Audit Sampling:

An Overview and
Application to
Tests of Controls

Copyright © 2017 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
 LO# 1

Introduction
Auditing standards recognize and permit both statistical
and nonstatistical methods of audit sampling.

Two technological advances have reduced the number

of times auditors need to apply sampling techniques to
gather audit evidence:

1 2
Development of Powerful audit
well-controlled, software to download
automated and examine entire
accounting populations
systems. of data. 8-2
 LO# 1

Introduction
However, technology will never eliminate the need for
auditors to rely on sampling to some degree because:
1. Many control processes require human involvement.
2. Many testing procedures require the auditor to
physically inspect an asset.
3. In many cases, auditors are required to obtain and
evaluate evidence from third parties.
4. Data analysis is only as good as the quality of the
underlying data and often the completeness,
accuracy, and validity of the underlying data need to
be tested and sampling can be an effective an
efficient technique.
8-3
 LO# 1
and 2

Definitions and Key Concepts

On the following slides we will define:
1. Audit Sampling.
2. Sampling Risk.
3. Confidence Level.
4. Tolerable and Expected Error.

8-4
 LO# 1

Audit Sampling
The selection and evaluation of less than 100
percent of the items in a population of audit
relevance selected in such a way that the
auditor expects the sample to be
representative of the population and thus
likely to provide a reasonable basis for
conclusions about the population.

8-5
 LO# 2

Sampling Risk
Sampling risk is the possibility that the sample drawn
is not representative of the population. There are two
types of sampling risk.
Risk of incorrect rejection (Type I) – in a test of internal
controls, it is the risk that the sample supports a conclusion that the
control is not operating effectively when, in fact, it is operating effectively.
Also known as the risk of underreliance.
In substantive testing, it is the risk that the sample indicates that the
recorded balance is materially misstated when, in fact, it is not.

Risk of incorrect acceptance (Type II) – in a test of internal

controls, it is the risk that the sample supports a conclusion that the
control is operating effectively when, in fact, it is not operating effectively.
Also known as the risk of overreliance.
In substantive testing, it is the risk that the sample supports the recorded
balance when it is, in fact, materially misstated.
8-6
 LO# 2

Sampling Risk
Three Important Factors in Determining Sample Size
1. The desired level of assurance in the results
(or confidence level),
2. Acceptable defect rate (or tolerable error), and
3. The historical defect rate (or expected error).

8-7
 LO# 2

Confidence Level
Confidence level is the
complement of sampling risk.
The auditor may set
sampling risk for a
particular sampling
application at
5 percent,
percent which
results in a
confidence level of
95 percent.
percent
8-8
 LO# 2

Tolerable and Expected Error

Once the desired confidence level is established, the
sample size is determined largely by how much the
tolerable error exceeds expected error.

Precision, at the
planning stage of
audit sampling, is Auditing Standards
the difference refer to Precision
between the as the “Allowance for
expected and sampling risk.”
tolerable deviation
rates.
8-9
 LO# 3

Audit Evidence – To Sample or

Not to Sample?
Relationship between Evidence Types and Audit Sampling
Audit Sampling
Type of Evidence Commonly Used
Inspection of tangible assets Yes
Inspection of records or documents Yes
Reperformance Yes
Recalculation Yes
Confirmation Yes
Analytical procedures No
Scanning No
Inquiry No
Observation No

8-10
 LO# 3

Audit Evidence – To Sample or

Not?
• Inspection of tangible assets. Auditors typically attend
the entity’s year-end inventory count. When there are a
large number of items in inventory, the auditor will select a
sample to physically inspect and count.
• Inspection of records or documents. Certain controls
may require the matching of documents. The procedure
may take place many times a day. The auditor may gather
evidence on the effectiveness of the control by testing a
sample of the documentation packages.

8-11
 LO# 3

Audit Evidence – To Sample or

Not?
 Reperformance. To comply with PCAOB standards,
publicly traded entities must document and test controls
over important assertions for significant accounts. The
auditor may reperform a sample of the tests performed by
the entity.
 Confirmation. Rather than confirm all customer account
receivable balances, the auditor may select a sample of
customers.

8-12
 LO# 3

Testing All Items with a Particular

Characteristic
When an account or class of transactions is made up
of a few large items, the auditor may examine all the
items in the account or class of transaction.
When a small number of large transactions make up
a relatively large percent of an account or class of
transactions, auditors will typically test all the
transactions greater than a particular dollar amount.

8-13
 LO# 3

Testing Only One or a Few

Items
Automated information systems process
transactions consistently unless the system
or programs are changed.

The auditor may test the

general controls over the
system and any program
changes, but test only a few
transactions processed by
the IT system.

8-14
 LO# 4

Types of Audit Sampling

Auditing standards recognize and permit both statistical
and nonstatistical methods of audit sampling.

In nonstatistical (or Statistical sampling uses

judgmental) sampling, the the laws of probability to
auditor does not use compute sample size and
statistical techniques to evaluate results. The
determine sample size, auditor is able to use the
select the sample items, or most efficient sample size
measure sampling risk. and quantify sampling risk.

8-15
 LO# 4

Types of Audit Sampling

Advantages of statistical sampling:
1. Design an efficient sample.
2. Measure the sufficiency of
evidence obtained.
3. Quantify sampling risk.
Disadvantages of statistical sampling:
1. Cost of training auditors in proper
use.
2. Cost to design and conduct
sampling application.
3. Lack of consistent application
across audit teams. 8-16
 LO# 4

Statistical Sampling Techniques

1. Attribute Sampling.
2. Monetary-Unit Sampling.
3. Classical Variables Sampling.

8-17
 LO# 4

Attribute Sampling
Used to estimate the proportion of a
population that possess a specified
characteristic. The most common use of
attribute sampling is for tests of controls.

Yes, I know. We are The entity’s controls

planning a test of that require that all checks
have two independent
control using
signatures.
attribute sampling.

8-18
 LO# 4

Monetary-Unit Sampling
Monetary-unit sampling uses attribute sampling theory
to estimate the dollar amount of misstatement for a
class of transactions or an account balance.

This technique is used

extensively because it has
a number of advantages
over classical variables
sampling.

8-19
 LO# 4

Classical Variables Sampling

Auditors sometimes use classical variables sampling
to estimate the dollar value of a class of transactions
or account balance. It is more frequently used to
determine whether an account is materially
misstated.

8-20
 LO#
5, 6, & 7

Attribute Sampling Applied to

Tests of Controls
In conducting a statistical sample for a
test of controls, auditing standards
require the auditor to properly plan,
perform, and evaluate the sampling
application and to adequately document
each phase of the sampling application.
Plan Perform Evaluate Document

8-21
 LO#
5, 6, & 7

Planning
Planning
1. Determine the test objectives.
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

The objective of attribute sampling when used for

tests of controls is to evaluate the operating
effectiveness of the internal control.

8-22
 LO#
5, 6, & 7

Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

All or a subset of the items that constitute the class

of transactions make up the sampling population.

8-23
 LO#
5, 6, & 7

Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

Each sampling unit makes up one item in the

population. The sampling unit should be defined in
relation to the control being tested.

8-24
 LO#
5, 6, & 7

Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

A deviation is a departure from adequate

performance of the internal control.

8-25
 LO#
5, 6, & 7

Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

The confidence level is the desired level of

assurance that the sample results will support a
conclusion that the control is functioning
effectively. Generally, when the auditor has
decided to rely on controls, the confidence level
is set at 90% or 95%. This means the auditor is
willing to accept a 10% or 5% risk of accepting
the control as effective when it is not.
8-26
 LO#
5, 6, & 7

Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

The tolerable deviation rate is the maximum deviation

rate from a prescribed control that the auditor is willing to
accept and still consider the control effective.
Example Suggested Tolerable Deviation Rates:
Tolerable
Assessed Improtance of a Deviation
Control Rate
Highly important 3–5%

Moderately important 6–10%

8-27
 LO#
5, 6, & 7

Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.

The expected population deviation rate is

the rate the auditor expects to exist in the
population. The larger the expected
population deviation rate, the larger the
sample size must be, all else equal.
EXAMPLE: Assume a
desired confidence level of
95%, and a large
population, the effect of the
expected population
deviation rate on sample
size is shown right:
8-28
 LO#

Population Size: Attributes 5, 6, & 7

Sampling
Population size is not an important factor in determining
sample size for attributes sampling. The population size
has little or no effect on the sample size, unless the
population is relatively small, say less than 1,000 items.

8-29
 LO#

Performance
5, 6, & 7

Every item in the population has the same

probability of being selected as every other
sampling unit in the population.
8-30
 LO#
5, 6, & 7

Performance

The auditor determines the sampling interval by dividing

the population by the sample size. A starting number is
randomly selected in the first interval and then every nth
item is selected. 8-31
 LO#
5, 6, & 7

Performance

For example, assume a sales invoice should not be

prepared unless there is a related shipping document. If
the shipping document is present, there is evidence the
control is working properly. If the shipping document is not
present, a control deviation exists.
8-32
 LO#
5, 6, & 7

Performance

Unless the auditor finds something unusual about

either of these items, they should be replaced with a
new sample item.

8-33
 LO#
5, 6, & 7

Performance

If the auditor is unable to examine a document or to

use an alternative procedure to test the control, the
sample item is a deviation for purposes of evaluating
the sample results.

8-34
 LO#
5, 6, & 7

Performance

If a large number of deviations are detected

early in the tests of controls, the auditor should
consider stopping the test, as soon as it is clear
that the results of the test will not support the
planned assessed level of control risk.
8-35
 LO#
5, 6, & 7

Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.

After completing the audit procedures, the

auditor summarizes the deviations for each
control tested and evaluates the results. For
example, if the auditor discovered two
deviations in a sample of 50, the deviation rate
in the sample would be 4% (2 ÷ 50).
The upper deviation rate is the sum of the
sample deviation rate and an appropriate
allowance for sampling risk.
8-36
 LO#
5, 6, & 7

Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.

The auditor compares the tolerable deviation rate

to the computed upper deviation rate.
True State of Internal Control
Auditor's Decision Based on
Sample Evidence Reliable Not Reliable
Supports the planned level Risk of incorrect
Correct decision
of control risk acceptance (Type II)
Does not support the Risk of incorrect
Correct decision
planned level of control risk rejection (Type I)

8-37
 LO#
5, 6, & 7

Attribute Sampling Example

The auditor has decided to test a control at Calabro
Wireless Services. The test is to determine that the sales
and service contracts are properly authorized for credit
approval. A deviation in this test is defined as the failure of
the credit department personnel to follow proper credit
approval procedures for new and existing customers. Here
is information relating to the test:
Desired confidence level 95%
Tolerable deviation rate 6%
Expected population deviation rate 1%
Sample size 78

8-38
 LO#
5, 6, & 7

Attribute Sampling Example

Part of the table used to determine sample size when
the auditor specifies a 95% desired confidence level.

If there are 125,000 items in the population numbered

from 1 to 125,000, the auditor can use Excel to generate
random selections from the population for testing. 8-39
 LO#
5, 6, & 7

Attribute Sampling Example

The auditor examines each selected contract for credit
approval and determines the following:

Number of deviations 2
Sample size 78
Sample deviation rate 2.6%
Computed upper deviation rate 8.2%
Tolerable deviation rate 6.0%

Let’s see how we get the computed

upper deviation rate.

8-40
 LO#
5, 6, & 7

Attribute Sampling Example

Part of the table used to determine the computed upper
deviation rate at 95% desired confidence level:
Sample Actual Number of Deviations Found
Size 0 1 2 3
25 11.3 17.6 - -
30 9.5 14.9 19.6 -
35 8.3 12.9 17.0 -
40 7.3 11.4 15.0 18.3
45 6.5 10.2 13.4 16.4
50 5.9 9.2 12.1 14.8
55 5.4 8.4 11.1 13.5
60 4.9 7.7 10.2 12.5
65 4.6 7.1 9.4 11.5
70 4.2 6.6 8.8 10.8
75 4.0 6.2 8.2 10.1
80 3.7 5.8 7.7 9.5
8-41
 LO#
5, 6, & 7

Attribute Sampling Example

Tolerable Computed
Deviation
Rate (6%)
< Upper Deviation
Rate (8.2%)

Auditor’s Decision:
Does not support reliance on the control.

8-42
 LO# 8

Nonstatistical Sampling for Tests of

Controls
Determining the Sample Size
An auditing firm may establish a nonstatistical sampling
policy like the one below:

Such a policy will promote consistency in sampling

applications.
8-43
 LO# 8

Nonstatistical Sampling for

Tests of Controls
Selecting the Sample Items
Nonstatistical sampling allows the use of
random or systematic selection, but also
permits the use of other methods such as
haphazard sampling.
When haphazard sample
selection is used, sampling
units are selected without any
bias, that is to say, without a
special reason for including
or omitting items from the
sample.
8-44
 LO# 8

Nonstatistical Sampling for

Tests of Controls
Calculating the Upper Deviation Rate
With a nonstatistical sample, the auditor can
calculate the sample deviation rate, but cannot
mathematically quantify the computed upper
deviation rate and sampling risk associated
with the test.

8-45
 LO# 8

Control Tests for Low Control

Frequency
The sample size tables in the chapter assume a large
population. Sample size can be adjusted using the
“finite correction factor” in the Advanced Module or by
using the table below for very small populations
(control performed less frequently):

Control Frequency
and Population Size Sample Size
Quarterly (4) 2

Monthly (12) 2-4

Semimonthly (24) 3-8

Weekly (52) 5-9

8-46
Comparing Terminology for LO# 8

Attribute Sampling
between IDEA and Sampling
Tables

8-47