Chapter- One: - Testing and Audit Sampling 1.1.Audit Sampling Concepts The use of sampling is common in auditing because of the need to gather evidence over large populations of client data in a cost-effective manner. Auditing standards define audit sampling as the application of an audit procedure to less than 100 percent of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class. Whenever auditors use sampling techniques, they face the risk that their sample is not representative of the population, referred to us sampling risk. Sampling Risk and Decision Error Due to sampling risk, the auditor faces the chance that sampling may lead to one of two possible types of decision errors: (I) deciding that the population tested is not acceptable when in reality it is i.e (incorrect rejection) and (II) deciding that the population tested is acceptable when in reality it is not i.e (incorrect Acceptance). I. Risk of incorrect rejection (Type I). In testing an internal control, this is the risk that the sample supports a conclusion that the control is not operating effectively when, in truth, it is operating effectively. This risk is also commonly referred to as the risk of under reliance or the risk of assessing control risk too high. In the case of substantive testing, this is the risk that the sample supports the conclusion that the recorded account balance is materially misstated when it is actually not materially misstated. The risk of incorrect rejection relates to the efficiency of the audit. This type of decision error can result in the auditor conducting more audit work than necessary in order to reach the correct conclusion. II. Risk of incorrect acceptance (Type II). In testing a control, this is the risk that the sample supports a conclusion that the control is operating effectively when, in truth, it is not operating effectively. This risk is also commonly referred to as the risk of overreliance or the risk of assessing control risk too low. In the case of substantive testing, this is the risk that the sample supports the conclusion that the recorded account balance is not materially misstated when it is actually materially misstated. The risk of incorrect acceptance relates to the effectiveness of the audit. It results that the auditor may fail to detect a material misstatement in the financial statements due to inadequate audit test performed. This can lead to litigation against the auditor by parties that 1 rely on the financial statements. Because of the potentially severe consequences of a Type II decision error, auditors design their sampling applications to keep this risk to an acceptably low level. Three Important Factors of Sample Size Determination The most important inputs to determine sample sizes for all types of audit sampling are (I) desired level of assurance in the results (or confidence level), (II) acceptable defect rate (or tolerable error), and (III) historical defect rate (or expected error). Confidence Level: The first input, confidence level, is the complement of sampling risk. The acceptable level of sampling risk determined by considering the amount of reliance to be placed on the tests and the consequences of a decision error. In general the larger the sample, the higher the confidence level and the lower the sampling risk. Acceptable Vs Expected Error: Once the desired confidence level is established, the appropriate sample size is determined largely by how much tolerable error exceeds expected error. The smaller the difference between these two variables, is the larger the sample size needed. For example assume that an apple buyers can accept up to 10 percent defective shipments. Due to poor weather this year the planned level of expected defect rate of 7 percent +/- 3 percent. Here there is less room to accommodate sampling risk in the interval between 7 and 10 percent. As a result larger sample is required in order to minimize sampling risk. Precision in Sampling: In typical statistical sampling terminology, the term precision relates to how close a sample estimate is to the population characteristic being estimated, given a specified sampling risk. Thus, precision at the planning stage of an audit sampling application is the difference between the expected and the tolerable deviation rate or misstatement. Auditing standards use the term allowance for sampling risk to reflect the concept of precision in a sampling application. For example, if an auditor expected that a control would have a 2 percent deviation (failure) rate and he or she was willing to tolerate a deviation rate of 5 percent, the allowance for sampling risk would be 3 percent. Technology Vs Sampling: Technology reduces the number of times/ situations auditors need to apply sampling techniques due to: First, companies have developed well-controlled, automated accounting systems that can process transactions with no or very few errors. Here auditors test the processing software control 2 configurations and general computer controls rather than rely on audit sampling to test transactions. Second, the advent of powerful audit software allows auditors, in some situations, to download and examine electronic client data rather than sample. On the contrary technology will never eliminate the need for auditors to rely on sampling to some degree because (1) many control processes require human involvement to operate effectively (e.g., reconciliations, review, and resolution of a system’s generated exception reports), (2) many testing procedures require the auditor to physically inspect an asset (e.g., inventory) or inspect characteristics of a transaction or balance (e.g., terms in a contract), and (3) in many cases auditors are required to obtain and evaluate evidence from third parties (e.g., letters confirming accounts receivable balances from client customers). Audit Evidence choice Vs Sampling Generally, the auditor applies a number of audit procedures in order to reach a conclusion. Some audit procedures involve sampling as defined by auditing standards, while others do not involve sampling. The following are some examples of typical sampling applications. Inspection of tangible assets:- An auditor typically attends a client’s yearend inventory count. Because the number of inventory items can be very large, the auditor may use audit sampling to select inventory items to physically inspect and count. Inspection of records or documents:- A control may require that before a check is written to a vendor, the payables clerk must match an approved purchase order to an approved receiving report and vendor invoice and indicate an acceptable match by initialing a copy of the check stapled to the other three documents. The auditors can gather evidence on the effectiveness of the control by testing a sample of the documentation packages. Re-performance:- In assessing the competence and objectivity of the client’s work, the auditor may re-performmance a sample of the tests performed by the client. Confirmation:- A common technique to gather evidence on existence and accuracy of accounts receivable records is to send letters to customers asking them to confirm their balance. Rather than send a letter to all customers, the auditor can select a sample of customers. Types of Sampling There are two general approaches to audit sampling: non-statistical (Judgmental) and statistical. 3 In non-statistical sampling application, the auditor relays on his or her professional judgment, in combination with audit firm guidance and knowledge of the underlying statistical sampling theories, to reach a conclusion about the audit test. In statistical sampling, on the other hand, uses the laws of probability to compute sample size and evaluate the sample results, thereby permitting the auditor to use the most efficient sample size and to quantify the sampling risk for the purpose of reaching a statistical conclusion about the population. Both approaches require the use of the auditor’s professional judgment to plan, perform, and evaluate the sample evidence. The major advantages of statistical sampling are that it helps the auditor (1) design an efficient sample, (2) measure the sufficiency of evidence obtained, and (3) quantify sampling risk. The disadvantages of statistical sampling include additional costs of (1) training auditors in the proper use of sampling techniques, (2) designing and conducting the sampling application, and (3) lack of consistent application across audit teams due to the complexity of the underlying concepts. Non-statistical audit sampling can be simpler to use and more consistently applied in audit sampling than statistical sampling method. As a result non-statistical sampling is used for the sake of the following discussion. 1.2. Audit Sampling for Control Testing The following are the Steps in conducting audit sampling for control testing Step 1. Determine the test objectives. The objective of sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control and to determine the degree of reliance that can be placed on controls for a financial statement audit. Thus, the auditor assesses the deviation or error rate that exists for each control selected for testing. Audit sampling for tests of controls is generally appropriate when the completion of a control procedure leaves documentary evidence (e.g., initials of approval). Step 2. Define the population characteristics: The auditor must determine that the population from which the sample is selected is appropriate for the specific assertion, because sample results can be projected only to the population from which the sample was selected. Here the following activities are required to be undertaken. 4 i. Define the sampling population:- All or a subset of the items that constitute the class of transactions (or account balance when not testing controls) make up the sampling population. For example, suppose the auditor is interested in examining the effectiveness of a control designed to ensure that all shipments to customers are billed. If the auditor uses the population of sales invoices as the sampling population, he or she is not likely to detect goods shipped but not billed, because the population of sales invoices includes only sales that were billed. In this example, the correct sampling population for testing the completeness assertion would be the population of all shipped goods as documented by shipping records such as bills of lading. ii. Define the sampling unit:- The individual members of the sampling population are called the sampling units. In auditing, a sampling unit may be a document, an entry, or a line item. Each sampling unit makes up one item in the population. The sampling unit should be defined in relation to the control being tested. iii. Define the control deviation conditions:- For tests of controls, a deviation is a departure from adequate performance of the internal control. It is important for the auditor to define carefully what is considered a deviation. Step 3. Determine the sample size, Considerable judgment is required in determining the appropriate values for the inputs that are used to compute sample. The following inputs are required to determine the sample size. i. The desired confidence level:- the complement of the confidence level is the risk that the sample results will support a conclusion that the control is functioning effectively when in truth it is not (i.e., the risk of incorrect acceptance). In a financial statement audit, this can result in assessing control risk too low. This risk influences the effectiveness of the audit. If the auditor sets control risk too low and over relies on the controls, the level of substantive procedures may be too low to detect material misstatements that may be present in the financial statement account. This is because when control risk inappropriately decreases, the auditor increases the acceptable level of detection risk associated with substantive testing to compensate ii. The tolerable deviation rate:- The maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective (i.e., the control procedure would be relied on). 5 iii. The expected population rate:- is the rate the auditor expects to exist in the population. The rate is developed based on prior years’ results or on a pilot sample. If the auditor believes that the expected population deviation rate exceeds the tolerable deviation rate, no amount of sampling can reduce the population deviation rate below the tolerable rate. Instead, the auditor should perform additional substantive procedures rather than relying on the control. The expected population deviation rate has a direct relationship to sample size: The larger the expected population deviation rate, the larger the sample size, all else equal. Step 4. Select sample items. When using audit sampling, the auditor should avoid distorting the sample by selecting only items that are unusual or large or items that are the first or last items in the frame, because the auditor needs a sample that represents the population in order to draw inferences about the population from the sample. This is not to say that selection of unusual, large, or risky events, transactions, or balances should be avoided in other audit procedures that do not involve audit sampling. To the contrary, the auditor should focus specific audit procedures on all such items and not turn the selection of these items over to chance (i.e., random or haphazard selection), which is required for audit sampling. Step 5. Perform the auditing procedures: (Guidance in audit firm’s policy) A number of public accounting firms establish guidelines for non-statistical sample sizes for tests of controls. Typically, accounting firms’ non-statistical guidelines are consistent with sampling theory and are designed to provide two primary benefits: (1) to simplify the judgments required by field auditors by having experts at firm headquarters make firm wide judgments and (2) to improve consistency in sampling applications within and across engagement teams. Personal judgment For example, a firm might establish guidelines as follows: Assume an auditor might consider each of the necessary factors and determine that a sample size of 30 is adequate. Desired Level of Controls Reliance Sample Size Low 15–20 Moderate 25–35 High 40–60 In developing non-statistical sampling guidelines like those above, the firm’s experts have decided what confidence levels achieve low, moderate, and high assurance (say, 70–75, 80–85, 6 and 90–95 percent confidence, respectively). The experts have decided reasonable levels of tolerable deviation rates (say, 5 to 10 percent), and they have decided to base an initial sample on zero expected deviations. Following this guidance, if one or more deviations are found in the sample, the auditor needs to expand the sample or increase the assessed level of control risk. Step 6. Calculate the sample deviation rate and the computed upper deviation rate. With a non-statistical sample, the auditor can calculate the sample deviation rate but cannot quantify the computed upper deviation rate and the sampling risk associated with the test. As per AICPA Audit Guide Audit Sampling the sample results do not support the planned assessed level of control risk if the rate of deviation identified in the sample exceeds the expected population deviation rate used in designing the sample. In that case, there is likely that the true deviation rate in the population exceeds the tolerable rate. Step 7. Draw final conclusions If the auditor concludes that there is an unacceptably high risk that the true population deviation rate could exceed the tolerable rate, it might be practical to expand the test to sufficient additional items to reduce the risk to an acceptable level. Rather than testing additional items, however, it is generally more efficient to increase the auditor’s assessed level of control risk to the level supported by the results of the original sample. NB: The above seven steps can be reclassified under three stages of the audit work. The first three steps are categorized under planning stage. The next two steps (i.e. Step 4 and 5) is categorized as performance stage. The last two steps are categorized under evaluation stage. 1.3. Audit Sampling for substantive tests The basic statistical concepts and steps discussed in above paragraphs are also applicable for sampling approaches used to test account balances. Three important determinants of sample size are desired confidence level, tolerable misstatement, and estimated misstatement. Misstatements discovered in the audit sample must be projected to the population, and there must be an allowance for sampling risk. In substantive testing sampling may be used for to (1) test the reasonableness of assertions about a financial statement amount (e.g., accuracy, existence) or (2) develop an estimate of some amount. The first use, which is the most frequent application of sampling as a substantive procedure in a financial statement audit, tests the assertion or hypothesis that a financial statement account is fairly stated. The second is less frequent but is occasionally used to develop 7 an estimate of an amount as part of a consulting engagement or in some cases to provide evidence on a client estimate (e.g., sales returns for a new product). The sampling unit for non-statistical sampling is normally a customer account, an individual transaction, or a line item on a transaction. In non-statistical sampling, the proper application of the following items are necessary ο· Identifying individually significant items ο· Determining the sample size ο· Selecting sample items ο· Calculating the sample results Identifying individually significant items It is the determination of which items should be tested individually and which items should be subjected to sampling. The items that will be tested individually are items that may contain potential misstatements that individually exceed the tolerable misstatement. These items are tested 100 percent because the auditor is not willing to accept any sampling risk. For example, an auditor using non-statistical sampling may be examining a client’s accounts receivable balance in which 10 customer account balances are greater than tolerable misstatement. The auditor would test all 10 large accounts, and apply sampling for the remaining. Determining the sample size When determining the sample size, the auditor should consider the level of desired confidence, the risk of material misstatement, the tolerable and expected misstatements, and the population size. While an auditor may determine a non-statistical sample size by using professional judgment, auditing standards indicate that the sample sizes for statistical and non-statistical sampling should be similar (AU 350.22). Thus, it is common for firms to develop guidance for non-statistical sampling based on statistical theory such as the formula provided below, which was adapted from the AICPA Audit Guide Audit Sampling: ππππππ π ππ§π = ( π ππππππππ ππππ’πππ‘πππ ππππ/πππππππππ − πΈπ₯ππππ‘ππ πππ π π‘ππ‘πππππ‘) ∗ π΄π π π’πππππ ππππ‘ππ The “sampling population book value” excludes the amount of items to be individually audited. The assurance factor is identified by determining the level of desired confidence (largely driven by the amount of other relevant audit evidence and the risk of material misstatement (i.e., 8 inherent and control risk). the following table contains the assurance factors for various combinations of desired confidence and risk assessment. Table 1 Assurance factor for non-statistical sampling Assessment of Risk of Material Desired Level of Confidence Misstatement Maximum Slightly Below Moderate Low Maximum Maximum 3.0 2.7 2.3 2.0 Slightly Below Maximum 2.7 2.4 2.0 1.6 Moderate 2.3 2.1 1.6 1.2 Low 2.0 1.6 1.2 1.0 Selecting the Sample Items When any form of audit sampling is used to gather evidence, auditing standards require that the sample items be selected in such a way that the sample can be expected to represent the population. While some form of random sample or systematic selection (e.g., probability proportional to size) is required for statistical sampling, auditing standards allow the use of these selection methods, as well as other selection methods including haphazard sampling when using non-statistical sampling. Haphazard selection allows the auditor to “randomly” select items judgmentally (i.e., with no conscious biases or reasons for including or omitting items from the sample). This does not imply that the items are selected in a careless manner; rather, the sampling units are selected such that they will be representative of the population. Calculating the Sample Results This illustration uses a non-statistical sampling design application to examine the accounts receivable balance of Calabro Wireless Services at December 31, 2007. As of December 31, there were 11,800 accounts receivable accounts with a balance of Br. 3,717,900, and the population is composed of the following strata: Number and Size of Accounts Book Value of Stratum 15 accounts > Br. 25,000 Br. 550,000 250 accounts > Br. 3,000 850,500 11,535 accounts < Br3,000 2,317,400 The Auditor has made the following decisions: 9 ο· Based on the results of the tests of controls, the risk of material misstatement is assessed as low. ο· The tolerable misstatement allocated to accounts receivable is Br. 55,000, and the expected misstatement is Br. 15,000. ο· The desired level of confidence is moderate based on the other audit evidence already gathered. ο· All customer account balances greater than Br. 25,000 will be audited. Based on these decisions, the sample size is determined as follows: First, individually significant items are deducted from the account balance, leaving a balance of Br. 3,167,900 (Br. 3,717,900 – Br. 550,000) to be sampled. Second, the sample size for the remaining balance is determined using the adapted AICPA sample size formula: Sample Size = Br.3,167,900 Br. 55,000 – Br. 15,000 * 1.2 = 95 The assurance factor of 1.2 is determined by using Table 1 and a “Low” assessment for risk of material misstatement and “Moderate” level of desired confidence. The 95 sample items are divided between the two strata based on the recorded amount for each stratum. Accordingly, 26= [(Br. 850,500 / Br. 3,167,900) *95] of the 95 are allocated to the stratum of accounts greater than $3,000 and 69 to the stratum of accounts less than Br. 3,000. The total number of items tested is 110, composed of 15 individually significant accounts tested 100 percent and a sample of 95 items. The auditor mailed positive confirmations to each of the 110 accounts selected for testing. Either the confirmations were returned to the auditor, or he was able to use alternative procedures to determine that the receivables were valid. Four customers indicated that their accounts were overstated, and the auditor determined that the misstatements had resulted from unintentional errors by client personnel. The results of the sample are summarized as follows: Stratum Book Value Book Value Audit Value Amount of of Stratum of Sample of Sample Overstatement > Br. 25,000 Br. 550,000 Br. 550,000 Br. 549,500 Br. 500 > Br. 3,000 850,500 425,000 423,000 2,000 < Br.3,000 2,317,400 92,000 91,750 250 10 Based on analysis of the misstatements found, the auditor concluded that the amount of misstatement in the population was likely to correlate to the total Birr amount of the items in the population and not to the number of items in the population. Thus, he decided to use ratio estimation (applying the ratio of misstatement in the sampling strata) to project his results. His projection of the misstatements follows: Stratum Amount of Ratio of Misstatements in Stratum Tested Misstatement Projected Misstatement > Br. 25,000 Br. 500 Not Applicable—100% Tested Br. 500 > Br. 3,000 2,000 (Br. 2,000/425,000)* Br. 850,500 4,002 <Br.3,000 250 (Br. 250/Br. 92,000)* Br. 2,317,400 6,298 Total projected misstatement 10,800 The total projected misstatement is Br. 10,800. The auditor should conclude that there is an acceptably low risk that the true misstatement exceeds the tolerable misstatement because the projected misstatement of Br. 10,800 is less than the expected misstatement of Br. 15,000. Before reaching a final conclusion on the fair presentation of Calabro’s accounts receivable balance, The Auditor would consider the qualitative characteristics of the misstatements detected and the results of other auditing procedures. If these steps are successfully completed, the auditor can conclude that the accounts receivable balance is fairly presented in conformity with IFRS. Summary of the Effect of Sample Selection Factors on Sample Size Factor Relationship to Sample Change in Factor Effect on Sample Size Size Desired confidence level Tolerable misstatement Expected misstatement Population size Direct Inverse Direct Direct Lower Decrease Higher Increase Lower Increase Higher Decrease Lower Decrease Higher Increase Lower Decrease Higher Increase 11