“Audit Sampling 101”

BY: Christopher L. Mitchell, MBA, CIA, CISA, CCSA

Cmitchell@KBAGroupLLP.com
BIO
► Principal KBA’s Risk Advisory Services Team
► 15 years of internal controls experience within
the following industries: telecommunications,
government, manufacturing, financial
services, public accounting, and information
technology.
► BA in Accounting / MBA in Information
Technology
► Certified Information Systems Auditor
► Certified Internal Auditor
► Certified Controls Self-Assessor
Presentation Outline
► What is sampling and when is it used?
► Audit / Sampling / Non-Sampling Risks
► Statistical vs. Non-Statistical Sampling
► Attribute / Variable Sampling
► Steps in the sampling process
► Terms used in sample planning
► Terms used in evaluating results
► Computer Assisted Auditing Techniques
► Questions
What is Sampling?
Audit sampling is the application of an audit procedure
(test of control or substantive testing) to less than
100% of the items within an account balance or class
of transactions for the purpose of drawing a general
conclusion about the account balance or the entire
group of transactions based on the characteristics
detected in the sample. Sampling allows an auditor
to draw conclusions about transactions or balances
without incurring the time and cost of examining
every transaction.
When is sampling used?

Sampling is generally used in field audits

when it is not efficient to review 100% of
the records. Sampling may also be
used if records are missing or other
circumstances make reviewing all of the
records difficult.
Representative Sample

A representative sample is one in which the

characteristics in the sample of audit interest
are approximately the same as those of the
population. Two things cause a sample to be
non-representative:
► Non-sampling risk
► Sampling risk
Non-Sampling Risk
Non-sampling risk is the risk
that the audit tests do not
uncover existing exceptions
in the sample. The two
causes are:
► Auditor failure to recognize
exceptions
► Inappropriate or ineffective
audit procedures
Sampling Risk
Sampling risk is the risk
that an auditor reaches
an incorrect conclusion
because the sample is
not representative of
the population. This
can be controlled by:
► Adjusting the sample size
► Using an appropriate
method of selecting
sample items
 Audit Risk
Risk Models

Audit Risk = Inherent Risk X Control Risk X Detection Risk

Audit Risk = Sampling Risk + Non-Sampling Risk

Statistical vs. Non-Statistical Sampling

Statistical Sampling Non-Statistical Sampling

_________________ ___________________
Applies the laws of __
probability theory to Is solely based on the
assist the auditor in auditor’s judgment.
designing a sampling
plan and subsequently
evaluating the results of
the sample.
Statistical Sampling
Statistical sampling
provides a means of
mathematically
evaluating the outcome
of the sampling plan by
applying the laws of
probability to measure
the likelihood that
sample results are
representative of the
population.
 Probabilistic Sample Selection
Probabilistic sample selection selects a sample in a way
that each population item has a known probability of
being included in the sample and the sample is
randomly selected.

► Simple Random Number Selection – all items of the population

have an equal chance of being selected. Can use random number
tables and random number generators.
► Systematic Sample Selection – auditor determines an interval and
selects items on the basis of the interval.
► Probability Proportional to Size – probability of selecting an item is
proportional to its recorded amount.
► Stratified Sample – divided population into subpopulations and use
different selection criteria for each subpopulation.
 Stratification Illustrated
The process of dividing a population into subpopulations that have similar
characteristics. Strata must be defined so that each sampling unit can
only be in one stratum

Accounts Receivable Stratification

Stratum Size Composition of Stratum Sample Selection

All accounts over $5,000 100%
2 22 examination
All accounts between $1,000 and Random-number
3 121 $5,000 table
All accounts under $1,000 Systematic
4 85 selection
All accounts with credit balances 100%
5 14 examination
Disadvantages of Statistical Sampling

► Overvalue the evidence it provides

► Reduces auditor skepticism
► Increased cost
► Train auditors
► Design samples
Nonstatistical Sampling
In nonstatistical sampling,
the auditor does not
quantify sampling risk.
Instead, those sample
items that the auditor
believes will provide the
most useful information
are selected. Since
conclusions are based
on a judgmental basis,
nonprobabilistic sample
selection is normally
conducted.
 Nonprobabilistic Sample Selection

Nonprobabilistic sample selection is a method of

selecting a sample where the auditor uses
professional judgment rather than probabilistic
methods to select sample items.
► Direct sample selection – auditor selects items based on
judgmental criteria such as likelihood of misstatement,
characteristics such as different time periods, or large dollar
amounts.
► Block sample selection – selection of a number of items in
sequence. Auditor must use several blocks to obtain a
representative sample.
► Haphazard sample selection – selection of items without any
conscious bias on the part of the auditor.
Rule #1
When designing the size and structure of an audit
sample, Auditors should consider the specific audit
objectives, the nature of the population and the
sampling and selection methods. The auditor should
consider the need to involve appropriate specialist in
the design and analysis of samples.
Applications of Sampling in the audit

Attribute Sampling Variables Sampling

(Test of Controls) (Test of Account
Balances)
The use of sampling for
compliance testing The use of sample for
(qualitative characteristic) substantive test on the
client’s account balances
(quantitative characteristic)
Sampling Risk in Attribute Sampling

Risk of Underreliance Risk of Overreliance

Control Risk Too High Control Risk Too Low

Not relying on the Relying on internal

internal controls controls when it is
when, in fact, the not appropriate.
auditor should rely
on internal control.
Sampling Risk in Variables Sampling

Risk of Incorrect Rejection Risk of Incorrect Acceptance

Auditor’s sample indicates that Auditor’s sample indicates that

the account balance is the account balance is fairly
materially misstated even stated even though the
though it is fairly stated. account balance is materially
misstated.
 Sample Characteristics
► Precision – Represents the closeness of the
auditor’s sample estimate to the true (but
unknown) population value.
► Reliability – is the probability that the auditor’s
sample provides a sample estimate that is of
a specified precision.
Steps in the Sampling Process
► Planning the Sample (Steps 1-9)
► Select the Sample and Perform the Tests (Steps 10-11)
► Evaluate the Results (Steps 12-14)
 Planning the Sample
1. State the objectives of the audit test.
2. Decide whether audit sampling
applies.
3. Define attributes and exception
conditions.
4. Define the population.
5. Define the sampling unit.
Planning the Sample Cont.
6. Specify the tolerable exception rate.
7. Specify the acceptable risk of
assessing control risk too low.
8. Estimate the population exception
rate.
9. Determine the initial sample size.
Select the Sample and Perform the Tests

10. Select the sample

11. Perform the audit procedures
Evaluate the Results
12. Generalize from the sample to
population.
13. Analyze exceptions.
14. Decide the acceptability of the
population.
Terms Used in Sample Planning
► Characteristics or ► Sample Size
Attribute Sampling ► Sampling Risk
► Variable Sampling ► Risk of Incorrect
► Audit Objectives Acceptance
► Risk of Incorrect
► Sampling Unit Rejection
► Population ► Level of Sampling Risk
► Stratification
► Tolerable Error
► Expected Error
Terms Related to Evaluation Results

► Exception
► SampleException Rate
► Computed Upper Exception Rate
Computer Assisted Audit Techniques (CAATS)

CAATS is the practice of using computers to automate or simplify

the audit process. Examples:
► Audit Command Language (ACL)
► Interactive Data Extraction (IDEA)
► SAS
► Excel
► Access
► Crystal Reports
► Business Objectives
CAATS vs. Traditional Audit
► Sample 100% percent of the data
► Test for Specific Risks
► Automated Process
► Easier to Target Sample
► More precise error rate
► Less time / more productive
Questions?