The auditor is not required to test controls to determine their operating effectiveness. However, the increased depth of the auditor’s understanding of internal control may encourage auditors to rely on controls to modify the nature, timing and extent of substantive tests. As discussed in my previous post [Non-Statistical Audit Sampling Techniques], auditors may wish to assess control risk at below the maximum for certain assertions. For these assertions, the auditor should perform tests of controls. When testing controls, auditors may use attribute sampling. In testing for attributes, the auditor is concerned with how many times a prescribed internal control failed to operate. Based on the occurrence rate in the sample, the auditor decides if she can assess control risk at below the maximum. To save time, auditors can use statistical sampling, in the form of attribute sampling. How? Read on…
Here are 7 steps that auditors usually take to perform statistical sampling for attribute sampling.
Step-1. Determine The Objective Of The Test
Namely, to obtain reasonable assurance that a particular control is in place (e.g., mathematical accuracy of invoices is verified by an individual other than the preparer of the invoice).
Step-2. Define The Deviation Condition
A deviation condition is a departure from a prescribed control (sometimes referred to as an attribute), such as the failure to initial an invoice that was mathematically verified.
Note: Deviation conditions increase the likelihood of, but do not necessarily result in, financial statement misstatements.
Step-3. Define The Population
[-]. Define the period covered. If interim testing is performed, consider (a) inquiring about the period after testing and through the end of the year, and (b) the nature and amount of transactions and balances, and the length of the remaining period.
[-]. Define the sampling unit. The sampling unit represents the item to be tested, e.g., a document, a journal page, a transaction, a line item.
[-]. Determine the completeness of the population. The sample drawn must be representative of the population.
Example: In testing purchase transactions, the population should include unpaid as well as paid invoices.
Step-4. Determine the Selection Technique
[-]. Random number selection provides assurance that each and every item in the population has a chance of being picked.
[-]. Systematic selection involves picking every nth item from the population. The nth item, often referred to as the skip interval, is determined by dividing the population size by the sample size.
Example: If the population size is 10,000 and the sample size is 50, the skip interval is 200. Thus, the auditor would pick every 200th item, beginning with a blind start.
Step-5. Determine The Sample Size By Using The Appropriate Table
[-]. Select an acceptable level of risk of assessing control risk too low. Practically speaking, auditors select either a 5 percent or a 10 percent risk. These levels will provide the auditor 95 percent and 90 percent confidence, respectively, that the sample is representative of the population.
Note: The lower the risk the auditor selects, the bigger the sample size will be.
[-]. Select the tolerable rate. This is the maximum rate of deviation the auditor is willing to tolerate while still being able to reduce assessed control risk. The tolerable rate is dependent on professional judgment and the planned degree of reliance on the control.
[-]. Assess the expected population deviation rate. This may be based on (a) reference to actual deviation rates of the prior year, adjusted for current-year implementation of prior-year recommendations; (b) communication with prior-year accountants; or (c) a preliminary sample of 50 items.
Step-6. Select The Sample And Perform Tests Of Controls
Step-7. Interpret The Sample Results
[-]. Calculate the sample deviation rate—divide the actual number of deviations by the sample size.
[-]. Determine the upper occurrence limit by using the appropriate table. Essentially the upper occurrence limit takes the sample deviation rate and adjusts it upward to reflect the fact that the population is likely to contain a greater rate of deviations.
[-]. Determine whether the deviations are a result of errors (unintentional) or fraud (intentional).
[-]. Accept or reject the sample as representative of the population:
[-]. If the sample deviation is greater than the tolerable rate, no reliance may be placed on the control.
[-]. If the upper occurrence limit is less than the tolerable rate, reliance may be placed upon the control.
[-]. If the upper occurrence limit is greater than the tolerable rate, no reliance should be placed on the control. In this case, the auditor might perform tests of controls on another control or proceed to substantive testing without modification.