RISK ANALYSIS AND STATISTICAL SAMPLING IN AUDIT A brief overview of theory, assumptions and existing methodology 1. The risk model Making an audit assertion with absolute certainty would be vastly expensive. There would always be some risk that audit fails to discover all material errors, even when 100% of the transactions are audited. Recognizing this, the auditor defines an audit risk that he is willing to accept or conversely the assurance that he desires to provide that his audit assertions/ opinions are correct. This risk (or assurance) is usually defined as a matter of Departmental policy. Using this assurance as input, it is possible to define a sample, using statistical sampling methods, on which audit tests that are carried out give results that can be projected to the entire population. This approach prescribes a uniform audit scrutiny for all transactions in the population. However, all transactions are not equally risky and treating them as such will mean higher costs of audit in less risky transactions on the one hand and the threat that risky transactions will not be detected on the other. The risk model is an analytical tool for planning and execution. This approach detects highrisk areas where audit effort can be concentrated. Audit can thus focus on areas which are likely to generate better assurance instead of sampling and testing of larger but low risk areas. It structures the audit procedures and reorganises the audit work in terms of risk perception. Theory and Assumptions: In any risk assessment the auditor has to consider three kinds of risks: 1. Control Risk (CR) which is determined by the efficacy of internal control environment in the auditee organization; 2. Inherent Risk (IR) which is the determined by the susceptibility of the classes of transactions to be audited to material misstatement, irrespective of the related internal controls in the organization and 3. Detection Risk (DR) which is the risk that auditor’s substantive tests do not detect a material misstatement in the transactions audited by him. This is again independent of the other two risks. Since all the three risks are independent, Overall Audit Risk (AR) is defined as: OAR=CR x IR x DR,……………………………..(1) In other words OAR, the overall audit risk acceptable to the auditor will depend on IR is the inherent risk, i.e. the risk that an error will occur in the first place; CR is the control risk, i.e. the risk that internal controls will fail to detect the error, and DR is the detection risk, i.e. the risk that the audit procedures will fail to detect the error. The underlying assumption is that the individual risks are independent of each other. The overall audit risk is defined by the audit institution and hence is a constant predetermined quantity. The objective for the auditor is to first assess inherent and control risks in the entity, and then to design and perform appropriate compliance and substantive procedures that provide sufficient assurance that the product of the risks identified is less than or equal to the overall audit risk that the auditor is willing to accept. If the inherence risk and control risk are low, the auditor will be required to provide less assurance from substantive tests, while if the inherence risk and control risk are high, the amount of assurance required form substantive audit tests will also be high. In the risk model, thus, the auditor assesses the inherence risk and control risk and solves the equation for detection risk. The detection risk (DR) is actually a combination of two risks; analytical procedures risk (AP) which is the risk that analytical procedures will fail to detect material errors and tests of detail risk (TD) which is the risk that detailed test procedures will fail to detect the material errors. These two risks are again considered independent and thus a multiplicative model is suggested as follows: DR = AP X TD…………………………………………..(2) OAR = IR X CR X AP X TD………………………… (3) The auditors exercise professional judgment in assessing the IR, CR and AP. Then solve the model to arrive at the test of details risk (TD). Detection Risk thus is closely related to the confidence that the auditor wishes to obtain from his substantive testing procedures. It he wants to increase his level of confidence, he wants to make his detection risk low and then more transactions and balances need to be tested substantively than where the detection risk can be allowed to be high (because control risk is low, for instance). Thus Confidence Level can be defined as (100%-Detection Risk). Thus if detection risk is 10% and transactions and balances are selected on that basis, the confidence level will be 90% which means that the auditor wishes to be 90% confident that the sample of transactions or balances used in substantive testing will be representative of the total of such transactions and balances. The only risk that the auditor has under his control is the Detection Risk and he will have to ensure that it is kept low. 2. Materiality and Audit Risk While risk is concerned with the likelihood of error, materiality deals with the extent to which we can tolerate error. Materiality relates to the maximum possible misstatements/ error. The auditor needs to do just enough work to conclude that the maximum possible misstatement/ error at the desired level of assurance is less than the materiality. Materiality is determined from the user's point of view, and is independent of the overall audit assurance (risk). While making materiality judgements three main factors are considered; the value of the error, the nature of the error and context in which the transaction has occurred. It is normally sufficient to determine a single materiality level for different components/ areas of audit, but one can determine different materiality levels for different sets of transactions also. The auditor is concerned only with material errors. Risk assessment will thus focus on the likelihood of material error. To use the risk model, the auditor has thus to specify the materiality level along with the overall assurance required from the audit. While the IR and CR together will tell the auditor about the expected error rate in the population, materiality will tell him about the tolerable error rate in the population from his point of view. 3. Assessment of Different Kinds of Risks 3.1 Assessment of Inherent Risk Inherent risk assesses the nature, complexity, and volume of the activities and transactions that give rise to the possibility of error occurring in the first place. They are generally inherent to these activities or sets of transactions. For example, suspense transactions will naturally have a higher inherent risk than the transactions under the heads Salary and Allowances. The assessment of inherent risk factors would, to a large extent, be based on the knowledge and understanding of the business of the auditee based on our experience from previous audits and identification of events as well as from transactions and practices which may have a significant impact on the audit areas. The major factors that can be considered for assessment of inherent risk in a financial (certification) audit are listed in Annexure A. Different audits will have a different set of risk parameters for assessment of inherent risk. Inherent risk has to be assessed for each audit assertion/ opinion. Inherent risk factors impacting the audit assertion need to be documented. The risk associated with each individual factor is then assessed as high, moderate or low. The assessment is then consolidated for overall assessment of inherent risk. It is possible to assign numerical values to the risk assessed, or the assessment can be done quantitatively in terms of high, moderate and low. 3.2 Assessment of Control Risk Control risk assesses the adequacy of the policies and procedures in the auditee organization for detecting material error for identified functions or activities. For assessing the control risk, the auditor considers both the control environment and control systems together. Techniques used to evaluate internal control are narrative descriptions, questionnaires, check lists, flow charts, inspection, inquiries, observation and re-performance of internal controls. The factors that can be considered for assessment of control environment and control systems in a financial (certification) audit are listed in Annexure B. Different kinds of audit will have a different set of control factors to be considered. The auditor evaluates the control environment and systems (both manual and computerised) and places appropriate reliance on them. This evaluation is based on the preliminary systems examination and is designed to assess whether the activities undertaken by the audited body are in accordance with the statutory or other authorities, whether the audited body's structure is likely to ensure adequate internal control, the adequacy of general financial controls, whether the employees in areas critical to internal controls are competent and whether there are adequate other general controls in areas relevant to audit. The control risk is then assessed and expressed either in numerical (percentage terms) or qualitative (high, medium, low) terms. 3.3 Assessment of Detection Risk Having assessed the inherent and control risks, the risk equation can be solved for detection risk, i.e. the assurance required form audit procedures. An assurance about the transactions being audited is required from the audit procedures. An assurance guide is placed at annexure C where the required assurance from substantive audit tests can be found. This assurance level will be used as input in determining the sample size on which the audit tests need to be performed to arrive at the required overall assistance. 4 Risk Assessment and Stratification of Population Given the level of assurance required from audit testing of an area and the materiality of errors associated, audit processes are well-defined. A high likelihood or error in an audit area which requires a high level of assurance of the audit test along with a high significance would, for example, make the area a critical concern for audit and one may decide to conduct a 100% check on these kind of areas. Based on the perception of risk and the materiality along with the value of the set of transactions, the population is stratified. Each strata of the population will require a different level of substantive audit checks. The high risk, high materiality items will be subjected to a higher level of substantive audit test, while an area with lower materiality may be tested through analytical methods or test of controls and lesser substantive tests. As a rule it is prudent to examine all transactions that are individually material. The conclusions which can be drawn from a test of items selected on a high value basis will only relate to these items and provide better assurance to the auditor. Similarly, there could be key items which are especially prone to error or other risks, or those which merit special attention. The auditor may wish to examine these items 100% when forming an audit opinion. 5 Statistical sampling Sampling means testing less than 100% of the items in the population for some characteristic and then drawing a conclusion about that characteristic for the entire population. Traditionally, auditors use 'test check' (judgmental sampling or non-statistical sampling) approach. This means checking a pre-determined proportion of the transactions on the basis of the auditor's judgment. This sampling technique can be effective if properly designed. Hitherto audit has been based almost entirely on such judgmental sampling, which, as has been proved time and again, has been extremely effective in detecting errors. However, it does not have the ability to measure and integrate risk model in the audit procedure and the audit observations have to be limited only to the transactions actually checked in audit; audit conclusions so arrived cannot be projected over the entire population. For example, while certifying accounts balances or receipts of the Government, we cannot state the extent to which the accounts balances as depicted in the financial statements are reliable; all we can say is that they are subject to the audit observations made on the basis of test check of transactions. Thus the possibility remains that in his judgment the auditor may err and miss to check transactions containing substantial errors or misstatements. For statistical sampling techniques, there is a measurable and quantifiable relationship between the size of sample and the degree of risk. Statistical sampling procedure uses the laws of probability and provides a measurable degree of sampling risk. Accepting this level or risk, (or conversely at a definite assurance or ‘confidence’ level) the auditor can state his conclusions for the entire population. In sum, statistical sampling may provide much greater objectivity in sample selection as well as in the audit conclusion, besides enabling the auditor to express an opinion concerning the entire population. The basic hypotheses of statistical sampling theory are: (a) The population is a homogeneous group. (b) There is no bias in the selection of items of the sample. All items of the population have equal chance of being selected in the sample, in other words, the sample is representative of the population and retains all its characteristics. 6 Attribute Sampling, Variable Sampling and Monetary Unit Sampling Different statistical sampling methods may be used in different auditing situations. The auditor may wish to estimate how many departures have occurred form the prescribed procedures; or estimate a quantity, e.g. the value (amount) of errors in the population. Based on whether the audit objective is to determine a qualitative characteristic or a quantitative estimate of the population, the sampling is called an attribute or variable sampling. Attribute sampling estimates the proportion of items in a population having a certain attribute or characteristic. In an audit situation, attribute sampling would estimate the existence or otherwise of an error. Attribute sampling would be used when drawing assurance that prescribed procedures are being followed properly. For example, attribute sampling may be used to derive assurance that procedures for classification of vouchers have been followed properly. Here, the auditor estimates through attribute sampling the percentage of error (vouchers that have been misclassified) and sets an upper limit of error that he is willing to accept and still be assured that the systems are in place. It is thus obvious that attribute sampling can only be used in assessment of control risk, where the attribute is whether a specific control has been applied and there can only be two answer to this: Yes or No. Variables sampling estimates a quantity, e.g. amount of sundry debtors shown in the balance sheet or the underassessment in a tax circle. Variables sampling involves complex procedures and has certain drawbacks. Monetary Unit Sampling provides quantitative results and is suited to most audit situation, but theoretically it can be used in low level error situations with a relatively small population, where there are no negative or zero balances. In this sampling method, which is a variation of ‘PPS’ or ‘Probability Proportional to Size’ sampling methods the sampling units are defined not as individual transactions but as the progressive cumulative totals of all transactions which constitute the population. Since it takes monetary values as sampling units, the high value items tend to get more weight and therefore greater probability of getting picked up in any random selection, since the probability of selection becomes proportional to the values of transactions. 7 Sampling Methods There are different ways in which a statistical sampling can be selected. A simple random sampling ensures that every member of the population has an equal chance of selection. Through simple to administer, the underlying assumption is that the population is homogeneous. Instead of a simple random sampling, the auditor can choose to have a systematic random sampling in which the first member of the sample is determined by random sampling, while the others are picked up at fixed intervals from that first member. A similar procedure was earlier used in central auditing of accounts vouchers. In cases where the population is non-homogeneous, a stratified sampling would be a better option. Here the population is sub-divided into homogeneous groups and then a random sampling is done on the groups, ensuring a better representative sample. In the cell sampling method, the population is divided into a number of cells and one item is selected from each cell randomly. This method overcomes the drawback of systematic sampling when fixed numbers are given to various categories, but retains the advantage of systematic sampling of automatically selecting items bigger than the average sampling interval. The auditing softwares, e.g. Computer Assisted Audit Technique (CAAT) like IDEA is an efficient tool for sample selection. Once the sample is selected, identified audit tests can directly be applied on the sample. Each sampling method has its practical advantages and limitations. The auditor uses his judgment in determining which kind of sampling is best suited to his audit job. 8. Audit Assumptions Audit works on the principle that higher the risk involved in the transactions, higher the need for more extensive checks. Audit through statistical sampling is a systematic procedure based on the following stages: 1. Assessment of Inherent Risk through auditor’s knowledge, judgment and application of specific auditing procedures like analytical reviews etc. 2. Assessment of Control Risk through Compliance Testing, i.e. testing whether the prescribed/ required controls are operating or being complied with in the auditee organization. This can be done through attribute sampling, analytical reviews etc. 3. To Design the Sampling Frame for Substantive Testing based on the Inherent Risk Evaluation and Assessment of Control Risk through Compliance Testing. In this, the auditor has primarily to determine the sampling method (Attribute/ Variable/ Monetary Unit Sampling) as well as the sample size. 4. Evaluation of results of Substantive Tests and expression of audit opinion. Since for particular class of transactions, the Inherent Risk is constant, basically the auditor has to determine the extent and method of substantive testing based on his evaluation of the internal controls through Compliance Testing. Needless to say, the above steps follow each other and are closely interlinked and hence cannot be segregated into independent streams of audit. While Compliance Testing is needed to review and evaluate the effectiveness of the internal control systems in an organization, Substantive Testing procedures are applied to gather audit evidence regarding completeness, accuracy and validity of data. 9. Sampling Risks of an Auditor While suggesting an appropriate an appropriate theoretical frame work for the application of statistical sampling in audit, we need to consider the sampling risk from the point of view of an auditor and in designing the sampling frame, must provide for this in a way that minimizes or eliminates this risk. This risk is not to be confused with any of the risks involved in the risk model discussed earlier. Obviously sampling involves certain risk if the auditor has to express n opinion on the entire population based on his sample checks as he checks only a few items in order to express an opinion on the whole population. The possibility remains that his conclusions could be different if he had checked all transactions instead of a few selected items. This risk is inherent in both compliance as well as substantive testing which is decided on the basis of compliance testing only. (a) Sampling Risk in Compliance Testing Here the auditor undertakes the risk of over-reliance as well the risk of under-reliance on the controls operating in the auditee organization. The former may lead to the auditor reducing the extent of his substantive testing since he has placed reliance on a control that was otherwise weak, while the latter would lead to the auditor wasting his resources on additional substantive testing which may not be necessary as the controls in reality were adequate. Obviously the former is more dangerous of the two as it would lead to erroneous audit conclusions and therefore needs to be minimized. (b) Sampling Risk in Substantive Testing Similarly, in substantive testing also, there are two kinds of risks involved. We may call these as the risk of incorrect rejection and the risk of incorrect acceptance. Risk of incorrect rejection is the risk that the sample checks supports that the recorded account balances are materially incorrectly stated while they are actually correct. This again makes the auditor redefine his sampling frame so as to increase the extent of his substantive tests, leading to waste of resources. Risk of incorrect acceptance, which the more serious of the two, is the risk that the auditor’s sample checks lead to the conclusion that the account balances are correct while in reality they are incorrect, thereby leading to erroneous audit conclusion and expression of incorrect audit opinion. Selection of appropriate sample size, both in compliance as well as in substantive testing, thus becomes imperative for the auditor to arrive at the correct opinion and to minimise his sampling risks. 10 Designing a Sample In designing sampling frame, the auditor has to follow the stages as described below: (a) Define the population and select an appropriate sampling method: attribute, variable, monetary unit etc. (b) Determination of the sample size which is a crucial step to minimize the auditor’s risks; (c) Selection of the sample elements following an appropriate random sampling procedure; (d) Performance of substantive audit tests on the sample elements and (e) Projecting the sample results into the population and express an audit opinion on the population. 11. Determinants of Sample Size in Attribute Sampling In case of attribute sampling, the first step is to clearly define the target population and the errors/ exceptions (attributes) the audit wishes to test. The following quantities estimated by the auditor could be the determinants of his sample size: 1. In order to determine the sample size, the auditor next defines the expected error rate or amount in the population which is an important determinant of the sample size. In compliance testing, the auditor seeks to determine is the rate of non-occurrence of the internal controls being applied, e.g. mistakes in vouchers, wrong entries in cash books, stores ledger, unauthorized payments, cash books not being daily checked or physical verifications not being made. These techniques can be applied in sanctions audit, propriety audit or regularity audit or in financial audit, where, while testing an account balance, the auditor only wants to confirm if the balance is correctly stated or no without going into estimating the correct balance (for which variable sampling would be necessary). The greater the expected error rate or amount, the greater the sample size must be for the auditor to conclude that the actual error rate or amount is less than the tolerate error rate or amount. 2. Tolerate error rate or amount is the maximum error rate the auditor is prepared to accept when deciding whether his initial evaluation of the control risk is valid or whether the total recorded transactions or balances may be regarded as accurate and complete. It is the maximum error rate the auditor is willing to accept and still conclude that the auditee is following the procedures properly. When testing for amounts, the tolerable error is limited by the level of materiality set by the auditor. The lower the tolerable error, the larger would be the sample size. 3. Audit tests on the sample will throw up an estimate of error for the population. The true error of the population could be more than this estimate. The difference between the sample estimate and the actual population is the precision level. The auditor has to decide the precision he desires to provide in his estimates. Tolerable Error, being the maximum error that the auditor is willing to accept = Maximum (sample estimate + precision level). 4. The confidence level or the level of assurance that audit needs to provide is to be predefined by the auditor. When a risk assessment has preceded the sampling process, the confidence level would be (1- detection risk). Confidence level states how certain the auditor is that the actual population measure is within the sample estimates and its associated precision level. 5. The occurrence rate or population proportion which is the proportion of items in the population having the error/exception that audit wishes to test. 6. Acceptable risk of over reliance: As we have seen, the risk of under-reliance does not affect the correctness of the auditor’s opinion, it only results in increasing his workload. When the degree of reliance in controls is high, the acceptable risk of over reliance is low and vice versa. The auditor may try to quantify the risk (5%, 10%, 15% etc.) depending on whether the degree of reliance is high, moderate or low. An appropriate quantitative framework needs to be prepared based on the above factors. 12. Nature of Population Statistical sampling is based on the assumption of homogeneity of population. In reality this assumption may not always be true. Another problem is the nature of distribution in the population which may not always be known. However, in general the nature of population distribution is immaterial when the sample size is large, as, according to the Central Limit Theorem, for a large sample, the sample means would have a normal distribution irrespective of the error-proneness of the auditee. When the sample size is small, one may have to use the t-distribution. While testing the internal controls of the auditee organisation, we are interested in finding the proportion of a population having a single attribute (say a specific control parameter like a classification mistake). In this case since there are only two possible outcomes of each individual testing, the Binomial/ Poisson distribution could be more appropriate. We need to determine whether we should take into account the nature of population distribution of the parameter to be audited and if so, how best we can develop a framework simple enough for the average auditor to follow and apply in actual practice. 13 Projecting the Results into the Population and Estimating the Population Value Once the audit tests are performed on the sample, the test results need to be projected to the population. Following this, a conclusion has to be reached. In compliance testing this would concern whether the auditor can place an assurance on the systems, while in substantive testing this might be to estimate the account balance from the sample results and thereby express an opinion about the correctness or otherwise of the reported balance. From the actual number/amount of errors observed in the sample, the sample size and the confidence level desired by the auditor, the precision p can be determined. The maximum error estimate of the population would then be obtained after loading the sample estimate with the precision. This is the computed tolerable error. Instead of solving the mathematical formula, it is possible to locate the 'computed tolerable error' straightway from the statistical tables for the desired confidence (assurance levels). A sample of such a statistical table is placed at annexure D. In a case when the computed tolerable error is less than the tolerable error, the auditor can place the desired assurance on the systems. When the computed tolerable error is higher than the tolerable error, the auditor cannot derive assurance form the systems. The auditor may, in such situations reduce the assurance he derives form the control and increase the assurance required from substantive tests. A similar, though more complex, process can be prescribed for estimating the population value of a parameter through variable sampling also. 14. Problems and Decision Areas There cannot be any doubt that statistical sampling cannot be a substitute for judgmental sampling and audit is primarily a judgmental process. At best statistical sampling may supplement the judgmental sampling. A review of the existing methods available for audit through sampling is given in Appendix I. There are many gray areas and we are i the process of evolving techniques and methods, after which they can be modified based on our experiences of actual application of the techniques and evaluation of the results thereof. The following are some of the areas that merit attention in this regard: A. To identify the areas of applicability of sampling methodology within the Department. For example, whether each of the following areas (only an illustrative list) can be audited though sampling techniques with equal effectiveness or if there are areas which will more prone to statistical analyses than others.: Checking the correct accountal of expenditure or receipts; Checking calculations of payment or receipts; Checking propriety and regularity of expenditure; Checking interpretation or application of rules /contract clauses /provisions of tax acts; Checking achievement of objective of expenditure / exemption of receipts. B. To evolve a framework for the application of sampling techniques in the identified areas. This will involve the following issues: i. To integrate the risk model of audit with the assumptions and requirements of sampling theory; ii. To suggest a way to identify the distribution of audit parameter in the population of transactions being audited and to suggest the corresponding sampling frame for auditing purposes; iii. To suggest an appropriate sampling method for selection of the sample elements so as to optimally achieve the audit objectives, including identification of areas for application of attribute/ variable/ monetary unit sampling; iv. To suggest an appropriate formula for determination of sample size; v. To evolve an appropriate methodology as well as theoretical framework for projecting the sample results into the entire population and for estimating the population value of the parameter; vi. To suggest ways in which audit risks can be minimized through sampling, especially the risk of over reliance and the risk of incorrect acceptance; vii. To suggest a way to incorporate the concepts of Materiality and Detection Risk in Audit in a more rigorous objective manner in the sampling frame to be evolved; viii. To suggest a practical way to apply the theoretical frame so suggested in practical auditing situations which is simple enough for an average auditor to understand and apply without mistakes. Annexure – A Factors to consider the assessment of inherent risk in financial audit The number and significance of audit adjustments and difference waived during the audits of previous years. Complexity of underlying calculations of accounting principles The susceptibility of the asset to material fraud or misappropriation Experience and competence of accounting personnel responsible for the component Judgment involved in determining amount Mix and size of items subject to the audit test The degree to which the financial circumstances of the entity may motivate its management to misstate the component in regard to this assertion Integrity and behaviour of the management. Management turnover and reputation Annexure – B Factors to consider for assessment of control risk in financial audit Evaluate the control environment Management philosophy and operating style The functioning of the board of directors and its committees, particularly the audit committee Organizational structure Methods of assigning authority and responsibility. Systems development methods Systems development methodology Personnel policies and practices Management reaction to external influences Internal audit Evaluate the control systems Segregation of incompatible functions Controls to ensure completeness of transactions being recorded Controls to ensure that transactions are authorized Third party controls (e.g. confirmation of events) Control over accounting systems Controls over computer processing Restricted access to assets (only allow access to authorized personnel) Periodic count and comparison (ensure book amounts reconcile with actual inventory counts) Controls over computer operations Annexure D: Annexure E: Annexure F: Z score values Confidence Level (%) 75 80 85 90 92 94 95 96 97 99 Z score values 1.13 1.28 1.44 1.65 1.751 1.881 1.96 2.054 2.17 2.58 Annexure G Existing Audit Sampling Methods The existing literature in audit prescribes certain procedures for the application of sampling in audit, especially concerning the most crucial stage of selection of sample size. Some of these are listed below. All these methods are followed in different situations/ by different SAIs, but there has been no attempt so far to compare between the results obtained by the application of these different techniques. A. When testing for amounts, the tolerable error is limited by the level of materiality set by the auditor. The lower the tolerable error, the larger the sample size. The population size is immaterial for the sample size when the auditor is working normal populations. Sample size is determined as Sample size= Reliability Factor /Tolerable Error Rate …………………….(1) This approach is based on the Risk Model and takes into account the factors like Expected Errors in Population, Tolerable Error Rate (which should be less than the expected error rate) and the Confidence Level. We give below an example of the Reliability Factors based on the Poisson distribution: No of Sample Errors 0 1 2 3 80% 1.61 3.00 4.28 5.52 Confidence Levels 90% 95% 2.31 3.89 5.33 6.69 3.00 4.75 6.30 7.76 99% 4.61 6.64 8.41 10.05 Thus if the maximum risk the auditor is willing to accept is 20%, the expected number of errors =1 and tolerable error rate =4%, the sample size = 3.00/0.04=75. In case the auditor finds 2 errors in the sample of 75, the Upper Error rate =Reliability Factor/ Sample Size= 4.28/75=5.5> Tolerable Error. Thus the auditor has to adjust his confidence level which will then become 75% commensurate with 2 errors at the tolerable error level of 4%. He will the place less reliance on controls and may increase the scope of his substantive tests/ procedures etc. Alternatively, the sample size will go up if he is to retain 80% level of confidence. B. Another approach, which is very similar to the first approach, takes into account the following 3 factors 1 Acceptable Risk of Over- Reliance (ARO) / Acceptable Risk of Incorrect Acceptance (ARIA), as explained earlier. 2 Tolerable Deviation Rate (TDR): This is the maximum rate of deviation the auditor is willing to accept without altering his planned reliance on the controls and is the same thing as the Tolerable Error Rate. For example, he may decide that in cash book checking, if the deviation rate is not more than 1 in 30 days, i.e. if the cash book is checked in at least 29 out of 30 days in a month, he will accept that the internal control system in this regard is working satisfactorily. The TDR in this case is 3.3%. Establishing the TDR is a matter of the auditor’s professional judgment and will relate to the significance of the transactions and related balances affected by the relevant internal controls. The higher the significance, lower is the TDR. As an illustration, we may decide that if the internal controls affect highly significant balances, the TDR of the auditor would be 4%; if they affect moderately significant balances, TDR of the auditor would be 8% and in case these affect balances of low significance, the TDR of the auditor would be reckoned as 12%. 3 Estimated Population Deviation Rate (EPDR): This is the expected error in the population and can be determined by selecting a preliminary sample and using the sample results to estimate the population deviation rate by applying either the ChiSquare or the t-distribution as described above. Point estimate can also be used. Once these three quantities are known, the sample size is automatically determined which can be found out from the statistical tables. A sample of such table is placed at Annexure E. After determining the size of the sample, auditor's task is reduced to check the sample elements and find out the actual deviation rate in the sample. C. A third approach suggests the following formula for determination of the sample size n n= Z 2 p (1 p ) E2 where …………………………………………….(2) Z=score associated with confidence level, E= precision p=occurrence rate Z scores uses the Normal Distribution as shown in Annexure F. D. Monetary Unit Sampling: In this the Sample size is determined on the basis of the following four quantities: 1 Acceptable Risk of Incorrect Acceptance (ARIA): It correspondence of the ARO used in attributes sampling for compliance test. The substantive testing where the auditor tests transactions and balances, the same risk is expressed as ARIA. It is the risk of accepting a transaction or an account balance as correct on the basis of the results of sample whereas, in reality, the auditor should not have accepted the same. 2 Tolerable Error (TE): In trying to verify the balances under investment account, the auditor may state that he will accept the recorded amount as correct, if the amount estimated on the basis of his sample lies between Rs.31.0 lakh and the recorded amount. Here the TE has been defined as Rs.1.0 lakh (=32-31) 3 Expected Error (EE): This is analogous to the EDPR as in attribute sampling. Here the auditor has to estimate the ER in the population designing the sample applications. 4 Recorded Population Value (sample Size): This is the rupee value (or other quantitative value) of the population taken from the records of the enterprise under audit. Sample size is then calculated based on above four quantities as follows. Step-I: Given the level of ARIA, the Expected Error (EE) is multiplied by the expansion factor at the given level of ARIA found from the following table: Expansion Factors for Expected Errors: ARIA 1% 5% 10% 15% Expansion 1.9 1.6 1.5 1.5 Factor 20% 1.3 25% 1.25 30% 1.2 37% 1.15 50% 1.0 Step II: The product of the EE and the Expansion Factor is then subtracted from the tolerable error to arrive at the tolerable error adjusted for expanded error. Step III: Tolerable Error adjusted for expanded expected error is then divided by the reliability factor for the actual number of expected errors at the given level of ARIA from the following table to arrive at the sampling interval. Reliability Factors for Errors of Overstatement: Risk of Incorrect Acceptance Number of 5% 10% 30% Number of Overstatement Overstatement Errors Errors 0 3.00 2.31 1.21 1 4.75 3.89 2.44 11 2 6.30 5.33 3.62 12 3 7.76 6.69 4.77 13 4 9.16 8.00 5.90 14 5 10.52 9.28 7.01 15 6 11.85 10.54 8.12 16 7 13.15 11.78 9.21 17 8 14.44 13.00 10.31 18 9 15.71 14.21 11.39 19 10 16.97 15.41 12.47 20 Risk of Incorrect Acceptance 5% 10% 30% 18.21 19.45 20.67 21.89 23.10 24.31 25.50 26.70 27.88 29.07 16.60 17.79 18.96 20.13 21.30 22.46 23.61 24.76 25.91 27.05 13.55 14.63 15.70 16.77 17.84 18.0 19.97 21.03 22.09 23.15 Step IV: Sample size can then be determined by using the formula: Sample size = Size of Population (i.e., the recorded population value)/ Sampling interval as determined in step III………………………(3) Evaluation of the results: The risk inherent in sampling prohibits the auditor to draw the conclusion that the sample results can be applied to the population per se. In case there are no errors in the sample, sampling risk is calculated as equal to the sampling interval multiplied by the reliability factor from the above table. This gives the basic precision limit or the projected error. If this projected error is less than or equal to the tolerable error limit, the auditor can accept the population as correct. It should be noted that this method is basically deigned to detect overstatements, in case understatements need to be detected, the method has to be suitably modified. Where errors are detected in the sample items, the upper limit errors in the sample can be estimated by adding three quantities: 1. Basic precision limit of the sample i.e. sampling interval multiplied by the reliability factor. 2. Errors found in all items which are greater than or equal to the sampling interval (In monetary unit sampling, all large items which are greater than or equal to the sampling interval are automatically included in the sample). 3. Errors found in items which are smaller than the sampling interval. If the upper limit of errors in the population as estimated by the auditor is lower than the TE, the auditor can conclude that the sample results are as per ledger. In case the upper error limit exceeds the TE, the population cannot be accepted and in such cases, the sample size has to be increased and additional audit procedures have to be devised. D. Variables Sampling: It is relatively more complex and useful in performing substantive tests, especially where errors are expected to be large or where there are zero or negative balances. It requires the estimate of standard deviation. There are number of techniques of variable sampling, e.g. mean per unit estimation, estimation of differences, estimation of ratios etc. We shall briefly outline only the first method, i.e. the Mean Per Unit method. Here the auditor calculates the average audited amount for the sample and projects it into the population. The steps are: 1. Define the population. 2. Determine sample of a size corresponding to the sampling risk the auditor is wiling to undertake: The sample size is calculated for a desired precision, the desired confidence level and the standard deviation of the population. 3. From the sample tests performed, find out the Average Sample Value defined as Average Sample Value=Total value of all sample elements/Number of sample elements. 4. Multiply the total number of elements in the population with the average sample value. The resultant figure is the estimated value of the whole population X=xN, where x is the average sample value and N the population size. Determining the appropriate sample size is the most crucial part of the entire procedure. The sample size can be determined, once the confidence level and desired precision are know and the value of the population standard deviation is estimated form a study of a small pilot sample, by following the procedures described earlier. Once these three quantities are known, the sample size can be calculated using the formula. n ={SXJ x (UR) x (N/A)} 2 …………………………………(3) where n is the sample size, SXJ is the estimated standard deviation of the population, UR is the coefficient (e.g. 1.645 is the coefficient of confidence for 90% level of confidence. The coefficients can be directly found out from the normal distribution table annexed at Annexure – D), N is the population size and A is the accuracy or precision desired in the estimates. As a measure of safety, the sample size may be increased by 10% or so. In the estimation of differences, the auditor calculates the differences between the values found from the samples and the corresponding values found in the books of the auditee and the difference is then projected for the whole population. If the resultant figure is within the desired precision limits, the auditor accepts the recorded figure as correct. In the estimation of ratios, the auditor calculates the ratio between the sum of the recorded amounts of the sample items and projects the same to the population. E. Stratified Sampling Plan: The following steps are usually required in a sampling plan for stratified random sampling. 1. Establish the desired precision level and confidence level for the estimate for the overall population value (this step is the same as in variables sampling). 2. Define the strata clearly so that each element in the population is known in advance to belong to one and only one stratum. It is important that there is no confusion regarding whether an element falls into one stratum or another. The exact number of elements falling in each stratum should be known. 3. Using the regular random number table (not the illustrative table given in this chapter), a preliminary sample of at least 30 items for each stratum may be selected. It may be recalled that this sample is required to calculate the standard deviation of each stratum. Thus, if the population is divided into three strata, 30 items from each stratum will separately be selected and examined. In selecting a sample for stratified random sampling, usually the items are selected without replacement. This means that once an item has been elected, it will not be included again even though its number may appear again in the random number table. 4. The estimated standard deviation of each stratum is then to be computed. The steps for calculating the same are given in the section on variables sampling. 5. The next step is to determine the basis of allocating the total sample size among the strata, i.e. to determine the percentage of the total sample size which each stratum will contribute. There are two methods of determining the percentage of the total sample size which each stratum will contribute (this figure can be represented by the symbol Pi): (a) Proportional allocation Under this method the percentage of the total sample size allocated to each stratum is in proportion to the number of elements in each stratum. Suppose we have sub-divided a population into two strata, A and B. thus, if stratum A has 1,500 elements and stratum B has 500 elements, the percentage of the sample allocated to each stratum will be in the ratio of 3:1. The value of Pi for the first stratum would be 0.75 and for the second 0.25. (b) Optional allocation This method takes two factors into account —the number of elements in each stratum and the homogeneity of elements in each stratum. The percentage of sample size to tbe contributed buy each stratum (Pi) is calculated by taking a weighted average of both of these factors. The following illustrates this. 1. 2. Stratum High value items Low value items Ni 1,500 500 Si 36 205 NiSi 54,000 1,02,500 Pi 0.35 0.65 where Ni represents the number of elements in each sample, Si represents the estimated standard deviation and thus, the dispersion of elements in each stratum. NiSi is the product of Ni and Si and Pi is the proportion that NiSi of the one stratum bears to the total NiSi. Thus, Pi for stratum 1 is: NiSi 54,000 = 0.35. NiSi 1,56,500 Similarly Pi for Stratum 2 is: Pi = 0.65 It can be seen that the method of optimal allocation takes into account the standard deviation as well as the number of elements in each stratum. It is a better method than the proportional allocation method. 6. The next step is to compute the total sample size through the equation given below: n= NiSi 2 ( N i Pi n ) U R2 ∑ …………………………………………….(4) Pi A2 It would be noted that except for n, which represents the sample size and which we have to find out, all other quantities in this formula are know to us. Is the square of the coefficient of reliability; A2 is the square of the precision limit required; Ni is the number of elements in the population; Si is the square of the estimated standard deviation of each stratum; and Pi is the percentage of the total sample size that each stratum will contribute.) 7. From the solution of the sample size equation, the total sample size is known. The contribution of each stratum to the total can be calculated by multiplying the total sample size with Pi Thus, if the total sample size is 300, Stratum 1 will contribute 105 (300x0.35) items. To this, a 10 per cent addition many be made as a matter of precaution and 116 items (105+11) will, therefore, be selected from Stratum A. Similarly, Stratum B will contribute 215 (195+20) items. 8. From each stratum, select additional items for examination and record the individual values. 9. Compute the new sample mean for each stratum. 10. Estimate the total population value. The estimated value of each stratum can be reached by multiplying stratum sample mean by the number of elements in the population. ( x iNi,, where x i is sample mean o a stratum and Ni is the number of elements in the stratum.) The value of the various strata can then be added to each an estimate of the value of the population. There are other techniques available for sampling with the help of which the auditor looks for a characteristic, which, if discovered in his sample might be indicative or more widespread irregularities. Discovery of one such error will be indicative of the need to apply more extensive checks. This technique, called discovery sampling, is especially useful in unearthing frauds.