SAMPLING FOR EFFECTIVE INTERNAL AUDITING
By Mwenya P. Chitalu CIA
EXPECTED PRESENTATION OUTCOMES
• Why Do Auditors Sample?
• Sampling Policy
• Statistical & Non-statistical Sampling
• Statistical Terminologies
• Statistical Sampling Plans
• External Auditing Standards
• Sample Selection Methods
• Illustrations
DEMYSTIFYING STATISTICAL SAMPLING
• The Principle (or Law) of Parsimony: That things are usually connected in the simplest or most economical way.
• Reducing ideas to small, easy-to-write symbols & saying a lot in a small area covered by a formula.
• Eliminate the Greek, Arabic & Roman language barrier in symbols & formulae that mystify Mathematics or Statistics.
• Just like any other audit, probe statistical assertions. Life can be made easy with appropriate sampling.
• If it cannot be measured, then it cannot be managed economically, efficiently, & effectively.
• Mathematics or statistics is a commitment to logical thinking.
• It squeezes the most learning about the population from limited sample data.
WHY DO AUDITORS SAMPLE?
International Standards for the Professional Practice of Internal Auditing:
• Guides Information should be: Sufficient, Reliable, Relevant & Useful
• Acknowledges Sampling Techniques in Evidence Acquisition
• Opinions are NOT ABSOLUTE GUARANTEE but REASONABLE ASSURANCE of Accuracy
• Proficiency & Due Professional Care
• Cost-Benefit Considerations: The Economy, Efficiency & Effectiveness, …
• Corroborating Evidence for Control Processes & Account Balances
SAMPLING POLICY
• Written Policy Statement
• When to Sample?
• Who Should Sample?
• How to Sample?
Inappropriate Uses for Sampling:
• When a Total is easily Audited
• Inquiry & Observation Procedures
• Analytical Procedures
STATISTICAL & NON-STATISTICAL SAMPLING
Three Characteristics in Common:
• Both Require Auditor judgment in Planning, Implementing, & Evaluating the Sampling Plan
• Actual Audit Procedures Performed are the same
• Both Non-Statistical & Statistical Techniques are Permitted by the IPPF
Differences between Statistical & Non-statistical Sampling:
• Sampling Risk is Controlled & Measurable
• Technical Training & Knowledge is Required
• Computer Accessibility
In Summary, the following should be addressed:
• What is the Internal Audit Department’s Recommended Policy or Procedure?
• Is a Quantitative measure of Sampling Risk Desired?
• What is the relative Cost & Benefit of Statistical versus Non-statistical Sampling?
• Is Technical Expertise Available?
• Is Computer Software Accessible or Expertise to Write a Program?
STATISTICAL TERMINOLOGIES
• Confidence Level (C): The Reliability Level or Degree of Belief in the Obtained Results.
• Measure of Central Tendency:
  • Mean (µ): The arithmetic average of a set of numbers.
  • Median: The halfway value of raw data arranged in numerical order from lowest to highest.
  • Mode: The most frequently occurring value.
• Standard Deviation (σ): The statistical measurement of the variability of values in a sample (the square root of the variance).
• Range: The difference between the largest and smallest values of any group.
• Population (N): The total number of items from which the sample is drawn. It is the focus of interest, comprising sampling units.
• Sampling Unit: Individual items making up a Population.
• Sample (n): Collection of sampling units on which audit procedures are performed.
• Logical Unit: Account or transaction selected to be sampled.
• Expected Population Deviation Rate (ρ): Estimate of the actual deviation rate in the population, usually based on prior experience, inquiries, and observations.
• Precision (P): An assumed amount of possible unknown or the range of allowable error.
• Tolerable Misstatement: The auditor’s assessment of materiality with respect to the population.
• Upper Precision Limit: Upper limit on deviations expected in the population.
• Tainting: Percentage of misstatement in a logical unit in a PPS sample.
• Upper Misstatement Limit (UML): Estimated maximum misstatement existing in the population at a specified reliability in PPS sampling.
• Sampling Risk: Conclusions based on a sample differing from the conclusions that could be reached if the entire population were examined.
• Non-sampling Risk: Drawing an incorrect conclusion for reasons other than sampling, due to poor judgment or failure to adhere to professional standards.
STATISTICAL SAMPLING
Advantages:
• May yield desired results from minimum number of items
• Yields quantified data
• Includes measures of sampling risk, confidence level, and precision
• Is adaptable to computer testing
• Lends credibility to audit conclusions/recommendations
Disadvantages:
• Can be costly and time-consuming
• May require training and software costs
• May preclude experienced auditors’ insights
NON-STATISTICAL SAMPLING
Advantages:
• Flexibility
• Use of internal auditor’s judgment
• Allows reasonable reliability at reasonable cost
Disadvantages:
• Results not statistically valid
• No objective measure of sampling risk provided
• Chance of wrong sample size
• Effectiveness depends upon auditor’s skill
STATISTICAL SAMPLING PLANS
1. ATTRIBUTES SAMPLING (TESTS OF CONTROLS)
• Concerns binary, yes/no, or error/non-error populations
• It tests the effectiveness of controls.
2. VARIABLES SAMPLING (SUBSTANTIVE TESTS)
• Concerns monetary amounts & other measures.
• It assesses materially misstated account balances & ...
3. THE PPS SAMPLING (THE CAV SAMPLING)
• Concerns primary engagement objective of few overstatements & not understatement.
• Difference & Ratio Estimations may not be efficient.
EXTERNAL AUDITING STANDARDS
Internal & External Audit Work Coordination & Recognition: Statement on Auditing Standards (SAS) No. 39: Audit Sampling & SAS No. 47: Audit Risk & Materiality in Conducting an Audit – AICPA.
Audit Risk Model:
Audit Risk = Inherent Risk x Control Risk x Detection Risk
• Audit Risk: Issuing an unmodified opinion on financial statements that are materially misstated.
• Inherent Risk: Material misstatement occurring in the absence of appropriate controls.
• Control Risk: Controls are ineffective & fail to prevent or detect material misstatement in a timely manner.
• Detection Risk: Substantive procedures failing to detect a material misstatement.
Sampling risk impacts the Efficiency & Effectiveness of an audit
Components of Sampling Risk

| Audit Test | Audit Efficiency | Audit Effectiveness |
| --- | --- | --- |
| Tests of Controls | Risk of Assessing Control Risk Too High (i.e., not depending upon effective controls) | Risk of Assessing Control Risk Too Low (i.e., depending upon ineffective controls) |
| Substantive Tests | Risk of Incorrect Rejection (i.e., rejecting a materially correct balance) | Risk of Incorrect Acceptance (i.e., accepting a materially incorrect balance) |
| Statistical Term | Alpha Risk (α) | Beta Risk (β) |
Non-sampling Risk
“The audit failing to detect an internal control weakness or material misstatement for reasons other than the fact that sampling was used.”
• Application of an inappropriate audit procedure
• Failure to recognize an error condition
• Omission of an essential audit step
Materiality: Amount of difference tolerated by the auditor & concluding the assertion tested as reasonable:
• Tolerable deviation rate for tests of control
• Tolerable misstatement for substantive testing
• Materiality is inversely related to sample size
• Materiality assessment must be a cost versus benefit decision
SAMPLE SELECTION METHODS
Methods Appropriate for Both Statistical & Non-statistical Sampling:
• Simple Random Sampling: Items with equal chance of selection.
• Systematic Sampling: nth item selection with random start within the n interval. PPS uses systematic sampling.
Methods Used Only for Non-statistical Sampling:
• Haphazard Selection: Selecting sample items without intentional bias.
• Block Selection: Audit of a group of contiguous transactions like delivery notes for March or invoices in a sequence.
• Block Amount: Whole amount is audited.
Other Considerations in Sample Selection:
• Void Items: Select additional sampling units for voided items.
• Missing Items: Must be treated as an error condition. In attributes, control is not effective & in substantive testing, audited value is ZMK 0.00
ATTRIBUTE SAMPLING
When to use: To estimate the number of times a certain characteristic may occur in a population
Size of sample (n): Based on judgment about probability that errors (or other characteristics) will occur or based on statistical tables

$n = \dfrac{C^2 \rho q}{P^2}$

Statistical table specifications:
• Population size (N)
• Confidence level (C)
• Precision (P)
• Expected rate of errors (ρ) & q = 100 − ρ
Attributes Sampling Illustrations
ACCOUNTS RECEIVABLES AS AT 31ST DECEMBER 2013

| Description | Symbol | Value |
| --- | --- | --- |
| Population Size of Accounts Receivable | N | 4,000 Accounts |
| Confidence Level | | 90% |
| Confidence Coefficient | C | 1.64 |
| Tolerable Deviation Rate (TDR) (Based on Prior Years of Findings or Pilot Sample) | | 5% |
| Planned Risk of Assessing Control Risk Too Low (Beta Risk) | β | 5% |
| Planned Risk of Assessing Control Risk Too High (Alpha Risk) | | 10% |
| Desired Precision = Beta x TDR/Alpha | P | 2.50% |
| Sample Size | n | 204 Accounts |
| Expected Number of Errors (From Statistical Tables) | | 5 |
| Assuming Control Procedures Anticipated Deviation Rate = Zero | | 0% |
| Upper Precision Limit (UPL) from the Statistical Tables (And is Less than Tolerable Deviation Rate = 5%) | UPL | 1.50% |
| Assuming 2 Actual Control Procedure Errors | | 2 |
| Upper Precision Limit (from the Tables) | UPL | 3.20% |

And UPL < ρ
CONCLUSION: Controls are Effective
Attributes Sampling Variations
• Stop-or-Go Sampling: The Auditor guards against selecting an unnecessarily large sample.
• Discovery Sampling: The Auditor targets discovering at least one deviation if the percentage of deviations in the population is at or above a specified level, e.g. Fraud, Substantial mistake or Compliance failure.
VARIABLES SAMPLING
When to use: When size matters; e.g., amount of a discrepancy in monetary or weight terms
Size of sample (n):

$n = \dfrac{C^2 \sigma^2}{P^2}$

Statistical table specifications:
• Population size (N)
• Confidence level/Coefficient (C)
• Precision (P)
• Standard deviation (σ)
Variables Sampling Illustration
ACCOUNTS RECEIVABLES AS AT 31ST DECEMBER 2013

| Description | Symbol | Value |
| --- | --- | --- |
| Recorded Amount of Accounts Receivable | RM | 360,000 ZMK |
| Tolerable Misstatement | TM | 18,000 ZMK |
| Planned Risk of Incorrect Acceptance (Beta Risk) | β | 5% |
| Planned Risk of Incorrect Rejection (Alpha Risk) | | 10% |
| Number of Accounts Receivable | N | 4,000 Accounts |
| Estimated Population Standard Deviation (Based on Prior Years of Findings or Pilot Sample) | | 8.68 ZMK |
| Confidence Level | | 90% |
| Confidence Coefficient | C | 1.64 |
| Desired Precision = Beta x TM/Alpha | | 9,000 ZMK |
| Precision per-item basis (Desired Precision/N) | P | 2.25 ZMK |
| Sample Size | n | 40 Accounts |
Three Types of Variables Sampling
• Mean-per-unit Estimation: Estimates the total monetary amount of the population by calculating a sample mean & multiplying by the number of items in the population.
• Difference Estimation: Estimates the total error in the population. Useful only if population contains enough errors to generate a reliable sample estimate & the differences are not proportional to the book values.
• Ratio Estimation: Estimates the total monetary amount of the population by calculating the ratio between the audited & book values in the sample and using this ratio to make the estimate. Useful when differences between book & sample values are proportional to book values.
Variables Sampling: Mean-per-Unit Estimation
Case example
• Population: 4,000 Accounts
• Total book value: ZMK 360,000.00
• Sample size: 40 Accounts
• Sample book value: ZMK 3,600.00
• Sample audit value: ZMK 3,400.00
Step 1: Calculate average audit value (i.e., mean-per-unit value for audited samples). K3,400.00/40 = K85.00 / Account.
Step 2: Multiply mean-per-unit value by number of accounts in the population. K85.00 x 4,000 Accounts = K340,000.00
Over-count = K20,000.00 (K340,000.00 – K360,000.00)
Variables Sampling: Difference Estimation
Case example
• Population: 4,000 Accounts
• Total book value: ZMK 360,000.00
• Sample size: 40 Accounts
• Sample book value: ZMK 3,600.00
• Sample audit value: ZMK 3,400.00
Step 1: Calculate average difference between audit value and book value for the sample. (K3,400.00 – K3,600.00)/40 Accounts = (K5.00)
Step 2: Determine the difference estimate for the population. (K5.00) x 4,000 accounts = (K20,000.00)
Step 3: Estimate actual value by adding the difference estimate and book value for the population. (K20,000.00) + K360,000.00 = K340,000.00
Book value is Overstated by K20,000.00
Variables Sampling: Ratio Estimation
Case example
• Population: 4,000 Accounts
• Total book value: ZMK 360,000.00
• Sample size: 40 Accounts
• Sample book value: ZMK 3,600.00
• Sample audit value: ZMK 3,400.00
Step 1: Audit value for sample = K3,400.00
Step 2: Book value for sample = K3,600.00
Step 3: Find ratio of audit value to book value: K3,400.00 / K3,600.00 = 0.94
Step 4: Estimate actual population value by multiplying ratio by population book value: 0.94 x K360,000.00 = K338,400.00
Book value is Overstated by K21,600.00
PROBABILITY-PROPORTIONAL-TO-SIZE (PPS) SAMPLING
When to use: When auditing account balances for few overstated items; e.g., in inventory, receivables, disbursements, etc.
Size of sample (n) (n1: AM=0, & n2: AM>=1):

$n_1 = \dfrac{RM \times RF}{TM}$ or $n_2 = \dfrac{RM \times RF}{TM - (AM \times EF)}$

Statistical specifications:
• Recorded Amount of the Account (RM)
• Reliability Factor (RF)
• Tolerable Misstatement (TM)
• Anticipated Misstatement (AM)
• Expansion Factor (EF)
PPS ILLUSTRATION
ACCOUNTS RECEIVABLE AS AT 31ST DECEMBER 2013

| Description | Symbol | Value |
| --- | --- | --- |
| Recorded Amt of A/C Receivables | RM | 360,000 ZMK |
| Tolerable Misstatement | TM | 18,000 ZMK |
| Anticipated Misstatement | AM | 0 |
| Risk of Incorrect Acceptance | | 5% |

| A/C No. | AMT (ZMK) | CUM AMT |
| --- | --- | --- |
| ACT0001 | 9,450 | 9,450 |
| ACT0002 | 480 | 9,930 |
| ACT0003 | 2,800 | 12,730 |
| ACT0004 | 5,106 | 17,836 |
| ACT0005 | 2,100 | 19,936 |
| ACT0006 | 8,000 | 27,050 |
| . . . | . . . | . . . |
| ACT4000 | 6,000 | 360,000 |
| TOTAL | 360,000 | |

| Kwacha Selected | Sampling Unit | Observed Amount | Tainting % | Sampling Interval | Projected Misstatement |
| --- | --- | --- | --- | --- | --- |
| 9,000 | 9,450 | 7,875 | * | * | 1,575 |
| 18,000 | 2,100 | 0 | 100% | 9,000 | 9,000 |
| 27,000 | 8,000 | 8,000 | 0 | 9,000 | 0 |
| . . . | . . . | | | | |
| 360,000 | 6,000 | 4,500 | 25% | 9,000 | 2,250 |
| Total Projected Misstatement | | | | | 12,825 |

| Evaluation | ZMK |
| --- | --- |
| Basic Precision (SI x RF = K9,000 x 3) | 27,000 |
| Total Projected Misstatement | 12,825 |
| Allowance for Precision Gap Widening: (4.75-3.00-1.00) x K9,000 | 6,750 |
| Allowance for Precision Gap Widening: (6.30-4.75-1.00) x K2,250 | 1,238 |
| Upper Misstatement Limit (UML) > TM | 47,813 |

CONCLUSION: Accounts Receivable Materially Overstated
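The selection and evaluation steps of the PPS illustration above, as an added Python example that is not part of the original presentation. The function names are hypothetical; the reliability factors are the 5% column of the presentation's table, and the interval of K9,000, the first selected kwacha (9,000) and the account figures are taken from the illustration.

```python
# Reliability factors for overstatements at 5% risk of incorrect acceptance,
# copied from the page's table; index = number of overstatements (0, 1, 2).
RF_5PCT = [3.00, 4.75, 6.30]

def select_pps(accounts, interval, start):
    """Systematic PPS selection: return the logical unit (account) holding
    every `interval`-th kwacha, counting from kwacha number `start`."""
    selected, cumulative, target = [], 0, start
    for account, amount in accounts:
        cumulative += amount
        if target <= cumulative:
            selected.append((target, account, amount))
            # An account larger than the interval can contain several
            # selected kwacha; it is still audited only once.
            while target <= cumulative:
                target += interval
    return selected

def evaluate_pps(findings, interval, rf=RF_5PCT):
    """findings: (book, audited) per selected logical unit.
    Returns (basic_precision, projected, allowance, uml)."""
    projected, tainted = 0.0, []
    for book, audited in findings:
        overstatement = book - audited
        if overstatement <= 0:
            continue                      # only overstatements are evaluated
        if book >= interval:
            projected += overstatement    # unit >= interval: no projection
        else:
            tainted.append(overstatement / book * interval)
    projected += sum(tainted)
    if len(tainted) >= len(rf):
        raise ValueError("reliability-factor table too short for these findings")
    basic = rf[0] * interval
    # Rank sub-interval projections largest first; each one widens the
    # limit by (RF_i - RF_(i-1) - 1.00) times its projected misstatement.
    ranked = sorted(tainted, reverse=True)
    allowance = sum((rf[i] - rf[i - 1] - 1.00) * p
                    for i, p in enumerate(ranked, start=1))
    return basic, projected, allowance, basic + projected + allowance

# Figures from the page's illustration (ACT0001..ACT0006 and the four findings).
ACCOUNTS = [("ACT0001", 9450), ("ACT0002", 480), ("ACT0003", 2800),
            ("ACT0004", 5106), ("ACT0005", 2100), ("ACT0006", 8000)]
FINDINGS = [(9450, 7875), (2100, 0), (8000, 8000), (6000, 4500)]

if __name__ == "__main__":
    print(select_pps(ACCOUNTS, interval=9000, start=9000))
    basic, projected, allowance, uml = evaluate_pps(FINDINGS, interval=9000)
    print(basic, projected, allowance, uml, uml > 18000)
```

The unrounded upper misstatement limit is K47,812.50; the illustration rounds the second allowance to K1,238 and so reports K47,813, which exceeds the tolerable misstatement of K18,000 either way.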
CONCLUSION/RECOMMENDATIONS
It is Concluded & Recommended that Internal Auditors comply with the Proficiency & Due Professional Care IIA Standards by Appropriate Application of both Statistical & Non Statistical Sampling to Reasonably Assure that Opinion Evidence is: Sufficient, Reliable, Relevant and Useful.
COMMENTS, REMARKS & QUESTIONS
Confidence coefficient, C, Based on the Risk of Incorrect Rejection

| Risk of Incorrect Rejection | Confidence Level | Confidence Coefficient |
| --- | --- | --- |
| 20% | 80% | 1.28 |
| 10% | 90% | 1.64 |
| 5% | 95% | 1.96 |
| 1% | 99% | 2.58 |
Attributes Sample Size Statistical Tables For Tests of Controls
Five Percent (5%) Risk of Assessing Control Risk Too Low (Number of Expected Errors in parentheses)
Columns are the Tolerable Deviation Rate.

| Expected Population Deviation Rate (%) | 2% | 3% | 4% | 5% | 6% | 7% | 8% | 9% | 10% | 15% | 20% |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0.00 | 149(0) | 99(0) | 74(0) | 59(0) | 49(0) | 42(0) | 36(0) | 32(0) | 29(0) | 19(0) | 14(0) |
| 0.25 | 236(1) | 157(1) | 117(1) | 93(1) | 78(1) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 0.50 | * | 157(1) | 117(1) | 93(1) | 78(1) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 0.75 | * | 208(2) | 117(1) | 93(1) | 78(1) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 1.00 | * | * | 156(2) | 93(1) | 78(1) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 1.25 | * | * | 156(2) | 124(2) | 78(1) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 1.50 | * | * | 192(3) | 124(2) | 103(2) | 66(1) | 58(1) | 51(1) | 46(1) | 30(1) | 22(1) |
| 1.75 | * | * | 227(4) | 153(3) | 103(2) | 88(2) | 77(2) | 51(1) | 46(1) | 30(1) | 22(1) |
| 2.00 | * | * | * | 181(4) | 127(3) | 88(2) | 77(2) | 68(2) | 46(1) | 30(1) | 22(1) |
| 2.25 | * | * | * | 208(5) | 127(3) | 88(2) | 77(2) | 68(2) | 61(2) | 30(1) | 22(1) |
| 2.50 | * | * | * | * | 150(4) | 109(3) | 77(2) | 68(2) | 61(2) | 30(1) | 22(1) |
| 2.75 | * | * | * | * | 173(5) | 109(3) | 95(3) | 68(2) | 61(2) | 30(1) | 22(1) |
| 3.00 | * | * | * | * | 195(6) | 129(4) | 95(3) | 84(3) | 61(2) | 30(1) | 22(1) |
| 3.25 | * | * | * | * | * | 148(5) | 112(4) | 84(3) | 61(2) | 30(1) | 22(1) |
| 3.50 | * | * | * | * | * | 167(6) | 112(4) | 84(3) | 76(3) | 40(2) | 22(1) |
| 3.75 | * | * | * | * | * | 185(7) | 129(5) | 100(4) | 76(3) | 40(2) | 22(1) |
| 4.00 | * | * | * | * | * | * | 146(6) | 100(4) | 89(4) | 40(2) | 22(1) |
| 5.00 | * | * | * | * | * | * | * | 158(8) | 116(6) | 40(2) | 30(2) |
| 6.00 | * | * | * | * | * | * | * | * | 179(11) | 50(3) | 30(2) |
| 7.00 | * | * | * | * | * | * | * | * | * | 68(5) | 37(3) |
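Attributes Sample Evaluation Tables For Tests of Controls
Upper Limits at Five Percent (5%) Risk of Assessing Control Risk Too Low
Columns are the Actual Number of Deviations Found.

| Sample Size | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 25 | 11.3 | 17.6 | * | * | * | * | * | * | * | * | * |
| 30 | 9.5 | 14.9 | 19.6 | * | * | * | * | * | * | * | * |
| 35 | 8.3 | 12.9 | 17.0 | * | * | * | * | * | * | * | * |
| 40 | 7.3 | 11.4 | 15.0 | 18.3 | * | * | * | * | * | * | * |
| 45 | 6.5 | 10.2 | 13.4 | 16.4 | 19.2 | * | * | * | * | * | * |
| 50 | 5.9 | 9.2 | 12.1 | 14.8 | 17.4 | 19.9 | * | * | * | * | * |
| 55 | 5.4 | 8.4 | 11.1 | 13.5 | 15.9 | 18.2 | * | * | * | * | * |
| 60 | 4.9 | 7.7 | 10.2 | 12.5 | 14.7 | 16.8 | 18.8 | * | * | * | * |
| 65 | 4.6 | 7.1 | 9.4 | 11.5 | 13.6 | 15.5 | 17.4 | 19.3 | * | * | * |
| 70 | 4.2 | 6.6 | 8.8 | 10.8 | 12.6 | 14.5 | 16.3 | 18.0 | 19.7 | * | * |
| 75 | 4.0 | 6.2 | 8.2 | 10.1 | 11.8 | 13.6 | 15.2 | 16.9 | 18.5 | 20.0 | * |
| 80 | 3.7 | 5.8 | 7.7 | 9.5 | 11.1 | 12.7 | 14.3 | 15.9 | 17.4 | 18.9 | * |
| 90 | 3.3 | 5.2 | 6.9 | 8.4 | 9.9 | 11.4 | 12.8 | 14.2 | 15.5 | 16.8 | 18.2 |
| 100 | 3.0 | 4.7 | 6.2 | 7.6 | 9.0 | 10.3 | 11.5 | 12.8 | 14.0 | 15.2 | 16.4 |
| 125 | 2.4 | 3.8 | 5.0 | 6.1 | 7.2 | 8.3 | 9.3 | 10.3 | 11.3 | 12.3 | 13.2 |
| 150 | 2.0 | 3.2 | 4.2 | 5.1 | 6.0 | 6.9 | 7.8 | 8.6 | 9.5 | 10.3 | 11.1 |
| 200 | 1.5 | 2.4 | 3.2 | 3.9 | 4.6 | 5.2 | 5.9 | 6.5 | 7.2 | 7.8 | 8.4 |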
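Reliability Factors (RF) for Overstatements
Columns are the Risk of Incorrect Acceptance.

| Number of Overstatements | 1% | 5% | 10% | 15% | 20% |
| --- | --- | --- | --- | --- | --- |
| 0 | 4.61 | 3.00 | 2.31 | 1.90 | 1.61 |
| 1 | 6.64 | 4.75 | 3.89 | 3.38 | 3.00 |
| 2 | 8.41 | 6.30 | 5.33 | 4.72 | 4.28 |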
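PPS Sampling Expansion Factors For Expected Misstatements

| Risk of Incorrect Acceptance (%) | 1 | 5 | 10 | 15 | 20 | 25 | 30 | 37 | 50 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Expansion Factor | 1.90 | 1.60 | 1.50 | 1.40 | 1.30 | 1.25 | 1.20 | 1.15 | 1.10 |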