CH 8 Specialized Audit Tools: Attributes Sampling, Monetary Unit Sampling, and Data Analytics Tools


Business Intelligence Platforms The powerful computer platforms that decision makers rely on to conduct data analytics are known as business intelligence (BI) platforms. Auditors will be using these platforms more and more as the technology advances. BI platforms enable organizations to bring together data analytics tools across three categories:

(1) online analytical processing, (2) information delivery, e.g., dashboards, and (3) platform integration that allows for the management of big data.

Using Sampling and Data Analytics Tools for Gathering and Evaluating Audit Evidence This chapter describes two broad types of tools that auditors use to efficiently gather and evaluate evidence:

(1) sampling for either testing the effectiveness of controls (attributes sampling) or direct tests of account balances and assertions (monetary unit sampling), and (2) data analytics tools that the auditor can use for obtaining, analyzing, visualizing, and evaluating client data.

Step 3. Determine the Sample Size An optimal sample size minimizes sampling risk and promotes audit efficiency. The following audit judgments affect sample size:

(1) sampling risk, (2) the tolerable rate of deviation, and (3) the expected population deviation rate.

Qualitative Evaluation When the auditor finds control deviations, the auditor should analyze them qualitatively as well as quantitatively. The auditor should try to determine whether the failures:

(1) were intentional or unintentional, (2) were random or systematic, (3) had a direct dollar effect on the account balance, or (4) were of such magnitude that a material misstatement could occur and not be detected.

Nonsampling and Sampling Risks When making inferences about a population from a sample, the auditor could make an error about the underlying population because either:

(a) the auditor did not appropriately carry out the audit procedures or inappropriately diagnosed problems (nonsampling risk), or (b) the auditor used a sample that was not representative of the population (sampling risk). Fortunately, audit firms can control both of these risks through adequate planning and effective quality control.

Steps in Attributes Sampling Attributes sampling is used to test the operating effectiveness of controls. It is used to gather evidence to answer questions such as "Was credit properly approved?" or "Was the customer's order shipped before it was billed?" or "Were the expenses claimed by the CEO consistent with company policies?" The steps to implement an attributes sampling plan include:

1. Define the attributes of interest and what constitutes failure(s). 2. Define the population from which the auditor takes the sample. 3. Determine the sample size. 4. Determine the method of selecting the sample. 5. Select the sample items and perform the test of control. 6. Evaluate the sample results and consider the effect on planned substantive procedures and the opinion on internal control effectiveness. 7. Document all phases of the sampling process.

In general, the number of items in the population has relatively little effect on the sample size, unless the population is very small. The tables in Exhibit 8.5 assume large populations and give sample sizes for several combinations of these factors and for both 5% and 10% levels of sampling risk. Using these tables for small populations is a conservative approach because the sample size will be overstated. The determination of sample size using the tables is straightforward. The auditor:

1. Selects the allowable sampling risk (risk of overreliance of 5% or 10%) based on factors such as audit risk, and whether the auditor will be issuing a separate opinion on internal control (Note: we use the term risk of overreliance because that is the term used in the AICPA's sample size tables. Recall that the terms risk of incorrect acceptance of internal control reliability or risk of assessing control risk too low are also used to refer to the same concept.) 2. Determines the tolerable rate of deviation. The tolerable rate of deviation would be lower for more important controls, such as controls over more significant accounts and for controls over accounts that are more susceptible to misstatement. 3. Uses past knowledge to determine the expected population deviation rate. 4. Determines sample size by looking at the intersection of the expected population deviation rate and the tolerable rate of deviation in the appropriate table.

Basic Steps in Sampling Account Balances and Assertions: A Nonstatistical Sampling Application Basic Steps in Sampling Account Balances and Assertions The basic steps in sampling for substantive tests of details are the same for both nonstatistical and statistical sampling approaches:

1. Specify the audit objective of the test and define a misstatement. 2. Define the population from which the auditor takes the sample. 3. Choose an appropriate sampling method. 4. Determine the sample size. 5. Select sample items and perform the substantive procedure. 6. Evaluate the sample results. 7. Document all phases of the sampling process.

Sampling units refer to the individual items making up the population. The population is a group of transactions or items for which the auditor wants to estimate some characteristic, such as the effectiveness of a control procedure or the extent of misstatement in an account. An example of sampling units might be the sales orders processed during the year that relate to the recognition of revenue. The auditor needs to answer four questions when sampling:

1. Which population and sampling unit should be tested, and what characteristics should be examined (population)? 2. How many items should be selected for audit testing (sample size)? 3. Which items should be included in the sample (sample selection)? 4. What inferences can be made about the overall population from the sample (sample evaluation)?

Step 1. Define the Attributes of Interest and What Constitutes Failure(s) A number of attributes could be tested, but the auditor tests only important controls. Control failures should be precisely defined to make sure that the auditor clearly understands what to look for, thereby reducing nonsampling risk. For example, a failure to seek credit approval for a new account, when such approval is required by company policy, would be considered a control failure.

A control failure does not mean that a misstatement has occurred. For example, most companies require a credit approval process before issuing credit. When pressed for time, a marketing manager may approve a sale without obtaining proper credit approval. The control requiring credit approval has failed, but it is not known whether the: (a) credit would have been granted if the process had been completed, or (b) customer is less likely to pay. Finally, the failure of this control does not affect the proper recording of the initial transaction. It may, however, affect the valuation of receivables at year-end.

This feature highlights various terms that you might encounter when using data analytics tools during an audit. Data architecture includes organizational procedures that articulate how users collect, store, organize, and use data. A data bank is a repository for data that enables users to categorize and store any type of data. A data center is an organization that manages hardware, software, air conditioning, backup systems, communication, and security equipment for multiple organizations; data centers allow organizations to store data "off-site" to prevent misuse, manipulation, or destruction.

A data dictionary helps users understand the structure and content of a database, including the name of the data, its description, relationships among various related data, and access rights. A data driven attack is electronic in nature and involves the perpetrator embedding seemingly valid data that enables malicious computer codes to exploit weaknesses in the computer system. Data science is an interdisciplinary field about scientific methods, processes, and information systems that aims to help users gain insights from complex, and often unstructured data.

Software companies are aggressively developing and marketing business intelligence platforms that enable organizations to use data analytics and big data by providing online analytical processing, information transformation (e.g., dashboards that display key performance indicators), and data management and security.

A key performance indicator (KPI) is an individual unit in an overall performance measurement system that organizations use. Organizations define success in achieving performance goals relating to business strategy. Organizations must develop and employ appropriate KPIs to effectively use them. KPIs will differ based upon the area in the organization that deploys them. For example, KPIs relating to implementing the sales strategy will differ from those relating to supply chain management. Managers often use KPIs in performance enhancement initiatives.

The tainting percentage is the percentage of misstatement present in a logical unit, such as the sample item's book value. The tainting percentage equals the amount of misstatement in the item divided by the item's recorded amount (in other words, the book value).

A tainting percentage is calculated for all sample items with misstatement in the lower stratum. The auditor multiplies the tainting percentage by the sampling interval to calculate the projected misstatement for each misstated item.

The auditor faces the challenge of gathering sufficient appropriate evidence as efficiently as possible. And, the auditor must reach conclusions about the accuracy of the underlying populations that make up an account balance, and generally must do so without examining 100% of the transactions during the audit period.

Accordingly, audits involve sampling. Audit sampling is used to test the operation of controls and accuracy of account balances. Samples should be representative of the population if the auditor is going to minimize the risk of reaching an incorrect conclusion about the population. To increase the likelihood that samples will be representative, they must be of sufficient size and must be selected from the appropriate underlying population.

The auditor's main concern when using sampling to test controls is the risk of incorrect acceptance. With incorrect acceptance, control failures in the population are more common than the sample indicates; the sample results lead the auditor to conclude that control risk is low when in fact it is high.

Accordingly, the auditor will incorrectly conclude that the internal controls are effective and will not perform as much substantive testing as necessary or will issue an incorrect opinion on internal control effectiveness. Alternatively, if the auditor incorrectly concludes that the controls are ineffective, the auditor will not rely on internal controls and will perform more substantive testing than necessary.

The auditor's main concern when using sampling to perform substantive tests of details is the risk of incorrect acceptance of book value. With incorrect acceptance, the account balance contains a material misstatement, but the sample results lead the auditor to conclude the account does not contain a material misstatement. No additional audit work would be performed, and the financial statements will be issued with a material misstatement.

Alternatively, if the auditor incorrectly rejects a population that does not contain a material misstatement, the client will usually object and encourage the auditor to perform additional work. The additional audit work should lead to a correction of the inappropriate inference. The risk of incorrect rejection of book value thus affects the efficiency of the audit, but it should not affect the auditor's overall conclusion about the fairness of the financial statements.

Attributes sampling is a statistical sampling method used to estimate the rate of control procedure failures based on selecting a sample and performing the appropriate audit procedure.

An attribute is a characteristic of the population of interest to the auditor. Typically, the attribute the auditor wishes to examine is the effective operation of a control, for example, evidence that the client has matched vendor invoice details with the purchase order and receiving report before payment approval, and noting that they match before authorizing a payment for the goods received.

When planning a sample for a test of details, the auditor should identify the maximum monetary misstatement in the account balance that, when combined with misstatements found in other tests, would cause the financial statements to be materially misstated. As discussed in Chapter 7, tolerable misstatement is based on planning materiality.

An expected misstatement is the level of misstatement that the auditor expects to detect, and it is based on projected misstatements in prior-year audits, results of other substantive tests, professional judgment, and knowledge of changes in personnel and the accounting system. It is usually desirable to be conservative and use a slightly larger expected misstatement than is actually anticipated. This conservative approach may marginally increase the sample size, but it minimizes sampling risk. If expected misstatement is greater than tolerable misstatement, sampling is not appropriate unless it is used to estimate the size of the required adjustment to the account balance.

Using Data Analytics Tools in the Audit Auditors can use data analytics tools to assist in testing internal controls and virtually every assertion related to financial statement account balances—as well as supporting testing of assertions through other means, such as selecting samples to send confirmations on accounts receivable balances.

Analyze a File Before performing tests of details, the auditor often wants to gain an understanding of the composition of items making up a population. For example, the auditor might want a graphical analysis of the dollar amounts of individual account balances, such as those that are above or below a certain dollar amount. Alternatively, the auditor might want to develop a graph of the account balance by deciles. In many cases, the auditor wants to know some combination, such as the number of items past due profiled by dollar amount.

Auditors are increasing their use of data mining, which is the process of sorting through large data sets to identify patterns, measure and predict trends, and establish relationships to solve problems through data analytics.

As we note in Exhibit 8.13, the processes involved in data mining include data capture and cleaning, data exploration, data modeling, and deploying models.

Auditors use data analytics tools to import a client's data; then the auditor can employ these tools in various ways. For example, the auditor can scan the data, sort and summarize it, stratify it, and transform it into visual representations.

Auditors can also use data analytics tools to identify duplicate items (e.g., duplicate invoices), gaps in data (e.g., gap in a check sequence), and outliers in a population (e.g., invoices that exceed two times the average for a particular customer). You can think of data analytics tools as an enhanced Excel spreadsheet with easy-to-customize applications, often including advanced visualization tools.

Step 2. Define the Population from Which the Auditor Takes the Sample The population is that group of items in an account balance that the auditor wants to test. The population, as defined for sampling purposes, does not include any items that the auditor has decided to examine 100% or items that will be tested separately.

Because sample results can be projected to only that group of items from which the sample is selected, it is important to properly define the population. For example, a sample selected from the inventory at one location can be used to estimate the amount of misstatement only at that location, not at other locations.

Step 4. Determine the Method of Selecting the Sample Once the sample size has been determined, the auditor selects sample items so the sample will be representative of the population and thus the results can be projected to the population.

Common sampling approaches include simple random sampling, systematic sampling, haphazard sampling, or block sampling.

Adding all four components together (see Exhibit 8.11), we see that the total estimated misstatement equals $26,772. The statistical conclusion is that the auditor is 90% confident that this population is not overstated by more than $26,772.

Because the total estimated misstatement is less than the tolerable misstatement ($40,000), the auditor can conclude that, at the desired level of risk of incorrect acceptance, the population does not contain a material amount of overstatement. If the total estimated misstatement had exceeded the tolerable misstatement, additional audit analysis would have been required (see Unacceptable Sample Results, earlier in this section). In addition to evaluating the quantitative amounts of monetary misstatements, the auditor should consider the qualitative aspects of these misstatements.

Data analytics tools include qualitative and quantitative techniques and processes that auditors use to enhance their productivity and effectiveness. For example, auditors use these tools to extract, categorize, identify, and analyze patterns or trends in the data.

Data analytics tools are software programs that facilitate testing 100% of a population when appropriate and help focus the auditor's attention on specific risk areas or transactions, often involving sophisticated data visualization tools, e.g., https://www.tableau.com/. Data analytics tools also include platforms such as Excel, ACL, and IDEA; the landscape is changing dramatically and quickly in this space, so you should be prepared to be flexible and adaptive to change in utilizing data analytics tools as you complete audit (and other accounting) tasks.

Data capture involves activities that users complete to retrieve data, for example, bar coding. Data cleaning includes activities that users complete to correct or remove erroneous data, for example, contradictory data, input keying mistakes, duplicate data, missing information, and inappropriate changes to the data.

Data exploration involves gaining an understanding of the data by using techniques such as path analysis, classification, and visualization. Path analysis involves looking for instances in which one construct or measure predicts one that follows another. Classification analyses include investigating new patterns in data that might change the way that the organization organizes and uses its data.

Data modeling is a process by which data scientists define and analyze data requirements that they need to support the business processes through data-producing information systems within organizations. Data modeling involves documenting a complex software system in a visual diagram, using text and symbols to express the logical underpinnings of how the data flow through the system.

Deploying models includes integrating the data and models to solve problems or make decisions. For example, the data modeling might produce a model that decision makers use to predict sales volume and profitability for the organization's portfolio of products. Then, users can also employ a model to predict and track bad debt expense by various categories.

Step 6. Evaluate the Sample Results and Consider the Effect on Planned Substantive Procedures and the Opinion on Internal Control Effectiveness

Evaluation of sample results requires the auditor to project the sample results to the population before drawing a conclusion about the population.

Example 1: (More Important Control, Integrated Audit): The auditor sets the risk of overreliance at 5% (implying that the auditor is willing to accept a 5% chance that inferences from the sample will be incorrect), sets the tolerable rate of deviation at 5%, and anticipates that the expected population deviation rate will be 1%. The auditor refers to Table 1 in Exhibit 8.5 and finds a sample size of 93.

Example 2: (Less Important Control, No Separate Opinion on Internal Control): The auditor sets the risk of overreliance at 10% (implying that the auditor is willing to accept more risk than in Example 1), sets the tolerable rate of deviation at 10% (suggesting that the control is less important than in Example 1), and anticipates that the expected population deviation rate is 1%. The auditor uses Table 2 in Exhibit 8.5 and finds a sample size of 38. Also note that the number in parentheses after each sample size represents the number of errors the auditor can find without concluding that the control is not working correctly (1 in a sample of 93 for the more important control, and 1 in a sample of 38 for the less important control).

Nonstatistical sampling does not allow the auditor to statistically measure sampling risk. Exhibit 8.4 compares nonstatistical and statistical sampling on relevant dimensions.

For both sampling approaches, the auditor considers the nature of control deficiencies or misstatements detected in the sample, projects the sample findings to the population, and concludes on the overall population. In addition to evaluating the results of a sample quantitatively, the auditor should consider the qualitative aspects of control failures and misstatements. Are the sample results caused by errors, or do they indicate the possibility of fraud, and how do the control deficiencies affect other phases of the audit?

Sampling Risks Related to Tests of Details of Account Balances Auditors use sampling to estimate the amount of misstatement in an account balance.

The auditor can, for example, select a sample of inventory items and perform a price test. If the sample contains pricing errors, the auditor projects these errors in the sample to the population to determine whether the population is materially misstated because inventory is priced incorrectly.

Analyze Overall File Validity Data analytics tools contain edit controls to detect and prevent transactions from being erroneously recorded. Although the auditor can test the correct functioning of these controls by other means, audit software can assist in evaluating the effectiveness of the controls by reading the computer file and comparing individual items with control parameters to determine whether edit controls were overridden.

For example, assume the auditor has tested a control procedure that limits credit to individual customers in accordance with the credit department's rating of the customer. The credit department rates each customer on a 1-to-5 scale, with a 5 representing the least credit risk. A rating of 1 might indicate that shipments can be made only on a prepayment basis, and a rating of 2 might indicate that the total credit cannot exceed $5,000. The auditor uses data analytics tools to compare customers' account balances with the maximum specified by the credit policy and generates a printout of each account balance that exceeds the specified credit limit.

In terms of evaluating the sample results, the auditor projects misstatements found in the sample to the population. There is no way to mathematically measure sampling risk in a nonstatistical sample; the auditor can project only the detected misstatements and make a professional judgment as to whether the account is likely to be materially misstated and then decide whether more audit work is needed.

For example, assume the auditor is using nonstatistical sampling to confirm accounts receivable to test the existence assertion. The auditor confirmed all twenty-one customer balances equal to or greater than $50,000. These items comprise the top stratum. The auditor confirmed a random sample of the lower stratum of 190 balances less than $50,000. The details are presented in the following table:

Perform Numerical Analyses One of the more interesting features of data analytics tools is the ability of these tools to perform complex statistical analyses. A mathematician named Benford studied the nature of numerical patterns and observed that the patterns of numbers across many different applications are consistent.

For example, if sales invoices or payroll checks have five-digit numbers, Benford's Law would predict the first digit to be the number 1 about 30% of the time. His analysis also predicts the expected frequency of specific numbers occurring as the second number, and so forth, in a five-digit number. The predictive ability of Benford's Law is extremely high.

Linkage of Test of Controls to Substantive Procedures In addition to being the basis of a report on internal controls, the tests of controls are used to determine whether the nature, timing, or extent of the planned substantive procedures needs to be modified.

For example, if the tests of controls indicate that the client is not careful about assuring that shipment has taken place before billing and recording a sale, the auditor may need to increase sales cutoff testing and/or concentrate on sales recorded just before the balance sheet date.

Select Transactions Based on Logical Identifiers Auditors often need to review transactions or the details that make up account balances and may be interested in those that meet specific criteria.

For example, the auditor may want to confirm all customer balances above a specific dollar limit and all those that are past due by a specific period of time. Data analytics tools can easily accomplish these types of tasks, even including visual representations of items near important thresholds and any outliers.

One complexity that you will encounter when using Exhibit 8.7 is that sometimes the ratio of expected to tolerable misstatement or tolerable misstatement as a percentage of the population will not be even numbers that appear in the table. For example, the ratio of expected to tolerable misstatement may be 24.5%, and the ratio of tolerable misstatement to the population may be 3.5%. To address this complexity, you can round the numbers in either case to ensure that an adequate sample size is obtained.

For the ratio of expected to tolerable misstatement, you can round up to 30% because that will yield a larger sample size than if you had rounded down to 20%. For the tolerable misstatement as a percentage of the population, you can round down to 3% because that will yield a larger sample size than if you had rounded up to 4%.

The auditor is much more concerned if the control failures appear to be intentional, which might indicate fraud. If the failures are systematic, the auditor should be cautious in deciding to isolate the problem and reducing substantive testing. For example, if all of the failures were related to pricing errors—and all were connected to one sales associate—the auditor may expand audit testing to review all of the transactions related to that one sales associate.

However, the auditor should not typically reduce substantive testing in other areas because the identified errors appear to be isolated to the one sales associate. The sampling evidence may be signaling that there are other isolated failures that did not happen to appear in the sample. Often, a failure in a control does not lead directly to dollar misstatements in the accounting records. Lack of proper approval for payment of a vendor's invoice, for example, does not necessarily mean that the invoice should not have been paid. While it may have been an appropriate invoice, it might also have been a fictitious invoice.

Testing Multiple Attributes Auditors frequently test several controls or attributes using the same source documents. When doing so, the auditor should use the same sampling risk for all the tests.

However, the tolerable rates of deviation and expected population deviation rates for these attributes are likely to be different, resulting in different sample sizes.

For example, if the auditor specified a 10% risk of incorrect acceptance, used a $11,000 sampling interval, and detected no misstatements, the total estimated misstatement equals $25,410 (2.31 × $11,000). Note that "2.31" is the confidence factor obtained from Exhibit 8.9 and can be found at the intersection of Number of Overstatement Misstatements = 0 and Risk of Incorrect Acceptance = 10%.

If no misstatements are found, the auditor will conclude that the recorded value of the population is not overstated by more than the tolerable misstatement at the specified risk of incorrect acceptance.

Steps 4, 5, and 6. Determine the Sample Size, Select the Sample Items, Perform the Substantive Procedure, and Evaluate the Sample Results Determining the sample size, the method of selecting the sample, and the approach to evaluating the sample results depend on the sampling method used. Whatever sampling method is chosen, the auditor must consider the risk of misstatement in the account, sampling risk, and the auditor's assessment of tolerable and expected misstatement.

If the auditor uses a statistical sampling method, the sample must be selected randomly to give each item in the population an equal chance to be included in the sample.

Step 1. Specify the Audit Objective of the Test and Define a Misstatement The auditor designs a sampling plan for tests of details to provide assurance regarding one or more financial statement assertions (e.g., existence of accounts receivable). Specifying the audit objective determines the population to test. For example, if the objective is to determine the existence of customer balances, the sample should be selected from the recorded balances.

If the objective is to determine the completeness of accounts payable, the sample should be selected from a complementary population, such as cash disbursements made after the balance sheet date. The auditor looks for payments for goods and services received by the balance sheet date that should be payable at year-end, but were not recorded until after year-end. Populations involving the testing of the existence assertion are generally easy to define because they include all recorded transactions. On the other hand, populations involving the completeness assertion are more difficult to define because some of those transactions may not yet be recorded.

Quantitative Evaluation The auditor needs to determine whether the upper limit of the possible deviation rate exceeds the tolerable deviation rate. To make this assessment, the auditor should use a statistical evaluation approach. Tables such as those in Exhibit 8.6 help the auditor determine the upper limit of the possible deviation rate.

If the upper limit of the possible deviation rate exceeds the tolerable deviation rate, the auditor should: (1) test a different control designed to mitigate the same risk, or (2) adjust the nature, timing, and/or extent of the related substantive testing of the accounts affected by the control. The change in substantive testing will be necessary because the auditor will need to increase the assessed level of control risk and, thus, decrease the level of detection risk. If the auditor is performing an integrated audit, the auditor will need to consider whether the results will affect the opinion on internal control effectiveness.

If credit approvals are not working correctly, the auditor will have to take more time to determine whether the allowance for doubtful accounts is reasonable. Additional testing of subsequent collections and follow-up on old, uncollected balances may be needed.

In general, if controls are not operating effectively, the auditor will increase the assessment of control risk and will likely choose to rely less on substantive analytical procedures and more on tests of details for those accounts related to identified control failures.

Auditors also need to define tolerable misstatement and expected misstatement. The AICPA's 2012 Audit Sampling formally defines a tolerable misstatement as a monetary amount set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the monetary amount set by the auditor is not exceeded by the actual misstatement in the population.

In more practical terms, a tolerable misstatement is the maximum amount of misstatement the auditor can accept in the population without requiring an audit adjustment or a qualified audit opinion.

An organization's KPIs are relevant to auditors because they can evaluate them in data analytics as they engage in more general analytical procedures; KPIs serve as a reasonable benchmark against which the auditor can compare expected to actual results. Further, auditors might construct their own KPIs about the client.

In other words, auditors are not limited to evaluating a given client's KPIs; they can go beyond them to make more sophisticated, predictive KPIs and then compare them against the actual performance assertions that management makes. One way that auditors who specialize in a particular industry accomplish this is by transferring their knowledge about KPIs for one client to KPIs for another client in the same industry; differences might yield interesting inferences.

Statistical Sampling for Substantive Tests of Account Balances and Assertions: Monetary Unit Sampling (MUS) Monetary unit sampling (MUS) is a sampling method based on attributes sampling, but involving dollar misstatements rather than control failure rates. MUS is a widely used statistical sampling method because it results in an efficient sample size and concentrates on the dollar value of the account balances.

It has been developed especially for use in auditing and has been given various names, including dollar-unit sampling, PPS, and combined attributes-variables sampling. MUS was designed to be especially effective in testing for overstatements in situations when few or no misstatements are expected.

Interestingly, most people committing fraud go to great lengths in perpetrating and covering up the fraud. However, they usually have to assign numbers to documents and, not surprisingly, those numbers often do not follow the patterns of numbers naturally occurring in practice.

It is not surprising, because the person who is perpetrating the fraud makes up the numbers, and it is extremely difficult to anticipate the occurrence of every digit in a five-, eight-, or even ten-digit number. Data analytics tools can help auditors find such non-routine patterns.

Step 3. Choose an Appropriate Sampling Method Once the auditor has decided to use audit sampling, either nonstatistical or statistical sampling is appropriate for substantive tests of details. The most common statistical approaches for substantive testing are classical variables sampling (beyond the scope of this text) and monetary unit sampling (MUS).

MUS, which is discussed in the next section, is a subset of a broader class of procedures, sometimes referred to as probability proportional to size (PPS) sampling. The term PPS describes a method of sample selection where the probability of an item's selection for the sample is proportional to its recorded amount; MUS is a specific method of PPS that has been developed for auditors. As is common, we use the terms MUS and PPS interchangeably.

Sampling Unit The sampling unit is the item identified in the population as the basis for testing. It could be a document, an entry in the computer system, or a line item on a document.

One company may require supervisory approval with initials to authorize payment of several invoices; the sampling unit would be the document authorizing the invoices. Another company may require written authorization for each invoice; the sampling unit would be the individual invoices processed for payment.

Audit sampling involves looking at less than 100% of the transactions that occurred during the audit period. Sampling techniques would be appropriate when an auditor wants to perform procedures such as examining documents, reperforming calculations, or sending confirmations.

Other types of audit procedures such as inquiry, observation, and analytical procedures would not involve sampling.

Zero and Negative Balances Population items with zero balances have no chance of being selected using PPS sampling. If evaluation of sampling units with zero balances is necessary to achieve the audit objective of the test, they should be segregated and audited as a different population.

Population items with negative balances require special consideration. For example, credit balances in customer accounts represent liabilities; the client owes money, merchandise, or service. An approach to dealing with negative items is to exclude them from the selection process and test them as a separate population; this should be done when a significant number of such items are included in the population. Another approach is to change the sign of the negative items and add them to the population before selection. This approach is generally used only when there are few negative items and few or no misstatements are expected.

Misstatements are categorized as factual misstatements or projected misstatements. Factual misstatements are those that have been specifically identified and about which there is no doubt, such as a difference identified in a sample item or an item in a population examined 100%. Factual misstatements are also referred to as known misstatements.

Projected misstatements are developed by extrapolation from the factual misstatements in sample items to the population. Projected misstatements are those that are the auditor's best estimate of the misstatements in a given population based on the sample results. Projected misstatements are also referred to as likely misstatements. The total factual and projected misstatement (can be referred to as total estimated misstatement) is compared with the tolerable misstatement when evaluating the sample results.

Haphazard Sampling Haphazard sampling is a nonstatistical sample selection method that attempts to approximate a random selection. The word haphazard is not intended to convey that the sampled items are selected in a careless manner.

Rather, the auditor chooses the sample items, trying to select items that are representative of the population. However, it does not usually work, because of selection bias: knowingly or unknowingly creating unrepresentative samples. In order to create a true random selection, it is more appropriate to use a random selection method, such as simple random sampling.

Evaluating a MUS Sample PPS sampling is designed to determine the likelihood that the account balance may exceed tolerable misstatement. In other words, if the auditor designs the sample with a 10% risk of incorrect acceptance and a tolerable misstatement of 5% of population dollars ($807,906), thereby yielding $40,395 (rounded down to $40,000), the auditor is testing the hypothesis that there is no more than a 10% probability that misstatements related to the assertion being tested can cause the account balance to be overstated by more than $40,000.

Recall that our example's assumptions are: • the risk of incorrect acceptance is 10% • tolerable misstatement is 5% of population dollars, rounded down to $40,000 • and expected misstatement is 20% of tolerable misstatement, yielding $8,000.

Sampling techniques are not used for all tests of controls. For example, when effective general computer controls are present, tests of automated application controls are generally performed with just one or a few items.

Sampling generally is not applicable for determining the appropriate segregation of duties and may not apply to tests of operating effectiveness of the control environment.

Sampling Risk There is always a risk that any inferences made from a sample might not be correct. There is uncertainty about the projected results because the sampling results are based on only a portion of the population. The smaller the sample, the more uncertainty; the larger the sample, the less uncertainty.

Sampling risk is the risk that the auditor's conclusion based on a sample might be different from the conclusion that would be reached if the audit procedure were applied in the same way to the entire population.

The lower stratum contained two misstatements. The first lower-stratum misstatement was the result of a book value of $2,000 that had an audited value of $1,940, thus yielding an overstatement of $60. The tainting percentage is $60 divided by $2,000 or 3%. Because this item was selected from an interval of $11,000, it is projected that the overstatement is 3% or $330.

Similarly, the second misstatement was $83 (book value of $8,300; audit value of $8,217), resulting in a 1% tainting or a projected amount of $110 for the interval. The sum of the projected lower-stratum misstatements is therefore $440. This same result can be obtained by multiplying the sampling interval by the sum of the tainting percentages: $11,000 × 4% = $440. Exhibit 8.11 summarizes the sample evaluation calculations.

Define the Sampling Unit Sampling units are the individual auditable items and often are made up of individual account balances. However, a sampling unit for confirming accounts receivable could be the individual customer's balance, individual unpaid invoices, or a combination of these two. The choice depends on effectiveness and efficiency of the process and the manner in which the client has recorded the individual items.

Some customers are more likely to return a confirmation when asked to confirm one unpaid invoice rather than verify the correctness of an entire account balance. If a customer does not return a positive confirmation, alternative procedures must be performed, including identifying subsequent payments and/or vouching the sales transactions to supporting documents. If customers typically pay by invoice, it will be more efficient to perform alternative procedures on individual invoices than on total balances.

Statistical sampling involves a probability sampling method, which provides an objective method of determining sample size and selected items.

Statistical sampling also provides a means of quantitatively assessing sampling risk.

Period Covered by the Test In most instances, the period covered by the test is the time period covered by the audited financial statements. As a practical matter, tests of controls are often performed prior to the balance sheet date and may cover the first 10 or 11 months of the year. If the controls are found to be effective, the auditor should take additional steps to assure that the controls continue to be effective during the remainder of the year.

The additional steps may include making inquiries, further testing of the controls, or gathering evidence of control effectiveness as part of dual purpose tests performed later in the audit. If the auditor is issuing an opinion on internal controls over financial reporting, the auditor needs reasonable assurance that the controls are effective as of the client's balance sheet date.

• Expected population deviation rate—The expected population deviation rate is an anticipation of the deviation rate in the entire population. This term is sometimes referred to as the expected failure rate. Failures occur when personnel are in a hurry or careless, are not competent, or are not properly trained.

The auditor likely has evidence on the rate at which a particular control fails, based on past experience as modified by any changes in the system or personnel. The expected failure rate should be less than the tolerable failure rate; otherwise the auditor should not test controls.

The validity of a systematic sampling is based on the assumption that the items in the population are randomly distributed.

The auditor must be knowledgeable about the nature of the population to be sure that no repeating or coinciding pattern in the population would cause the sample to not be representative. Many auditors try to increase the chances that the systematically selected samples are representative of the population by using multiple random starts.

Completeness of the Population A sample is selected from a physical representation of the population, such as a list of customer balances or a computer file.

The auditor needs assurance that the list accurately represents the population. A common procedure is to foot the list and reconcile it with the general ledger. The auditor can use data analytics tools to complete this procedure.

Completeness of Population The auditor should take steps to help assure that the population sampled is the total population of interest.

The auditor normally performs some procedures, such as footing the file and reconciling the balance to the general ledger or reviewing the completeness of prenumbered documents, to assure that the population is complete.

No Misstatements in the Sample If the auditor finds no misstatements in the sample, the misstatement projection is zero dollars, and the total estimated misstatement will equal basic precision.

The basic precision is the amount of error you are confident of not exceeding if no errors are reported for the sample. It is determined by multiplying the sampling interval by the confidence factor for the specified risk of incorrect acceptance (assuming no errors).

Blockchain: A Revolution in Auditing What is blockchain? It is a digital accounting ledger of transactions that can be programmed to record financial transactions among multiple parties. We traditionally think of recording transactions using double-entry accounting. So, each transaction is recorded twice, for example, a debit to Cash and a credit to Revenue. Blockchain extends this to triple-entry accounting, whereby the debit and credit still occur, but they are accompanied by a cryptographic signature verifying that the transaction did, indeed, occur at the recorded amount.

The figure below visually aids in understanding the various concepts involved in blockchain and digital currency.

The following are common categorical indicators of KPIs: • Quantitative (numbers-based) • Qualitative (visual or narrative) • Leading (predictive) • Lagging (backward looking or after the fact) • Input-based (measures of resources that the organization uses) • Process-based (measures of efficiency or productivity) • Output-based (measures of organizational outcomes) • Directional (measures that reveal whether the organization is moving toward its strategic goals) • Financial (measures that relate to the ongoing and future financial viability of the organization)

The following are KPIs that might be applicable to revenue cycle activities in an organization: • Number of new customers • Credit history profile of new customers • Demographics of new, continuing, and past customers • Reasons for customer attrition • Revenue by segments or geographic regions • Accounts receivable balances and trends over time • Bad debt expenses and trends over time • Credit term policies and changes therein • Profitability and trends over time

Using Data Analytics Tools to Obtain and Evaluate Evidence Today, auditors use many data analytics tools, and you can expect this trend to increase during your time in the profession. We note that any one particular data analytics tool is not necessarily superior to others, and these tools are evolving rapidly.

The implication is that it is not necessarily a specific tool that is critical for students to learn; rather, it is an understanding of the existence, application, and flexible use of such tools that matters in terms of achieving audit quality and efficiency.

When sampling is appropriate, the auditor uses a sample to infer whether the control in the population is operating effectively.

The most commonly used statistical sampling approach for tests of controls is attributes sampling.

Objectives of Sampling and Risks Associated with Sampling The objective of sampling when testing controls is to determine whether the controls are operating effectively. If they are not operating effectively, the auditor needs to consider this when deciding on the opinion for internal controls and when designing the substantive procedures.

The objective of sampling when testing account balances is to estimate the amount of misstatement in an account balance. If there are large misstatements, the auditor wants to know about them so that the auditor can determine whether the account balance is materially misstated. However, sampling always contains some risk. For example, the auditor might not look at enough items (recall the examples from the Why It Matters feature at the beginning of the chapter), or the sample might not be representative of the population. Thus, auditors must consider how to obtain and evaluate samples that minimize the likelihood they will reach an incorrect conclusion.

All items with a book value equal to or greater than the interval will be selected for auditor evaluation. As we previously noted, these items are referred to as top-stratum items. The balance for Customer 7 has four selection points, but it will be examined only once. Thus, the number of logical units (customer balances) will be less than the sample size of dollar units.

The population has effectively been divided into two groups: the top-stratum items and the lower-stratum items. The sample selection process uses dollar-based stratification and focuses the auditor on large-dollar coverage with relatively small sample sizes. This selection method also tests the mathematical accuracy of the population. Note in Exhibit 8.8 that the last cumulative amount is $817,169. This represents the population total of $807,906 plus the random start of $9,263.

Simple Random Sampling A simple random sample is chosen in such a way that every item in the population has an equal chance of being selected for the sample. It is appropriate for both nonstatistical and statistical sampling applications. An auditor using this approach will use a random number generator such as the one included in Excel.

The random number generator uses information on population size and sample size to generate random numbers. Assume that the population is 500 invoices (numbered 1 to 500) and the sample size is 50. The application will generate 50 random numbers between 1 and 500. The random numbers represent the document numbers on the invoices that you will select for your sample.

Again, in our example the sampling interval is $11,708. If the sample is to be selected manually, it will be easier if a rounded interval is used, such as $11,000. Rounding the interval down (rather than up) assures that the sample size will be adequate.

The random start should be between 1 and the sampling interval (1 to 11,000 in our example). This random start number can be obtained from a variety of sources, including the serial number of a dollar bill, a random number table, or a computer-generated random number. To illustrate using a dollar bill, the auditor could use the image below as evidence of a random start at $9,263.

One point to notice when examining Exhibit 8.6 is that the upper limit of deviations is greater than zero even when no deviations are detected in the sample. For example, consider the case where risk of overreliance is 5%, sample size is 20, and no deviations are detected. In this case, the upper limit of deviations from Exhibit 8.6 is 14%.

The reason for this result is that the sample size is very low, so there is a strong possibility that even though the auditor detected no deviations in the sample of 20 items, deviations exist that the auditor failed to detect. Taking this case a bit further, assume the same facts, but move down Exhibit 8.6 to the row where sample size is doubled to 40. In this case, notice that the upper limit of deviations when no deviations are detected falls dramatically to just 7.3%.

The risk of incorrect acceptance of internal control reliability (also referred to as the risk of assessing control risk too low or the risk of overreliance) is the risk that the auditor will conclude that internal controls are effective (i.e., control risk is low) when internal controls are actually not effective.

The risk of incorrect rejection of internal control reliability (also referred to as the risk of assessing control risk too high or the risk of underreliance) is the risk that the auditor will conclude that the internal controls are not effective (i.e., control risk is high) when internal controls are actually effective.

Designing and Selecting a MUS Sample The population for MUS is defined as the number of dollars in the population being tested. Each dollar in the population has an equal chance of being chosen, but each dollar chosen is associated with a tangible item such as a customer's balance or an inventory item, so items with more dollars have a greater likelihood of being selected.

The sample size in a MUS sample depends on the: (1) risk of incorrect acceptance, (2) ratio of expected misstatement to tolerable misstatement, and (3) ratio of tolerable misstatement to the total population value.

Nonstatistical Sampling for Substantive Tests of Account Balances and Assertions In determining sample size, all significant items should be tested. The auditor should select all items over a specific dollar amount, and then, depending on audit objectives, select items with other characteristics, such as sales billed in the last week or billed to specific parties.

The sample size of the other items to be tested should be based on the same factors used in statistical sampling. In terms of selecting the sample, the auditor should take steps to increase the likelihood that the sample is representative of the population. The auditor may obtain a representative sample using a random-based sampling method.

The auditor often uses judgment to determine the cutoff point for top-stratum items. The division of the population into two or more subgroups is referred to as stratification. Stratification of the population into several homogeneous subpopulations generally creates audit efficiency.

The stratification process can be enhanced with the use of data analytics tools that have the capability of creating a profile of the population of book values, e.g., sorted by dollar value, size of customer, and customer credit rating.

Nonstatistical and Statistical Sampling Auditors use both nonstatistical and statistical sampling; however, the use of statistical sampling in practice is limited. When properly used, either sampling approach can be effective in providing sufficient appropriate audit evidence. Both sampling approaches require the exercise of auditor judgment during the planning, implementation, and evaluation of the sampling plan.

The use of statistical methods does not eliminate the need for professional judgment. Furthermore, the audit procedures performed on the items in the sample will be the same, whether the auditor uses a statistical or nonstatistical approach.

Illustration with Overstatements in the Sample Using the example in Exhibit 8.8 with a sampling interval of $11,000 and the risk of incorrect acceptance of 10%, assume the auditor detects the following misstatements:

There was only one top-stratum misstatement. An item with a book value of $45,023 had an audited value of $44,340—resulting in a $683 top-stratum overstatement. For the top-stratum item, there is no need to obtain a tainting percentage or to project the misstatement because all of the items in the top stratum were audited.

The factual misstatement of $1,500 in the top stratum needs no projection to the population because all of these items in the stratum were tested. However, the auditor would project factual misstatements in the lower stratum to the rest of the lower stratum as follows: $900 / $310,000 × $2,500,000 = $7,258.

Therefore, the total factual and projected misstatement is estimated to be $8,758 ($1,500 + $7,258). The $8,758 is the auditor's best estimate, but of course there is some probability that the actual amount may be higher. Assume tolerable misstatement is $150,000. Because $8,758 is so much smaller than the tolerable misstatement, there is an ample cushion between the tolerable misstatement and the factual and projected misstatement. Therefore, the auditor would be reasonable in concluding that there is a low risk of material misstatement related to the existence of accounts receivable.

Nonsampling Risk Auditors should carefully examine all items in the sample and use appropriate procedures to test and evaluate the accuracy of an account balance or the effectiveness of an internal control. However, there may be cases when this does not occur. For example, the auditor may not have the appropriate knowledge to perform the test or may be fatigued or may be facing time pressure when performing the test.

These examples illustrate the concept of nonsampling risk, that is, the risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. The audit firm controls nonsampling risk through proper training and adequate supervision of the auditors, well-designed sampling programs, and carefully designed and executed audit programs.

Identify Individually Significant Items Many account balances are composed of a few relatively large items and many smaller items. A significant portion of the total value of many accounting populations is concentrated in a relatively few large-dollar items. Because of this, the auditor often will examine all the large-dollar items.

These large-dollar items are often referred to as the top stratum. Top-stratum items are population items whose book values exceed the sampling interval and are therefore included in the sample. Because the auditor knows the amount of errors in the top stratum (all items were evaluated), no estimate or projection of errors is required. The remaining items are then sampled using an appropriate sampling method. Lower-stratum items are those that are not in the top stratum. The audit results reflect the sum of top-stratum misstatements and the projected misstatement based on lower-stratum items.

Next, the auditor calculates the incremental allowance for sampling risk for the lower-stratum items by completing the following steps, which are summarized in Exhibit 8.12. First, list the dollar value of the projected misstatements in descending order and calculate their sum. Second, calculate incremental changes in the confidence factors for each misstatement at the relevant risk of incorrect acceptance. Recall that Exhibit 8.9 contains the confidence factors. To calculate the incremental changes, subtract the value related to overstatement 0 (in our example, 1.90) from the value related to overstatement 1 (in our example, 3.38), and so on, depending on the number of misstatements detected.

Third, multiply the projected misstatements by the incremental change in the confidence factor. Fourth, sum these values. Fifth, subtract the total projected misstatement from the total value of projected misstatement multiplied by the incremental change in confidence factor.

Sampling Risks Related to Tests of Controls In many audits, the auditor uses sampling to gather and evaluate evidence regarding the effectiveness of internal controls. The auditor wants an accurate estimate of control failures; for example, if a control does not operate effectively 4% of the time in the sample examined by the auditor, the auditor uses this information to reach a conclusion about the effectiveness of the control in the population.

This conclusion will affect the extent of substantive testing to be performed or the opinion to issue on internal controls. Because sampling always involves some uncertainty, the auditor usually wants to control for the worst possible scenario, that is, concluding that the control is effective when it is actually ineffective. For example, the auditor may want to be 95% confident that the control does not fail more than 3% of the time. The auditor is always challenged to manage the risks of making incorrect inferences when using a sample.

Systematic Sampling Systematic sampling is a statistical sampling method that involves dividing the number of physical units in the population by the sample size to determine a uniform interval; a random starting point is selected in the first interval, and one item is selected throughout the population at each of the uniform intervals after the starting point.

This interval, called the sampling interval, is calculated by dividing the population size by the desired sample size. In order to use systematic selection, the auditor must be sure that there is not a systematic pattern in the population.

Block Sampling Block sampling is a nonstatistical sampling selection method that involves selecting a sample that consists of contiguous population items, such as selecting transactions by day or week.

This is an efficient approach, but the risk is that the way the transactions were processed on these days or weeks may not be representative of how they were processed the other 364 days or 51 weeks. This judgmental decision is subject to second guessing that such a sample could not be representative. Block sampling is most appropriate for performing year-end cutoff tests.

• Tolerable rate of deviation—The AICPA's 2012 Audit Sampling formally defines the tolerable rate of deviation as a rate of deviation set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the population.

This term is sometimes referred to as the tolerable failure rate. In more practical terms, the auditor's tolerable rate of deviation is the level at which the control's failure to operate would cause the auditor to conclude that the control is not effective and would likely change the auditor's planned assessment of control risk in performing tests of account balances.

Once the auditor has determined the appropriate sample size, a sampling interval is calculated by dividing the population size by the sample size.

Thus, Sampling Interval = Population Size / Sample Size. So, in our example, Sampling Interval = $807,906 / 69, thereby yielding a sampling interval of $11,708. The sample is then selected using the fixed-interval approach: every nth dollar is selected after choosing a random start, which is required to give every dollar in the population an equal chance of being included in the sample. Each selected dollar acts as a hook for the entire physical unit in which it occurs, such as a customer's account balance or the extended cost of an inventory item.

Exhibit 8.7 provides a table that auditors can use to determine the appropriate sample size for MUS. Note that the AICPA's 2012 Audit Sampling also presents other alternative methods of sample selection; we use one method for simplicity.

To illustrate the use of Exhibit 8.7, consider a setting where the risk of incorrect acceptance is 10%, tolerable misstatement is 5% of population dollars, and expected misstatement is 20% of tolerable misstatement (in other words, 1% of the population dollars). In this setting, the auditor identifies a sample size of 69 units.

Assume that the auditor selects a sample of 80 from a population of 100,000 sales transactions and detects three control deviations (a deviation rate of 3.75%, calculated as 3/80). The auditor might conclude that 3.75% is less than 6%, and so the control is working effectively. But this conclusion is incorrect. Remember, the auditor's decision is whether there is more than a 5% risk (95% confidence level) that the control deviation rate could be more than 6% in the population—not just in the sample.

To make the correct evaluation, the auditor uses Table 1 of Exhibit 8.6, moves down the first column to find 80 as the sample size, and moves to the right under the column of three failures, and finds a figure of 9.5. What does that 9.5 mean? It means that the auditor is 95% confident that the upper limit of the real deviation rate in the population does not exceed 9.5%. Stated another way, there is a 5% chance that the real deviation rate exceeds 9.5%. The auditor had set an upper limit of 6%, and this 9.5% clearly exceeds that limit. The control testing does not support a conclusion that the control is operating effectively. The auditor needs to assess control risk as higher than was originally set and, further, must perform a qualitative evaluation of the deviations detected.

For example, assume that the population consists of payroll transactions in a payroll journal that are listed in employee number order. These numbers are not in sequence because of employee turnover. There are 1,300 payroll transactions, and the auditor has determined a sample size of 26. Every 50th transaction (1,300 / 26 = 50) should be selected for testing.

To randomize the selection process, a random number from 1 to 50 should be used to identify the first sample item. This could be done, for example, by using the last two digits of a serial number on a dollar bill. If those digits were 87, subtract 50, leaving 37 as the first sample item. Every 50th transaction thereafter would also be included in the sample. When the first item is selected randomly from the interval, this sampling technique is called systematic random sampling.

Visualization includes the process of understanding the significance of and patterns in data by placing it in a visual context. By using visualization, users can detect patterns, trends, and inter-relationships that might otherwise remain undetected.

Today's data visualization tools go far beyond typical charts and graphs that software such as Excel produces. The visualizations also include interactive capabilities that enable users to drill down further into interesting features of the data that they observe.

Defining Data Analytics and Associated Terms Data analytics is a broad construct referring to both qualitative and quantitative analysis tools that enable a decision maker to extract data, categorize it, identify patterns within it, and use it to enhance efficiency and effectiveness in decision making.

Users of data analytics are increasingly using big data, which includes extremely large and complex datasets that users can analyze to reveal patterns and associations. Big data is often so large that users cannot efficiently analyze it using tools such as Excel because the data overloads the tool.

The auditor can use a calculator or data analytics tool to select the sample. If you are using a calculator, clear the calculator, enter the random start, add each customer book value, and subtotal after each entry, giving a cumulative total for each item.

We illustrate this process in Exhibit 8.8 using a random start of 9,263. The first sample item is the one that first causes the cumulative total to equal or exceed the sampling interval of $11,000 (Customer 3 in Exhibit 8.8). Successive sample items are those first causing the cumulative total to equal or exceed multiples of the intervals ($22,000, $33,000, $44,000, and so forth). As we noted previously, the probability of selecting any particular item is proportional to the number of dollars in it. For example, if the sampling interval is $11,000, a customer's balance of $220 would have a 2% chance (220/11,000) of being included in the sample. A customer with a book value of $2,200 has a 20% chance of being selected. There is a 100% chance of including the balance of a customer whose book value is $11,000 or greater.

Understatements in the Sample The preceding example assumes that only overstatements were found in the audit sample. However, the auditor may encounter situations in which the account balance may be understated. For example, in addition to the two overstatement misstatements, the auditor might discover that an accounts receivable balance may be understated because the client did not include a freight charge on the invoice. Assume, for example, that an account balance of $500 had omitted a $50 freight charge, yielding a 10% understatement tainting.

When an understatement is encountered, the auditor has two possible courses of action. First, the understatement can be ignored for purposes of this sample valuation and, if there are other audit tests for understatements, this understatement can be included as part of other tests. Alternatively, the auditor can perform a separate analysis specifically for understatements. Although the auditor may use this evaluation approach when there are both over and understatements, the auditor should use caution in drawing any definitive conclusions regarding the amount of understatement in the account. MUS is not designed to test for the understatement of a population. If the auditor has concerns about the understatement of an account, an alternative approach, such as a classical variables approach, may be more appropriate.

Overstatements in the Sample When the auditor detects misstatements, the evaluation process is more involved because in addition to calculating basic precision, the auditor must also calculate the projected misstatement and the incremental allowance for sampling risk.

When evaluating the MUS sample where overstatements have been detected, the auditor begins by identifying the percentage that the book value of each misstated sample item is overstated or understated (referred to as the tainting percentage).

The auditor should define misstatements before beginning the sampling application to preclude the client or auditor from rationalizing away misstatements as isolated events and provide guidance to the audit team. A misstatement is a dollar amount of misstatement, either intentional or unintentional, that exists in a transaction or financial statement account balance.

When sampling for substantive tests of details, a misstatement involves differences between recorded values and audited values. For example, if a cash payment were posted to the wrong customer's subsidiary account, the overall account balance would still be correct and should not be considered a misstatement. Even so, the auditor should carefully follow up on this finding to be sure it is not evidence of a cover-up of an employee's misappropriation of cash. If, however, the client inappropriately billed a customer before the end of the period, the premature billing would be considered a misstatement because the overall receivable balance would be overstated at the end of the period.

Step 5. Select the Sample Items and Perform the Test of Control When selecting the sample, the auditor decides how to handle inapplicable, voided, or unused documents. An example of an inapplicable document would be a telephone bill when testing for an error defined as "cash disbursement transactions not supported by a receiving report." If the inapplicable document does not represent the control being tested, it should be replaced by another randomly selected item.

When selected items cannot be located, and the auditor is not able to perform appropriate alternative procedures for those items, the auditor should consider the reasons for this limitation, and should ordinarily consider those selected items to be control deviations for the purpose of evaluating the sample.

Exhibit 8.6 Continued Table 2 Statistical Sampling Results Evaluation Table for Tests of Controls—Upper Limits at 10 Percent Risk of Overreliance In determining what changes to make in substantive audit procedures, the auditor should consider the nature of control deviation (pattern of errors) and determine the effect of such deviations on potential material misstatements in the financial statements.

When the upper limit of the possible deviation rate exceeds the tolerable deviation rate, the auditor has to decide whether the control failure, in conjunction with other control failures, leads to a conclusion that there are either significant deficiencies or material weaknesses regarding internal control over financial reporting.

Nonstatistical Sampling Approach to Testing Controls If the auditor chooses to use nonstatistical sampling procedures to test the operating effectiveness of controls, the auditor may not quantify the planning factors. Instead, the auditor addresses deviation rates through the more global concepts of none, few, and many. Sampling risk is often set as low, moderate, or high. The effect of these factors on sample size follows:

With these subjective judgments, the auditor cannot quantitatively assess the risk of making an incorrect inference based on the sample results. For this reason, many auditors who use nonstatistical sampling should review the factors and select a sample size consistent with a statistically determined sample.

The auditor should also be aware of difficulties in using MUS:

• MUS is not designed to test for the understatement of a population. • If an auditor identifies understatements in a MUS sample, evaluation of the sample requires special considerations. • Selection of zero or negative balances requires special design considerations.

Nonstatistical sampling is the selection of sample items based on the auditor's judgment, rather than on a formal statistical method. If the auditor uses judgment to determine one or more of the following, the sampling approach is nonstatistical:

• Sample size • Items selected for the sample • Evaluation of the sample

Sample Evaluation—An Illustration To illustrate the use of the tables in Exhibit 8.6, assume that the auditor tested the controls designed to make sure that sales were not billed until shipped, using a 5% risk of overreliance, a tolerable population deviation rate of 6%, and an expected population deviation rate of 1%. Recall what these judgments mean:

• A 5% risk of overreliance means the auditor wants to limit the risk to 5% that the actual deviation rate in the population will not exceed the tolerable population deviation rate of 6%. This is equivalent to using a 95% confidence level. • The tolerable deviation rate is 6%; if there is more than a 5% chance that the actual deviation rate is greater than 6%, the auditor must conclude that the control is not operating at an acceptable level. • The auditor did not expect many errors; the auditor expects the control to not be operating effectively only about 1% of the time; this expectation is based on good past experience with the control and the client's careful monitoring practices. • If the upper limit of the possible deviation rate in the appropriate table exceeds the tolerable deviation rate set by the auditor, then the auditor's tests of controls do not support the original control assessment, and control risk must be increased. The remainder of the audit needs to be adjusted accordingly.

When the auditor concludes that a control is not operating effectively based on attributes sampling, the auditor can pursue the following alternative courses of action:

• A compensating control could be identified and tested. The decision to test the compensating control will depend on the perceived effectiveness of the control and the additional cost to test the control procedure. • A larger sample could be taken, but this is not likely to be cost-beneficial unless the auditor has reason to believe the original sample was not representative. • The assessment of control risk can be set higher than originally planned and the nature, timing, and/or the extent of the related substantive tests can be modified. If the upper limit of the possible deviation rate does not exceed the tolerable failure rate by very much, this modification could be very slight. For example, if the upper limit was 5.4% and the tolerable rate was 5%, very little modification is needed. • The auditor will analyze the nature of the control deviations and determine the implications on the type of misstatements, or causes of misstatements, that might occur in the financial statements and adjust the nature, timing, and/or extent of the planned substantive testing.

Attributes Sampling for Tests of Controls The auditor tests the operating effectiveness of important controls over financial reporting. The auditor will only perform such tests if the auditor has determined that the design and implementation of the controls are effective in minimizing the likelihood of material misstatements in the account balances. Control testing provides the auditor with evidence necessary to issue an opinion on internal control effectiveness and to assess the client's control risk. The assessment of control effectiveness may be based on:

• A sample to test the effectiveness of controls in operation • The auditor's observation of the controls within significant business processes • Tests of controls built into the client's computer system • Inquiry of relevant employees • Review of monitoring reports

Examples of the circumstances in which MUS might be used include:

• Accounts receivable confirmations (when credit balances are not significant) • Loans receivable confirmations (e.g., real-estate mortgage loans, commercial loans, and installment loans) • Inventory price tests in which the auditor anticipates relatively few misstatements and the population is not expected to contain a significant number of large understatements • Fixed-asset additions tests where existence is the relevant assertion

Some circumstances in which MUS might not be the most appropriate approach include:

• Accounts receivable confirmations in which a large number of credit balances exist • Inventory test counts and price tests for which the auditor anticipates a significant number of misstatements that can be both understatements and overstatements

Unacceptable Sample Results When the total estimated misstatement (the sum of the total factual and projected misstatement) exceeds the tolerable misstatement, the auditor has several possible courses of action. The auditor can:

• Ask the client to correct the factual misstatements—If this is done, the total estimated misstatement can be adjusted for those corrections, but not for the projection of misstatements associated with those items. In some cases, simply correcting the factual misstatement can bring the total estimated misstatement below the auditor's tolerable misstatement level. • Analyze the detected misstatements for common problem(s)—When misstatements are discovered, the auditor should look beyond the quantitative aspects of the misstatements to understand the nature and cause of the misstatements—especially to determine if there is a systematic pattern to the misstatements. If a systematic pattern is found, the client can be asked to investigate and make an estimate of the correction needed. The auditor can review and test this estimate. Further, the auditor can recommend improvements to prevent such errors in the future. For example, assume several confirmation replies indicate that merchandise was returned prior to year-end but credit was not recorded until the subsequent year. A careful review of receiving reports related to merchandise returned prior to year-end and of credits recorded in the subsequent year will provide evidence regarding the extent of the needed correction. The auditor should also consider the relationship of the misstatements to other phases of the audit; problems in recording receivables may also reveal problems in the accuracy of recorded sales. • Design an alternative audit strategy—Discovering more misstatements than expected in the risk assessment phase of the audit suggests that the planning assumptions may have been incorrect and that internal controls were not as effective as originally assessed. In such cases, the auditor should plan the rest of the audit accordingly. For public companies, significant problems with internal control will cause the auditor to consider whether it is necessary to express an adverse opinion on the effectiveness of the client's internal controls over financial reporting. • Expand the sample—The auditor can calculate the additional sample size needed by substituting the most likely misstatement from the sample evaluation for the original expected misstatement in the sample interval formula and determine a new interval and total sample size based on the new expectations. The number of additional sample items can then be determined by subtracting the original sample size from the new sample size. The new sampling interval can be used for selection of items not already included in the sample. • Change the audit objective to estimating the correct value—In cases where material misstatements are likely, it may be necessary to change from an objective of testing details to an objective of estimating the correct population value. A lower detection risk and a smaller tolerable misstatement should be used because the auditor is no longer testing the balance but is estimating the correct population value from the sample. The auditor will expect the client to adjust the book value to the estimated value. A larger sample size will normally be required.

When evaluating the MUS sample results, the auditor calculates the total estimated misstatement in the account balance based on the sampling process. This total includes the following four components:

• Factual misstatement for items in the top stratum • Basic precision—The amount of uncertainty associated with testing only a part of the population (sampling risk). Basic precision is the amount of error you are confident of not exceeding if no errors are detected in the sample. Basic precision is calculated as the sampling interval multiplied by a confidence factor. See Exhibit 8.9 for the confidence factors. • Projected misstatement for items in the lower stratum—The best estimate of the actual amount of dollar misstatements in the population based on projecting the sample results to the population. The projected misstatement is calculated as the sampling interval multiplied by the tainting percentage. The terms likely misstatement or most likely misstatement are also used to refer to projected misstatement. • Incremental allowance for sampling risk—An increase in the total estimated misstatement caused by the statistical properties of misstatements detected in the lower stratum.

Audit sampling requires that the auditor collect only a relatively small sub-sample of data, thereby resulting in detection risk, that is, the risk that, based on the sample the auditor takes, the auditor will fail to detect a material misstatement in the financial statements. Data analytics seems to present a panacea to that notion of risk because, by auditing 100% of the sample, detection risk can be lower.

• It seems like data analytics is the perfect answer to the audit risk problem. So, comment on a variety of reasons that auditors might not be willing to rely on data analytics to drive audit risk down. • Which do you think is costlier: sampling or data analytics? What are the different costs between sampling and data analytics? • What role does cost-benefit play in the choice between employing statistical sampling versus data analytics?

Summary of MUS Strengths and Weaknesses As an auditor considers whether to use MUS as the sampling approach for substantive tests of details, it is helpful to review its strengths and weaknesses. Strengths of MUS include:

• MUS is generally easier to apply than other statistical sampling approaches. • MUS automatically selects a sample in proportion to an item's dollar amount, thus providing automatic stratification of the sample. • If the auditor expects (and finds) no misstatements, MUS usually results in a highly efficient sample size.

There are three reasonable approaches to selecting the items for these tests:

• The auditor could select 176 sales transactions (the largest sample size) and audit all of them for Attribute 2, three of four for Attribute 1, and every other one for Attribute 3. This process, however, is quite cumbersome. • The auditor could examine the first 76 randomly selected documents for all three attributes and documents, sample items 77-132 for Attributes 1 and 2, and the remainder only for Attribute 2. This process is also quite cumbersome. • Often the most efficient approach is to test the 176 items for all three attributes. Attributes 1 and 3 will be in some sense over audited, but the over auditing may take less time than keeping track of which sample items should be tested for which attribute. Testing for Attributes 1 and 3 does not take very long once the auditor has selected the documents in the sample. The auditor's evaluation of the control is based on the 176 items examined and improves the accuracy of the control risk assessment.

Step 2. Define the Population from Which the Auditor Takes the Sample In defining the population, the auditor considers:

• The period to be covered by the test; for example, the audit year, or an interim period • The sampling unit; for example, monthly bank reconciliations • The completeness of the population; data analytical tools are useful for this purpose

