CHAPTER ONE

SAMPLING IN AUDITING

1.1 RATIONALE FOR AND METHODS OF AUDIT SAMPLING

The purpose of audit sampling is to provide a reasonable basis for the auditor to draw
conclusions about the population from which the sample is selected.
Even a very small company produces huge records; no auditor could ever audit all the records
available and still get the audit done in time for the data obtained to be relevant. Sampling allows
you to choose a small but pertinent and representative group of records that will give you an
accurate picture of the company.
AUDIT SAMPLING
Audit sampling is the application of an audit procedure to less than 100 percent of the items
within an account balance or class of transactions for the purpose of evaluating some
characteristic of the balance or class. The auditor often is aware of account balances and
transactions that may be more likely to contain misstatements.
He considers this knowledge in planning his procedures, including audit sampling. The auditor
usually will have no special knowledge about other account balances and transactions that, in his
judgment, will need to be tested to fulfill his audit objectives. Audit sampling is especially useful
in these cases.
When selecting a sample from a population, the auditor strives to obtain a representative sample.
A representative sample is one in which the characteristics in the sample are approximately the
same as those of the population. This means that the sampled items are similar to the items not
sampled. Assume a client’s internal controls require a clerk to attach a shipping document to
every duplicate sales invoice, but the clerk fails to follow the procedure exactly 3 percent of the
time. If the auditor selects a sample of 100 duplicate sales invoices and finds three are missing
attached shipping documents, the sample is highly representative. If two or four such items are
found in the sample, the sample is reasonably representative. If no or many missing items are
found, the sample is non-representative.
In practice, auditors never know whether a sample is representative, even after all testing is
complete. (The only way to know if a sample is representative is to subsequently audit the entire
population.) However, auditors can increase the likelihood of a sample being representative by
using care in designing the sampling process, sample selection, and evaluation of sample results.
A sample result can be non-representative due to non-sampling error or sampling error.

“Sampling risk” arises from the possibility that the auditor’s conclusion, based on a sample may
be different from the conclusion reached if the entire population were subjected to the same audit
procedure. There are two types of sampling risk:
(a) The risk the auditor will conclude, in the case of a test of controls, that controls are more
effective than they actually are, or in the case of a test of details, that a material error does not
exist when in fact it does. This type of risk affects audit effectiveness and is more likely to lead to
an inappropriate audit opinion; and
(b) The risk the auditor will conclude, in the case of a test of controls, that controls are less
effective than they actually are, or in the case of a test of details, that a material error exists when
in fact it does not.

1
This type of risk affects audit efficiency as it would usually lead to additional work to establish
that initial conclusions were incorrect.
Sampling risk can lead to erroneous conclusions. In order to reduce sampling risk, the auditor can
increase the sample size and Use an appropriate method of selecting sample items from the
population. Erroneous conclusions may occur on both tests of controls and tests of details.
Sampling risk should be considered when an auditor performs an audit procedure on less than
100% of a clearly definable population for the purpose of evaluating the population. There are
two aspects to sampling risk when performing tests of controls:

 The risk of assessing control risk too low represents the risk that an audit sample supports
the conclusion that the design and operation of an internal control is effective when in fact
it is not.
 The risk of assessing control risk too high represents the risk that an audit sample supports
the conclusion that the design and operation of an internal control is not effective when in
fact it is effective.

“Non-sampling risk” arises from factors that cause the auditor to reach an erroneous conclusion
for any reason not related to the size of the sample.
For example, ordinarily the auditor finds it necessary to rely on audit evidence that is persuasive
rather than conclusive, the auditor might use inappropriate audit procedures, or the auditor might
misinterpret audit evidence and fail to recognize an error.
Non-sampling risk is the component of detection risk that is not due to examining only a portion
of the population, i.e. It is not related to sampling risk. Examples of non-sampling risk include
use of inappropriate audit procedures, or misinterpretation of audit evidence and failure to
recognize a misstatement or deviation. The auditor seeks to minimize non-sampling risk by
proper planning, supervision and review.
“Sampling unit” means the individual items constituting a population, for example checks listed
on deposit slips, credit entries on bank statements, sales invoices or debtors’ balances, or a
monetary unit.

METHODS OF AUDIT SAMPLING

Statistical Versus Non-statistical Sampling Approaches

“Statistical sampling” means any approach to sampling that has the following characteristics:
(a) Random selection of a sample; and
(b) Use of probability theory to evaluate sample results, including measurement of sampling risk.
A sampling approach that does not have characteristics (a) and (b) is considered non-statistical
sampling.
 Statistical sampling methods are:

 Simple random sampling-In a simple random sample, every possible combination of

population items has an equal chance of being included in the sample. Auditors use simple
random sampling to sample populations when there is no need to emphasize one or more
types of population items. Say, for example, auditors want to sample a client’s cash
disbursements for the year. They might select a simple random sample of 60 items from
the cash disbursements journal, apply appropriate auditing procedures to the 60 items

2
 selected, and draw conclusions about all recorded cash disbursement transactions. When
auditors obtain a simple random sample, they must use a method that ensures all items in
the population have an equal chance of selection. Suppose an auditor decides to select a
sample from a total of 12,000 cash disbursement trans -actions for the year. A simple
random sample of one transaction will be such that each of the 12,000 transactions has an
equal chance of being selected
 Systematic sampling—In systematic sample selection (also called systematic sampling),
the auditor calculates an interval and then selects the items for the sample based on the
size of the interval. The interval is determined by dividing the population size by the
desired sample size..
 Stratified random sampling—ensures that all sampling units in each subgroup have a
known, non-zero chance of selection.
Professionals should consider using statistical software for calculating standard deviations
and other summary statistics for results of statistical sampling.

 Non-statistical sampling methods are:

 Haphazard sampling—Professionals select the sample without following a structured

technique, while avoiding any conscious bias or predictability. However, analysis of a
haphazard sample should not be relied upon to form a conclusion on the population.
 Judgmental sampling—Professionals place a bias on the sample (e.g., all sampling units
over a certain value, all for a specific type of exception, all negatives). It should be noted
that a judgmental sample is not statistically based and results should not be extrapolated
over the population because the sample is unlikely to be representative of the population
as a whole.
The decision whether to use a statistical or non-statistical sampling approach is a matter for the
auditor’s judgment regarding the most efficient manner to obtain sufficient appropriate audit
evidence in the particular circumstances. For example, in the case of tests of controls the auditor’s
analysis of the nature and cause of errors will often be more important than the statistical analysis
of the mere presence or absence (that is, the count) of errors. In such a situation, non-statistical
sampling may be most appropriate.
When applying statistical sampling, the sample size can be determined using either probability
theory or professional judgment. Statistical sampling requires that sample items are selected at
random so that each sampling unit has a known chance of being selected.
SAMPLE SIZE
In determining the sample size, the auditor should consider whether sampling risk is reduced to
an acceptably low level. Sample size is affected by the level of sampling risk that the auditor is
willing to accept.
The lower the risk the auditor is willing to accept, the greater the sample size will need to be.
The sample size can be determined by the application of a statistically-based formula or through
the exercise of professional judgment objectively applied to the circumstances.
For tests of controls, the auditor makes an assessment of the expected rate of deviation based on
the auditor’s understanding of the relevant controls or on the examination of a small number
of items from the population. This assessment is made in order to design an audit sample and to
determine the sample size. For example, if the expected rate of deviation is unacceptably high,

3
the auditor will normally decide not to perform tests of controls. For tests of details, the auditor
makes an assessment of the expected misstatement in the population. If the expected
misstatement is high, all items are examined or a large sample size may be used.

Absolute assurance cannot be achieved through sampling procedures. The lower the assurance
required, the smaller the required sample size. For tests of controls, the tolerable rate of
deviation is the maximum deviation rate that can be accepted to conclude that the audit
objective has been achieved. For tests of details, the tolerable misstatement is the maximum
misstatement that can be accepted to conclude the audit objective has been achieved.
Audit efficiency may be improved if the auditor stratifies a population by dividing it into discrete
sub-populations which have an identifying characteristic. The objective of stratification is to
reduce the variability of items within each stratum and therefore to allow the sample size to be
reduced without increasing the sampling risk. This enables the auditor to devote more
time to items considered most susceptible to material misstatement. For example, the auditor
may stratify the accounts receivable balances by age and focus on the overdue accounts.

Design of the Sample

Professionals should select sample items in such a way that the sample is expected to be representative of
the population regarding the characteristics being tested

When designing an audit sample, the auditor should consider the objectives of the audit procedure
and the attributes of the population from which the sample will be drawn.
When designing an audit sample the auditor should also consider the sampling and selection
methods.
When performing tests of controls, the auditor generally makes an assessment of the rate of error
the auditor expects to find in the population to be tested. This assessment is based on the auditor’s
understanding of the design of the relevant controls and whether they have been implemented
through the examination of a small number of items from the population.

Similarly, for tests of details, the auditor generally makes an assessment of the expected amount
of error in the population. These assessments are useful for designing an audit sample and in
determining sample size. For example, if the expected rate of error is unacceptably high, tests of
controls will normally not be performed. However, when performing tests of details, if the
expected amount of error is high, 100% examination or the use of a large sample size may be
appropriate

Determine whether audit sampling is necessary

In practice, auditors may perform their tests on all items, specific items, and audit
samples. In general, auditors are unlikely to test all items in the case of tests of controls,
unless they are using computer assisted auditing techniques. Full testing in this case is impractical
due to both the time and cost involved. It is more usual to do a full examination on tests of
details. For example, an auditor may test all items if a population includes a small number of
large value items, when there is a significant risk and other means do not provide sufficient

4
appropriate audit evidence, or when a full examination is cost effective. Selecting specific items
for testing is based on the auditor’s judgments and may be subject to non-sampling risk. Auditors
may select high value items or all items over a certain amount. These two selection methods do
not constitute audit sampling because the results of audit procedures applied to items selected in
these ways cannot be projected to the entire population.

1.2. AUDIT SAMPLING FOR TESTS OF CONTROLS

You may be wondering how to select the controls to test. Your first step is to identify significant
accounts.
Test of controls are an audit procedure designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting, material misstatements at the assertion level.
The auditor may wish to test controls if they will be relied upon to reduce substantive testing, or
obtain information on which to base recommendations in the Management Letter.
Eight steps are involved in audit sampling for tests of controls. The example of the customer
billing process is used to walk you through the steps:
1. Look at your audit objectives. The objective of tests of controls is to provide you with
evidence about whether controls are operating effectively. The audit objective of our
example test (focusing on customer billing) is to find out if client invoices are correct.
Audit objectives vary between accounts and the purpose of your procedure.
2. Describe the control activity. The control activity is the policy or procedure management
uses to provide assurance that material misstatements will be prevented or detected in a
timely fashion.
3. Define the population. To do so, decide on the appropriate sampling unit and consider the
completeness of the population.
4. Define the deviation conditions. Say for example that the control is that client invoices are
correct. An error or deviation in this control would be if the cost per unit on the client
invoices doesn’t agree with the standard price list, and there’s no explanation for the
deviation (such as the fact that the client was given a discount). Even if an explanation
exists, you still have a deviation if the proper authority didn’t okay the discount.
5. Think about your expected number of deviations. This means the number of errors you
anticipate finding.
6. Determine the planned assessed level of control risk. This step addresses whether the
population is free from material misstatement. You rank the risk as low, moderate, or
maximum.
7. Determine the appropriate sample size.
Your sample size can be a factor of your firm’s policy (the number of items your firm
normally samples), or you can use sampling software to select the sample size.
8. Determine the method of selecting the sample. One method of sampling you use frequently
for tests of controls is attribute sampling.
9. Perform the audit procedures
10. Generalize from the sample to the population.
11. Analyze exceptions.
12. Decide the acceptability of the population.
Tests of Control

5
Test of Control: test if the internal control is effective designed and application
Substantive Test: test the account/disclosure/transaction has the accurately existence & occurrence,
rights and obligation, completeness, accuracy cutoff and classification. Example, 'observation of the
taking of physical inventory' is substantive test, because audit watch client count inventory, and then get
the balance. 'observation of an employee's preparation of a daily deposit slip is I/C because he couldn't get
the balance through this procedure, only see if I/C is strong, and 'inspection of purchase orders for the
authorization of the purchasing agent' is same, audit couldn't get the balance of accounts payable or
inventory, he could only test if the purchase order are prepared by authorization person.

A test of controls is an audit procedure to test the effectiveness of a control used by a client entity to
prevent or detect material misstatements. Depending on the results of this test, auditors may choose to
rely upon a client's system of controls as part of their auditing activities. However, if the test reveals that
controls are weak, the auditors will enhance their use of substantive testing, which usually increases the
cost of an audit. The following are general classifications of tests of controls:

 Make inquiries of appropriate client personnel

 Re perform client procedures: Auditors may initiate a new transaction, to see which controls are
used by the client and the effectiveness of those controls.
 Observation. Auditors may observe a business process in action and in particular the control
elements of the process.
 Inspection. Auditors may examine business documents for approval signatures, stamps, or review
checkmarks, which indicate that controls have been performed.

If the inspection approach is used, a test of controls is typically conducted for a sample of
documents related to transactions that occurred throughout the year. Doing so provides evidence
that the system of controls has operated in a reliable manner throughout the reporting period.

A test of controls is made irrespective of the dollar amount of the underlying business
transaction. The main point of the test is to see if a control functions properly, so the dollar
amount of a transaction is not of consequence to the goal of the test.

Tests of controls are performed when the auditor’s risk assessment includes an expectation of the
operating effectiveness of controls. When performing tests of controls, the auditor is primarily
concerned with obtaining audit evidence that controls operated effectively throughout the period
of reliance. This includes obtaining audit evidence about how controls were applied at relevant
times during the period under audit, the consistency with which they were applied, and by whom
or by what means they were applied. The concept of effectiveness of the operation of controls
recognizes that some errors in the way controls are applied by the entity may occur. However,
when such errors are identified, the auditor makes specific inquiries to understand these matters
and also needs to consider matters such as:

(a) The direct effect of identified errors on the financial statements; and
(b) The effectiveness of internal control and their effect on the audit approach when, for
example, the errors result from management override of a control.

6
In these cases, the auditor determines whether the tests of controls performed provide an
appropriate basis for use as audit evidence, whether additional tests of controls are necessary, or
whether the potential risks of misstatement need to be addressed using substantive procedures.
Based on the auditor’s understanding of internal control, the auditor identifies the characteristics
or attributes that indicate performance of a control, as well as possible deviation conditions
which indicate departures from adequate performance. The presence or absence of attributes can
then be tested by the auditor.

Audit sampling for tests of controls is generally appropriate when application of the control
leaves audit evidence of performance (for example, initials of the credit manager on a sales
invoice indicating credit approval, or evidence of authorization of data input to a microcomputer
based data processing system

1.3. AUDIT SAMPLING FOR SUBSTANTIVE TESTS

Substantive testing is an audit procedure that examines the financial statements and supporting
documentation to see if they contain errors. These tests are needed as evidence to support the
assertion that the financial records of an entity are complete, valid, and accurate.

There are many substantive tests that an auditor can use. The following list is a sampling of the
available tests:

 Conduct a bank confirmation to test ending cash balances

 Contact customers to confirm that accounts receivable balances are correct
 Observe the period-end counting of inventory
 Confirm the validity of inventory valuation calculations
 Confirm with experts that the fair values assigned to assets obtained through a business
combination are reasonable
 Physically match fixed assets to fixed asset records
 Contact suppliers to confirm that accounts payable balances are correct
 Contact lenders to confirm that loan balances are correct
 Review board of directors minutes to verify the existence of approved dividends
 Match purchase orders and supplier invoices to fixed asset records
 Confirm accounts payable
 Examine accounts payable supporting documents
 Confirm debt
 Analytical analysis of assets, liabilities, revenue, and expenses

As indicated by the examples, substantive testing is likely to include confirmation of account

balances with third parties (such as confirming receivables), recalculating calculations made by
the client (such as valuing inventory), and observing transactions being performed (such as the
physical inventory count).

7
What are substantive procedures?

Substantive procedures are intended to create evidence that an auditor assembles to support the
assertion that there are no material misstatements in regard to the completeness, validity, and
accuracy of the financial records of an entity. Thus, substantive procedures are performed by an
auditor to detect whether there are any material misstatements in accounting transactions

Substantive procedures include the following general categories of activity:

 Testing classes of transactions, account balances, and disclosures

 Agreeing the financial statements and accompanying notes to the underlying accounting
records
 Examining material journal entries and other adjustments made during the preparation of
the financial statements

At a general level, substantive procedures related to testing transactions can include the
following:

 Examining documentation indicating that a procedure was performed

 Re performing a procedure to ensure that the procedure functions as planned
 Inquiring or observing regarding a transaction

The purpose of substantive procedures is to obtain audit evidence to detect material

misstatements at the assertion level. When performing tests of details, audit sampling and other
means of selecting items for testing and gathering audit evidence may be used to verify one or
more assertions about a financial statement amount (for example, the existence of accounts
receivable), or to make an independent estimate of some amount (for example, the value of
obsolete inventories).
Risk Considerations in Obtaining Audit Evidence
In obtaining audit evidence, the auditor should use professional judgment to assess the risk of
material misstatement (which includes inherent and control risk) and design further audit
procedures to ensure this risk is reduced to an acceptably low level.

There are two aspects to sampling risk when performing substantive tests:

 The risk of incorrect acceptance represents the risk that an audit sample supports the
conclusion that a material misstatement does not exist when in fact a material
misstatement does exist. This risk is similar to the risk of assessing control risk too low.
 The risk of incorrect rejection represents the risk that an audit sample supports the
conclusion that a material misstatement exists when in fact a material misstatement does
not exist. This risk is similar to the risk of assessing control risk too high.

Sampling risk and non-sampling risk can affect the components of the risk of material
misstatement. For example, when performing tests of controls, the auditor may find no errors in
a sample and conclude that controls are operating effectively, when the rate of error in the
population is, in fact, unacceptably high (sampling risk). Or there may be errors in the sample

8
which the auditor fails to recognize (non-sampling risk). With respect to substantive procedures,
the auditor may use a variety of methods to reduce detection risk to an acceptable level.
Depending on their nature, these methods will be subject to sampling and/or non-sampling risks.
For example, the auditor may choose an in appropriate substantive analytical procedure (non-
sampling risk) or may find only minor misstatements in a test of details when, in fact, the
population misstatement is greater than the tolerable amount (sampling risk).

For both tests of controls and substantive tests of details, sampling risk can be reduced by
increasing sample size, while non-sampling risk can be reduced by proper engagement planning
supervision and review.
Audit Procedures for Obtaining Audit Evidence

Audit procedures for obtaining audit evidence include inspection, observation, inquiry and
confirmation, recalculation, re-performance and analytical procedures. The choice of appropriate
audit procedures is a matter of professional judgment in the circumstances. Application of these
audit procedures will often involve the selection of items for testing from a population
Selecting Items for Testing to Gather Audit Evidence
When designing audit procedures, the auditor should determine appropriate means of selecting
items for testing.
The means available to the auditor are:
(a) Selecting all items (100% examination);
(b) Selecting specific items, and
(c) Audit sampling.
The decision as to which approach to use will depend on the circumstances, and the application
of any one or combination of the above means may be appropriate in particular circumstances.
While the decision as to which means, or combination of means, to use is made on the basis of
the risk of material misstatement related to the assertion being tested and audit efficiency, the
auditor needs to be satisfied that methods used are effective in providing sufficient appropriate
audit evidence to meet the objectives of the audit procedure
Selecting All Items
The auditor may decide that it will be most appropriate to examine the entire population of items
that make up a class of transactions or account balance (or a stratum within that population).
100% examination is unlikely in the case of tests of controls; however, it is more common for
tests of details. For example, 100% examination may be appropriate when the population
constitutes a small number of large value items, when there is a significant risk and other means
do not provide sufficient appropriate audit evidence, or when the repetitive nature of a
calculation or other process performed automatically by an information system makes a 100%
examination cost effective.
Selecting Specific Items:
The auditor may decide to select specific items from a population based on such factors as the
auditor’s understanding of the entity, the assessed risk of material misstatement, and the
characteristics of the population being tested. The judgmental selection of specific items is
subject to non- sampling risk. Specific items selected may include:
 High value or key items: The auditor may decide to select specific items within a
population because they are of high value, or exhibit some other characteristic, for

9
 example items that are suspicious, unusual, particularly risk-prone or that have a history
of error.
 All items over a certain amount: The auditor may decide to examine items whose values
exceed a certain amount so as to verify a large proportion of the total amount of class of
transactions or account balance.
 Items to obtain information: The auditor may examine items to obtain information about
matters such as the nature of the entity, the nature of transactions, and internal control.
 Items to test control activities: The auditor may use judgment to select and examine
specific items to determine whether or not a particular control activity is being
performed.

While selective examination of specific items from a class of transactions or account balance will
often be an efficient means of gathering audit evidence, it does not constitute audit sampling.
The results of audit procedures applied to items selected in this way cannot be projected to the
entire population. The auditor considers the need to obtain sufficient appropriate audit evidence
regarding the remainder of the population when that remainder is material.

When auditors must decide which type of test to select for obtaining sufficient appropriate
evidence, the cost of the evidence is an important consideration. The types of tests are listed
below in order of increasing cost:
• Analytical procedures
• Risk assessment procedures, including procedures to obtain an understanding of internal
control
• Tests of controls
• Substantive tests of transactions
• Tests of details of balances

10