Report

Chapter 8 Audit Sampling: An Overview and Application to Tests of Controls McGraw-Hill/Irwin 2008 The McGraw-Hill Companies, All Rights Reserved Sampling Primary purpose is to draw inferences about the whole population based on the results of testing of a subset of the population Introduction Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling. Two technological advances have reduced the number of times auditors need to apply sampling techniques to gather audit evidence: 1 Development of well-controlled, automated accounting systems. 2 Advent of powerful PC audit software to download and examine client data 8-3 Introduction However, technology will never eliminate the need for auditors to rely on sampling to some degree because: 1. Many control processes require human involvement. 2. Many testing procedures require the auditor to physically examine an asset. 3. In many cases auditors are required to obtain and examine evidence from third parties. 8-4 Definitions and Key Concepts On the following screens we will define: 1.Sampling Risk 2.Confidence Level 3.Tolerable and Expected Error 4.Audit Sampling 8-5 LO# 1 Audit Sampling Audit sampling is the application of an audit procedure to less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. 8-6 Sampling Risk Risk that the results of the sample are not representative of the population Reduce this by taking larger sample 8-7 LO# 2 Sampling Risk Sampling risk is the element of uncertainty that enters into the auditor’s conclusions anytime sampling is used. There are two types of sampling risk. Risk of incorrect rejection (Type I) – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is not operating effectively when, in fact, it is operating effectively. Risk of incorrect acceptance (Type II) – in a test of internal controls, it is the risk that the sample supports a conclusion that the control is operating effectively when, in fact, it is not operating effectively. 8-8 Non sampling Risk Sampling the wrong populations Misinterpreting the audit results 8-9 LO# 2 Sampling Risk Three Important Factors in Determining Sample Size 1.The desired level of assurance in the results (or confidence level), 2.Acceptable defect rate (or tolerable error), and 3.The historical defect rate (or estimated error). 8-10 LO# 2 Confidence Level Confidence level is the complement of sampling risk. The auditor may set sampling risk for a particular sampling application at 5 percent, which results in a confidence level of 95 percent. 8-11 Confidence Level The larger the sample, the higher the confidence level and the lower the sampling risk. 8-12 LO# 2 Tolerable and Expected Error Once the desired confidence level is established, the sample size is determine largely by how much the tolerable error exceeds expected error. Precision, at the planning stage of audit sampling, is the difference between the expected and tolerable deviation rates. Auditing Standards refer to Precision as the “Allowance for sampling risk” 8-13 Tolerable Error The smaller the difference between tolerable error and expected error, the more precise the measurements and the larger the sample size. 8-14 LO# 3 Audit Evidence – To Sample or Not? Relationship between Evidence Types and Audit Sampling Audit Sampling Commonly Used Type of Evidence Yes Inspection of tangible assets Yes Inspection of records or documents Yes Reperformance Yes Recalculation Yes Confirmation No Analytical procedures No Scanning No Inquiry No Observation 8-15 LO# 3 Audit Evidence – To Sample or Not? • Inspection of tangible assets. Auditors typically attend the client’s year-end inventory count. When there are a large number of items in inventory, the auditor will select a sample to physically inspect and count. • Inspection of records or documents. Certain controls may require the matching of documents. The procedure may take place many times a day. The auditor may gather evidence on the effectiveness of the control by testing a sample of the document packages. 8-16 LO# 3 Audit Evidence – To Sample or Not? Reperformance. To comply with rule 404 of the Sarbanes-Oxley Act, publicly traded clients must document and test controls over important assertions for significant accounts. The auditor may reperform a sample of the tests performed by the client. Confirmation. Rather than confirm all customer account receivable balances, the auditor may select a sample of customers. 8-17 LO# 3 Testing All Items with a Particular Characteristic When an account or class of transactions is made up of a few large items, the auditor may examine all the items in the account or class of transaction. When a small number of large transactions make up a relatively large percent of an account or class of transactions, auditors will typically test all the transactions greater than a particular dollar amount. 8-18 LO# 3 Testing Only One or a Few Items Highly automated information systems process transactions consistently unless the system or programs are changed. The auditor may test the general controls over the system and any program changes, but test only a few transactions processed by the IT system. 8-19 LO# 4 Types of Audit Sampling Auditing standards recognize and permit both statistical and nonstatistical methods of audit sampling. In nonstatistical (or judgmental) sampling, the auditor does not use statistical techniques to determine sample size, select the sample items, or measure sampling risk. Statistical sampling uses the laws of probability to compute sample size and evaluate results. The auditor is able to use the most efficient sample size and quantify sampling risk. 8-20 LO# 4 Types of Audit Sampling Advantages of statistical sampling 1. Design an efficient sample. 2. Measure the sufficiency of evidence obtained. 3. Quantify sampling risk. Disadvantages of statistical sampling 1. Training auditors in proper use. 2. Time to design and conduct sampling application. 3. Lack of consistent application across audit teams. 8-21 Non statistical sampling Professional judgment Firm guidance Knowledge about the underlying statistical theories. 8-22 LO# 4 Statistical Sampling Techniques 1.Attribute Sampling. 2.Monetary-Unit Sampling. 3.Classical Variables Sampling. 8-23 LO# 4 Attribute Sampling Used to estimate the proportion of a population that possess a specified characteristic. The most common use of attribute sampling is for tests of controls. Yes, I know. We are planning a test of that control using attribute sampling. Our client’s controls require that all checks have two independent signatures. 8-24 LO# 4 Monetary-Unit Sampling Monetary-unit sampling uses attribute sampling theory to estimate the dollar amount of misstatement for a class of transactions or an account balance. This technique is used extensively because it has a number of advantages over classical variables sampling. 8-25 LO# 4 Classical Variables Sampling Auditors sometimes use variables sampling to estimate the dollar value of a class of transactions or account balance. It is more frequently used to determine whether an account is materially misstated. 8-26 LO# Attribute Sampling Applied to Tests of Controls 5, 6, & 7 In conducting a statistical sample for a test of controls auditing standards require the auditor to properly plan, perform, and evaluate the sampling application and to adequately document each phase of the sampling application. Plan Perform Evaluate Document 8-27 LO# 5, 6, & 7 Planning Planning 1. Determine the test objectives. 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions. 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control. 8-28 LO# 5, 6, & 7 Planning Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions. 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. All or a subset of the items that constitute the class of transactions make up the sampling population. 8-29 LO# 5, 6, & 7 Planning Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions. 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the specific control being tested. 8-30 LO# 5, 6, & 7 Planning Planning 2. Define the population characteristics. • Define the sampling population. • Define the sampling unit. • Define the control deviation conditions. 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. A deviation is a departure from adequate performance of the internal control. 8-31 LO# 5, 6, & 7 Planning Planning 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. The confidence level is the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively. Generally, when the auditor has decided to rely on controls, the confidence level is set at 90% or 95%. The means the auditor is willing to accept a 10% or 5% risk of accepting the control as effective when it is not. 8-32 LO# 5, 6, & 7 Planning Planning 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. The tolerable deviation rate is the maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective. 8-33 LO# 5, 6, & 7 Planning Planning 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. Suggested Tolerable Deviation Rates for Assessed Levels of Control Risk Planned Assessed Level of Control Risk Low Moderate Slightly below maximum Maximum Tolerable Deviation Rate 3–5% 6–10% 11–20% Omit test 8-34 LO# 5, 6, & 7 Planning Planning 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. The expected population deviation rate is the rate the auditor expects to exist in the population. The larger the expected population deviation rate, the larger the sample size must be, all else equal. 8-35 LO# 5, 6, & 7 Planning Planning 3. Determine the sample size, using the following inputs: • The desired confidence level or risk of incorrect acceptance. • The tolerable deviation rate. • The expected population deviation rate. Assume a desired confidence level of 95%, and a large population, the effect of the expected population deviation rate on sample size is shown below: Expected Population Deviation Rate Sample Size 1.0% 93 1.5% 124 2.0% 181 3.0% ‡ ‡ Sam ple size too large to be cost-effective. 8-36 LO# Population Size: Attributes Sampling 5, 6, & 7 Population size is not an important factor in determining sample size for attributes sampling. The population size has little or no effect on the sample size, unless the population is relatively small, say less than 500 items. Factor Desired confidence level Tolerable deviation rate Expected population deviation rate Population size Examples Relationship to Change in Effect on Sample Size Factor Sample Lower Decrease Direct Higher Increase Lower Increase Inverse Higher Decrease Lower Decrease Direct Higher Increase Decreases sample size only when population is small (fewer than 500 items) 8-37 LO# 5, 6, & 7 Performance Performance and Evaluation 4. Select sample items. • Random-Number Selection. • Systematic Selection. 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions Every item in the population has the same probability of being selected as every other sampling unit in the population. 8-38 LO# 5, 6, & 7 Performance Performance and Evaluation 4. Select sample items. • Random-Number Selection. • Systematic Selection. 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions The auditor determines the sampling interval by dividing the population by the sample size. A starting number is randomly selected in the first interval and every nth item is 8-39 selected thereafter. LO# 5, 6, & 7 Performance Performance and Evaluation 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions For example, assume a sales invoice should not be prepared unless there is a related shipping document. If the shipping document is present, there is evidence the control is working properly. If the shipping document is not present a control deviation exist. 8-40 LO# 5, 6, & 7 Performance Performance and Evaluation 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions Unless the auditor finds something unusual about either of these items, they should be replaced with a new sample item. 8-41 LO# 5, 6, & 7 Performance Performance and Evaluation 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions If the auditor is unable to examine a document or to use an alternative procedure to test the control, the sample item is a deviation for purposes of evaluating the sample results. 8-42 LO# 5, 6, & 7 Performance Performance and Evaluation 5. Perform the Audit Procedures. • Voided documents. • Unused or inapplicable documents • Inability to examine a sample item. • Stopping the test before completion. 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions If a large number of deviations are detected early in the tests of controls, the auditor should consider stopping the test, as soon as it is clear that the results of the test will not support the planned assessed level of control risk. 8-43 LO# 5, 6, & 7 Evaluation Evaluation 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions After completing the audit procedures, the auditor summarizes the deviations for each control tested and evaluates the results. For example, if the auditor discovered two deviations in a sample of 50, the deviation rate in the sample would be 4% (2 ÷ 50). The upper deviation rate is the sum of the sample deviation rate and an appropriate allowance for sampling risk. 8-44 Computed Upper Deviation Rate True deviation rate unknown Sum of sample deviation rate plus an appropriate allowance for sampling risk 8-45 LO# 5, 6, & 7 Evaluation Evaluation 6. Calculate the Sample Deviation and Upper Deviation Rates 7. Draw Final Conclusions The auditor compares the tolerable deviation rate to the computed upper deviation rate. True State of Internal Control Auditor's Decision Based on Sample Evidence Supports the planned level of control risk Does not support the planned level of control risk Reliable Correct decision Risk of incorrect rejection (Type I) Not Reliable Risk of incorrect acceptance (Type II) Correct decision 8-46 LO# 5, 6, & 7 Attribute Sampling Example The auditor has decided to test a control at Calabro Wireless Services. The test is to determine the sales and service contracts are properly authorized for credit approval. A deviation in this test is defined as the failure of the credit department personnel to follow proper credit approval procedures for new and existing customers. Here is information relating to the test: Desired confidence level Tolerable deviation rate Expected population deviation rate Sample size 95% 6% 1% 78 8-47 LO# 5, 6, & 7 Attribute Sampling Example Part of the table used to determine sample size when the auditor specifies a 95% desired confidence level. Sample Size at 95% Desired Confidence Level Expected Population Tolerable Deviation Rate Deviation Rate 2% 3% 4% 5% 6% 0.00% 149 99 74 59 49 0.25% 236 157 117 93 78 0.50% 157 117 93 78 0.75% 208 117 93 78 1.00% 156 93 78 1.25% 156 124 78 1.50% 192 124 103 7% 42 66 66 66 66 66 66 8-48 LO# 5, 6, & 7 Attribute Sampling Example 17,063 59,096 89,904 42,970 74,184 1,755 37,285 92,096 22,113 59,304 34,989 34,027 18,965 30,393 27,951 38,383 30,521 96,603 42,914 24,423 32,014 44,994 25,484 3,475 1,986 19,308 35,744 10,350 6,937 96,813 12,104 37,183 67,965 52,597 66,533 87,003 54,109 6,184 65,785 11,531 64,036 95,084 11,027 67,454 97,613 39,602 52,705 45,839 50,006 91,083 52,496 40,817 34,783 92,628 81,175 93,234 13,350 77,035 45,594 37,490 96,213 28,664 62,828 42,756 67,446 71,586 60,481 24,202 66,805 80,382 60,169 8,210 10,374 50,282 72,563 72,886 57,267 80,027 31,130 62,333 44,899 23,758 There are 125,000 audit items in the population numbered from 1 to 125,000. The auditor generates these random numbers using Excel. Each number represents a contract that was to be reviewed for credit approval. 8-49 LO# 5, 6, & 7 Attribute Sampling Example The auditor examines each selected contract for credit approval and determines the following: Number of deviations Sample size Sample deviation rate Computed upper deviation rate Tolerable deviation rate 2 78 2.6% 8.2% 6.0% Let’s see how we get the computed upper deviation rate. 8-50 LO# 5, 6, & 7 Attribute Sampling Example Part of the table used to determine the computed upper deviation rate at 95% desired confidence level: Sample Size 25 30 35 40 45 50 55 60 65 70 75 80 Actual Number of Deviations Found 0 1 2 3 11.3 17.6 9.5 14.9 19.6 8.3 12.9 17.0 7.3 11.4 15.0 18.3 6.5 10.2 13.4 16.4 5.9 9.2 12.1 14.8 5.4 8.4 11.1 13.5 4.9 7.7 10.2 12.5 4.6 7.1 9.4 11.5 4.2 6.6 8.8 10.8 4.0 6.2 8.2 10.1 3.7 5.8 7.7 9.5 8-51 LO# 5, 6, & 7 Attribute Sampling Example Tolerable Deviation Rate (6%) < Computed Upper Deviation Rate (8.2%) Auditor’s Decision: Does not support reliance on the control. 8-52 LO# 8 Nonstatistical Sampling for Tests of Control Determining the Sample Size An auditing firm may establish a nonstat sampling policy like the one below: Desired Level of Controls Reliance Low Moderate High Sample Size 15–20 25–35 40–60 Such a policy will promote consistency in sampling applications. 8-53 LO# 8 Nonstatistical Sampling for Tests of Control Selecting the Sample Items Nonstatistical sampling allows the use of random or systematic selection, but also permits the use of other methods such as haphazard sampling. When haphazard sample selection is used, sampling units are selected without any bias, that is to say, without a special reason for including or omitting the item in the sample. 8-54 LO# 8 Nonstatistical Sampling for Tests of Control Calculating the Upper Deviation Rate With a nonstatistical sample, the auditor can calculate the sample deviation rate, but cannot formally quantify the computed upper deviation rate and sampling risk associated with the test. 8-55 LO# 8 Considering the Effect of Population Size This table assumes a desired confidence of 90%, a tolerable deviation rate of 10%, and an expected population deviation rate of 1%: Population Size 100 500 1,000 5,000 Sample Size 31 38 39 39 Finite population = correction factor √ 1 – (n/N) n = sample size from tables N = number of units in the population 8-56 Questions 8-57 End of Chapter 8 8-58