SAS 39 is not just for statistical samplers. It applies equally to nonstatistical sampling. The SAS makes clear that either approach to audit sampling, when properly applied, can provide sufficient evidential matter. And it establishes specific requirements essential for proper application. Because the SAS establishes requirements that apply whenever audit sampling is used, the definition of audit sampling becomes very important. Audit sampling is defined as “the application of an audit procedure to less than 100% of the items within an account balance or class of transactions for the purpose of evaluating some characteristic of the balance or class.” Thus, whenever the auditor intends to reach a conclusion about whether an account balance or class of transactions is misstated based on an examination of less than all the items in the balance or class, he or she should adhere to the requirements of SAS 39.
To make it more applicable and easier to follow, this post focuses on techniques for nonstatistical audit sampling only. It is adapted from SAS 39. Enjoy!
Applicability of SAS 39
One effect of SAS 39 on practice should be to place a premium on the auditor’s decision to sample:
- If the auditor is sampling, he or she should adhere to the SAS.
- If the auditor has some other audit objective, the SAS does not apply.
Thus, the auditor can no longer simply decide that a procedure will be applied on a test basis. Careful consideration should go into a decision that the best approach to an audit test involves use of audit sampling.
The Non-Statistical Audit Sampling Techniques
A properly designed nonstatistical sampling plan can provide results that are as effective as results from a properly designed statistical sampling plan.
The significant difference between nonstatistical and statistical sampling is that statistical sampling measures the sampling risk associated with sampling procedures. Sampling risk arises from the possibility that when a test of controls or substantive test is applied to a sample, the auditor’s conclusions might be different from those that would have been made if the tests were applied in the same way to all items in the population. That is, the sample selected from the population might not be representative of that population. For tests of controls, sampling risk is the risk of assessing control risk too low or too high. For substantive testing, sampling risk is the risk of incorrect acceptance or incorrect rejection of the amount tested.
Methods Of Sample Selection
Sample items should be selected in a way so that the sample can be expected to be representative of the population; therefore, all items in the population should have a chance of being selected. Common methods of selecting samples are: (a) block sampling; (b) haphazard sampling; (c) random number sampling; and (d) systematic sampling.
Note: Block sampling does not meet the requirements for a representative sample. The other three do. Ordinarily, only the last two methods are used in statistical sampling.
Let’s talk about each of them a bit more. Read on…
Block Sampling – A block sample is obtained by selecting several items in sequence. Once the first item in the block is selected, the remainder of the block is chosen automatically. For example, the sample may consist of all vouchers processed during a two-week period or all vouchers processed on specific days. Block samples could theoretically be representative samples but are rarely used because they are inefficient. The time and expense to select sufficient blocks so that the sample could be considered representative of the total population is prohibitive.
Haphazard Sampling – A haphazard sample is obtained by selecting, without any conscious bias, items regardless of their size, source, or other distinguishing characteristics. It is not the selection of sample units in a careless manner; the units are selected in a manner so that the sample can be expected to be representative of the population. For example, the sample may consist of vouchers pulled from all vouchers processed for the year. Excluding items from the sample on the basis of judgment invalidates the requirement for a representative sample.
Random Number Sampling – A random sample is obtained by selecting numbers from a random number table or by generating numbers randomly by computer and matching them with document numbers, such as check numbers and invoice numbers.
Systematic Sampling – A systematic sample is obtained by selecting items at uniform intervals. The interval is determined by dividing the number of physical units in the population by the sample size. A starting point is selected at random in the first interval, and one item is selected from the population at each of the uniform intervals from the random starting point. For example, in a population of 20,000 units and a desired sample of 100 units, every two hundredth item will be selected from the starting point. Neither the size nor the unusualness of an item should be allowed to influence selection. The auditor can select large and unusual items in addition to items sampled, however.
Tests Of Controls
After the auditor obtains and documents his or her understanding of internal control, he or she may wish to assess control risk at below the maximum for certain assertions. For these assertions, the auditor should perform “tests of controls”.
When testing controls, the auditor may use attribute sampling. What is attribute sampling, and what is the procedure? Move on to the next section…
An attribute is a characteristic of interest. For example, some attributes of a sale that are of interest to the auditor may be the following:
- Authorization by the sales order department.
- Approval by the credit department.
- Comparison of merchandise shipped and merchandise listed on the sales invoice for agreement.
In testing for attributes, the auditor is concerned with how many times a prescribed internal control failed to operate. Based on the occurrence rate in the sample, the auditor decides if he or she can assess control risk at below the maximum.
For nonstatistical attribute sampling, the auditor does the following:
1. Determination of sample size – The auditor determines sample size and evaluates sample results using subjective judgment to apply the criteria specified in SAS 39 and his or her own experience with the client. The auditor may, but is not required to, use statistical tables to determine sample size for nonstatistical compliance tests. Sample sizes, according to SAS 39, should be based on the tolerable rate of deviation from the control procedures being tested, the expected rate of deviations, and the allowable risk of assessing control risk too low. The auditor is not required to select a number of items comparable to a statistical sample size. If his or her past experience with a continuing client has been good, the auditor might continue to use sample sizes that have proven effective.
2. Selection of sample units – The auditor may use one of the methods described earlier for selecting the sample. In selecting the sample, the auditor may encounter the following:
- Voided documents – If the auditor selects a voided document—for example, a voided sales invoice—he or she should replace it with another. The auditor should obtain reasonable assurance, however, that the document was properly voided and was not a deviation from prescribed internal control.
- Unused or inapplicable documents – If the auditor selects an unused or inapplicable document, he or she should treat it the same as a voided document.
- Inability to examine selected items – If for any reason—for example, the document cannot be located—he or she cannot examine a selected item, the auditor should consider this a deviation from prescribed policies or procedures. Also, the auditor should consider reasons for this deviation and the effect it has on his or her understanding and assessed level of control risk of particular control procedures.
3. Evaluating sample results – After he or she has completed the examination of the sample units and noted the deviation from prescribed policies or procedures, the auditor
- Calculation of deviation rate – The deviation rate is the number of observed deviations divided by the sample size. This is the auditor’s best estimate of the deviation rate for the population from which the sample was selected. In statistics, it is called a point estimate.
- Consideration of sampling risk – When he or she evaluates a sample for a test of controls, the auditor should consider sampling risk. For a nonstatistical sample, sampling risk cannot be quantified. Generally, however, sample results do not support assessed risk below the maximum if the actual deviation rate exceeds or is close to the expected population deviation rate used in designing the sample.
- Qualitative aspects of deviations – The qualitative aspects of the observed deviations should be considered by the auditor. Each deviation from a prescribed policy or procedure should be analyzed to determine its nature and cause. Deviations that occurred when the person responsible for performing the task was on vacation are not as serious as intentional failure to perform prescribed policies or procedures or misunderstood instructions of prescribed policies or procedures. The nature and cause of deviations may influence the auditor’s decision to assess control risk below the maximum or perform additional audit procedures.
- Reaching a conclusion – Based on the sample results and on his or her experience and judgment, the auditor reaches a conclusion about the level of control risk. If the auditor concludes that he or she cannot assess control risk below the maximum, he or she may: (a) Test additional items with the hope of reducing sampling risk; (b) Modify planned substantive tests.
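The systematic selection and the nonstatistical attribute evaluation described above, as an added Python example that is not part of the original post. The status labels, the random choice of replacement documents and the `margin` parameter (a stand-in for the auditor's judgment of "close to") are assumptions made for illustration.

```python
import random

def systematic_sample(ids, sample_size, rng):
    """One item per uniform interval, from a random start in the first interval."""
    interval = len(ids) // sample_size      # population units / sample size
    if interval < 1:
        raise ValueError("sample size exceeds population")
    start = rng.randrange(interval)         # random start inside the first interval
    return [ids[start + k * interval] for k in range(sample_size)], interval

def evaluate_controls_sample(selected, status, rng, expected_rate, margin=0.0):
    """status maps document id -> ok | deviation | voided | unused | missing.

    margin is a hypothetical knob for the auditor's judgment of "close to".
    """
    chosen = set(selected)
    pool = [d for d in status if d not in chosen]   # candidates for replacements
    rng.shuffle(pool)                               # assumption: replace at random
    queue, examined, deviations, replaced = list(selected), [], [], []
    while queue:
        doc = queue.pop(0)
        if status[doc] in ("voided", "unused"):
            # Properly voided, unused or inapplicable: replace with another item.
            if not pool:
                raise ValueError("no documents left to use as replacements")
            replaced.append(doc)
            queue.append(pool.pop())
            continue
        examined.append(doc)
        # A document that cannot be examined counts as a deviation.
        if status[doc] in ("deviation", "missing"):
            deviations.append(doc)
    rate = len(deviations) / len(examined)          # point estimate
    return {
        "sample_size": len(examined),
        "replaced": replaced,
        "deviations": deviations,
        "deviation_rate": rate,
        # Not supported if the rate exceeds or is close to the expected rate.
        "supports_lower_control_risk": rate < expected_rate - margin,
    }

if __name__ == "__main__":
    rng = random.Random(39)                         # fixed seed: selection can be re-run
    ids = list(range(1, 20001))                     # constructed voucher numbers
    sample, interval = systematic_sample(ids, 100, rng)
    status = {d: "ok" for d in ids}                 # constructed test results
    status[sample[3]] = "voided"
    status[sample[10]] = "missing"
    print(interval, evaluate_controls_sample(sample, status, rng, expected_rate=0.02))
```

Recording the seed alongside the selection method lets a reviewer reproduce exactly which documents were drawn.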
Documentation of Sampling Procedures
This section does not require specific documentation of audit sampling applications; however, the auditor might consider including the following in the audit documentation:
- A description of the control tested.
- Objectives of the sampling application, including its relationship to planned substantive testing.
- Definitions of the population and the sampling unit.
- Definition of a deviation.
- Assessments of: (a) Risk of assessing control risk too low; (b) Tolerable deviation rate; and (c) Expected population deviation rate.
- Method of determining sample size.
- Method of selecting sample.
- Description of how sampling procedure was performed and a list of sample deviations.
- Evaluation of sample and summary of conclusions, including: (a) number of sample deviations; (b) explanation of how sampling risk was considered; (c) determination of whether sample results supported planned assessed level of control risk; (d) qualitative aspects of deviations; and (e) effects of evaluation of results on planned substantive tests.
Using Nonstatistical Sampling for Substantive Tests
In using nonstatistical sampling for substantive tests, the auditor should do the following:
1. Identify Individually Significant Items – In using sampling for substantive tests, the auditor may decide that for certain items, accepting some sampling risk is not justified. For example, the auditor may decide to examine all items over a specified dollar amount. Items tested 100% are not part of the sample. Dividing a population into relatively homogeneous units is known as stratification. Excluding individually significant items provides an initial stratification. The auditor may further subdivide the remaining population, however, into subgroups of items with similar values.
2. Define the Population – The population consists of the class of transactions or the account balance to be tested. Because the auditor will project the results of the sample to the population, he or she must specify the population so that the sample units come from that population. For example, accounts receivable has four different populations:
- All accounts.
- Accounts with zero balances.
- Accounts with debit balances.
- Accounts with credit balances.
The audit objective determines which population is appropriate.
3. Define the Sample Unit – A sampling unit is any item in the population. For example, a sampling unit may be a customer account or an individual transaction.
4. Determine Sample Size – For nonstatistical sampling, sample size can be subjectively determined. Factors 1 to 4 should be considered and 5 might be considered:
- Factor-1: Amounts of individual items – Accounting populations usually include a few very large amounts, a number of moderately large amounts, and a large number of small amounts. In these circumstances, if the population is not stratified, much larger sample sizes are necessary.
- Factor-2: Variability and size of the population – Populations are characterized by some variability; that is, not every item in the population is the same amount. Statistically, this variation is measured by the standard deviation. The larger the variability of the population, the larger the standard deviation is. For nonstatistical sampling, the standard deviation is not quantified; it is estimated in qualitative terms, such as small variability or large variability. The larger the estimated variability of the population, the larger the sample size required is. To estimate variability, the auditor may use: (a) His or her judgment; or (b) Prior year results; or (c) A pilot sample; or (d) A combination. The number of items in the population generally has little effect on the sample size for substantive tests; therefore, it is generally not efficient to determine sample size as a fixed percentage of the population.
- Factor-3: Risk of incorrect acceptance – In determining sample size, the auditor should consider the risk of incorrect acceptance (an aspect of sampling risk). As the level of risk of incorrect acceptance increases, the sample size for the substantive test decreases. For example, a 10% level of risk of incorrect acceptance requires a smaller sample to achieve the same results than does a 5% level of risk. If he or she assessed control risk at lower than the maximum for a given assertion, the auditor can accept a larger risk of incorrect acceptance for the substantive test related to the assertion.
- Factor-4: Tolerable misstatement and expected misstatement – For an account balance or a class of transactions, the sample size, given the risk of incorrect acceptance, increases as the tolerable misstatement for that balance or class of transactions decreases. As the size or frequency of expected misstatements decreases, the sample size also decreases.
- Factor-5: Statistical table or formula – After he or she determines sample size for nonstatistical sampling, the auditor may wish to, but is not required to, compare it with the sample size from a statistical table or formula. The auditor may also use a statistical table or formula to determine sample size for a nonstatistical sample. The distinguishing feature of statistical sampling is mathematical evaluation of sample results using the laws of probability. Use of statistical methods for sample size determination and selection of sample items does not by itself make the audit sample a statistical sample.
5. Select the Sample – The auditor should select the sample units by using any method that can be expected to result in a representative sample. For substantive tests of account balances, the auditor ordinarily stratifies the population before selecting the sample.
6. Evaluate Sample Results – The section requires the auditor to project the misstatement results of the sample to the population from which the sample was selected. One method of projecting the misstatement is to divide the dollar amount of the misstatement in the sample by the percentage of the sample dollars to the total dollars in the population.
Example: If the sample amounted to 5% of the population (in dollars), and if $1,000 of misstatement was observed in the sample, the misstatement projected to the population is $20,000 (=$1,000 / 5%). This is the best estimate of the misstatement in the population. Another method of projecting the misstatement is to multiply the average unit misstatement in the sample by the number of units in the population. For example, if there were 200 units in the sample and $600 in misstatements was observed, the average misstatement in the sample is $3 (=$600 / 200). If there are 30,000 units in the population, the misstatement projected to the population is $90,000 (=30,000 × $3).
Note: Projected misstatement is the best estimate of the misstatement in the population. In statistics, it is called the point estimate.
7. Consider Sampling Risk – For nonstatistical sampling, the auditor uses his or her experience with the client and professional judgment when considering sampling risk. If the projected misstatement does not exceed expected misstatement, the auditor may reasonably conclude that there is an acceptably low risk that the true misstatement exceeds the tolerable misstatement. However, if the projected misstatement exceeds or approximates expected misstatement, the auditor may reasonably conclude that there is an unacceptably high risk that the true misstatement exceeds the tolerable misstatement. If he or she believes the recorded amount may be misstated, the auditor ordinarily suggests that the entity investigate the misstatements and, if appropriate, adjust the recorded amount.
8. Document Sampling Procedures – This section does not require specific documentation of audit sampling applications; however, the auditor might consider including the following in the audit documentation:
- Objectives of the test and a description of other procedures, if any, directed to these same objectives.
- Definitions of the population and the sampling unit.
- Definition of a misstatement.
- Assessment of: (a) Risk of incorrect acceptance; (b) Risk of incorrect rejection (solely a matter of efficiency); (c) Tolerable misstatement; (d) Expected population misstatement.
- Sampling technique used.
- Method of selecting sample.
- Description of how sampling procedure was performed and a list of sample errors.
- Evaluation of sample and summary of conclusions, including: (a) Projection of misstatements; (b) Consideration of sampling risk; (c) Qualitative aspects of the misstatements.
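The "Identify Individually Significant Items" and "Evaluate Sample Results" steps above, worked through on a small ledger as an added Python example that is not part of the original post. The item ids, amounts and the $10,000 cut-off are constructed, and the function names are hypothetical; the two projection helpers implement the two methods the post describes.

```python
def ratio_projection(misstatement, sample_dollars, population_dollars):
    """Misstatement divided by the sample's share of population dollars."""
    return misstatement * population_dollars / sample_dollars

def mean_per_unit_projection(misstatement, sample_units, population_units):
    """Average misstatement per sampled unit times units in the population."""
    return misstatement * population_units / sample_units

def evaluate_substantive_sample(recorded, audited, sample_ids, significant_over):
    """recorded/audited map item id -> amount; audited covers every examined item."""
    # Initial stratification: items over the cut-off are examined 100%.
    significant = [i for i, amt in recorded.items() if amt > significant_over]
    remaining = {i: amt for i, amt in recorded.items() if amt <= significant_over}
    stray = [i for i in sample_ids if i not in remaining]
    if stray:
        raise ValueError(f"sampled items outside the sampled population: {stray}")
    # Items tested 100% are not part of the sample: their misstatement is known.
    known = sum(recorded[i] - audited[i] for i in significant)
    sample_miss = sum(recorded[i] - audited[i] for i in sample_ids)
    sample_dollars = sum(recorded[i] for i in sample_ids)
    return {
        "individually_significant": sorted(significant),
        "known_misstatement": known,
        "sample_misstatement": sample_miss,
        # Project only to the population the sample was drawn from.
        "projected_by_ratio": ratio_projection(
            sample_miss, sample_dollars, sum(remaining.values())),
        "projected_by_mean_per_unit": mean_per_unit_projection(
            sample_miss, len(sample_ids), len(remaining)),
    }

# Constructed ledger: 100 small accounts plus two large ones (901, 902).
RECORDED = {i: 100 for i in range(1, 51)}
RECORDED.update({i: 300 for i in range(51, 101)})
RECORDED.update({901: 50_000, 902: 60_000})
# Constructed audit results for the examined items only.
AUDITED = {10: 100, 20: 90, 30: 100, 40: 100, 60: 300, 70: 250,
           901: 50_000, 902: 59_000}
SAMPLE_IDS = [10, 20, 30, 40, 60, 70]

if __name__ == "__main__":
    for key, value in evaluate_substantive_sample(
            RECORDED, AUDITED, SAMPLE_IDS, significant_over=10_000).items():
        print(f"{key}: {value}")
```

On this ledger the two methods give different projections because the sampled misstatements are not spread evenly across item sizes.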