Chapter 8
Audit Sampling: An Overview and Application to Tests of
Controls
McGraw-Hill/Irwin
2008 The McGraw-Hill Companies, All Rights Reserved
Sampling
Primary purpose is to draw inferences about
the whole population based on the results
of testing of a subset of the population
Introduction
Auditing standards recognize and permit both statistical
and nonstatistical methods of audit sampling.
Two technological advances have reduced the number
of times auditors need to apply sampling techniques to
gather audit evidence:
1
Development of
well-controlled,
automated
accounting
systems.
2
Advent of powerful
PC audit software to
download and
examine client
data
8-3
Introduction
However, technology will never eliminate the need for
auditors to rely on sampling to some degree because:
1. Many control processes require human involvement.
2. Many testing procedures require the auditor to
physically examine an asset.
3. In many cases auditors are required to obtain and
examine evidence from third parties.
8-4
Definitions and Key Concepts
On the following screens we will define:
1.Sampling Risk
2.Confidence Level
3.Tolerable and Expected Error
4.Audit Sampling
8-5
LO# 1
Audit Sampling
Audit sampling is the application of an
audit procedure to less than 100 percent
of the items within an account balance or
class of transactions for the purpose of
evaluating some characteristic of the
balance or class.
8-6
Sampling Risk
Risk that the results of the sample are not
representative of the population
Reduce this by taking larger sample
8-7
LO# 2
Sampling Risk
Sampling risk is the element of uncertainty that enters
into the auditor’s conclusions anytime sampling is
used. There are two types of sampling risk.
Risk of incorrect rejection (Type I) – in a test of internal
controls, it is the risk that the sample supports a
conclusion that the control is not operating effectively
when, in fact, it is operating effectively.
Risk of incorrect acceptance (Type II) – in a test of
internal controls, it is the risk that the sample supports
a conclusion that the control is operating effectively
when, in fact, it is not operating effectively.
8-8
Non sampling Risk
Sampling the wrong populations
Misinterpreting the audit results
8-9
LO# 2
Sampling Risk
Three Important Factors in Determining Sample Size
1.The desired level of assurance in the results (or
confidence level),
2.Acceptable defect rate (or tolerable error), and
3.The historical defect rate (or estimated error).
8-10
LO# 2
Confidence Level
Confidence level is the
complement of sampling risk.
The auditor may set
sampling risk for a
particular sampling
application at
5 percent, which
results in a
confidence level of
95 percent.
8-11
Confidence Level
The larger the sample, the higher the
confidence level and the lower the
sampling risk.
8-12
LO# 2
Tolerable and Expected Error
Once the desired confidence level is established, the
sample size is determine largely by how much the
tolerable error exceeds expected error.
Precision, at the
planning stage of
audit sampling, is
the difference
between the
expected and
tolerable deviation
rates.
Auditing Standards
refer to Precision
as the “Allowance for
sampling risk”
8-13
Tolerable Error
The smaller the difference between
tolerable error and expected error, the
more precise the measurements and
the larger the sample size.
8-14
LO# 3
Audit Evidence – To Sample or
Not?
Relationship between Evidence Types and Audit Sampling
Audit Sampling
Commonly Used
Type of Evidence
Yes
Inspection of tangible assets
Yes
Inspection of records or documents
Yes
Reperformance
Yes
Recalculation
Yes
Confirmation
No
Analytical procedures
No
Scanning
No
Inquiry
No
Observation
8-15
LO# 3
Audit Evidence – To Sample or
Not?
• Inspection of tangible assets. Auditors typically attend
the client’s year-end inventory count. When there are a
large number of items in inventory, the auditor will select a
sample to physically inspect and count.
• Inspection of records or documents. Certain controls
may require the matching of documents. The procedure
may take place many times a day. The auditor may gather
evidence on the effectiveness of the control by testing a
sample of the document packages.
8-16
LO# 3
Audit Evidence – To Sample or
Not?
 Reperformance. To comply with rule 404 of the
Sarbanes-Oxley Act, publicly traded clients must document
and test controls over important assertions for significant
accounts. The auditor may reperform a sample of the tests
performed by the client.
 Confirmation. Rather than confirm all customer account
receivable balances, the auditor may select a sample of
customers.
8-17
LO# 3
Testing All Items with a Particular
Characteristic
When an account or class of transactions is made up
of a few large items, the auditor may examine all the
items in the account or class of transaction.
When a small number of large transactions make up
a relatively large percent of an account or class of
transactions, auditors will typically test all the
transactions greater than a particular dollar amount.
8-18
LO# 3
Testing Only One or a Few
Items
Highly automated information systems
process transactions consistently unless the
system or programs are changed.
The auditor may test the
general controls over the
system and any program
changes, but test only a few
transactions processed by
the IT system.
8-19
LO# 4
Types of Audit Sampling
Auditing standards recognize and permit both statistical
and nonstatistical methods of audit sampling.
In nonstatistical (or
judgmental) sampling, the
auditor does not use
statistical techniques to
determine sample size,
select the sample items,
or measure sampling risk.
Statistical sampling uses
the laws of probability to
compute sample size and
evaluate results. The
auditor is able to use the
most efficient sample size
and quantify sampling risk.
8-20
LO# 4
Types of Audit Sampling
Advantages of statistical sampling
1. Design an efficient sample.
2. Measure the sufficiency of
evidence obtained.
3. Quantify sampling risk.
Disadvantages of statistical sampling
1. Training auditors in proper use.
2. Time to design and conduct
sampling application.
3. Lack of consistent application
across audit teams.
8-21
Non statistical sampling
Professional judgment
Firm guidance
Knowledge about the underlying
statistical theories.
8-22
LO# 4
Statistical Sampling Techniques
1.Attribute Sampling.
2.Monetary-Unit Sampling.
3.Classical Variables Sampling.
8-23
LO# 4
Attribute Sampling
Used to estimate the proportion of a
population that possess a specified
characteristic. The most common use of
attribute sampling is for tests of controls.
Yes, I know. We are
planning a test of that
control using
attribute sampling.
Our client’s controls
require that all checks
have two independent
signatures.
8-24
LO# 4
Monetary-Unit Sampling
Monetary-unit sampling uses attribute sampling theory
to estimate the dollar amount of misstatement for a
class of transactions or an account balance.
This technique is used
extensively because it has
a number of advantages
over classical variables
sampling.
8-25
LO# 4
Classical Variables Sampling
Auditors sometimes use variables sampling to
estimate the dollar value of a class of transactions or
account balance. It is more frequently used to
determine whether an account is materially
misstated.
8-26
LO#
Attribute Sampling Applied to
Tests of Controls
5, 6, & 7
In conducting a statistical sample for a
test of controls auditing standards require
the auditor to properly plan, perform, and
evaluate the sampling application and to
adequately document each phase of the
sampling application.
Plan
Perform
Evaluate
Document
8-27
LO#
5, 6, & 7
Planning
Planning
1. Determine the test objectives.
2. Define the population characteristics.
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The objective of attribute sampling when used for
tests of controls is to evaluate the operating
effectiveness of the internal control.
8-28
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics.
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
All or a subset of the items that constitute the class
of transactions make up the sampling population.
8-29
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics.
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
Each sampling unit makes up one item in the
population. The sampling unit should be defined in
relation to the specific control being tested.
8-30
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics.
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
A deviation is a departure from adequate
performance of the internal control.
8-31
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The confidence level is the desired level of
assurance that the sample results will support a
conclusion that the control is functioning
effectively. Generally, when the auditor has
decided to rely on controls, the confidence level
is set at 90% or 95%. The means the auditor is
willing to accept a 10% or 5% risk of accepting
the control as effective when it is not.
8-32
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The tolerable deviation rate is the maximum
deviation rate from a prescribed control that the
auditor is willing to accept and still consider the
control effective.
8-33
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
Suggested Tolerable Deviation Rates
for Assessed Levels of Control Risk
Planned Assessed Level
of Control Risk
Low
Moderate
Slightly below maximum
Maximum
Tolerable
Deviation
Rate
3–5%
6–10%
11–20%
Omit test
8-34
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The expected population deviation
rate is the rate the auditor expects to
exist in the population. The larger the
expected population deviation rate,
the larger the sample size must be, all
else equal.
8-35
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
Assume a desired confidence level of
95%, and a large population, the effect of
the expected population deviation rate on
sample size is shown below:
Expected Population
Deviation Rate
Sample
Size
1.0%
93
1.5%
124
2.0%
181
3.0%
‡
‡ Sam ple size too large to be cost-effective.
8-36
LO#
Population Size: Attributes
Sampling
5, 6, & 7
Population size is not an important factor in determining
sample size for attributes sampling. The population size
has little or no effect on the sample size, unless the
population is relatively small, say less than 500 items.
Factor
Desired confidence level
Tolerable deviation rate
Expected population deviation rate
Population size
Examples
Relationship to
Change in
Effect on
Sample Size
Factor
Sample
Lower
Decrease
Direct
Higher
Increase
Lower
Increase
Inverse
Higher
Decrease
Lower
Decrease
Direct
Higher
Increase
Decreases sample size only when population
is small (fewer than 500 items)
8-37
LO#
5, 6, & 7
Performance
Performance and Evaluation
4. Select sample items.
• Random-Number Selection.
• Systematic Selection.
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
Every item in the population has the same
probability of being selected as every other
sampling unit in the population.
8-38
LO#
5, 6, & 7
Performance
Performance and Evaluation
4. Select sample items.
• Random-Number Selection.
• Systematic Selection.
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
The auditor determines the sampling interval by dividing
the population by the sample size. A starting number is
randomly selected in the first interval and every nth item is
8-39
selected thereafter.
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
For example, assume a sales invoice should not be
prepared unless there is a related shipping document. If
the shipping document is present, there is evidence the
control is working properly. If the shipping document is not
present a control deviation exist.
8-40
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
Unless the auditor finds something unusual about
either of these items, they should be replaced with a
new sample item.
8-41
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
If the auditor is unable to examine a document or to
use an alternative procedure to test the control, the
sample item is a deviation for purposes of evaluating
the sample results.
8-42
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures.
• Voided documents.
• Unused or inapplicable documents
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
If a large number of deviations are detected
early in the tests of controls, the auditor should
consider stopping the test, as soon as it is clear
that the results of the test will not support the
planned assessed level of control risk.
8-43
LO#
5, 6, & 7
Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
After completing the audit procedures, the
auditor summarizes the deviations for each
control tested and evaluates the results. For
example, if the auditor discovered two
deviations in a sample of 50, the deviation rate
in the sample would be 4% (2 ÷ 50).
The upper deviation rate is the sum of the
sample deviation rate and an appropriate
allowance for sampling risk.
8-44
Computed Upper Deviation Rate
True deviation rate unknown
Sum of sample deviation rate plus an
appropriate allowance for sampling risk
8-45
LO#
5, 6, & 7
Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates
7. Draw Final Conclusions
The auditor compares the tolerable deviation rate
to the computed upper deviation rate.
True State of Internal Control
Auditor's Decision Based on
Sample Evidence
Supports the planned level
of control risk
Does not support the
planned level of control risk
Reliable
Correct decision
Risk of incorrect
rejection (Type I)
Not Reliable
Risk of incorrect
acceptance (Type II)
Correct decision
8-46
LO#
5, 6, & 7
Attribute Sampling Example
The auditor has decided to test a control at Calabro
Wireless Services. The test is to determine the sales and
service contracts are properly authorized for credit approval.
A deviation in this test is defined as the failure of the credit
department personnel to follow proper credit approval
procedures for new and existing customers. Here is
information relating to the test:
Desired confidence level
Tolerable deviation rate
Expected population deviation rate
Sample size
95%
6%
1%
78
8-47
LO#
5, 6, & 7
Attribute Sampling Example
Part of the table used to determine sample size when
the auditor specifies a 95% desired confidence level.
Sample Size at 95% Desired Confidence Level
Expected
Population
Tolerable Deviation Rate
Deviation
Rate
2%
3%
4%
5%
6%
0.00%
149
99
74
59
49
0.25%
236
157
117
93
78
0.50%
157
117
93
78
0.75%
208
117
93
78
1.00%
156
93
78
1.25%
156
124
78
1.50%
192
124
103
7%
42
66
66
66
66
66
66
8-48
LO#
5, 6, & 7
Attribute Sampling Example
17,063
59,096
89,904
42,970
74,184
1,755
37,285
92,096
22,113
59,304
34,989
34,027
18,965
30,393
27,951
38,383
30,521
96,603
42,914
24,423
32,014
44,994
25,484
3,475
1,986
19,308
35,744
10,350
6,937
96,813
12,104
37,183
67,965
52,597
66,533
87,003
54,109
6,184
65,785
11,531
64,036
95,084
11,027
67,454
97,613
39,602
52,705
45,839
50,006
91,083
52,496
40,817
34,783
92,628
81,175
93,234
13,350
77,035
45,594
37,490
96,213
28,664
62,828
42,756
67,446
71,586
60,481
24,202
66,805
80,382
60,169
8,210
10,374
50,282
72,563
72,886
57,267
80,027
31,130
62,333
44,899
23,758
There are 125,000
audit items in the
population numbered
from 1 to 125,000. The
auditor generates
these random
numbers using Excel.
Each number
represents a contract
that was to be
reviewed for credit
approval.
8-49
LO#
5, 6, & 7
Attribute Sampling Example
The auditor examines each selected contract for credit
approval and determines the following:
Number of deviations
Sample size
Sample deviation rate
Computed upper deviation rate
Tolerable deviation rate
2
78
2.6%
8.2%
6.0%
Let’s see how we get the computed
upper deviation rate.
8-50
LO#
5, 6, & 7
Attribute Sampling Example
Part of the table used to determine the computed upper
deviation rate at 95% desired confidence level:
Sample
Size
25
30
35
40
45
50
55
60
65
70
75
80
Actual Number of Deviations Found
0
1
2
3
11.3
17.6
9.5
14.9
19.6
8.3
12.9
17.0
7.3
11.4
15.0
18.3
6.5
10.2
13.4
16.4
5.9
9.2
12.1
14.8
5.4
8.4
11.1
13.5
4.9
7.7
10.2
12.5
4.6
7.1
9.4
11.5
4.2
6.6
8.8
10.8
4.0
6.2
8.2
10.1
3.7
5.8
7.7
9.5
8-51
LO#
5, 6, & 7
Attribute Sampling Example
Tolerable
Deviation
Rate (6%)
<
Computed
Upper Deviation
Rate (8.2%)
Auditor’s Decision:
Does not support reliance on the control.
8-52
LO# 8
Nonstatistical Sampling for Tests of
Control
Determining the Sample Size
An auditing firm may establish a nonstat sampling
policy like the one below:
Desired
Level of
Controls
Reliance
Low
Moderate
High
Sample
Size
15–20
25–35
40–60
Such a policy will promote consistency in sampling
applications.
8-53
LO# 8
Nonstatistical Sampling for
Tests of Control
Selecting the Sample Items
Nonstatistical sampling allows the use of
random or systematic selection, but also
permits the use of other methods such as
haphazard sampling.
When haphazard sample
selection is used, sampling
units are selected without any
bias, that is to say, without a
special reason for including
or omitting the item in the
sample.
8-54
LO# 8
Nonstatistical Sampling for
Tests of Control
Calculating the Upper Deviation Rate
With a nonstatistical sample, the auditor can
calculate the sample deviation rate, but cannot
formally quantify the computed upper
deviation rate and sampling risk associated
with the test.
8-55
LO# 8
Considering the Effect of
Population Size
This table assumes a desired confidence of 90%, a
tolerable deviation rate of 10%, and an expected
population deviation rate of 1%:
Population
Size
100
500
1,000
5,000
Sample
Size
31
38
39
39
Finite population
=
correction factor
√
1 – (n/N)
n = sample size from tables
N = number of units in the population
8-56
Questions
8-57
End of Chapter 8
8-58