sampling for internal auditors - ISACA

By

Mwenya P. Chitalu CIA

SAMPLING FOR EFFECTIVE INTERNAL AUDITING

EXPECTED PRESENTATION OUTCOMES

Why Do Auditors Sample?

Sampling Policy

Statistical & Non-statistical Sampling

Statistical Terminologies

Statistical Sampling Plans

External Auditing Standards

Sample Selection Methods

Illustrations

DEMYSTIFYING STATISTICAL SAMPLING

The Principle (or Law) of Parsimony: That things are usually connected in the simplest or most economical way.

Reducing ideas to small, easy-to-write symbols & saying a lot in a small area covered by a formula. Eliminate the Greek, Arabic & Roman language barrier in symbols & Formulae

that mystify Mathematics or Statistics.

Just like any other audit, Probe Statistical Assertions-Life can be made easy with appropriate sampling.

If it cannot be measured, then it cannot be managed economically, efficiently, & effectively. Mathematics or statistics is commitment to logical thinking. It squeezes the most learning about the population from limited sample

data.

WHY DO AUDITORS SAMPLE?

International Standards for the Professional Practice of Internal Auditing:

Guides Information should be: Sufficient, Reliable, Relevant & Useful

Acknowledges Sampling Techniques in Evidence Acquisition

Opinions are NOT ABSOLUTE GUARANTEE but REASONABLE

ASSURANCE of Accuracy

Proficiency & Due Professional Care

Cost-Benefit Considerations: The Economy, Efficiency & Effectiveness, …

Corroborating Evidence for Control Processes & Account Balances

SAMPLING POLICY

Written Policy Statement

When to Sample?

Who Should Sample?

How to Sample?

Inappropriate Uses for Sampling:

When a Total is easily Audited

Inquiry & Observation Procedures

Analytical Procedures

STATISTICAL & NON-STATISTICAL SAMPLING

Three Characteristics in Common:

Both Require Auditor judgment in Planning, Implementing, &

Evaluating the Sampling Plan

Actual Audit Procedures Performed are the same

Both Non-Statistical & Statistical Techniques are Permitted by the

IPPF


Differences between Statistical & Non-statistical Sampling

Sampling Risk is Controlled & Measurable

Technical Training & Knowledge is Required

Computer Accessibility


In Summary, the following should be addressed:

What is the Internal Audit Department’s Recommended Policy or

Procedure?

Is a Quantitative measure of Sampling Risk Desired?

What is the relative Cost & Benefit of Statistical versus Non-

statistical Sampling?

Is Technical Expertise Available?

Is Computer Software Accessible or Expertise to Write a Program?

STATISTICAL TERMINOLOGIES

Confidence Level (C): Is the Reliability Level or Degree of Belief in

the Obtained Results.

Measure of Central Tendency:

Mean (µ): The arithmetic average of a set of numbers.

Median: The halfway value of raw data arranged in numerical order from

lowest to highest.

Mode: The most frequently occurring value.

Standard Deviation (𝝈): The statistical measurement of the variability of values in a sample (the square root of the variance).

Range: The difference between the largest and smallest values of any group.

Population (N): The total number of items from which the sample is drawn-It’s the focus of interest comprising sampling units.

Sampling Unit: Individual items making up a Population.

Sample (n): Collection of sampling units on which audit procedures are performed.



Logical Unit: Account or transaction selected to be sampled.

Expected Population Deviation Rate (𝝆): Estimate of the actual deviation rate in the population, usually based on prior experience, inquiries, and observations.

Precision (P): An assumed amount of possible unknown or the range of allowable error.

Tolerable Misstatement: The auditor’s assessment of materiality with respect to the population.

Upper Precision Limit: Upper limit on deviations expected in the population.


Tainting: Percentage of misstatement in a logical unit in a PPS sample.

Upper Misstatement Limit (UML): Estimated maximum misstatement existing in the population at a specified reliability in PPS sampling.

Sampling Risk: Conclusions based on sample differing with conclusions that could be reached if the entire population were examined.

Non-sampling risk: Drawing incorrect conclusion for reasons other than sampling due to poor judgment or failure to adhere to professional standards.

STATISTICAL SAMPLING

Advantages Disadvantages

May yield desired results from

minimum number of items

Yields quantified data

Includes measures of sampling

risk, confidence level, and

precision

Is adaptable to computer testing

Lends credibility to audit

conclusions/recommendations

Can be costly and time-

consuming

May require training and

software costs

May preclude experienced

auditors’ insights

NON-STATISTICAL SAMPLING

Advantages Disadvantages

Flexibility

Use of internal auditor’s

judgment

Allows reasonable reliability

at reasonable cost

Results not statistically valid

No objective measure of

sampling risk provided

Chance of wrong sample size

Effectiveness depends upon

auditor’s skill

STATISTICAL SAMPLING PLANS

1. ATTRIBUTES SAMPLING (TESTS OF CONTROLS)

Concerns binary, yes/no, or error/non-error populations

It tests the effectiveness of controls.

2. VARIABLES SAMPLING (SUBSTANTIVE TESTS)

Concerns monetary amounts & other measures.

It assesses materially misstated account balances & ...

3. THE PPS SAMPLING ( THE CAV SAMPLING)

Concerns primary engagement objective of few overstatements & not

understatement.

Difference & Ratio Estimations may not be efficient.

EXTERNAL AUDITING STANDARDS

Internal & External Audit Work Coordination & Recognition:

Statement on Auditing Standards (SA) No. 39: Audit Sampling & SAS

No. 47: Audit Risk & Materiality in Conducting an Audit – AICPA.

Audit Risk Model:

Audit Risk: Issuing unmodified opinion on financial statements that are

materially misstated.

Inherent Risk: Material misstatement occurring in the absence of

appropriate controls.

Control Risk: Controls ineffective & fails to prevent or detect material

misstatement in a timely manner.

Detection Risk: Substantive procedures failing to detect a material

misstatement.

Audit Risk = Inherent Risk x Control Risk x Detection Risk


Sampling risk impacts the Efficiency & Effectiveness of an audit

Components of Sampling Risk

Audit Test Audit Efficiency Audit Effectiveness

Tests of

Controls

Risk of Assessing Control Risk

Too High (i.e., not depending

upon effective controls)

Risk of Assessing Control Risk

Too Low (i.e., depending upon

ineffective controls)

Substantive

Tests

Risk of Incorrect Rejection (i.e.,

rejecting a materially correct

balance)

Risk of Incorrect Acceptance

(i.e., accepting a materially

incorrect balance)

Statistical Term Alpha Risk (∝) Beta Risk ( 𝛽)


Non-sampling Risk

“The audit failing to detect an internal control weakness or material misstatement for reasons other than the fact that sampling was used.” Application of an inappropriate audit procedure

Failure to recognize an error condition

Omission of an essential audit step

Materiality: Amount of difference tolerated by the auditor & concluding the assertion tested as reasonable: Tolerable deviation rate for tests of control

Tolerable misstatement for substantive testing

Materiality is inversely related to sample size

Materiality assessment must be a cost versus benefit decision

SAMPLE SELECTION METHODS

Methods Appropriate for Both Statistical & Non-statistical Sampling: Simple Random Sampling: Items with equal chance of selection. Systematic Sampling: nth item selection with random start within the n

interval. PPS uses systematic sampling.

Methods Used Only for Non-statistical Sampling: Haphazard Selection: Selecting sample items without intentional bias. Block Selection: Audit of a group of contiguous transactions like delivery

notes for March or invoices in a sequence. Block Amount: Whole amount is audited.

Other Considerations in Sample Selection: Void Items: Select additional sampling units for voided items. Missing Items: Must be treated as an error condition- In attributes,

control is not effective & in substantive testing, audited value is ZMK 0.00

ATTRIBUTE SAMPLING

.

When to use

Size of sample (n)

Statistical table

specifications

Based on judgment about probability that errors (or other characteristics) will occur or based on statistical tables

𝐧 =𝐂𝟐𝝆𝒒

𝐏𝟐

• Population size (N)

• Confidence level (C)

• Precision (P)

• Expected rate of errors (𝝆) &q=100-𝝆

To estimate the number of times a certain characteristic may occur in a population

Attributes Sampling Illustrations

. ITEM ACCOUNTS RECEIVABLES AS AT 31ST DECEMBER 2013

1 Population Size of Accounts Receivable N 4,000 Accounts

2 Confidence Level 90%

Confidence Coefficient C 1.64

3 Tolerable Deviation Rate (TDR) 5%

(Based on Prior Years of Findings or Pilot Sample)

4 Planned Risk of Assessing Control Risk Too Low (Beta Risk) 5%

5 Planned Risk of Assessing Control Risk Too High (Alpha Risk) 10%

6 Desired Precision = Beta x TDR/Alpha P 2.50%

7 Sample Size n 204 Accounts

8 Expected Number of Errors (From Statistical Tables) 5

Assuming Control Procedures Anticipated Deviation Rate = Zero 0%

Upper Precision Limit (UPL) from the Statistical Tables 1.50%

(And is Less than Tolerable Deviation Rate=5%)

9 Assuming 2 Actual Control Procedure Errors: 2

Upper Precision Limit (from the Tables) UPL 3.20%

10 And UPL < ρ Conclusion???

11 CONCLUSION Controls are Effective

𝛽

Attributes Sampling Variations

Stop-or-Go Sampling: The Auditor guards against selecting an

unnecessarily large sample.

Discovery Sampling: The Auditor targets discovering at least one

deviation if the percentage of deviations in the population is at or

above a specified level, e.g. Fraud, Substantial mistake or

Compliance failure.

VARIABLES SAMPLING

.

When to use

Size of sample (n)

Statistical table

specifications

𝐧 =𝐂𝟐𝝈𝟐

𝐏𝟐

• Population size (N)

• Confidence level/Coefficient (C)

• Precision (P)

• Standard deviation (𝝈)

When size matters; e.g., amount of a

discrepancy in monetary or weight terms

Variables Sampling Illustration

. ITEM ACCOUNTS RECEIVABLES AS AT 31ST DECEMBER 2013

1 Recorded Amount of Accounts Receivable (N) RM 360,000 ZMK

2 Tolerable Misstatement TM 18,000 ZMK

3 Planned Risk of Incorrent Acceptance (Beta Risk) 5%

4 Planned Risk of Incorrect Rejection (Alpha Risk) 10%

5 Number of Accounts Receivable (N) 4,000 Accounts

6 Estimated Population Standard Deviation 8.68 ZMK

(Based on Prior Years of Findings or Pilot Sample)

7 Confidence Level 90%

Confidence Coefficient C 1.64

8 Desired Precision = Beta x TM/Alpha 9,000 ZMK

9 Precision per-item basis (Desired Precision/N) P 2.25 ZMK

7 Sample Size n 40 Accounts

𝛽

Three Types of Variables Sampling

Mean-per-unit Estimation: Estimates the total monetary amount of the population by calculating a sample mean & multiplying by the number of items in the population.

Difference Estimation: Estimates the total error in the population.

Useful only if population contains enough errors to generate a reliable sample estimate & the differences are not proportional to the book values.

Ratio Estimation: Estimates the total monetary amount of the population by calculating the ratio between the audited & book values in the sample and using this ratio to make the estimate.

Useful when differences between book & sample values are proportional to book values.

Variables Sampling:

Mean-per-Unit Estimation

Step 2: Multiply mean-per-unit value by number of

accounts in the population.

Step 1: Calculate average audit value (i.e., mean-per-

unit value for audited samples).

K85.00 4,000 Accounts = K340,000.00

K3,400.00/40 = K85.00 / Account.

Over-count = K20,000.00

(K340,000.00 – K360,000.00)

Case example Population: 4,000 Accounts

Total book value: ZMK 360,000.00

Sample size: 40 Accounts

Sample book value: ZMK 3,600.00

Sample audit value: ZMK 3,400.00

Variables Sampling: Difference Estimation

(K20,000.00) + K360,000.00 = K340,000.00

Step 3: Estimate actual value by adding the difference

estimate and book value for the population.

Step 1: Calculate average difference between audit value and

book value for the sample.

(K3,400.00 – K3,600.00)/40 Accounts = (K5.00)

Step 2: Determine the difference estimate for the

population.

(K5.00) 4,000 accounts = (K20,000.00)

Book value is Overstated by K20,000.00


Total book value: ZMK 360,000.00


Sample book value: ZMK 3,600.00


Variables Sampling:

Ratio Estimation

Step 4: Estimate actual population value by multiplying

ratio by population book value:

K3,400.00 / K3,600.00 = 0.94

Step 1: Audit value for sample = K3,400.00

Step 2: Book value for sample = K3,600.00

Step 3: Find ratio of audit value to book value:

0.94 K360,000.00 = K338,400.00

Book value is Overstated by K21,600.00


Total book value: ZMK360,000.00


Sample book value: ZMK3,600.00


PROBABILITY-PROPORTIONAL-TO-SIZE (PPS) SAMPLING

. When to use

Size of sample (n)

(n1: AM=0, & n2:

AM>=1)

Statistical

specifications

𝐧𝟏 =𝐑𝐌 𝐱 𝐑𝐅

𝐓𝐌 or 𝐧𝟐 =

𝐑𝐌 𝐱 𝐑𝐅

𝐓𝐌−(𝐀𝐌 𝐱 𝐄𝐅)

• Recorded Amount of the Account (RM)

• Reliability Factor (RF)

• Tolerable Misstatement (TM)

• Anticipated Misstatement (AM)

• Expansion Factor (EF)

When auditing account balances for few

overstated items; e.g., in inventory,

receivables, disbursements, etc.

PPS ILLUSTRATION

. ACCOUNTS RECEIVABLE AS AT 31ST DECEMBER 2013

Recorded Amt of A/C Receivables RM 360,000

Tolerable Misstatement TM 18,000

Anticipated Misstatement AM 0

Risk of Incorrect Acceptance 5%

A/C No.

AMT

ZMK

CUM

AMT

Kwacha

Selected

Sampling

Unit

Observed

Amount

Tainting

%

Sampling

Interval

Projected

Misstatement

ACT0001 9,450 9,450 9,000 9,450 7,875 * * 1,575

ACT0002 480 9,930

ACT0003 2,800 12,730

ACT0004 5,106 17,836

ACT0005 2,100 19,936 18,000 2,100 0 100% 9,000 9,000

ACT0006 8,000 27,050 27,000 8,000 8,000 0 9,000 0. . . . .. . . . .. . . . .

ACT4000 6,000 360,000 360,000 6,000 4,500 25% 9,000 2,250

TOTAL 360,000 12,825

Basic Precision(SI x RF = K9,000 x 3) ZMK 27,000

Total Projected Misstatment ZMK 12,825

Allowance for Precision Gap Widening:

(4.75-3.00-1.00) x K9,000 ZMK 6,750

(6.30-4.75-1.00) x K2,250 ZMK 1,238

Upper Misstatement Limit (UML)>TM ZMK 47,813

CONCLUSION Accounts Receivable Materially Overstated

CONCLUSION/RECOMMENDATIONS

It is Concluded & Recommended that Internal Auditors comply with

the Proficiency & Due Professional Care IIA Standards by Appropriate

Application of both Statistical & Non Statistical Sampling to

Reasonably Assure that Opinion Evidence is: Sufficient, Reliable,

Relevant and Useful.

REFERENCES FOR FURTHER READING

1. Sampling for Internal Auditors: Text-based Self Study Course-

The Institute of Internal Auditors by Barbara Apostolou, PhD,

CPA, DABFA.

2. Internal Audit Practice-Part 1: The IIA’s CIA Learning

System by The Institute of Internal Auditors.

3. Internal Audit Practice-Part 1: Gleim CIA Review by

Professor Irvin N. Gleim, PhD, CPA, CIA, CMA, CFM.

COMMENTS, REMARKS & QUESTIONS

Confidence coefficient, C,

Based on the Risk of Incorrect

Rejection

Risk of

Incorrect

Rejection

Confidence

Level

Confidence

Coefficient

20% 80% 1.28

10% 90% 1.64

5% 95% 1.96

1% 99% 2.58

Attributes Sample Size Statistical Tables

For Tests of Controls

Five Percent (5%) Risk of Assessing Control Risk Too Low

(Number of Expected Errors in parentheses)

. Expected

Population

Deviation

Rate (%)

Tolerable Deviation Rate

2% 3% 4% 5% 6% 7% 8% 9% 10% 15% 20%

0.00 149(0) 99(0) 74(0) 59(0) 49(0) 42(0) 36(0) 32(0) 29(0) 19(0) 14(0)

0.25 236(1) 157(1) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

0.50 * 157(1) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

0.75 * 208(2) 117(1) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

1.00 * * 156(2) 93(1) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

1.25 * * 156(2) 124(2) 78(1) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

1.50 * * 192(3) 124(2) 103(2) 66(1) 58(1) 51(1) 46(1) 30(1) 22(1)

1.75 * * 227(4) 153(3) 103(2) 88(2) 77(2) 51(1) 46(1) 30(1) 22(1)

2.00 * * * 181(4) 127(3) 88(2) 77(2) 68(2) 46(1) 30(1) 22(1)

2.25 * * * 208(5) 127(3) 88(2) 77(2) 68(2) 61(2) 30(1) 22(1)

2.50 * * * * 150(4) 109(3) 77(2) 68(2) 61(2) 30(1) 22(1)

2.75 * * * * 173(5) 109(3) 95(3) 68(2) 61(2) 30(1) 22(1)

3.00 * * * * 195(6) 129(4) 95(3) 84(3) 61(2) 30(1) 22(1)

3.25 * * * * * 148(5) 112(4) 84(3) 61(2) 30(1) 22(1)

3.50 * * * * * 167(6) 112(4) 84(3) 76(3) 40(2) 22(1)

3.75 * * * * * 185(7) 129(5) 100(4) 76(3) 40(2) 22(1)

4.00 * * * * * * 146(6) 100(4) 89(4) 40(2) 22(1)

5.00 * * * * * * * 158(8) 116(6) 40(2) 30(2)

6.00 * * * * * * * * 179(11) 50(3) 30(2)

7.00 * * * * * * * * * 68(5) 37(3)

Attributes Sample Evaluation Tables

For Tests of Controls Upper Limits at Five Percent (5%) Risk of Assessing Control Risk Too Low

. Sample

Size

Actual Number of Deviations Found

0 1 2 3 4 5 6 7 8 9 10

25 11.3 17.6 * * * * * * * * *

30 9.5 14.9 19.6 * * * * * * * *

35 8.3 12.9 17.0 * * * * * * * *

40 7.3 11.4 15.0 18.3 * * * * * * *

45 6.5 10.2 13.4 16.4 19.2 * * * * * *

50 5.9 9.2 12.1 14.8 17.4 19.9 * * * * *

55 5.4 8.4 11.1 13.5 15.9 18.2 * * * * *

60 4.9 7.7 10.2 12.5 14.7 16.8 18.8 * * * *

65 4.6 7.1 9.4 11.5 13.6 15.5 17.4 19.3 * * *

70 4.2 6.6 8.8 10.8 12.6 14.5 16.3 18.0 19.7 * *

75 4.0 6.2 8.2 10.1 11.8 13.6 15.2 16.9 18.5 20.0 *

80 3.7 5.8 7.7 9.5 11.1 12.7 14.3 15.9 17.4 18.9 *

90 3.3 5.2 6.9 8.4 9.9 11.4 12.8 14.2 15.5 16.8 18.2

100 3.0 4.7 6.2 7.6 9.0 10.3 11.5 12.8 14.0 15.2 16.4

125 2.4 3.8 5.0 6.1 7.2 8.3 9.3 10.3 11.3 12.3 13.2

150 2.0 3.2 4.2 5.1 6.0 6.9 7.8 8.6 9.5 10.3 11.1

200 1.5 2.4 3.2 3.9 4.6 5.2 5.9 6.5 7.2 7.8 8.4

Reliability Factors (RF) for Overstatements

.

Number of

Overstatements

Risk of Incorrect Acceptance

1% 5% 10% 15% 20%

0 4.61 3.00 2.31 1.90 1.61

1 6.64 4.75 3.89 3.38 3.00

2 8.41 6.30 5.33 4.72 4.28

PPS Sampling Expansion Factors

For Expected Misstatements

. Risk of Incorrect

Acceptance (%)

Expansion

Factor

1 1.90

5 1.60

10 1.50

15 1.40

20 1.30

25 1.25

30 1.20

37 1.15

50 1.10

sampling for internal auditors - ISACA

Documents