CHAPTER ONE

AUDIT SAMPLING
 Nature of Audit Sampling
 Auditors frequently use sampling, usually in combinations with other
auditing procedures, in examining account balances or classes of
transactions.
 As a result, auditors conclusion reach about account balances & classes
of transactions are based on testing samples rather than entire
populations.
 Thus, w/n auditor decides to select less than 100 percent of
population for testing for purpose of making inferences about
population, it is called audit sampling.
 There is neither sufficient time nor sufficient reason to test all of
transactions underlying entity's account balances or classes of
 Why Do Auditors Use Sampling?
 Auditors use sampling
 To test controls (compliance tests) for assessing
control risk
 To test balances (substantive tests) for
determining whether balances are materially
misstated.
 Selecting A Representative Sample
 A representative sample is one in w/c characteristics in sample of
audit interests are approximately same as those of population.
 This means that sampled items are similar to items not sampled.
 But, it could be highly representative, reasonably representative,
& non-representative.
 Two things can cause a sample result to be non-representative:

 Sampling error, called Sampling Risk

 Non-Sampling error called Non- sampling Risk
Cont..

 Sampling risk (sampling error) is inherent part of

sampling that result from testing less than entire
population.
 Even with zero non-sampling error, there is always
chance that sample may not reasonably representative.
 For example, if a population has 3 percent exception
rate, auditor could select sample of 100 items
containing no or many exceptions.
Cont..

 There are two ways to control sampling risk:

 Adjusting sample size
 Using appropriate method of selecting sample items from
population.

 This does not eliminate or even reduce sampling risk ,

 But it does allow auditor to measure risk associated with
given sample size in reliable manner.
 Cont..
 Auditor is also concerned about non-sampling error.
 It arises from non-sampling risk, which occurs when:
 Auditor is not careful in examining sample & fails to
identify exception or error in selected sample item.
 Audit test is not appropriate (example, sample was
selected from inappropriate population for purposes of
assertion being tested).
 Auditor has misjudged relevant risks (i.e. inherent risk &
control risk).
 Auditor has made error in evaluation of sampling results.
 Audit Risk
 Audit risk is defined as likelihood that auditor may
unknowingly fail to modify his or her opinion on
materially misstated financial statements. Or
 Audit risk is risk that auditor issues ;
1. An unqualified opinion, w/n declaration of expenditure
contains material misstatements, or

2. Qualified or adverse opinion, w/n declaration of

expenditure is free from material misstatements .

 Audit Risk Model & Assurance Model

 Three components of audit risk:

 Inherent risk [IR]
 Control risk [CR]
 Detection risk [DR]
 This gives rise to audit risk model of:

AR = IR x CR x DR, where
 Assurance model is in fact opposite of Audit risk model.
 If audit risk is considered to be 5%, audit assurance is considered
 Inherent Risk
 It is perceived level of risk that material misstatement may
occur in client’s financial statements or underlying levels of
aggregation, in absence of internal control procedures.
 It is linked to kind of activities of audited entity & depend on

 External factors (cultural, political, economic, business

activities, clients and suppliers, etc)
 Internal factors (type of organization, procedures,
competence of staff, recent changes to processes or
management positions, etc).
 Control Risk
 CR is perceived level of risk that material misstatement
in client’s financial statements, or underlying levels of
aggregation, will not be prevented, detected & corrected
by management’s internal control procedures.
 Control risks are related to how well inherent risks are
managed (controlled)
 It will depend on internal control system including
application controls, IT controls & organizational
 Detection Risk
 DR, is perceived level of risk that material
misstatement in client’s financial statements, or
underlying levels of aggregation, will not be
detected by auditor.
 DR are related to how adequately audits are performed:

 Competence of staff
 Audit techniques

 Audit Planning and Audit Risk
 Use of audit risk/audit assurance model relates to planning &
underlying resource allocation for particular audit programmed
or several audit programmed & has two purposes:
 Providing high level of assurance: Assurance is provided at certain
level, e.g. for 95% assurance, audit risk is then 5%.
 Performing efficient audits: with given assurance level of for example
95%, auditor should develop audit procedures taking into
consideration IR & CR.
 This allows audit team to reduce audit effort in some areas & to focus
on more risky areas to be audited.
 Audit Planning And Audit Risk

 To plan audit work, sequence should be applied

in which different risk levels are assessed.
 First inherent risk needs to be assessed & control
risk needs to be reviewed.
 Based on these two factors detection risk can be
set by audit team & will involve choice of audit
procedures to be used during detailed tests.
 Assurance levels depend mainly on quality of internal
controls.
 Auditors evaluate risk components based on knowledge &
experience using terms such as Low, Moderate/Average or
High rather than using precise probabilities.
 If major weaknesses are identified during internal control
systems audit, control risk is high & assurance level would
be low.
 If no major weaknesses exist, control risk is low & if
 Audit Planning and Audit Risk, Illustration

 Low assurance: Given a desired & accepted audit risk of 5%,

& if inherent risk (=100%) & control risk (= 50%) are high,
 Meaning it is high risk entity where internal control
procedures are not adequate to manage risks,
 The auditor should strive for a very low detection risk at
10%.
 In order to obtain low detection risk amount of substantive
testing & therefore sample size need to be increased.

 In the formula= 1*0.5*0.1= 0.05 audit risk.

 Cont..
 High assurance: Where inherent risk is high (100%) but where

adequate controls are in place, one can assess control risk as 12.5%.

 To achieve 5% audit risk level, detection risk level can be at 40%,

latter meaning that auditor can take more risks by reducing sample

size.

 In end this will mean less detailed & less costly audit.

 In the formula= 1*0.125*0.40=0.05 audit risk.

 Note that both examples result in same achieved audit risk of 5%

within different environments.

Statistical Versus Non Statistical Sampling
 Similarities B/n Statistical Sampling and
Non-statistical Sampling Methods:
 Both involve three steps
Plan the sample
Select sample & perform tests
Evaluate the test results.
D/ce B/n Statistical Sampling & Non-statistical Sampling Methods:-
 D/c b/n two sampling methods lay on application of mathematical
rules in step 1 & step 3.
 Example, statistical sampling allows quantification
(measurement) of sampling risk in planning sample & evaluating
results.
 The 95 percent confidence level provides a 5 percent sampling
risk.
 Whereas, in non-statistical sampling selection of sample items
based on practitioner belief.
 The same is true with reaching of conclusions about populations
since it is based on professional judgment of practitioner.
 Types Of Sample & Sample Selection Methods

1) Non probabilistic (Judgmental)

2) Probabilistic sample selection methods
Non-probabilistic (Judgmental)
1) Directed sample selection:
 Commonly used approaches include:-
 Items most likely to contain misstatements
 Items containing selected population characteristics
 Large dollar coverage:
Cont..
2) Block sample selection
 In block sample selection auditors select first item in block &

remainder of block is chosen in sequence.

 Example, assume block sample will be sequence of 100 sales

transactions from sales journal for third week of March.

 Auditors can select total sample of 100 by taking 5 blocks of 20 items,

10 blocks of 10, 50 blocks of 2 or one block of 100.

 Should not be used for statistical or non-statistical sampling without

care in controlling sampling risk

 Cont..

3) Haphazard Sample Selection

 It is selection of items without any conscious bias by
auditor.
 Auditor selects population items without regard to their

size, source, or other distinguishing characteristics .

 Probabilistic Sample Selection Methods

1) Simple random sample selection/ Random Number

 Each sampling unit is given equal chance of being
selected.
 It is free from sampling bias.
 Usually it uses
 Computer generated random numbers.
 Random number tables
 2) Non- Random sample section
A. Systematic sample selection.
B. Probability proportional to size sample selection (PPS)
C. Stratified sample selection
Cont..
Cont..
Cont..
Application of Non-statistical Audit Sampling
 Application of non-statistical audit sampling in testing
transactions for control deviations & monetary misstatements.
 Auditors use 14 well-defined steps to apply audit sampling to
tests of controls and substantive tests of transactions.
 These steps are divided into three phases described earlier.
 Auditors should follow these steps carefully to ensure proper
application of both auditing and sampling requirements.
 Application of non-statistical audit sampling

I: Plan the Sample

Step 1: State objectives of audit test.
Step 2: Decide whether audit sampling applies.
Step 3: Define attributes & exception conditions.
Step 4: Define the population.

Step 5: Define the sampling unit.

Step 6: Specify tolerable exception rate

Step 7: Specify acceptable risk of assessing control risk too

Step 8: Estimate population exception rate.

Step 9: Determine initial sample size.

 II: Select Sample & Perform

Step 10: Select the sample.

Step 11: Perform the audit procedures.
 III: Evaluate Results
Step 12: Generalize from sample to population.
Step 13: Analyze exceptions.
Step 14: Decide acceptability of population.
Step 1. State objectives of audit
test
 Although test must be stated in terms of
transaction cycle being tested;
 Overall objectives of tests controls is to test
application of controls
 Overall objectives of substantive tests of transactions
is to determine whether transactions contain
monetary misstatements.
Step 2: Decide Whether Audit Sampling
Applies
 Audit sampling applies whenever auditor plans to reach conclusions
about population based on a sample.
 Assume following partial audit program.
A. Review sales transactions for large & unusual amounts (analytical
procedure).
B. Observe whether duties of accounts receivable clerk are separate
from handling cash (observation).
C. Examine a sample of duplicate sales invoice for
 Credit approval by the credit manager (test of control).
 Existence of an attached shipping documents (test of control).
 Inclusion of a chart of account’s number(test of control).
 Cont..
d) Select sample of shipping docs & trace each to related
duplicate sales invoices ( test of control)
e) Compare quantity on each duplicate sales invoice with
quantity on related shipping documents (substantive tests
of transactions).
 Audit sampling is inappropriate for first two procedures
in this audit program.
 The first is analytical procedure

Step 3: Define Attributes & Exceptions Conditions

 The auditor must carefully define characteristics

(attributes) being tested and exception
conditions.
 An attribute is characteristic of a control
 A deviation or exception is the absence of
attribute.
 Cont..

Attribute Exception Condition

Existence of sales invoice number No record of sales invoices number in
in sales journal
the sales journal.
Amount & other data in master The amount recorded in master file
file agree with sales journal entry
differs from amount recorded in the
sales journal.
Amount & other data on Customer name & account number
duplicate sales invoice agree with
on invoice differ from information
sales journal entry
recorded in sales journal.
 Step 4: Define the Population
 Auditor must carefully define population in advance,
consistent with objectives of audit tests.
 It is important to test population for completeness &
detail tie–in before sample is selected to ensure that all
population items will be properly subjected to sample
selection.
 Step 5: Define the Sampling Unit
 Definition of population & planned audit procedures
usually dictate appropriate sampling unit.
 For example
 The customer’s order
 The shipping document, or
 The duplicate sales invoice
 Would be appropriate sampling depending upon
circumstances.
Step 6: Specify tolerable exception rate/TER
 It requires professional Judgment on part of auditor.
 TER represents highest exception rate that auditor will
permit in population & still be willing to use assessed control
risk and/or amount of monetary misstatements in
transactions established during planning.
 Suitable TER is a question of materialize & is therefore
affected on both definition & importance of attribute in
audit plan.
 It has a significant impact on sample.
Step 7: Specify acceptable risk of assessing control risk too
low (ARACR)
 It is risk that auditor is willing to take of accepting a control as effective

(or a rate of monetary misstatements tolerable) when true population

exception rate is greater than TER.

 i.e. Risk of accepting control effective when it is not or a false positive.

 ARACR is the auditor’s measure of sampling risk.

 If auditor finds control effective, he or she will have over relied on system

if internal control (used a lower assessed control risk than justified).

 The lower the assessed control risk means,

 The lower will be the ARACR chosen

 The lower will be the planned extent of tests of details of balances.

Step 7: Specify Acceptable Risk Of Assessing Control
Risk Too Low (ARACR)
 For non-statistical sampling, it is common for auditors to use
ARACR of high, medium or low instead of percentages.
 A low ARACR implies that tests of controls are important
and would correspond to a low assessed control risk &
reduced substantive tests of details of balances.
 Auditor can establish different TER & ARACR levels for
different attributes of an audit test.
 E.g. tests of credit approval vs. tests of existence of duplicate
sales invoices and bills of lading.
 Step 7: Specify Acceptable Risk Of Assessing Control Risk Too
Low (ARACR)

 Assume that TER is 6 percent, ARACR is high, and the true population

exception rate is 8 percent. The control in this case is not acceptable

because the true exception rate of 8 percent exceeds TER.

 The auditor, of course, does not know the true population exception rate.

 The ARACR of high means that the auditor is willing to take a fairly

substantial risk of concluding that the control is effective after all testing is

completed, even when it is ineffective.

 If the control were found to be effective in this illustration, the auditor

would have over relied on the system of internal control (used a lower

assessed control risk than was justified).

Guidelines For ARACR & TER Tests Of Control

Factor
Assessed control risk. Consider:
 Nature, extent, & timing of substantive tests (extensive
planned substantive tests relate to higher ACR & Vice Versa)
 Quality of evidence available for tests of controls (lower quality
of evidence available results in a higher assessed CR & Vice Versa.)
Judgment Guideline
 ARACR of low
 Lowest assessed control risk
 ARACR of medium
 Moderate assessed control risk  ARACR of high
 Higher assessed control risk  ARACR not applicable


 Guidelines For ARACR And TER Tests Of
Control

Factor
 Significance of the transactions and related account balances that
Internal controls are intended to affect

Judgment Guideline

 Highly significant balances  TER of 4%

 Significant balances  TER of 5%
 Less significant balances  TER of 6%
Guidelines for ARACR and TER tests of
transactions

Results of understanding ARACR for

Planned reduction in substantive tests
substantive tests of internal control and
tests of controls of transactions
details of balances
Large Excellent High
Good Medium
Not good Low

Moderate Excellent High

Good Medium
Not good Medium-low

Small Excellent High

Good Medium-high
Not good Medium
Guidelines for ARACR and TER tests of
transactions

Planned reduction in
substantive tests of TER for substantive
details of balances tests of transactions

Large Percent or amount

based on materiality
considerations

Moderate Percent or amount

based on materiality
considerations

Small Percent or amount

based on materiality
considerations
Step 8: Estimate population exception rate /EPER/

 It is exception rate auditor expects to find in

population before testing begins.
 If EPER is low relatively small sample size will
satisfy auditor’s tolerable exception rate.
 It is common to use results of preceding year’s
audit to make this estimate.
Step 9: Determine the initial sample size

 Initial sample size is sample size determined by

professional judgment (non-statistical sampling) or by
statistical tables (attributes sampling).
 Four factors determine initial sample size for audit
sampling: population size, TER, ARACR, and EPER.
 Once three major factors affecting sample size have
been determined except insignificant one, population
size, auditor can decide initial sample size.
Effect on sample size of changing factors

Effect on initial
Type of change sample size

Increase acceptable risk of

assessing control risk too low Decrease
Increase tolerable risk rate Decrease
Increase estimated population
exception rate Increase
Increase population size Increase (minor)
 Step 10: Select the Sample

 After auditors determine initial sample size for

audit sampling application, they must choose
items in population to include in sample.
 Auditors can choose sample using any of probabilistic
or non-probabilistic methods we discussed earlier in this
chapter
Step 11: Perform the audit procedures
 Auditor performs audit procedures by examining
each item in sample to determine whether it is
consistent with definition of attribute & by
maintaining a record of all exceptions found.
 When audit procedures have been completed for
a sampling application, auditor will have sample
size and number of exceptions for each attribute.
Step 12: Generalize from sample to population

 Sample exception rate (SER) can be easily

calculated from actual sample results.

SER = Actual Number of Exceptions

Actual Sample Size

 For non-statistical methods, auditors use two ways to
generalize from sample to population.
Step 12: Generalize from the Sample to Population

1. Add an estimate of sampling error to SER to arrive at a

computed upper exception rate (CUER) for a given
ARACR. But,
 It is extremely difficult for auditors to make sampling
error estimates using non-statistical sampling because of
 the judgment required to do so; therefore, they usually
do not use this approach
 CUER= SER + an allowance for sampling risk
 Step 12: Generalize from Sample to
Population
2. TER – SER to find calculated sampling error (TER – SER), & evaluate

whether it is sufficiently large to conclude that true PER is acceptable.

 Under this approach, auditor does not make estimate of computed upper

exception rate.
 Most auditors using non-statistical sampling follow this approach.
 Example, if auditor takes a sample of 100 items for attribute and finds no

exceptions (SER = 0) and TER is 5 percent, calculated sampling error is 5

percent (TER of 5 percent – SER of 0 = 5 percent).

 If the auditors had found four exceptions, calculated sampling error would have

been 1 percent (TER of 5 percent – SER of 4 percent).

 It is much more likely that the true PER is less than or equal to the TER in the

first case than in the second one.

 Therefore, most auditors would probably find the population acceptable based

on the first sample result and not acceptable based on the second.

 When SER exceeds the EPER used in designing the sample, auditors usually

conclude that the sample results do not support the preliminary assessed control

risk.

 In that case, auditors are likely to conclude that there is an unacceptably high
 Step 13: Analyze exceptions
 In addition to determining SER for each attribute &
evaluating whether true (but unknown) exception rate is
likely to exceed TER,
 Auditors must analyze individual exceptions to determine
breakdown in internal controls that allowed them to happen.
 Exceptions can be caused by many factors, such as
carelessness of employees, misunderstood instructions, or
intentional failure to perform procedures.
 Step 14: decide acceptability of
population
 When generalizing from sample to population,
most auditors using non -statistical sampling
subtract SER from TER & evaluate whether
difference (calculated sampling error) is
sufficiently large.
 If auditor concludes difference is sufficiently large,
the control being tested can be used to reduce
assessed control risk as planned.
Cont...

 When auditor concludes that TER – SER is too small

to conclude that population is acceptable, or when
SER exceeds TER, auditor must follow one of four
courses of action:
 Revise TER or ARACR
 Expand the Sample Size
 Revise Assessed Control Risk
 Communicate with the Audit Committee or Management
 Statistical Audit Sampling

 Statistical sampling method most commonly

used
for tests of control & substantive tests of
transactions
is attributes sampling.
 What is an Attribute?
 An attribute is a characteristic in which the auditor is
interested,
 Attribute of interest in testing controls is whether or not a
deviation from the specified controls has occurred.
 An attribute supporting control objective of validity, for
example, is existence of a matching shipping document for each
invoice.
 Other examples of attributes include department supervisor’s
initials on each invoice payable (authorization)

 Sampling Distribution

Attributes (statistical) sampling is based on the

binomial distribution (think 2 columns). And since
we quantify sampling risk and use
only representative samples, we can use
tables (like the normal distribution table you have
used for z or t-tests in stat classes)!
Thank You…the End