CLASS 8 MANAGING THE INTERNAL AUDIT FUNCTION c

- Roles in managing the IA function (CAE) – 2000

- Just like other C-level (CFO, CEO, CIO) → we also have CAE for audit
- Planning (& communication and approval) – 2010, 2020
- Resource mgt (& external service provider and org responsibility for IA – 2030, 2070
- We may request specialities from external parties
- Policies and procedures – 2040
- Coordination – 2050 → coordinating w/ ext/int
- Reporting to senior mgt and the board – 2060

CAE’s responsibilities
2000 – managing the IA acty
The CAE must effectively manage the IA acty to ensure it adds value to
the org

Interpretation:
IA acty is effectively managed when:
- It achieves the purpose and responsibility included in the IA charter
- It conforms with the standards
- Its individual members conform with the codes of ethics and the standards
- It considers Trends and emerging issues that could impact the organization

The internal auditor activity adds value to the organization and its stakeholders when it considers
their strategies, objectives, and risks; strives to offer ways to enhance governance, risk
management, and control processes; in objectively provides relevant assurance
xCLASS 9 AUDIT EVIDENCE AND WORKING PAPERxx
- Audit evidence
- Audit procedures
- Audit working paper

AUDIT EVIDENCE
Professional skepticism and reasonable assurance
- Professional skepticism = IA take nothing for granted; they continuously question what they
hear and see and critically assess audit evidence
- IA strives to obtain sufficient evidence to provide a reasonable basis for formulating their
conclusions and advice. This concept is referred to as reasonable assurance ≠ absolute
assurance (100%) ⇒ we can only assure to reasonable level (not 100%)

Definition
- Represent the fact the IA collected from their audit operations
- Used to prove or confirm with the criteria to summarize audit results and provide advice in
the IA report
- May come from internal or external sources

Characteristics

1. Sufficiency
a. Data or evidence that confirms or support the same conclusions
b. Evidence is considered sufficient if the evidence can exhibit facts and persuade a
prudent, informed person to believe and rely on the fact
c. Sufficiency depends on judgement
→ so it’s difficult to conclude (sometimes use stat record)
→ give to s/o who has enough knowledge to evaluate it

Criteria
● Importance of the audit matter: diff value → diff materiality
● Risks and probability of error: If comp made a lot of error → larger audit sample
● Costs to obtain the evidence: we may have many types of audit procedure
บางทีเลือก 2nd best ก็พอเพราะถ ้าเราเลือกอันทีด
่ ท
ี ส
ี่ ด
ุ อาจจะแพงเกิน benefit ไป
● larger/smaller sample sizes
● corroborated / contradictory: if 2 tests give diff result → may have another test

2. Reliability
“WHERE does evidence come from/ HOW you get it”
a. Data or evidence that is obtained from reliable source and through appropriate audit
procedures
 Criteria
● Source of evidence
○ internal/ external ⇒ internal more likely to manipulate
○ general/ expert ⇒ ex. Operational staff vs land appraiser

● form/ characteristics of evidence

○ doc/ verbal ⇒ มีเอกสารดีกว่า เพราะถ ้าปากเปล่า วันนีก ้ บ
ั พรุง่ นีอ
้ าจจะพูดไม่เหมือนกันแล ้ว
○ original/ photocopy
● Route it takes
○ direct/indirect ⇒ external directly to aud is the best ex. Confirmation from bank
○ Timeliness ⇒ in the past, more timely = more reliable เพราะถ ้าขอเอกสารแล ้วเค ้าให ้
รอ เค ้าอาจจะmanipulate อยู่ แต่ปัจจุบน
ั ต ้องดูแหล่งด ้วย ถ ้าtimelyแต่เอามาจากเฟสก ้ไม่โอเค
○ Internal control system ⇒ more IC = more validation
● Appropriate audit techniques
○ Obtain docs ดีกว่า just interview/observe
○ *try to use the best attainable evidence*
เดีย
๋ วเรียนaudit procedure to obtain evidence ทีหลัง

3. Relevance
a. Data or evidence that can confirm or support the audit conclusion, findings or
recommendation and conform with the audit objective ( relevance, accuracy,...)
b. Some evidence may be relevant to only one audit objectives
ex. Observation of assets count vs existence
c. Some evidence may be relevant to >1 audit objectives
Ex. confirmation of AR vs accuracy and existence
 4. Usefulness (อันนีเ้ ป็ น comp goal ทีเ่ หลือเป็ น audit goal)
a. Data or evidence that helps provide assurance that the org will meet its goal
⇒ strat, operations, reporting, compliance, safeguarding assets**

Factor to consider
● Materiality ⇒ use mat to measure usefulness

Exercise on characteristics
Assume IA wants to determine whether a particular vehicle included in the comp’s FA ledger EXISTS
and is OWNED (audit obj) by the comp. Therefore, IA locates the vehicle in the comp’s parking lots
1. Relevant?
○ Existence VS locate vehicle ⇒ yes
○ Ownership VS locate vehicle ⇒ NO ต ้องไปดูทdี่ ocs (registration info/ car owner)

3rd page = 3rd hand

โฉนดทีด
่ น
ิ ก็เหมือนกัน

มี ownership transfer

2. Reliable?
○ Source of info: aud go to see by themselves = reliable
○ if docs photocopied ⇒ not so reliable

3. Sufficient?
○ Existence VS locate vehicle ⇒ yes
○ Ownership VS locate vehicle ⇒ NO ต ้องไปดู regis no./ engine no. ด ้วย
 4. Useful?
○ Useful for reporting
○ ถ ้าดูวธิ เี ก็บรถด ้วยก็ also safeguarding assets

Exercise on reliability – origin and route

A. Docs created by org, sent to 3rd party, returned to org, and requested by IA [in → ex]
B. Docs prepared by IA [IA]
C. Docs created by org and requested by IA [in → IA]
D. Docs created by 3rd party, sent to ord, requested by IA [ex → in → IA]
E. Docs sent directly from a 3rd party to IA [ex → IA]

เรียง most reliable + B E D A C - least reliable

Evidence
1. Risk and control matrices
○ B – risk-based plan → need documented risk assessment process at least annually
So IA have to prepare this
○ C – comp มี risk mgt department (แต่ต ้องออดิทอีกที IA เลยไปขอ matrices มาจากบอ)
2. Deposits slips ใบนำฝากธนาคาร
○ D – if have 1: bring check to tellers → they do everything for you
○ A – if have many: บอออก plain(?) slip → bank stamp → send back to comp
3. Bank statements
○ D – monthly statement
○ E – aud request from bank
4. Receiving reports = you order materials
○ A – receiving dept prepare this ตอนได ้รับของ
○ C – ask คนส่งให ้เซ็นด ้วย
5. Confirmations
○ E – mostly E
○ D

AUDIT PROCEDURES
Definition and objectives
= tasks performed to obtain evidence
● Aud procedures = specific tasks performed by the IA to gather evidence required to achieve
the prescribed audit objectives
● objectives:
○ Obtain a thorough understanding of the auditee, including the auditee’s obj, risks, and
controls ⇒ observe what they do, interview personnel, see docs
○ Test the design adequacy and operating effectiveness of the targeted area’s system of
IC ⇒ when we want to evaluate control, there are 2 aspects:
■ Adequacy: whether the control is enough to bring risk to acceptable level
■ Effectiveness: those controls really work + is performed
(perform test of control)
○ Analyze plausible relationships among different elements of data
⇒ compare data whether they are reasonable or not – มี fraud, error มัย
้
○ Directly test recorded fin and non-fin info for errors and fraud
⇒ similar to substantive test of external auditor
● สรุป ส่วนใหญ่เป็ น test of controls แล ้วก็ม ี substantive test บ ้าง
Standards

Sufficient appropriate evidence

● Obtaining sufficient appropriate evidence to achieve the prescribed audit objective involves
determining:
○ Nature: type of audit procedures
○ Extent: Coverage → Sample คาบหน ้า
○ Timing: spread throughout, cutoff?
■ If test control which is performed throughout the year → spread sample ทัง้ ปี
■ See whether transactions recorded in right period or not → emphasize on few
transac before and after year-end

Type of audit procedures

1. Manual audit procedures
○ Inquiry – ใช ้ใน understanding ได ้ but not to test control มันอาจจะอ ้างได ้ว่าทำแล ้วแต่จริงๆยัง
Observation สังเกตการณ์ – สิบปากว่าไม่เท่าตาเห็น ask is not enough ไปดูเอง
Bad: if you want to observe production process ถ ้าเค ้ารู ้ตัว อาจจะผักชีโรยหน ้า
Inspection – สิบตาเห็นไม่เท่ามือทำ use with assets, docs, certificate of ownership
Vouching – backward
Tracing – forward
Re-performing – use with process that
we want to try and see if we get the
same results : valid

○ Analytical procedures:
Common-size – use number in FS as a base ex. I/Sเทียบกับ net sales ออกมาเป็ น %
Ratio-analysis
Trend analysis – compare many years → see trend whether it conforms with
economic condition
Analysis of future-oriented information – check budget in the future
External benchmarking – compare with competitors
Internal benchmarking – compare among branch
○ Confirmation:
Positive – recipients have to answer in every case
Negative – answer only when not correct

2. Computer-assisted audit techniques (CAATs)

○ To directly test:
i. Controls built into computerized information systems (process)
ii. Data contained in computer files (output/ input)
○ Common CAATs include:
i. Generalized audit software (GAS) – ACL, WinIDEA
⇒ download data from committee and put into this program to analyze
ii. Utility software ex. Log files
⇒ already come with computer – see who log in from log files ดูวา่ มีใครพยย
break control or not
 iii. Test data ⇒ come up with sample data for different scenario
Put data into the system and see whether you get appropriate result or not
If yes, then the program is written appropriately
iv. Application software tracing and mapping ⇒ check system written appropriately
v. Audit expert system ⇒ get knowledge
ex. List all red flags and use system to detect regularity
vi. Continuous auditing ⇒ mini program – audit every transactions and send alert
to IA when something wrong

Exercise audit procedures

A division of your company purchased a large quantity of new desktop computers during the
current fiscal year. An internal audit manager has asked you to audit the process used to acquire the
computers. He also wants you to determine whether the computers have been used properly and
accounted for correctly. The manager specified a set of audit objectives to guide your tests.

​Describe the procedures you might use to gain an understanding of how the computers were
acquired, used, and accounted for. อจพูดไม่คอ
่ ยรู ้เรือ
่ งเลยอันนี้

# Audit objective Applicable audit procedures

1 The purchases of the computers - Start with PO, purchase transactions

were properly authorized - If you are big comp ทีม ่ ี purchasing dept
แต่ละdivision จะต ้องมี purchase requisition signed by
their supervisors and ส่งให ้ purchasing dept
- VOUCH PO back to PR

2 Responsibilities regarding the - If big comp, check คนใน job description or interview
computers are properly personnel
segregated.

3 The computers, as well as the - Observation for physical

software and information they
contain, are properly safeguarded.
Consider both physical and logical
access.
Ex. observe whether they really lock the room
ห ้ามตอบแค่วา่ lock room มันคือcontrol not procedure
- Password for logical
Ex. observe how they put password and go into sys
Or re-perform (get mock user and see whether I
can access confidential data or not)

4 Laws and regulations on software - Inspect original license

usage have been complied with. - See the contract letter/ payment/ invoice

5 The computers recorded as being - Vouch from..

purchased actually exist. - Check G/L or FA register then check with real com

6 All of the computers that were - Trace from...

purchased have been recorded. - See whether receiving report of com are recorded
(completeness)

7 The amounts at which the - Vouch from G/L to invoice or receipts

computers are recorded are
correct.

8 The estimated useful lives and - Salvage: Ask expert or check market value of com
salvage values of the computers ว่าถ ้าเวลาผ่านไป 5 ปี ราคาเหลือเท่าไหร่
are reasonable. - Useful lives: Check records of the comp ว่าปกติใช ้
คอมกันนานแค่ไหน
 9 Depreciation expense was - Inspect formulas
calculated correctly. - recalculate

Case

Summary: จดว่ามีการซือ้ รถ 501 คันแต่จริงๆ only 8 exists เงินออกตลอดแต่ไม่เคยเห็นรถ เงินเข ้ากระเป๋ า chairman
หมด โดนจับได ้เพราะ SEC สังเกตว่าถ ้ามีรถเยอะขนาดนีก
้ ต
็ ้องมีตก
ึ หรือเช่าทีไ่ ว ้เก็บรถ → ask for special audit
⇒ Check ration เทียบ inventory กับ rent expense
Summary: try to advertise that he has a way to invest and promise really high return พอคนให ้เงินเค ้า เค ้า
ก็pay return ให ้ investor กลุม
่ แรก ด ้วยเงินของ investor กลุม ่ สองไปเรือ่ ยๆ: He make up all investment stm
มี fund manager try to win this ว่าreturn สูงขนาดนีม ้ น
ั เป็ นไปไม่ได ้ แต่มน ่ เพราะเค ้าเป็ นคนมีตำแหน่งใหญ่
ั ไม่มใี ครเชือ
่ ถือ (director of NASDAQ)
โตน่าเชือ
⇒ สรุปโดนจับได ้เพราะ proudกับแผนมากเลยเล่าให ้ลูกฟั ง ลูกแจ ้งตำรวจ

Summary: อาจารย์วศ ิ วะจฬ เป็ นประธานสหกรณ์ออมทรัพย์

อ ้างว่า know how to invest in สลากกินแบ่งรัฐ
Can get lottery and resell at higher price + Return 12% per year
He could not pay back เลยโดยจับได ้
WORKING PAPERS
Standards

Purpose and contents

Purpose
- Backup audit result, recommendation, and report
- Aid in planning and performing the engagement
- Facilitate supervision of the engagement and review of the work completed.
⇒ tell what have we done
- Indicate whether engagement objectives were achieved.
- Provide the principal support for the internal auditors’ communications to the auditee, senior
management, the board of directors, and appropriate third parties
- Serve as a basis for evaluating the internal audit function’s quality assurance program.
- Contribute to the professional development of the internal audit staff.
⇒ evaluate staff ว่ามี development มัย
้
- Demonstrate the internal audit function’s compliance with The Standards
⇒ no standard format for every firm

Contents
- Depends on nature of engagement

Quality of good working paper

1. Complete
2. Concise – no need to include EVERYthing in working paper
3. Uniform – talk with team จะได ้มีแพทเทินเดียวกัน
4. Neat

Preparation guideline
Appropriate working paper standardization may include:
● A uniform cross-referencing system for all engagements

When you have risk -> you come up

w/ how to audit เรียก audit program

X-1, x-2 คือ reference

 ● Consistent working paper layouts

● Standardized “tick-marks” (symbols used to represent specific audit procedures)

● A prescription for the types of info to store in permanent or carry-forward files

Each working paper should:

- Contain an appropriate index or reference number.
- Identify the engagement and describe the purpose or contents of the working paper.
- Be signed (or initialed) and dated by both preparer and reviewer
- Clearly identify the sources of auditee data
- Include clear explanations of the specific procedures performed.
- Be clearly written and easy to understand

Sample Audit Program

CLASS 10 AUDIT SAMPLING
- Intro
- Audit risk concept associated with sampling
- Audit sampling approach in tests of controls (stat/ non-stat) **focus**
- Audit sampling approaches in test of monetary values ≈ substantive test
Prove whether value in FS is fairly stated

INTRO
What and why
● Audit sampling is the application of an audit procedure to less than 100 percent of the items
in a population for the purpose of drawing an inference about the entire population.
● Economic and time constraints generally preclude internal auditors from testing 100% of
everything they would like to test.
● Sampling is used most commonly by internal auditors to test the operating effectiveness of
controls. (really work? is performed?) ไม่ใช่ test adequacy นะ !!

Vocab

Concept
1. How much is the sample
2. Apply audit procedure to the sample chosen (vouching, tracing,..)
3. Find stat
4. Estimate population parameter
AUDIT RISK IN CONTEXT OF SAMPLING
Audit risk = risk of reaching invalid conclusions and/or providing faulty advice based on the audit
work conducted.

Two Types of audit risk in the context of sampling

1. Sampling risk → related to sampling
= risk that the internal auditor’s conclusion based on sample testing may be different than the
conclusion reached if the audit procedure was applied to all items in the population. (sample
≠ population)
There are two aspects of sampling risk:
1. The risk of assessing control risk is too low (type II risk, beta risk).
○ Select samples that are less risky
○ Assessed control risk from examining sample < control risk from examining population
○ ่ ว่าดีแล ้วเลยไม่ recommend anything **scary**
Result: Over reliance on IC เชือ
2. The risk of assessing control risk too high (type I risk, alpha risk)
○ Select all problematic samples เกิดมาเพือ่ เป็ น auditor
○ Assessed control risk from examining sample > control risk from examining population
○ Result: Under reliance on IC เช็คมันทุกอย่าง อาจทำให ้เสียเวลากับอันนึงมากไปจน omit อีกอันที่
risky เหมือนกัน + bad relationship with auditee bc you always complain

2. Nonsampling risk → not about sampling

= not associated with testing less than 100% of the items in the population. Instead, it occurs
when an IA fails to perform his or her work correctly (procedure)
● Performing inappropriate auditing procedures
○ ใช ้ trace to test existence WRONG!! → lead to wrong conclusion
● Misapplying an appropriate procedure
○ Not apply professional care
○ Vouch from PO to purchase requisition CORRECT
BUT PR has to signed by authorized person แต่ออดิทไม่ได ้เช็คว่าลายเซ็นถูกคนมัย
้
หรือถ ้า amount ต ้องมีลายเซ็นจากสองคน แต่ออดิท ignore ก็คอ
ื misapply
● Misinterpreting sampling results.
○ Look at wrong number

​Nonsampling risk can be reduced by..

- appropriate audit planning,
- supervision of individual audit engagements,
- the overall application of appropriate quality assurance procedures.

APPROACHES TO AUDIT SAMPLING

2 general approaches
1. Statistical sampling
○ Is a tool that can help the internal auditor measure the sufficiency of evidence
obtained and quantitatively evaluate the sampling results.
■ Use stats to come up with “how much”
○ Allows the internal auditor to quantify, measure, and control sampling risk. (e.g. 95%
confident = 5% risk of error)

2. Nonstatistical sampling
○ Use sample size based on our convenience: we gonna audit this much, don’t care stat
○ Save costs and time
○ Appropriate for experienced auditors so they can target on more risky part
⇒ เลือกว่าจะใช ้อันไหนจาก cost-benefit decision ex. ถ ้าเกินล ้านใช ้stat ส่วนทีเ่ หลือใช ้ non-stat

REVIEWING STATS
What is the difference between a test of control and a test of monetary value?

Population distribution
⇒ for audit purpose, each item in a pop is associated w/ a variable of interest to the auditor
● Discrete variables การสุม่ ตัวอย่างเชิงคุณลักษณะ, such as the YES/NO decision whether to authorize
pmt of invoices, are tested using attribute sampling **focus**
○ Ex. authorize or not? Comply or not?
● Continuous variables, such as the monetary amounts of accounts receivable, are tested using
variable sampling

Statistical Audit Sampling in Tests of Controls: Attribute Sampling Approaches

Attribute Sampling : is a statistical sampling approach, based on binomial (2) distribution theory, that
enables the user to reach a conclusion about a population in terms of a rate of occurrence. (rate of
YES → rate of following IC)
The most common use is to evaluate the effectiveness of a particular control.
The internal auditor tests the rate of deviation from a prescribed control to determine
whether the occurrence rate is “acceptable” and, accordingly, whether reliance on that
control is appropriate.

Exercise
For which of the following would an IA most likely use attribute sampling?
a. Determining whether the year-end inventory balance is overstated
b. Selecting FA additions to inspect
c. Choosing inventory items to test count
d. Inspecting employee timecards for proper approval ⇒ just approve or not

9 steps of attribute sampling

1. Identify a specific internal control objective and the prescribed control(s) aimed at achieving
that objective.
○ Help minimize the risk of performing inappropriate audit procedures and, consequently,
drawing inappropriate conclusions

2. Identify criteria and define control deviation

○ Help minimize the risk of not recognizing a deviation
○ Ex. of deviation: a missing docs, no evidence of control, control executed by authorized
person, difference btw the docs

For all these deviations, there should be sth that help us say that this wrong ⇒ criteria
 Internal ––––––––– Example of criteria ––––––––– External

- Code of conduct - Laws, Revenue Code, Regulatory

- Policies, notifications, rules, authority, requirements
board resolutions - Conditions agreed with the
- Goals external parties, e.g. with Board of
- Standards ex. Spoilage not >2% Investment
- Contracts - Good business practice, e.g. to
- Acctg system and IC require collateral for borrowing
- Budgets - Normal trading practice
- If no good criteria, may adopt normal/ - GAAP
common practice
ใช ้เป็ น reference for deviations เพือ
่ บอกว่าเราทำเพราะ code of conduct, … blah blah

3. Define the population and sampling unit

4. Determine the appropriate values of the parameters affecting sample size (table 1 or Formula)
○ The acceptable risk of assessing control risk too low
⇒ risk that IA will incorrectly conclude that a specified control is more effective than it
really is (risk of marking wrong conclusion)
■ Ex. 100% - confidence level 95%
= 5% → เปอเซนทีอ่ อดิทจะ conclude ผิด

○ The tolerable deviation rate/ precision อัตราความผิดพลาดทีย ่ อมรับได ้

⇒ max rate of deviation that IA is willing to accept and still conclude that control is
effective ถ ้าเกินไปกว่านีค
้ อ
ื ไม่effective
■ There might be human error in performance
→ so ถ ้าพลาดไม่เกิน xx % จะถือว่า effective อยู่ : ยอมให ้บอผิดได ้เท่าไหร่
■ The level chose depend on the obj of the test and how the results are used
● ถ ้าอันไหนซีเรียส จะเซท lower tolerable deviation rate

○ The expected population deviation rate

⇒ IA’s best estimate of the actual deviation rate in pop of items being examined
ถ ้าได ้ตรวจ 100% คิดว่าเค ้าจะผิดเท่าไหร่ ส่วนใหญ่ใช ้ 5%
■ Ex. ถ ้าตรวจจาก sample แล ้วผิดไม่เกิน 5% ก็คอ ื ว่า โอเค
■ The rate is determined by the auditor and is based on pilot studies, discussions
with mgt, and the results of previous audit
 Factors affecting attributes sampling’s sample size

Sample size factor Impact on sample size

Population size (use formula) Direct

Acceptable risk of assessing control risk too low (beta risk) Inverse
= accept error more in making audit decision, lower confidence = smaller sample

Tolerable deviation rate (precision) Inverse

Expected population deviation rate Direct

มีแค่อน
ั แรก use formula ทีเ่ หลือ use stats table
If we use stats table, there will be only 3 factor affecting sample size

5. Determine the appropriate sample size

○ Refer to readily available sample-size tables [table 1], [table 2]
○ Use formula (ไม่เรียน)

6. Randomly select the sample

1) Simple random sampling: use random number table or computerized random number
generator program ให ้กูเกิล ่ ให ้
้ สุม
○ Good: all have the same chance being picked
○ Consideration:
i) Where to start
ii) The direction to move
iii) What to do if outside range
iv) Which digits to use

Documenting the sample selection in working papers

2) Systematic sampling/ interval sampling

⇒ อยากให ้มัน spread period กว่าอันแรก
○ Good: spread throughout the period, good with pop with similar characteristics
○ Bad: auditee may guess and manipulate the evidence
 ่ ตัวอย่างโดยชัน
3) Stratified attribute sampling สุม ้ ภูม ิ
○ For items with different characteristics/ diff IC/ diff authorization
○ Items can be easily distinguished
○ Similar items will be grouped tgt and samples will be drawn from each group
according to proportion of each group

4) Cluster (block) sampling:

⇒ ​randomly selects groups of items as the sampling units rather than individual items
○ **location** for convenience
○ ​used in case that there’re problems with storage of data or docs and it’s not
convenient to use other selection approaches
○ Different from stratified in that clusters are similar groups of items
○ Classified groups by location or storage ex. Items with same location or same
month are in the same group
○ Ex. ข ้อมูลอยูใ่ นห ้องฟรีซ ถ ้าอยูต
่ ้องหาข ้อมูลไปรอบๆนานๆคงแข็งตาย ก็ต ้องตรวจเป็ น shelf

7. Audit the sample items selected and count the number of deviations from the prescribed
control

8. Determine the achieved upper deviation limit

○ Refer to the attribute sampling evaluation tables [table 2]
 9. Evaluate the sample results
○ Formulating a statistical conclusion:
■ ​I am [100 – Type II risk]% confident that the true, but unknown, population
deviation rate is less than or equal to [Upper deviation Limit]%
○ Making an audit decision based on the quantitative sample results:
■ If the achieved upper deviation limit <= tolerable deviation rate, the tested
control is effective
○ Considering qualitative aspects of the sample results
■ think about deviation that we found ⇒ เป็ น result of error or fraud?
● ต่อให ้เปอเซนมันไม่เกิน แต่ถ ้ามันเป็ น fraud ก็คอ
ื ไม่effective

Case of missing or voided docs

Discovery Sampling
⇒ ​Use to specify the sample that is big enough to find at least 1 deviation if it exists
พยยหาให ้ได ้อย่างน ้อย 1 devถ ้ามี – เอาไว ้หาfraud, non-compliance
● Discovery sampling is the easiest of all statistical sampling variations to understand.
● It deals with the probability of discovering at least one error in a given sample size if the
population error rate is a certain percentage.

2 ways [Table 3]
1. Not much time → เลือก sample มา สมมติวา่ 300
○ เจอ 1 fraud = 100% fraud exists
○ ไม่เจอ fraud ก็ดต
ู าราง ว่าเราอยากให ้ confident เท่าไหร่ในการเกิด fraud เท่าไหร่ base from 300
■ 95 % confident that the true population fraud rate did not exceed 1 percent.
■ 78 % confident that no more than 0.5 percent of the checks were fraudulent
2. Lots of time → ทำย ้อนกลับ
○ ถ ้าเราอยาก 95% confident that no more than 0.2% were fraud → ก็ต ้องcheck 1500 sample
○ For serious non-compliance
Nonstatistical Audit Sampling in Tests of Controls
**convenient + use judgement**
Selecting and evaluating a non-stat sample
● specific/ purpose sampling may include
○ Items with potential errors ex. High risk, past errors, or related party transactions
○ Items with high values or importance ex. Amount over threshold or special
procurement method
⇒ this method is highly effective, however, the results cannot be extrapolated to the whole
population. Therefore, internal auditors need to consider the need to obtain evidence for the
rest of the population. บอกไม่ได ้ว่า confidentกีเ่ ปอเซน
● Haphazard sampling ตามวิจารณญาณ
= is a nonrandom selection technique that is used by internal auditors to select a sample that
is expected to be representative of the population. **judmental**
○ The internal auditor’s conclusion about the population from which the sample is drawn
is strictly judgmental instead of being based on probability theory.
○ It is important for the internal auditors to determine whether they can reach valid
conclusions using nonstatistical sampling

2 commonly used approaches

1. Select a relatively small sample haphazardly, such as 25 items for all sampling
applications based on a presumption of no control deviations in the population, and to
conclude that the control is not acceptably effective if one or more deviations are
found.
+ convenient
- Does not take into consideration the risk of assessing control risk too low and
tolerable deviation rate

● Stop-or-go sampling
An initial, relatively small, sample is drawn and analyzed. The internal auditor then decides,
based on the results of this initial sample, whether the sample size should be increased.
⇒ if find not much error: stop and conclude
But if find many error: extend test

ใช ้ n = 25 or 30 bc of central limit theorem

2. Slightly more conservative approach used by some internal auditors

Some firm may come up with sth like this. But if you want to use in practice → be careful
Documenting sample selection

Statistical Sampling in Tests of Monetary Values

​ hen performing tests of monetary values, the internal auditor is concerned with two aspects of
W
sampling risk:
1. The risk of incorrect acceptance (type II risk, beta risk).
○ The risk that the sample supports the conclusion that a recorded value is not
materially misstated when it is.
2. The risk of incorrect rejection (type I risk, alpha risk).
○ The risk that the sample supports the conclusion that a recorded amount is materially
misstated when it is not.

Two statistical sampling approaches:

1. Classical Variables Sampling
2. Probability-Proportional-to-Size Sampling (PPS) **focus**
⇒ modified form of attribute sampling to test monetary value
● Also called “monetary-unit sampling” (MUS) or “dollar-unit” sampling” (DUS)
● A modified form of attribute sampling that is used to reach a conclusion in monetary
amounts rather than rates of occurrence.
● PPS sampling is primarily applicable for testing recorded monetary amounts for
overstatement (test existence มากกว่า completeness)
● The population in a PPS sampling application is the population of individual monetary
units contained in the particular account being tested. The sampling unit is the
individual monetary unit.
● The internal auditor uses a systematic sampling approach to select every nth monetary
unit in the population after a random start. The items of interest are the “logical units”
containing the individual monetary units, e.g. a specific item of inventory recorded.

จะเห็นว่ามี 4 items from 10000 and 8 items from 20000 ก็จะ proportionate กันกับ value
พอดี