My video lectures about tolerable deviation rate, sample deviation rate, audit sampling monetary unit sampling, attribute sampling and expected population deviation rate are covered in my auditing course and CPA lessons. Or browse from menu above.
The term deviation refers specifically to a departure from prescribed controls; the terms deviation rate and tolerable deviation rate are often used instead of exception rate when referring to tests of controls.
Knowing the exception rate is particularly helpful for the first two types of exceptions, which involve transactions. Therefore, auditors make extensive use of audit sampling that measures the exception rate in performing tests of controls and substantive tests of transactions. With the third type of exception, auditors usually need to estimate the total dollar amount of the exceptions because they must decide whether the mis-statements are material. When auditors want to know the total amount of a misstatement, they use methods that measure dollars, not the exception rate.
The exception rate in a sample is used to estimate the exception rate in the entire population, meaning it is the auditor’s “best estimate” of the population exception rate. The term exception should be understood to refer to both deviations from the client’s con-trol procedures and amounts that are not monetarily correct, whether because of an un-intentional accounting error or any other cause.
Auditors use sampling in order to make audit procedures feasible. Basically, an auditor has the option of examining 100% of a company’s financial evidence and records or looking at some subset of that information. Obtaining audit evidence based on a subset of the infor- mation often involves sampling. Thus, sampling is used on both the ICFR and financial state- ment phases of an integrated audit. Sampling is applying the audit procedure to less than 100% of a population. The targeted population may be all or a part of the items within an account balance or class of transactions (AU 350.01).
Attribute sampling is the term often used to describe the audit process when an auditor applies sampling methods to an ICFR sampling and testing procedure. The process is used to evaluate the frequency with which a characteristic, or “attribute” occurs in the underlying population based on a sample. In the case of ICFR testing, the attribute for which the auditor is looking is failure of the internal control. The question is, “Does the control fail to operate effectively in the population?” The control is not effective if it fails too frequently. After the auditor identifies the control to test, defines the failure of the control, and determines the physical population from which to select the sample, he or she determines the sample size. Several decisions must be made in order to determine the size of the sam- ple the auditor should use. The first decision is how much risk the auditor is willing to accept of concluding that the internal control is operating effectively when it is not. Using the terms defined earlier, we note that this is the risk the auditor is willing to take of making an incorrect acceptance error. The second decision involves determining the tolerable deviation rate. The tolerable rate of deviation is defined as the maximum deviation rate from a prescribed control that the auditor believes can occur in the sample and still permit a conclusion that the control is functioning effectively in the population (AU 350.31). In other words, what percent of the time can the control fail in the sample and the auditor still conclude that it is working effectively? The tolerable rate is based on the rate of deviation that the auditor believes is acceptable, with some added leeway built in to accommodate the fact that the decision is based on a sample.
The third decision deals with the likely rate of deviation in the population. Likely rate of deviation is also called the expected population deviation rate. The expected popula- tion deviation rate is the percentage of the time that the auditor expects the control to fail in the total population (AU 350.41). With these parameters the auditor can determine the required sample size. The sample size can be calculated based on the principles of statistics. The calculation guides the auditor to use a sample of appropriate size so that he or she can measure and control sampling risk based on statistical analyses. Mathematical calculation of sample size is presented in Appendix B to this chapter. The auditor may also use judgment and non- numeric descriptors of risk to decide on an appropriate sample size. The relationships between sample size and other characteristics for tests of controls are shown in Exhibit 8-5. These relationships are also reflected in statistical calculations of sam- ple sizes. The auditor considers the direction of the relationships when sample size is based on judgment. For example, if based on professional judgment, the auditor is willing to accept a larger risk of making an incorrect acceptance error, the sample size needed to provide the auditor with sufficient evidence becomes smaller. If the auditor is willing to accept a larger tolerable rate of deviation, the sample size needed becomes smaller. The logic for the inverse relationship between tolerable rate of deviation and sample size is that more audit evidence (i.e., a larger sample size) is needed to support an assertion that the controls “rarely” fail than to support an assertion that controls fail “no more than quite frequently.” The same logic applies to the expected population deviation rate, but the relationship is positive rather than inverse. If the expected rate of deviation in the population is larger—in other words, there is an expectation that the control may not work effectively—the auditor needs more evidence—and therefore a larger sample size—to support a conclusion that the control functions effectively. A larger sample is needed. Increases in the size of the population normally increase the sample size, but the impact is not important when the population is very large. The auditor’s next steps are to select the sample, perform the audit tests, identify the deviations (control failures), and analyze the meaning of the results. If the auditor calculates the sample size using principles of statistics and selects the sample using an approach that gives each item in the population an equal chance of being selected, the result may be analyzed statistically as presented in Appendix B.1 The auditor may also move through these various steps without statistical determination of the sample size or statistical analysis of the results. Regardless of the approach, the auditor basically uses the deviation rate in the sample as an estimate of the deviation rate in the population and allows for the likelihood that the sample does not exactly mirror the population’s characteristics. The auditor concludes that the control is functioning effectively in the population if the sample’s failure rate is no higher than the tolerable rate.