AUDIT SAMPLING

McGraw-Hill/Irwin Copyright © 2012 by The McGraw-Hill Companies, Inc., All right reversed
 TESTS OF
CONTROLS

8-2
 What is Audit Sampling?

It is the selection and evaluation of a

representative sample of items from a
population

When a sample is representative,

representative it is likely to
provide a reasonable basis for arriving at
conclusions about the population.

8-3
 What is Audit Sampling? (Cont’d)
TERM EXPLANATION
Sample Items selected for examination
Population All items in the account balance or class of
transactions
Random sample Each item in the population has an equal chance
of being selected thus ensuring that the sample
is representative of the population

8-4
 Why Sampling?

The auditor uses sampling techniques because it is impossible to

review 100% of the controls applied during the year.

Sampling techniques for internal control testing are referred to as

attribute sampling.

In attribute sampling, the auditor determines whether a

characteristic of interest in the population (the internal control) is
present by looking at a sample from the population.

Attribute testing is used to test the rate of deviation from the

prescribed control (how often is the control missing?)

8-5
 Audit Sampling for Tests of Controls
Internal control tests are designed to provide information
about the effectiveness of a control. With internal control
tests, the auditor asks:

Probing question Yes No

Is the control working √

No. Probing question High Medium Low

1. What is the risk of the control 70% 50% 30%
not working?

Reliance level 30% 50% 70%

8-6
 Audit Sampling for Tests of Controls

A control risk of 70% corresponds to a 30% reliance level

A control risk of 50% corresponds to a 50% reliance level
A control risk of 30% corresponds to a 70% reliance level

The reliance level tells auditors how often they can rely on
the control

8-7
 Sampling and Non-sampling Risk
Audit risk is the risk that material misstatements occur in the financial
statements and the auditor does not detect them.

Audit
Risk
Non-
Sampling
sampling
Risk
Risk

Risk that the sample is not representative

of the population;

For tests of controls, includes the risk of Other aspects of audit risk not
assessing control risk too high (which related to sampling
affects the efficiency of the audit);

The risk of assessing control risk too low

(which affects the effectiveness of the audit
8-8
 Sampling and Non-sampling Risk
Statistical Sampling Non-statistical Sampling
Sampling risk can be Controlled by selecting
quantified appropriate sample sizes
(sampling risk decreases as
sample size increases)

Can be controlled Taking a random sample,

so it is representative of the
population
Correctly evaluating sample
results

8-9
 Statistical and Non-statistical Sampling

Both statistical and non-statistical sampling require

professional judgment for:
 planning the sample,
performing the procedures, and
evaluating the evidence.

8-10
 Statistical and Non-statistical Sampling

 The audit procedures performed under either statistical or

non-statistical sampling are the same
 A statistical sample is a sample for which sampling risk can
be calculated
 A non-statistical sample is a sample for which sampling risk
cannot be calculated

8-11
 Statistical and Non-statistical Sampling

Accounting firms use both statistical and non-

statistical sampling
• Sample sizes for non-statistical sampling can be larger
than those for statistical samples because sampling risk
cannot be measured
• Non-statistical samples can be a less efficient way to
gather evidence but should not be viewed as a less
effective way

8-12
 Statistical and Non-statistical Sampling

An auditor should consider the following factors in selecting the

correct sample size:
• More testing will be required for manual controls than for
automated controls because the manual controls are more
prone to human error.
• The more frequently the control is performed, the more items
are tested.
• More internal control tests are performed for controls that are
performed daily than for those performed monthly
• The more assurance the auditor receives from other audit
procedures (for example, external confirmations, vouching,
tracing), the less the control is tested
• The more susceptible the control is to management override,
the more the control is tested

8-13
 The Use of Sampling to Determine the
Effectiveness of Internal Controls

The auditor can choose to:

rely on internal controls or
not rely on internal controls and perform a substantive
audit for audits of financial statements.
The purpose of an internal control test is to gather evidence
about the control’s operating effectiveness. When deciding
to test internal controls, a sampling plan is developed to
test controls .

8-14
 Tests of Controls Sampling Plan
STEP ACTION
1 Describe the internal control being tested
2 Determine the control objectives including the relevant
assertion.
3 Define the population and the sampling unit
4 Define the deviation condition
5 Determine the desired level of assurance, the tolerable
deviation rate, and the expected population deviation rate
6 Select the method for determining sample size
7 Determine the method of sample selection
8 List the selected sample items
9 Describe how the sampling procedure was performed
10 Evaluate the sample results and make a decision

8-15
 Step 1: Describe the Internal Control Being Tested

Physical
Segregation
control to
of duties
assets

Independent Authorization
reconciliation procedures
Documente
d
transaction
trails

8-16
 Step 2: Determine the Control Objective

The test objective is to determine whether the control is

present, for example, a signature from management as
required authorization or approval.
The test would be to determine if the required
signatures are present on the documents selected for
sample.

8-17
 Step 3: Define the Population and the
Sampling Unit

Over Financial Statements:

The population for internal control testing related
to a financial statement audit is usually all items in
the class of transactions or account balance for
the year

8-18
 Step 3a: Define the Population and the
Sampling Unit

Over the Financial Statement Process:

The population is usually all items in the class of
transactions or account balance that the auditor
believes are necessary to determine whether
controls were effective at the end of the year

8-19
 Step 4: Define the Deviation Condition

 A deviation condition occurs when there is no

indication that the control has been
performed.
 Defining the deviation before testing begins is
important so that the auditor has a clear
understanding of the conditions necessary for
the control to be working.

8-20
 Step 5: Determine the Desired Level of Assurance, the Tolerable
Deviation Rate, and the Expected Population Deviation Rate

Desired Level of Assurance:

Assurance based on the extent to which the
auditor’s risk assessment takes relevant controls into account,
in practice, the desired level of assurance is 95% or 90%

Tolerable Deviation Rate:

Rate the auditor sets the rate of deviation
from prescribed internal control procedures related to the level
assurance the auditor expects to obtain, in practice, the
tolerable deviation rate is 2-20%

Expected Rate of Deviation:

Deviation the rate of deviation expected in
the population based on the auditor’s understanding of relevant
controls or on the examination of a small number of items from
the population, in practice, the expected rate of deviation is 0-
15%

8-21
 Step 5: Determine the Desired Level of Assurance, the
Tolerable Deviation Rate, and the Expected Population
Deviation Rate

As Factor Affect on Explanation

Increases Sample Size

Desired level of Sample size The higher the auditor’s desired level of
assurance increases assurance that the results of the sample are
representative of the population, the larger the
sample size needs to be
Tolerable rate of Sample size The lower the tolerable rate of deviation, the
deviation decreases larger the sample size needs to be

Expected rate of Sample size The higher the expected rate of deviation, the
deviation increases larger the sample size needs to be so that the
auditor can make an accurate estimate of the
actual rate of deviation
Population Negligible For large populations (>500) , the size of the
population has little or no effect on sample size
8-22
 Step 6: Determine the Method of Sample Size
Determination

The method of determining the sample size can be

statistical or non-statistical.
It is determined after the auditor has specified:
The Tolerable Deviation Rate,
The Expected Rate of Deviation, and
The Desired Level of Assurance.
It may be determined with the use of a sampling
program.

8-23
 Step 7: Determine the Method of Selecting the
Sample
Systematic Random
Simple Random Sampling Haphazard Sampling
Sampling
Dividing the number of units in the
population by the number in the
Generating random numbers from a
sample size to calculate a sampling
random number table or a computer Selecting the sample without any
interval and then generates a
program and then selects the conscious bias.
random number in the sampling
document number corresponding to May be used when the items in the
interval.
the random number generated. population pre-numbered
The random number is the first item
Can be used only when the sampling documents.
chosen, and the following items are
units are pre-numbered. Appropriate Cannot be used for statistical
determined by adding the sampling
for statistical and non-statistical sampling.
interval to the random number.
sampling
Appropriate for statistical and non-
statistical sampling

8-24
 Step 8: List the Selected Sample Items

Listing specific items sampled in the work papers or to

describe the sampling method in such a way that another
auditor could go back and pull the same sample.

8-25
 Step 9: Describe How the Audit Procedure
Was Performed

The auditor performs the audit procedure to

determine whether the sample items contain
deviations from the documented control.
The only possible evidence from an internal
control test is an answer to the question:

Is the control working; or

Is the control working to the extent expected?
8-26
 Step 9a: Describe How the Audit Procedure
Was Performed

If the internal control test is a dual-purpose test:

the auditor examines the item to determine whether it
contains a deviation from the documented control, and
then the auditor reperforms the control.

8-27
 Evaluating the Results of Tests of Controls

Probing question Yes Comment/Action

Is the control √
working
Results of the internal
control test would indicate
that :
Actual Control deviations +
Allowance for sampling risk
< Tolerable deviations
Reduce the level of
substantive testing
based on their
reliance on
internal control.

8-28
 Evaluating the Results of Tests of Controls

Probing question NO Comment/Action

Is the control √
working
Results of the internal Increase the
control test would indicate amount of
that :
Actual Control deviations + substantive
Allowance for sampling risk testing.
> Tolerable deviations

8-29
 Step 10: Evaluate the Sample Results and Reach
Conclusions

The auditor uses professional judgment to evaluate the sample

results and reach an overall conclusion.
• The auditor will review the deviations to determine whether the
control can be relied upon.
• If the number of deviations found in the sample is less than the
tolerable deviation rate, the auditor relies on the effectiveness of
internal controls to reduce the extent of substantive testing.
• If it is higher, than the auditor cannot rely on the effectiveness of
internal control and increases their assessment of control risk
and the extent of substantive testing.

In addition, the auditor needs to consider the qualitative aspects of

any control deviations. These include the nature and cause of the
misstatement (misunderstanding or carelessness) and the possible
relationship of the misstatement to the other parts of the audit.

8-30
 Sampling
Sampling is crucial to the audit process. Sampling for tests
of controls allows the auditor to determine control risk for
relevant assertions for significant accounts.
This information is used to determine the amount of
substantive testing needed to keep audit risk to an
acceptably low level.
The auditor should understand basic sampling principles:
random samples, selecting representative samples, how to
evaluate control risk based on the results of a sample.
The accounting firm often establishes guidelines to
determine sample size, so the auditor does not need to be a
statistician.

8-31