%
Let’s see how we get the computed upper deviation rate.
Attribute Sampling Example
Part of the table used to determine the computed upper deviation rate at 95% desired confidence level:
Sample    Actual Number of Deviations Found
Size         0       1       2       3
25        11.3    17.6       -       -
30         9.5    14.9    19.6       -
35         8.3    12.9    17.0       -
40         7.3    11.4    15.0    18.3
45         6.5    10.2    13.4    16.4
50         5.9     9.2    12.1    14.8
55         5.4     8.4    11.1    13.5
60         4.9     7.7    10.2    12.5
65         4.6     7.1     9.4    11.5
70         4.2     6.6     8.8    10.8
75         4.0     6.2     8.2    10.1
80         3.7     5.8     7.7     9.5
Attribute Sampling Example
Tolerable Deviation Rate (6%) < Computed Upper Deviation Rate (8.2%)
Auditor’s Decision: Does not support reliance on the control.
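The Calabro Wireless Services figures can be reproduced numerically. The Python sketch below is an added example, not part of the original slides; it assumes the published tables are based on the exact binomial distribution for a large population (the slides do not say how they were computed), and all function names are illustrative.

```python
import math
import random


def binom_cdf(k, n, p):
    """P(X <= k) when X counts deviations in n items at true rate p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def sample_size(confidence, tolerable, expected, max_n=5000):
    """Smallest n for which finding the expected number of deviations
    (rounded up to a whole item) still keeps the risk of incorrect
    acceptance at or below 1 - confidence. Assumes a large population."""
    risk = 1 - confidence
    for n in range(1, max_n + 1):
        k = math.ceil(expected * n - 1e-9)  # whole deviations planned for
        if binom_cdf(k, n, tolerable) <= risk:
            return n
    return None  # no sample size up to max_n meets the risk target


def systematic_selection(population, n, seed=None):
    """Interval = population // n; random start in the first interval,
    then every interval-th item (item numbers are 1-based)."""
    interval = population // n
    start = random.Random(seed).randint(1, interval)
    return [start + i * interval for i in range(n)]


def upper_deviation_rate(n, deviations, confidence=0.95):
    """One-sided exact upper limit, found by bisection: the deviation rate
    at which `deviations` or fewer in n items has probability 1 - confidence."""
    risk = 1 - confidence
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid  # result still too likely at this rate: limit is higher
        else:
            hi = mid
    return hi


def evaluate(n, deviations, tolerable, confidence=0.95):
    """Compare the computed upper deviation rate with the tolerable rate."""
    upper = upper_deviation_rate(n, deviations, confidence)
    return {
        "sample_rate": deviations / n,
        "upper_rate": upper,
        "allowance_for_sampling_risk": upper - deviations / n,
        "supports_reliance": upper <= tolerable,
    }


if __name__ == "__main__":
    # Inputs from the slides: 95% confidence, 6% tolerable, 1% expected.
    n = sample_size(0.95, 0.06, 0.01)
    picks = systematic_selection(125_000, n, seed=8)  # seed value is arbitrary
    result = evaluate(n, deviations=2, tolerable=0.06)
    print(n, picks[:3], result)
```

The exact limit for 2 deviations in 78 items comes out slightly below the 8.2% read from the table row for sample size 75, but it is still above the 6% tolerable rate, so the conclusion is unchanged.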
Non-Statistical Sampling for Tests of Control
Determining the Sample Size
An auditing firm may establish a non-statistical sampling policy like the one below:
Desired Level of Controls Reliance    Sample Size
Low                                   15–20
Moderate                              25–35
High                                  40–60
Such a policy will promote consistency in sampling applications.
Non-Statistical Sampling for Tests of Control
Selecting the Sample Items
Non-statistical sampling allows the use of random or systematic selection, but also permits the use of
other methods such as haphazard sampling.
When haphazard sample selection is used, sampling units are selected without any bias, that is to say, without a special reason for including or omitting the item in the sample.
Non-Statistical Sampling for Tests of Control
Calculating the Upper Deviation Rate
With a non-statistical sample, the auditor can calculate the sample deviation rate, but cannot mathematically
quantify the computed upper deviation rate and sampling risk associated with the test.
Considering the Effect of Population Size
The sample size tables in the chapter assume a large population. Sample size can be adjusted using the
‘finite correction factor’ in the Advanced Module or by using the table below for very small populations:
Control Frequency and Population Size    Sample Size
Quarterly (4)                            2
Monthly (12)                             2-4
Semimonthly (24)                         3-8
Weekly (52)                              5-9
End of Chapter 8