8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 1/6

Internal Auditor  – 8th July 2011

Print Close

 Attribute Sampling Plans 

A simple statistical application may dramatically improve the reliability of

internal control testing. 

DENNIS APPLEGATE 

A reliability assessment of the organization's internal control system involves decidinghow much evidence to gather. Because an examination of all underlying control data is

not always feasible, auditors must often draw samples, audit the items selected, and

extrapolate the results to the larger population.

Either a statistical or nonstatistical approach to sampling is acceptable under The IIA's

International Standards for the Professional Practice of Internal Auditing and The

American Institute of Certified Public Accountants' (AICPA's) Professional Auditing

Standards. The use of statistics, however, will help auditors develop sample plans more

efficiently and assess sample results more objectively than nonstatistical methods alone.

Even a well-designed nonstatistical sample cannot measure the risk that the sample is

not representative of the population - a distinct advantage of statistically based sampling

plans. Moreover, increased regulatory requirements to provide greater assurance over

internal accounting controls and company demands for greater productivity from their

audit shops make statistical sampling a necessary part of the internal auditor's tool kit.

Fortunately, auditors can use statistical sampling techniques without any detailed

knowledge of classical statistical theory and still accomplish their audit objectives.

ATTRIBUTE SAMPLING 

Attribute sampling plans represent the most common statistical application used by

internal auditors to test the effectiveness of controls and determine the rate of

compliance with established criteria. The results of these plans provide a statistical basis

for the auditor to conclude whether the controls are functioning as intended, reflecting

either control compliance or noncompliance - a binary (yes/no) proposition.

8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 2/6

In developing an attribute sampling plan, the auditor must first define the audit test

objective, population involved, sampling unit, and control items to be tested. For

example, if the auditor's objective is to determine the percentage of sales orders lacking

credit approval, the population will consist of all sales orders within a given period. Each

sales order becomes the sampling unit, and sales order credit approval represents the

control attribute to be tested.

STATISTICAL CRITERIA 

The auditor must consider four statistical parameters to determine an appropriate

sample size to select for the planned control test: confidence level, expected deviation

rate, tolerable rate, and population. Although guided by assessed risk, inquiries of the

audit client, and prior audit experience, each parameter is ultimately based onprofessional auditor judgment.

Confidence Level 

The sample's confidence level refers to the reliability the auditor places on the sample

results. Confidence levels of 90 percent to 99 percent are common. A 95 percent

confidence level means the auditor assumes the risk that five out of 100 samples will not

reflect the true values in the population.

The auditor's assessment of the control environment contributes to the level of risk the

auditor is willing to assume. At a 95 percent confidence level, 5 percent — the

complement of the confidence level — reflects the auditor's risk of "assessing control

risk too low."

Expected Deviation Rate 

The expected deviation rate represents the auditor's best estimate of the actual failure

rate of a control in a population. The rate usually is based on client inquiries, changes in

personnel, process observations, prior year test results, or even the results of a

preliminary sample.

Tolerable Rate 

The tolerable rate defines the maximum rate of noncompliance the internal auditor will

"tolerate" and still rely on the prescribed control. Many auditors will coordinate with their

audit client before establishing a tolerable level. Client control objectives help determine

8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 3/6

the nature and frequency of deviations that can occur and still allow reliance on the

control.

Population 

The population contains all items to be considered for testing. Each must have an

unbiased chance of selection to ensure the final sample is representative of the

population. For large populations containing thousands of items, population size will

cause little impact on total sample size and is often irrelevant for audit sample planning.

APPLICATION OF THE METHODOLOGY 

In a test of sales orders for appropriate credit approval, suppose the auditor estimates a

1.5 percent expected deviation rate of missing credit approvals relative to total sales

orders, establishes a tolerable rate of 6 percent, and accepts a 95 percent confidence

level that the sample results will reflect missing credit approvals fairly in the population.

To calculate sample size, the auditor could use a variety of tools and techniques,

including manual computations, statistical tables, and commercial software packages.

For the statistical parameters provided, a sample size of 103 sales orders would be

needed based on the "Statistical Sample Sizes for Test of Controls" chart below.

Each of the sales orders selected for audit must be randomly drawn to prevent bias in

the sample results. Simple random sampling, such as choosing sales orders based on a

random-number table, is the most common selection technique. Systematic selection -

picking every nth sales order - is also acceptable if the first item sampled is randomly

selected, though the results may be skewed if missing credit approvals occur in a

systematic pattern. Because the random nature of the selection process will protect the

validity of the statistical inferences, simple random sampling is normally the preferred

method.

After selecting a sample of sales orders, the auditor would compare the documented

credit approvals against the operating procedures in place, noting exceptions and

performing other audit steps as necessary in light of sales order protocols unique to the

business. Special consideration should be given to data anomalies resulting from the

selection process. For example, missing sales order documentation should be treated as

an audit exception because the condition implies that control over credit approvals has

not been applied as prescribed. Alternatively, voided sales orders should be replaced by

orders that have not been voided. Mere voiding of a sales order does not alone suggesta weakness in control over credit approval.

8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 4/6

Based on these procedures, suppose four sales orders lacked appropriate credit

approval in the sample test. The auditor would project these results to the sales order

population by calculating the upper deviation rate, a statistical estimate of the maximum

deviation rate in the population. This rate can be determined using a simple statistical

table or a manual or computer-generated computation. Based on the sample size and

number of deviations found, the upper deviation rate in the sales example would be

approximately 9 percent based on the "Statistical Sampling Results Evaluation Table for

Tests of Controls" chart below.

AUDIT CONCLUSION 

To form a statistical conclusion about the control tested, the auditor must compare the

upper deviation rate to the tolerable rate in the sampling plan. If the upper deviation rateis less than the auditor's tolerable rate, the auditor would consider the control effective.

Alternatively, if the upper deviation rate exceeds the auditor's tolerable rate, the auditor

would consider the control ineffective. In the sales order example, the upper deviation

rate(9 percent) exceeds the auditor's tolerable rate (6 percent). Therefore, the auditor

would advise management not to rely on the control, concluding with 95 percent

certainty that the rate of missed credit approvals exceeds the tolerable rate.

All audit sampling plans use the upper deviation rate as the basis for an audit conclusion

because it includes an allowance for sampling risk, which provides protection against

undetected deviations. For nonstatistical sampling plans, only the sample deviation rate

can form the basis for an audit conclusion - a limitation of the nonstatistical approach.

WORKPAPER OBJECTIVES 

As with all audit procedures, the auditor must appropriately document the work

performed. For a statistical sampling plan, the auditor's workpapers should include the

essential elements, including the nature of the control tested (in the earlier example,

sales order credit compliance with organizational procedure); details of the population

and sampling unit (prior-year sales orders and related credit approvals); the control

deviation (missing credit approvals); the statistical parameters used (including the

deviation and tolerable rates); the sample size; and the evaluation of results. The

auditor's documentation should also describe how the audit test steps were performed,

and should provide a list of the actual deviations found (namely, in our example, the

missing credit approvals).

AUDITOR JUDGMENT 

8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 5/6

Regardless of the sampling approach used, professional auditor judgment must always

govern the quality of the audit evidence. Even with statistical sampling, auditors must

exercise judgment in determining the appropriate statistical parameters to use for a valid

audit conclusion. Nonetheless, a statistical approach to evidence gathering, such as

attribute-based sampling, will normally provide a more objective basis for evaluating

sample results than nonstatistical techniques and enhance the quality of auditors'

reporting to management.

8/3/2019 CIA Material Sampling

http://slidepdf.com/reader/full/cia-material-sampling 6/6

 

To comment on this article, e-mail the author at dennis.applegate@theiia.org.