Chapter 8 Auditing
Due to sampling risk, the auditor faces the chance that the evaluation of a sample may lead to one of two possible types of decision errors:
(1) deciding that the population tested is not acceptable when in reality it is and (2) deciding that the population tested is acceptable when in reality it is not. In statistical terms, these errors are known as Type I and Type II errors, respectively.
Advantages of statistical sampling
(1) design an efficient sample, (2) measure the sufficiency of evidence obtained, and (3) quantify sampling risk.
3 important inputs to determine sample sizes
(1) desired level of assurance in the results of the sample (or confidence level), (2) acceptable defect rate (or tolerable error), and (3) historical defect rate (or expected error).
An approach is nonstatistical if
(1) judgment is used instead of a statistical formula to determine the sample size, (2) a haphazard sample selection technique is used, and/or (3) the sample results are evaluated judgmentally.
Why will technology never eliminate the need for auditors to rely on sampling?
(1) many control processes and data input procedures require HUMAN INVOLVEMENT (2) many testing procedures require the auditor to PHYSICALLY inspect an asset (e.g., inventory) or inspect characteristics of a transaction or balance (3) in many cases auditors are required to obtain and evaluate EVIDENCE from third parties (e.g., letters confirming accounts receivable balances from the entity's customers); (4) audit data analytics are only as good as the QUALITY OF the underlying DATA and often the completeness, accuracy, and validity of the underlying DATA NEEDS to be TESTED and sampling can be an effective and efficient technique; and (5) audit data analytics often identify a large number of notable items that the auditor may test using sampling. These situations require the auditor's "hands-on" attention. When the number of items or transactions in these populations is large, it may not be economical for auditors to test 100 percent of the population; instead they use sampling to GATHER SUFFICIENT AUDIT EVIDENCE
If the planned level of control risk is not supported by the sample results and other tests of controls, the auditor should either
(1) test other control procedures that could support the planned level of control risk or (2) increase the assessed level of control risk and modify the nature, extent, or timing of substantive procedures.
Typically, accounting firms' nonstatistical guidelines are consistent with sampling theory and are designed to provide two primary benefits:
(1) to SIMPLIFY the judgments required by field auditors by having experts at firm headquarters make firmwide judgments and (2) to IMPROVE consistency in sampling applications within and across engagement teams.
4. Select sample items
*all items must have an equal opportunity to be selected Selection methods: 1. Random number selection 2. Systematic selection
1. Determine the test objectives
- Auditing standards require that sampling applications be well planned and take into consideration the relationship of the sample to the objective(s) of the test. - The objective of attribute sampling when used for tests of controls is to evaluate the operating effectiveness of the internal control for purposes of the internal control audit for public companies determine the degree reliance that can be placed on controls for a financial statement audit. Answer: The auditor assesses the deviation or error rate that exists for each control selected for testing. Audit sampling for tests of controls is generally appropriate when the completion of a control procedure leaves documentary evidence
Random number selection
- The auditor may select a random sample using random numbers generated by a spreadsheet application or audit sampling software. - In this method of selection, every item in the population has the SAME PROBABILITY of being selected as every other sampling unit in the population.
Determine the sample size
- consider the desired confidence, the tolerable deviation rate, and the expected population deviation rate. - just bc it's Nonstatistical doesn't mean that you get to do whatever with your sample size
2. Define the population characteristics
- define the sampling population (determine that the population from which the sample is selected is appropriate for the specific assertion, because sample results can be projected only to the population from which the sample was selected) - determine that the physical representation, or frame, of the population is complete (compare the frame to the the general ledger or by examining and accounting for the numerical sequence of prenumbered sales invoice documents) - define the sampling unit (The sampling unit should be defined in relation to the control being tested.) - define control deviation conditions (a deviation is a departure from adequate performance of the internal control)
3. Determine the sample size (most difficult)
- desired confidence level - tolerable deviation rate - expected population deviation rate
To avoid the possibility that a systematic sample will miss systematic deviations in the population, the auditor can use ________________ random starting points.
Several
Statistical sampling permits the auditor to for the purpose of reaching a statistical conclusion about the population.
USE the most efficient sample size and to QUANTIFY the sampling risk
Accepting some ______________ is the trade-off between the cost of examining all the data and the cost of making an incorrect decision based on a sample of the data.
Uncertainty
Disadvantages of statistical sampling
additional costs of (1) training auditors in the proper use of sampling techniques, (2) designing and conducting the sampling application, and (3) lacking consistent application across audit teams due to the complexity of the underlying concepts.
The uncertainty related to nonsampling risk can be managed by
adequate training, proper planning, and effective supervision.
the key determinant of sample size is the
amount by which the tolerable deviation rate exceeds the expected deviation rate.
Selecting the Sample Sizes (nonstatistical) While random-sample or systematic-sample (with a random start) selection is required for statistical sampling, nonstatistical sampling allows the use of those selection methods as well as other selection methods such as
haphazard sampling.
Precision
how close a sample estimate is to the population characteristic being estimated, given a specified sampling risk; difference between the expected and the tolerable deviation rate or misstatement.
Tolerable error
how much error you can tolerate before rejecting the account or control
Expected error
how much error you expect to exist in the account or control).
Tolerable deviation rate
maximum deviation rate from a prescribed control that the auditor is willing to accept and still consider the control effective
If the auditor concludes that the evidence SUPPORTS the planned level of control risk,
no modifications of the planned substantive procedures are necessary.
Haphazard sampling
sampling units are selected without any conscious bias-that is, without a special reason for including or omitting items from the sample. This does not imply that the items are selected in a careless manner; rather, the sampling units are selected to represent the population.
Define audit sampling
selection and evaluation of less than 100 percent of the items in a population of audit relevance selected in such a way that the auditor expects the sample to be representative of the population and thus likely to provide a reasonable basis for conclusions about the population.
In setting the desired confidence level and acceptable level of risk, the auditor considers the
significance of the account, the importance of the assertion on which the control provides assurance, difficulty or complexity in applying the control, degree of reliance to be placed on the control. *The more significant the account, the more complex the process or policy, and the higher the "what could go wrong" impact if the control fails, the higher the desired confidence.
To properly apply nonstatistical sampling, auditors' judgment and their firm's sampling guidance must be grounded in
statistical sampling theory
In evaluating the results of testing a control, the auditor is normally concerned only with whether the Because the auditor does not know the true deviation rate, he or she calculates a computed
true deviation rate exceeds the tolerable deviation rate; upper deviation rate.
Determining the sample results for an attribute-sampling application can be accomplished by the: The auditor calculates the _______________ deviation rate and the _________________ upper deviation rate.
use of a computer program or attribute-sampling tables; sample and computed
Classical variables sampling
used to determine whether an account is materially misstated.
Attribute sampling
used to estimate the proportion of a population that possesses a specified characteristic
Monetary unit sampling
uses attribute-sampling theory and techniques to estimate the monetary amount of misstatement for a class of transactions or an account balance
Statistical sampling
uses the laws of probability to compute sample size and evaluate the sample results
Measurement of the deviation rate provides evidence about and therefore provides support for the auditor's set level of control risk.
whether the control is operating effectively to process accounting transactions properly
We have already covered the types of evidence in earlier chapters, but here are some examples of typical sampling applications.
1. Inspection of tangible assets: An auditor typically attends an entity's year-end inventory count. Because the number of inventory items can be very large, the auditor may use audit sampling to select inventory items to physically inspect and count. 2. Inspection of records or documents: A control may require that before a check is written to a vendor, the payables clerk must match an approved purchase order to an approved receiving report and vendor invoice and indicate an acceptable match by initialing a copy of the check stapled to the other three documents. For large companies, this sort of control would be performed many times a day. The auditors can gather evidence on the effectiveness of the control by testing a sample of the documentation packages. 3. Reperformance. As discussed in 4 Chapter 7, to comply with PCAOB standards, publicly traded entities must document and test controls over important assertions for significant accounts. In assessing the competence and objectivity of the entity's work, the auditor may reperform a sample of the tests performed by the entity. 4. Confirmation. A common technique to gather evidence that accounts receivable balances exist and are accurately recorded is to ask customers to confirm their balance. Rather than contact all customers, the auditor can select a sample of customers.
5. Perform the audit procedures In conducting the audit procedures for tests of controls, the auditor may encounter the following situations:
1. Voided documents, Unused or inapplicable documents, Inability to examine a sample item, Stopping the test before completion 2. Understand and analyze deviations observed
Understand and Analyze Deviations Observed The auditor should evaluate the qualitative aspects of the deviations identified. This involves two considerations.
1. nature of each deviation and its cause and consequences should be considered (accident or fraud, and if there is a monetary misstatement). determine whether a deviation resulted from a cause such as misunderstanding of instructions or carelessness. 2. consider how the deviations may impact the other phases of the audit.
There are two reasons auditors will tolerate deviations and still consider a control to be effective.
1. technical and relates to sampling risk. There must be an allowance for sampling risk. 2. relates to the purpose and application of controls. To be effective, most controls do not need to operate 100 percent of the time so long as the times the control fails to operate are not predictable and the person(s) performing the control investigate(s) processing exceptions observed during the proper application of the control.
Two advances have reduced the number of times auditors need to apply sampling techniques to gather audit evidence.
1. well-controlled, automated ACCOUNTING SYSTEMS that can process routine transactions with no or very few errors. Rather than rely on audit sampling to test routine transactions processed by these automated information systems, auditors can test the processing software control configurations and general computer controls associated with the automated controls. 2. audit software and audit data analytics techniques allow auditors to DOWNLOAD and EXAMINE ENTIRE populations of data rather than rely on a sample from the population.
5% sampling risk=
95% confidence level
Unused or inapplicable documents. Sometimes a selected item is not appropriate for the definition of the control. For example, the auditor may define a deviation for a purchase transaction as a vendor's bill not supported by a receiving report. If the auditor selects a telephone or utility bill there will not be a receiving report to examine. In such a case, the _________________of the receiving report would not be a deviation. The auditor would simply ________________ the item with another purchase transaction.
Absence; replacr
Why sampling?
Bc it's too expensive and not feasible to examine every single ****ing thing
If the evidence supports the planned level of control risk and the internal control is reliable, the auditor has made a _________________ decision. Similarly, if the evidence does not support the planned level of control risk and the internal control is not reliable, a ______________ decision has been made.
Both correct, the ****?
If the auditor observes a ______________ deviation rate than the _____________ rate used in the sample size calculation, this usually means the control is not operating effectively.
Higher; expected
Automated information systems process transactions _____________________ unless the system or programs are changed. When testing automated IT controls, the auditor may decide to test _______ or a ______ of each type of transactions at a point in time. In conjunction with that test of the automated controls, the auditor may test ____________ controls over ______________ to the system and program in order to provide evidence that the automated controls have been operating over the audit period. This type of test of automated IT control does not involve audit sampling.
Consistently; one; few; general; changes
For an audit of internal control over financial reporting, the ineffective control would be considered a ___________ _________________ unless the entity remediates the control and both the entity and the auditor retest to support the remediated control's effectiveness. For purposes of an audit of internal control, the auditor must evaluate the _______________ and ______________________ of a potential misstatement arising as a result of control deficiencies
Control deficiency; likelihood and magnitude
Because the auditor selects the sample from the frame, any conclusions __________ only to that physical representation of the population. If the frame and the population differ, the auditor might draw the ___________ conclusion about the population.
Relate; wrong
What is type II error
Risk of incorrect acceptance: supports a conclusion that it is operating well when it's not
What is the Type I error
Risk of incorrect rejection: the risk that the sample says that the control is not operating effectively when it is
The sample deviation rate is simply the number of __________________ found in the sample divided by the number of ___________ in the sample. This calculation ______________ the sample results to the population and is required by auditing standards.
Decorations, items; projects
Both sampling and non sampling risk make up
Detection risk
The differences between nonstatistical and statistical sampling occur in any or all of the following steps:
Determining the sample size. Selecting the sample items. Calculating the computed upper deviation rate.
For a financial statement audit, the final conclusion about control risk for the accounting system being tested is based on the auditor's ____________________ ______________________ of the sample results and other relevant tests of controls such as inquiry and observation.
Professional judgement
Inability to examine a sample item. Auditing standards require that the auditor consider the effect of not being able to apply a planned audit procedure to a sample item. For most tests of controls, the auditor examines documents for evidence of the performance of the control. If the auditor is unable to examine a document or to use an alternative procedure to test whether the control was adequately performed, the sample item is a ____________________ for purposes of evaluating the sample results.
Deviation
The auditor may occasionally select a voided document in a sample. If the transaction has been properly voided, it does not represent a __________________. The item should be ________________ with a new sample item.
Deviation; replaced
The sample size has a ____________ relationship to the expected population deviation rate; the larger the expected population deviation rate, the larger the sample size, all else equal.
Direct
there is a ______________ relationship between the confidence level and sample size:
Direct
When using audit sampling, the auditor should avoid ___________________ the sample by selecting only items that are unusual or large or items that are the first or last items in the frame, because the auditor needs a sample that represents the population in order to draw inferences about the population from the sample.
Distorting (This is not to say that selection of unusual, large, or risky events, transactions, or balances should be avoided in other audit procedures that do not involve audit sampling. To the contrary, the auditor should focus specific audit procedures on all such items, using 100 percent testing rather than audit sampling, because audit sampling requires selection of items in a population using chance)
The risk of incorrect rejection (a Tvpe I decision error) relates to the ________________ of the audit. This type of decision error can result in the auditor conducting: The risk of incorrect acceptance (a Type II decision error) relates to the ________________ of the audit. This type of decision error can result in the auditor failing to detect a material misstatement in the financial statements, which can lead to __________________. Because of the potentially severe consequences of a Type Il decision error, auditors design their sampling applications to keep this risk to an acceptably low level.
Efficiency; more audit work than necessary in order to reach the correct conclusion; effectiveness; litigation
The upper limit represents the upper one-sided confidence limit for the population deviation rate based on the sample size, the number of deviations, and the planned level of confidence. In evaluating the results of testing a control, the auditor is normally concerned only with whether the true deviation rate ______________________ the tolerable deviation rate. Therefore, the auditor is generally concerned only with how __________ the population deviation rate might be; it doesn't matter how low the population deviation rate might be.
Exceeds, high
if one or more deviations are found in the sample, the auditor needs to
Expand the sample or increase the assessed level of control risk.
T/F Research finds that the use of templates can decrease the proper application of audit sampling in practice.
False, increase
Which will auditors test all instead of using sampling!
Few large items, esp complex ones, and a small number of large transactions, testing IT controls
If control risk is mistakenly set at a low level, detection risk will be set too _________. This ____________________ the risk that the auditor will fail to detect a material misstatement if one exists in the account.
High; increases
Confidence level and sampling risk are related to sample size: the larger the sample, the _____________ the confidence level and the __________ the sampling risk.
Higher, lower
Once the desired confidence level is established, the appropriate sample size is determined largely by
How much the tolerable error exceeds the expected error
If the evidence supports the planned level of control risk but the internal control is not truly reliable, the auditor will have ________________ accepted the control as effective and ________________ on internal control (Type II error). This results in the auditor establishing detection risk too __________ and leads to a ________ level of evidence being gathered through substantive procedures. Thus, the auditor's risk of not detecting material misstatement is ________________. This can lead to a lawsuit against the auditor.
Incorrectly, overrelied, high, lower, increased
If the evidence does not support the planned level of control risk but the internal control is truly reliable, the auditor will have ______________ rejected the control and _________________ on internal control (Type I error). This results in the auditor establishing detection risk too ______ and leads to a ___________ level of evidence being gathered through substantive procedures than is necessary. Thus, the auditor is overauditing and performing an inefficient audit.
Incorrectly, underrelied, low, higher
That the auditor does not know the true population deviation rate (i.e., whether the control is reliable), because it is ____________ or in some cases not even ________________ to test the full population. That is why auditor decisions are made based on sample results, and errors are made unknowingly.
Inefficient; feasible
The sample size is _________________ related to the tolerable deviation rate. The lower the tolerable deviation rate, the larger the sample size.
Inversely
When tolerable and estimated deviation rates are too close together, sample sizes will become too ______________to be practical or are simply not ____________________ because there is insufficient allowance for sampling risk. Furthermore, in some instances where an asterisk appears in the tables, the expected population deviation rate is ________________ than the tolerable deviation rate; audit sampling obviously is not appropriate in such situations because there is no allowance for ____________________ ______________
Large; computable; greater; sampling risk
A good estimate of the expected population deviation rate is very important for attribute sampling because the statistical sample size will be just _______________ enough such that if the auditor observes the deviation rate she or he expects or lower, the sampling application will support a conclusion that the control is operating ______________________
Large; effectively
Statistical sampling requires that the auditor be able to __________________ the probability of selecting the sampling units selected.
Measure
When a control fails to operate, it usually does not result in a ___________________ misstatement to the financial statements, because most transactions are properly ____________ and ________________ and there are other compensating controls or processes that might detect a misstatement should one occur. And if the operator of the control investigates processing exceptions that are discovered, he or she can ________________ the cause and potential implications of the exception(s) and take __________________ actions if necessary.
Monetary, input, processed, research, corrective
Is the size of the population an important factor in determining sample?
No
What are the two approaches to audit sampling?
Nonstatistical and statistical
If the auditor believes that the expected population deviation rate exceeds the tolerable deviation rate, the statistical testing should ________ be performed, because in such a situation no amount of sampling can reduce the population deviation rate below the tolerable rate. Instead, the auditor should perform _____________________ _______________________ ______________________ rather than rely on the control.
Not; additional substantive procedures
Auditors often establish _______ sample size for all controls tested within a business process; this is particularly true when all the tests of controls are to be conducted on the ___________ sampling units. This is an acceptable practice because the auditor would use the _______________ of the computed sample sizes.
One; same; large
In attribute sampling, the sample deviation rate represents the auditor's best estimate of the ________________ __________________ ________. However, because this result is based on a sample, the auditor does not know the __________ population deviation rate and must consider an ___________________ for sampling risk before reaching any conclusions.
Population deviation rate; true; allowance
The smaller the difference between these two variables (tolerable and expected error) the more ________________ the sampling results must be, and therefore the _______________ the sample size needed.
Precise; larger
In systematic selection, a ______________ number is selected in the first interval, and then every _____ item is selected. When a _____________ starting point is used, systematic selection provides a sample where every sampling unit has an ____________ chance of being selected.
Starting, nth, random; equal
Stopping the test before completion. If a large number of deviations are detected early in the tests of controls, the auditor should consider __________________ the test as soon as it is clear that the results of the test will not support the ________________ assessed level of control risk. In the context of an audit of internal controls for a public company, the entity would be informed, and the exceptions would be considered a _______________ deficiency unless remediation and retesting are successful or there are other controls that adequately address the increased risk of misstatement. In the context of a financial statement audit, the auditor would rely on other _______________ _______________ or set control risk at the _________________ for the audit assertion affected, and appropriately enhance the related substantive tests.
Stopping; planned; control; internal controls; maximum
to apply sampling there must be _______________ margin for error.
Sufficient
What is the most common use of attribute sampling? Why?
Tests of controls; auditor wants to determine the proportion of the population for which a control is not effective, also known as the deviation rate.
6. Calculate the Sample Deviation and Computed Upper Deviation Rates
The auditor summarizes the deviations for each control tested and evaluates the results.
Expected population deviation rate
The deviation rate that the auditor expects to exist in the population.
The sample population should be restricted to the ________________________ and __________ _________________ under the same system of controls that are relevant to the assertions being tested.
Transactions; time period
T/F When using audit sampling to obtain evidence, the auditor must always accept some sampling risk simply because he or she is not examining all items in a population.
True
T/F the auditor must balance effectiveness concerns with efficiency concerns when setting the desired confidence level and acceptable risk of incorrect acceptance.
True
T/F Any randomly drawn sample can be statistically evaluated-even if the auditor labels the approach "nonstatistical" and even if the sample size was not statistically derived.
True- This is an important point because it highlights the need for auditors to understand the key concepts of sampling theory even if they are using a nonstatistical approach.
T/F If the auditor sets control risk too low and overrelies on the controls, the level of substantive procedures may be too low to detect material misstatements that may be present in the financial statement account. Why?
True; when control risk inappropriately decreases, the auditor increases the acceptable level of detection risk associated with substantive testing to compensate.
In statistical sampling, auditors typically use __________________________ random sampling without replacement for sampling applications. This means that once an item is selected, it is _______________ from the frame and cannot be selected a second time. Given the auditor's obiectives, it seems sensible for an auditor to include an item only once in the sample. Random numbers can be obtained from random-number tables or software such as MS Excel or IDEA.
Unrestricted; removed
If the computed upper deviation rate is less than or equal to the tolerable deviation rate, the auditor can conclude that the control tested ________ be relied upon. If the computed upper deviation rate exceeds the tolerable deviation rate, the auditor will normally conclude that the control is ________ operating at an acceptable level.
Upper<tolerable=good Upper>tolerable=bad
Auditors use three major types of statistical sampling techniques:
attribute sampling, monetary-unit sampling, and classical variables sampling.
Systematic selection
auditor determines a sampling INTERVAL by dividing the sampling population by the sample size. (Interval, population/sample size)
Nonstatistical Sampling
auditor does not strictly follow statistical techniques to determine the sample size, select the sample, and/or measure sampling risk when evaluating results.
Why can't haphazard sampling be used for statistical method?
because the auditor cannot measure the probability of an item being selected.
Firms that use nonstatistical audit sampling approaches build in their sampling experts' decisions into sampling tools and templates, which
can simplify the application of audit sampling, reduce mistakes that can occur in applying statistical sampling, and foster consistency in application across audit teams.
7. Draw final conclusions
compare the tolerable deviation rate determined in the planning phase to the computed upper deviation rate.
Calculating the computed upper deviation rate With a nonstatistical sample, the auditor can calculate the sample deviation rate but cannot quantify the _____________________________________________________ and the sampling risk associated with the test.
computed upper deviation rate
A disadvantage of nonstatistical sampling is that auditor judgment may How do audit firms that use nonstatistical sampling address this concern?
diverge significantly from sampling theory, resulting in testing that is not as effective as statistical sampling. by providing their auditors with nonstatistical sampling guidance procedures that are easy to use, encourage consistency in sampling applications across engagement teams, and are grounded in sampling theory.
Sampling unit
individual members of the sampling population
Why do auditors use monetary unit sampling?
it has a number of advantages over classical variables sampling. Monetary-unit sampling builds upon attribute-sampling theory to express a conclusion regarding the monetary amount of estimated misstatement in an account.
Define representative sample
one where the evaluation of the sample leads to the same conclusions that would be drawn if the same audit procedures were applied to the entire population.
If an auditor randomly selects a sample and then evaluates the results judgmentally, the quality of his or her judgment can be evaluated against statistical theory by
outside experts
Nonstatistical sample sizes are determined by applying
professional judgment and guidance in audit firm policy.
With nonstatistical sampling the auditor does not 1. And 2.
strictly apply statistical techniques and has the ability to apply some judgment to evaluate the results.
Confidence level
the desired level of assurance that the sample results will support a conclusion that the control is functioning effectively; complement to sampling risk so you can set either sampling risk or confidence level
Allowance for sampling risk
the difference between expected and tolerable deviation rate.
Define sampling risk
the possibility that the sample drawn is not representative of the population and that the auditor will reach an incorrect conclusion about the account balance or class of transactions based on the sample.
Nonsampling risk
the risk that the auditor reaches an erroneous conclusion for any reason that is not related to sampling risk; that auditors will make judgment errors caused by the use of inappropriate audit procedures or misinterpretation of audit evidence and failure to recognize a misstatement or deviation. JUST BAD JUDGMENT
Computed upper deviation rate
the sum of the sample deviation rate and an appropriate allowance for sampling risk. This sum represents an upper limit on how high the population deviation rate might actually be, at a controlled level of sampling risk *In other words, at the 95 percent confidence level, there is only a 5 percent chance that the true population deviation rate exceeds the computed upper deviation rate.