# Audit Statistical Sample | Monetary Unit Sampling | Variable Sampling | Probability Proportion to Size | CPA Exam Auditing and Attestation

The page covers audit sampling including sampling risk, monetary unit sampling, attribute sampling, tolerable deviation rate, expected population deviation rate.

## Variable Sampling | Mean Per Unit Estimation | Ratio Estimation | Difference Estimation

Auditors use sampling in order to make audit procedures feasible. Basically, an auditor has the option of examining 100% of a company’s financial evidence and records or looking at some subset of that information. Obtaining audit evidence based on a subset of the information often involves sampling. Thus, sampling is used on both the ICFR and financial statement phases of an integrated audit. Sampling is applying the audit procedure to less than 100% of a population. The targeted population may be all or a part of the items within an account balance or class of transactions (AU 350.01).

Sampling Risk

When the auditor does not examine or test all of the items in the targeted population of the account balance or class of transactions, sampling risk is introduced into the audit processes. Sampling risk is defined as the possibility that the sample does not represent the population from which it is selected (AU 350.10). In ICFR tests of operating effectiveness, sampling risk is the risk that the rate of failure of controls in the sample of transactions the auditor examines is different from the rate of control failure for the rest of the transactions. The transactions included in the sample might have a larger or smaller rate of control violations than the rest of the transactions. Consequently, if the auditor uses the percent of control errors in the sample as an indicator of the percent of control errors in the entire population of transactions, he or she will come to the wrong conclusion about how well the control is operating.

If an auditor concludes that a control is not working well when it really is, the auditor incorrectly concludes that the control is not functioning effectively. This audit error is serious but generally does not jeopardize the outcome of the audit. When audit tests indicate that a control is not functioning effectively, the auditor conducts more testing. The additional procedures may confirm that the initial findings are correct, and the auditor may explore for the source of the problem. In contrast, when additional procedures are performed, the auditor may discover that the control is functioning and the initial conclusion was wrong because of sampling error. This is an efficiency problem for the audit because more tests are performed than need to be. However, the auditor will catch the error and ultimately come to the correct conclusion that the control is functioning effectively.

Sampling error with a different result can have more serious effects for the audit. If, based on tests of a sample, the auditor concludes that controls are functioning effectively when they are not, the auditor has no hint that sampling error has led to an incorrect audit conclusion. In this situation, the auditor has no reason to think there is a need for more testing. Consequently, the error can go undetected during the ICFR stage of the integrated audit. This represents the real risk to an ICFR audit of using samples: the risk of concluding that controls are functioning effectively when they are not.

The risk that the auditor incorrectly concludes that the control is not effective is called “the risk of assessing control risk too high,” or incorrect rejection. Again, this occurs when the control is violated disproportionately more frequently in the sample than in the population. In other words, if the auditor could test the whole population (instead of just a sample), he or she would see that the control operates effectively. An incorrect rejection error is typically discovered through additional audit work. The biggest problem an incorrect rejection error presents is inefficiency because more audit work is performed than would have been necessary if a sample that was actually representative of the population had been used.

The sampling risk that the auditor incorrectly concludes that the control is effective is called “the risk of assessing control risk too low,” or incorrect acceptance. An incorrect acceptance error can damage the audit’s effectiveness. The control problem and audit error may still be caught – but if it is, it will be from other procedures of the integrated audit. Tests of details of balances and analytical procedures of the financial statement audit may reveal problems with the account balance. While investigating the account balance problems, the auditor may discover the control problem that was missed. When issuing an audit report on ICFR, or planning to rely on the operating effectiveness of a control during the financial statement audit, the auditor usually plans for a low risk of incorrect acceptance (AU 350.37). The concepts of incorrect rejection and incorrect acceptance also apply to sampling in the financial statement audit.

Planning the Sample

The auditor identifies the important characteristic that is to be tested when planning a sample. Important characteristics for financial statement audit samples include amounts, account classifications, and proper time period for reporting. The important control characteristic being tested in an audit of ICFR may be that a document exists, a document package is complete, certain steps have been performed, calculations have been verified and are accurate, an authorization is noted, or a transaction is posted correctly. Based on the characteristic being tested the auditor identifies the physical population from which the sample will be selected, which is sometimes called the sampling frame. This physical population may be all the items in a computer file, a file of paper documents, or even the company’s physical inventory. For some tests the sampling frame may be days of the fiscal year.

The auditor may decide that the population should be divided into subgroups before a sample is selected. For instance, if the auditor is testing whether voucher packages are complete and approved before they are paid, the population of transactions might be divided or stratified into two subgroups: the largest or most important transactions and all the rest. The auditor of a manufacturing company might decide that the most important purchase and payment transactions are: (1) those for amounts over \$100,000 and (2) those for items that are nonroutine and need to comply with engineering specifications. Those that deal with engineering specifications would all require special review. Most likely, if the item purchased does not meet the engineering specifications, it cannot be used by the company, it has no value, and company policy is that the item should be rejected and not be paid for.

In this example the auditor separates the total population of purchase and payment transactions into three subgroups: transactions over \$100,000; transactions for purchases with engineering specifications; and all other purchase and payment transactions. The auditor can then treat the three types of transactions differently in the testing process. For example, the auditor might examine 100% of the population of transactions over \$100,000 for completeness of the voucher package and approval for payment. The auditor might examine 100% of the nonroutine purchases with engineering specifications for approval by an authorized individual from the production department. Finally, the auditor might choose to sample the rest of the transactions and test them for a variety of characteristics such as completeness, accuracy, approval, posting to the proper account and in the proper time period, and payment of the liability.

In addition, since information from this audit step is useful for the financial statement audit, the auditor may combine the controls and substantive testing processes, called dual purpose testing. To combine the tests, the auditor examines all three subgroups for accuracy of amount, proper posting and classification, and financial reporting in the proper time period. Knowing the important characteristics to be tested and the nature of the population is very important for designing an effective sample.

Approaches to Sampling.

A “big picture” way to classify sampling methods is as either statistical or nonstatistical. Statistical sampling is based on the laws of probability and has the advantage of enabling the auditor to quantify the level of sampling risk associated with the sample (AU 350.46). A statistical approach requires randomness in the selection process that can be accomplished with various selection methods. A sample may be randomly selected based on identifying document numbers produced by a random number generator computer program. A sample may be drawn using a systematic selection, meaning that a specified “skip interval” is used to identify the items included in the sample. When systematic selection is used, it needs random or multiple random starting points. Alternatively, a computer may generate random skip intervals to provide randomness to the sample selection method. Auditors use statistical sampling IT programs to assist them in determining the appropriate sample size and other sample selection specifics.

In contrast to statistical sampling, nonstatistical sampling does not utilize laws of probability. With nonstatistical sampling, the level of sampling risk cannot be quantified. If a nonstatistical approach is planned, the auditor may use the selection approaches already described (random selection, systematic selection) or simply select the items to be included in the sample and tests by picking out items in the population. This method was at one time called judgment sampling and is now referred to as haphazard sampling because there is no plan or justification for the items selected.

Nonsampling Risk

Both statistical and nonstatistical approaches to sampling carry with them certain risks. Sampling risk has already been mentioned as the risk that the sample is not representative of the population. All samples have sampling risk. All tests, whether applied to a sample or 100% of the population, also have nonsampling risk, or the risk of human error. Nonsampling risk includes:

- The risk that the auditor will use an audit procedure that is not appropriate for what the test is intended to accomplish
- The risk that the auditor may fail to detect a problem when applying an audit procedure
- The risk that the auditor may misinterpret an audit result

Nonsampling risk exists in all audit test procedures and cannot be quantified. However, quality control procedures such as training, proper supervision, and review are all intended to reduce and control nonsampling risk (AU 350.11).

Attribute sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure. The process is used to evaluate the frequency with which a characteristic, or “attribute,” occurs in the underlying population based on a sample. In the case of ICFR testing, the attribute for which the auditor is looking is failure of the internal control. The question is, “Does the control fail to operate effectively in the population?” The control is not effective if it fails too frequently.

After the auditor identifies the control to test, defines the failure of the control, and determines the physical population from which to select the sample, he or she determines the sample size. Several decisions must be made in order to determine the size of the sample the auditor should use. The first decision is how much risk the auditor is willing to accept of concluding that the internal control is operating effectively when it is not. Using the terms defined earlier, we note that this is the risk the auditor is willing to take of making an incorrect acceptance error.

The second decision involves determining the tolerable deviation rate. The tolerable rate of deviation is defined as the maximum deviation rate from a prescribed control that the auditor believes can occur in the sample and still permit a conclusion that the control is functioning effectively in the population (AU 350.31). In other words, what percent of the time can the control fail in the sample and the auditor still conclude that it is working effectively? The tolerable rate is based on the rate of deviation that the auditor believes is acceptable, with some added leeway built in to accommodate the fact that the decision is based on a sample.

The third decision deals with the likely rate of deviation in the population. Likely rate of deviation is also called the expected population deviation rate. The expected population deviation rate is the percentage of the time that the auditor expects the control to fail in the total population (AU 350.41). With these parameters the auditor can determine the required sample size. The sample size can be calculated based on the principles of statistics. The calculation guides the auditor to use a sample of appropriate size so that he or she can measure and control sampling risk based on statistical analyses. Mathematical calculation of sample size is presented in Appendix B to this chapter. The auditor may also use judgment and nonnumeric descriptors of risk to decide on an appropriate sample size.

The relationships between sample size and other characteristics for tests of controls are shown in Exhibit 8-5. These relationships are also reflected in statistical calculations of sample sizes. The auditor considers the direction of the relationships when sample size is based on judgment. For example, if based on professional judgment, the auditor is willing to accept a larger risk of making an incorrect acceptance error, the sample size needed to provide the auditor with sufficient evidence becomes smaller. If the auditor is willing to accept a larger tolerable rate of deviation, the sample size needed becomes smaller. The logic for the inverse relationship between tolerable rate of deviation and sample size is that more audit evidence (i.e., a larger sample size) is needed to support an assertion that the controls “rarely” fail than to support an assertion that controls fail “no more than quite frequently.” The same logic applies to the expected population deviation rate, but the relationship is positive rather than inverse.
If the expected rate of deviation in the population is larger (in other words, there is an expectation that the control may not work effectively), the auditor needs more evidence, and therefore a larger sample size, to support a conclusion that the control functions effectively. Increases in the size of the population normally increase the sample size, but the impact is not important when the population is very large.

The auditor’s next steps are to select the sample, perform the audit tests, identify the deviations (control failures), and analyze the meaning of the results. If the auditor calculates the sample size using principles of statistics and selects the sample using an approach that gives each item in the population an equal chance of being selected, the result may be analyzed statistically as presented in Appendix B. The auditor may also move through these various steps without statistical determination of the sample size or statistical analysis of the results. Regardless of the approach, the auditor basically uses the deviation rate in the sample as an estimate of the deviation rate in the population and allows for the likelihood that the sample does not exactly mirror the population’s characteristics. The auditor concludes that the control is functioning effectively in the population if the sample’s failure rate is no higher than the tolerable rate.
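
The relationships described above can be checked numerically. The following is an added example, not the Appendix B calculation the text refers to (which is not reproduced on this page): it assumes a binomial model for very large populations and a hypergeometric model for finite ones, and the function names and the rule of allowing `ceil(expected_rate * n)` deviations are illustrative assumptions.

```python
from math import ceil, comb


def acceptance_probability(n, allowed, rate, population=None):
    """Chance that a sample of n shows at most `allowed` deviations when the
    true deviation rate is `rate`. Binomial model when `population` is None
    (very large population); hypergeometric (no replacement) otherwise."""
    if population is None:
        return sum(comb(n, k) * rate**k * (1 - rate) ** (n - k)
                   for k in range(allowed + 1))
    deviant = ceil(round(rate * population, 9))  # items where the control failed
    hits = sum(comb(deviant, k) * comb(population - deviant, n - k)
               for k in range(allowed + 1))
    return hits / comb(population, n)


def sample_size(risk, tolerable_rate, expected_rate=0.0, population=None):
    """Smallest n for which a population failing at the tolerable rate would
    still pass with probability <= `risk` (the risk of incorrect acceptance).
    Assumption: the sample may contain ceil(expected_rate * n) deviations."""
    limit = population if population is not None else 10_000
    for n in range(1, limit + 1):
        allowed = ceil(round(expected_rate * n, 9))
        if acceptance_probability(n, allowed, tolerable_rate, population) <= risk:
            return n
    raise ValueError("no sample size meets this risk; examine 100% of the population")


if __name__ == "__main__":
    # Constructed planning scenarios: (risk, tolerable, expected, population)
    scenarios = [
        (0.05, 0.05, 0.00, None),   # baseline
        (0.10, 0.05, 0.00, None),   # larger risk of incorrect acceptance
        (0.05, 0.10, 0.00, None),   # larger tolerable deviation rate
        (0.05, 0.05, 0.01, None),   # larger expected deviation rate
        (0.05, 0.05, 0.00, 200),    # small population
        (0.05, 0.05, 0.00, 2000),   # larger population
    ]
    for risk, tol, exp, pop in scenarios:
        n = sample_size(risk, tol, exp, pop)
        print(f"risk={risk:.2f} tolerable={tol:.2f} expected={exp:.2f} "
              f"population={pop or 'very large'} -> sample size {n}")
```

Comparing each row with the baseline shows the direction of every relationship in the text: the sample shrinks as accepted risk or the tolerable rate rises, and grows as the expected deviation rate or the population size rises.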