INFORMATION SYSTEM AUDIT

Chapter 8: Audit Risk, Audit Sampling

8.1. Introduction
Audit risk is defined as
• the risk that the auditor expresses an inappropriate audit opinion when the
financial statements are materially misstated. Audit risk is a function of the risks
of material misstatement and detection risk’.
• the risk that the information/financial report may contain material error that may
go undetected during the audit.

The Business Risk is defined as:

“the threat that an event or action will adversely affect an organization’s ability
to achieve its business objectives and execute its strategies successfully.”

Audit Risks are classified according to two criteria:

1. the probability for a certain risk to appear in reality;
2. its impact
The risks can be grouped as either;
• Low – there is a low probability that the identified risks will have a negative impact on the
audited body;
• Medium – there is a medium probability that the identified risks will have a negative
impact on the audited body;
• High – it is probable that the identified risks have a negative impact on the audited body.

8.2. Types of Audit Risks

There are three basic components of audit risk:
a) inherent risk,
b) control risk, and
c) detection risk.

Audit Risk = Inherent Risk x Control Risk x Detection Risk

Inherent Risk: Inherent Risk is the risk of a material misstatement in the financial statements
arising due to error or omission as a result of factors other than the failure of controls (factors that
may cause a misstatement due to absence or lapse of controls are considered separately in the
assessment of control risk). Inherent risk is generally considered to be higher where a high degree
of judgment and estimation is involved or where transactions of the entity are highly complex.

Control Risk; Control Risk is the risk of a material misstatement in the financial statements
arising due to absence or failure in the operation of relevant controls of the entity.
Risk of material misstatement is defined as ‘the risk that the financial statements
are materially misstated prior to audit.

It is the risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure and that could be material, either individually or when aggregated

Chapter 8: Audit Risk, and Audit Sampling Page 1

with other misstatements, will not be prevented, or detected and corrected, on a timely basis by
the entity’s internal control.

Organizations must have adequate internal controls in place to prevent and detect instances of
fraud and error. Control risk is considered to be high where the audit entity does not have
adequate internal controls to prevent and detect instances of fraud and error in the financial
statements. Assessment of control risk may be higher for example in case of a small sized entity
in which segregation of duties is not well defined and the financial statements are prepared by
individuals who do not have the necessary technical knowledge of accounting and finance.

Detection Risk: Detection Risk is the risk that the auditors fail to detect a material misstatement
in the financial statements. It is the risk that the procedures performed by the auditor to reduce
audit risk to an acceptably low level will not detect a misstatement that exists and that could be
material, either individually or when aggregated with other misstatements.

An auditor must apply audit procedures to detect material misstatements in the financial
statements whether due to fraud or error. Misapplication or omission of critical audit procedures
may result in a material misstatement remaining undetected by the auditor. Some detection risk is
always present due to the inherent limitations of the audit such as the use of sampling for the
selection of transactions.

Detection risk can be reduced by auditors by increasing the number of sampled transactions for
detailed testing.

Some typical risk categories are:

a) Error – is there a possibility an error could occur during the process in question or that
information held in a key data file or store (ex. details of supplier; employee records) could
contain errors.
b) Fraud – could the process or information be deliberately manipulated for personal gain which
might go undetected.
c) Theft – in the delivery of the systems objectives and the performance of the activity under
review are there physical assets which someone could remove for personal benefit.
d) Regulatory – could the process or system not be compatible to international, national and any
rules and regulations laid down by the central government or the municipality.
e) Disclosure – is there a possibility of unauthorized disclosure of information or of the way in
which the system or process operates which might lead to loss, embarrassment or other
disadvantage.
f) Disruption – is there a possibility of loss or disruption which would make it difficult or
impossible to operate the system or process or could lead to the loss or corruption of data.
g) Value for Money (VFM) – is there the possibility of uneconomic, inefficient or ineffective
use of resources in the performance of the process or system.

8.2.1. Audit Risk Model

Chapter 8: Audit Risk, and Audit Sampling Page 2

Audit risk model is used by the auditors to manage the overall risk of an audit engagement.
Auditors proceed by examining the inherent and control risks pertaining to an audit engagement
while gaining an understanding of the entity and its environment. Detection risk forms the
residual risk after taking into consideration the inherent and control risks pertaining to the audit
engagement and the overall audit risk that the auditor is willing to accept.

Where the auditor's assessment of inherent and control risk is high, the detection risk is set at a
lower level to keep the audit risk at an acceptable level. Lower detection risk may be achieved by
increasing the sample size for audit testing. Conversely, where the auditor believes the inherent
and control risks of an engagement to be low, detection risk is allowed to be set at a relatively
higher level

8.3. Conducting a Risk-Based Information Systems Audit

A risk-based information systems audit includes, in addition to testing of logic and transaction, an
evaluation of risk engrained in management systems and control procedures established in various
operations. Under a risk-based information systems audit, the focus shifts from exhaustive testing
to a system guided by risk identification, prioritization of audit objects based on identified risks,
and allocation of audit resources in line with risk assessment. Thus, the criteria for selecting an
audit object shifts from the functionality of such an object to the risk associated with its failure.
An information systems audit under a risk-based approach results in greater assurance that the
entity is adequately geared to face the risks its information systems is exposed to.

A risk-based information systems audit consists of the following five steps:

1. Profiling of risks: The information systems auditor starts the audit process with risk-profiling
various functional areas of the auditee. The profiling is based on available records and
information from various sources including, but not limited to, the following:
1) External and internal audit reports.
2) Industry trend and other environmental factors.
3) Amount of time lapsed since the last audit.
4) Proposed changes in business line that may introduce new risks that the auditee has not yet
encountered.
The auditor would evaluate the probability and exposure to risks the auditee is facing by
looking into the following:
1) Previous audit reports.
2) Prior audit findings and action taken on them.
3) Volume of business.
4) Internal controls and control environment.
5) Quality and experience of the management.
6) Complexity of business handled by the auditee.
2. Conducting risk assessment: The risk-based information systems auditor would undertake risk
assessment essentially to develop the plan for a risk-based information systems audit. The risk
assessment function would otherwise, as an independent activity, review various processes in
place to identify, measure, monitor, and decide on acceptable level of risks. The auditee
should internally devise a risk assessment methodology, with approval of the board of

Chapter 8: Audit Risk, and Audit Sampling Page 3

 directors, keeping in mind the size and complexity of the business undertaken by the
organization. The risk assessment process would include, at minimum, the following:
a. Identification of inherent risks in various systems and activities undertaken by the auditee.
Inherent risks are those risks that the organization must accept in order to carry on the line
of business or service.
b. Evaluation of effectiveness of control systems designed to monitor and manage the
identified inherent risks. All business formulates an internal strategy to face the risk,
which includes the establishment of control mechanisms to keep the risk exposure within a
defined limit.
c. Populating a risk matrix: The risk matrix is a visual tool for risk classification based on
the relationship between the magnitude of related inherent business and control risks.

Risk Matrix

3. Audit prioritization:
Audit prioritization of risk areas based on the level and direction of risk. The direction of risk
is assessed by comparing the risk matrix of two different periods and reviewing their
movement from one cell to another.
4. Conducting detailed information systems audit of selected areas: The information systems
auditor will conduct substantive testing for all high-risk areas. The auditor should note the
details of the findings in each area of audit and maintain working papers describing the tests
conducted and results observed.
5. Reporting: The risk-based information systems audit report will generally contain auditor’s
findings and observations regarding deviations from standard guidelines. The highlight of the
report of risk-based information systems audit will be an assessment of the impact of the audit
findings on risk exposure of the auditee. The auditor, in addition to bringing to the fore the
errors and deviations observed, will comment on the impact of those findings on the risk
matrix.

8.4. IS Audit Risk Assessment

An IS audit risk assessment should take into account the following types of risks:
1) Inherent Risks These are natural or built-in risks that always exist. Driving your automobile
holds the inherent risk of an automobile accident or a flat tire. Theft is an inherent risk for
items of high value.

Chapter 8: Audit Risk, and Audit Sampling Page 4

2) Detection Risks These are the risks that an auditor will not be able to detect what is being
sought. It would be terrible to report no negative results when material conditions (faults)
actually exist. Detection risks include sampling and non sampling risks:
3) Sampling Risks These are the risks that an auditor will falsely accept or erroneously reject an
audit sample (evidence).
4) Non sampling Risks These are the risks that an auditor will fail to detect a condition because
of not applying the appropriate procedure or using procedures inconsistent with the audit
objective (detection fault).
5) Control Risks These are the risks that an auditor could lose control, errors could be
introduced, or errors may not be corrected in a timely manner (if ever).
6) Business Risks These are risks that are inherent in the business or industry itself. They may
be regulatory, contractual, or financial.
7) Technological Risks These are inherent risks of using automated technology. Systems do
fail.
8) Operational Risks These are the risks that a process or procedure will not perform correctly.
9) Residual Risks These are the risks that remain after all mitigation and control efforts are
performed.
10) Audit Risks These are the combination of inherent, detection, control, and residual risks.
Will your audit be able to accurately prove or disprove the target objective? Is the audit scope,
time allotted, sponsor’s political strength, priorities, and available technical abilities
sufficient?

8.5. Audit Sampling

In many cases the auditor can gain adequate assurance regarding the mitigation of risk without
having to examine every single record or transaction. Under such circumstances, the auditor may
choose to use a variety of sampling techniques in order to obtain evidence that is satisfactory and
competent. The auditor may choose to use either non-statistical or statistical sampling techniques.
a) Non-statistical sampling involves the auditor making a judgment call as to the number of
items to be selected and which items. The sampling technique is valid where the auditor
wishes to examine a few examples without necessarily drawing conclusions about the whole
population.
b) Statistical sampling itself is the process of testing a portion of a group of items to evaluate and
draw conclusions about the population as a whole.

8.5.1. Terms used in Statistics & Sampling

a) population mean: the average value of a variable, where the reference class is a
population of interest. E.g. the average high of all persons owning a Louisiana driver's
license. This is a parameter.
b) sample mean: the average value of a variable, where the reference class is a sample from
the population. This is a statistic. It is also a variable that has as its reference class all
possible samples.
c) population proportion: the proportion of a population with a given property. E.g., the
proportion of registered voters in East Baton Rouge who are republican. This is a
parameter.

Chapter 8: Audit Risk, and Audit Sampling Page 5

 d) sample proportion: the proportion of a sample with the property. This is a statistic. It is
also a variable that has as its reference class all possible samples.
e) Sample distribution: the distribution of a variable whose reference class consists of all
samples (of some fixed size) drawn from some population.
f) Example: Consider the population of all LSU students, and consider drawing samples of
size 100. The variable is the average height of the people in the sample. (Here we are
looking at the distribution of the sample mean.)
g) Example: Use the same population and the same sample size, but now consider the
variable "percent male". This is again a something that can measured in each sample. The
sampling distribution tells us the relative frequency of each possible sample percent in the
reference class of all samples.
h) Margin of error: a bound that we can confidently place on the difference between an
estimate of something and the true value.
i) Level of confidence/ Coefficient confidence: a measure of how confident we are in a
given margin of error. It is a measure of the accuracy and repeatability of a statistical test.
j) Statistical precision, that is, how precisely the statistics from a sample represent the
parameters in a population. It is the closeness with which it can be expected to
approximate the relevant population value. Precision is a measure of how close an
estimator is expected to be to the true value of a parameter.

8.5.2. Sampling Methodologies

There are four basic sampling methodologies:
1. Attribute sampling: This type of sampling enables the auditor to estimate the rate of
occurrence of certain characteristics of the population (e.g., deviations from performance of a
control). It is most often used in performing tests of controls. A deviation would be the failure
of a control to function properly (i.e., an error).
2. Discovery sampling: This type of sampling is designed to locate a small number of
deviations or exceptions in the population. It is most often used to detect a fraudulent
transaction. If there is one deviation (i.e., one fraudulent transaction) in the sample, the auditor
must examine the population. A deviation in discovery sampling, however, is not the same as
a deviation in other sampling methods. In the former, it refers to fraud; in the latter, it refers to
an error. Discovery sampling is used primarily to detect critical deviations. Because they are
considered critical, the discovery of a single deviation (e.g., fraud) is intolerable.
Consequently, if a critical deviation is discovered, the auditor may abandon the sampling
procedures and investigate the population, rather than relying on the sample.
3. Classical variables sampling (CVS): This method is used to provide auditors with an
estimate of a numerical quantity, such as the balance of an account. It is primarily used by
auditors to perform substantive tests. It includes mean-per-unit estimation, ratio estimation
and difference estimation. For example, this method would be used to confirm accounts
receivable.
4. Probability-proportional-to-size sampling (PPS): This method develops an estimate of the
total monetary amount of misstatement in a population. PPS uses dollar-unit sampling or
monetary-unit sampling (MUS). Other methods are based on instances or occurrences, but
this method is based on monetary values, where higher monetary value transactions have a
higher likelihood of being chosen in a sample thus the name PPS.

Chapter 8: Audit Risk, and Audit Sampling Page 6

8.5.3. Choice of Sampling Methodology
The choice of a method depends on the primary purpose of the sample and substantive test. If the
auditor needs to perform a test of control, the best choice is attribute sampling. If the purpose of
the audit procedure is to detect fraud, then discovery sampling is the best choice, but MUS is a
good choice, too. If the purpose is to look for material misstatements in an account balance or
class of transactions, CVS is a good choice. CVS does tend to require larger samples than other
methods and is, therefore, costly. PPS requires smaller samples. PPS is designed to be especially
effective in the audit of accounts receivable and inventory, with a few exceptions, and thus is
usually a better choice than classical variables for account balances such as these. However, PPS
is prone to trigger false positives, and the auditor must be aware of this possibility.

8.5.4. Sampling Risk

All auditing involves a certain amount of risk or uncertainties. When auditors choose to use
statistical sampling, they face the possibility that, due to the fact that there is less than 100 percent
certainty, the conclusions drawn about the population may contain some material error. This audit
risk comprises two specific subsets.

Sampling risk is the risk that the sample chosen does not appropriately reflect the population as a
whole, ie risk that the auditors’ conclusions based on a sample may be different from the
conclusion they would reach if they examined every item in the population

Audit Sampling risk” arises from the possibility that the auditor’s conclusion, based on a sample
may be different from the conclusion reached if the entire population were subjected to the same
audit procedure. There are two types of Audit sampling risk:
1) The risk the auditor will conclude, in the case of a test of controls, that controls are more
effective than they actually are, or in the case of a test of details, that a material error does not
exist when in fact it does. This type of risk affects audit effectiveness and is more likely to
lead to an inappropriate audit opinion; and
2) The risk the auditor will conclude, in the case of a test of controls, that controls are less
effective than they actually are, or in the case of a test of details, that a material error exists
when in fact it does not. This type of risk affects audit efficiency as it would usually lead to
additional work to establish that initial conclusions were incorrect.

Non-sampling risk
 risk pertaining to non-sampling errors
 Can be reduced to low levels through effective planning and supervisions of audit
engagements

Audit Sampling Steps for Tests of Controls

 Determine the objective of the test
 Define the attributes and deviation conditions
 Define the population to be sampled
 Specify:
 The risk of assessing control risk too low
Chapter 8: Audit Risk, and Audit Sampling Page 7
  The tolerable deviation rate
 Estimate the population deviation rate
 Determine the sample size
 Select the sample
 Test the sample items
 Evaluate the sample results
 Document the sampling procedure

Chapter 8: Audit Risk, and Audit Sampling Page 8