Audit Sampling Guidelines and Reference Materials for Internal Auditors

undefined
A
UDIT
 S
AMPLING
L
OUISIANA
 A
SSOCIATION
 
OF
 C
OLLEGE
 
AND
U
NIVERSITY
 A
UDITORS
 (LACUA)
O
CTOBER
 28, 2022
O
BJECTIVES
To review authoritative guidance for audit
sampling:
Potential for external auditor reliance on
internal auditors (AU-C §610).
To project results of our work with a greater
degree of certainty.
O
BJECTIVES
Guidance on sampling related topics:
Understand sampling
Apply concepts
To respond to questions related to audit
sampling.
A
VAILABLE
R
EFERENCE
 M
ATERIAL
AICPA 
Codification of Statements on
Auditing Standards
, AU-C §530, 
Audit
Sampling
AICPA 
Codification of Statements on
Auditing Standards
, AU-C §935,
Compliance Audits
, ¶.A21
A
VAILABLE
R
EFERENCE
 M
ATERIAL
AICPA 
Audit Guide
, 
Audit Sampling
AICPA Audit Guide, 
Government Auditing
Standards and Single Audits
A
VAILABLE
R
EFERENCE
 M
ATERIAL
The Institute of Internal Auditors (IIA)
International Professional Practices
Framework (IPPF)
IPPF Practice Guide, Assisting Small
Internal Audit Activities in Implementing
the Standards
IIA S
MALL
 I
NTERNAL
 A
UDIT
A
CTIVITIES
One to five auditors
Productive hours less than 7,500/year
Limited co-sourcing or out-sourcing
IPPF S
TANDARDS
 §2310
Auditors must identify sufficient, reliable,
relevant, and useful information to achieve
the engagement’s objectives.
IPPF I
MPLEMENTATION
 G
UIDANCE
If internal auditors choose to select a
sample, they are responsible for applying
methods to assure that the sample selected
represents the whole population and/or time
period to which the results will be
generalized.
IPPF P
RACTICE
 G
UIDE
External audit requirements for sampling
may not correspond to that of the internal
audit activity.
IPPF P
RACTICE
 G
UIDE
The Standards encourage collaboration with
external auditing and such collaboration
may include discussion of external audit
sampling and scoping parameters.
Such discussions in advance of audit plan
development and execution may allow for
greater reliance on the work of internal
auditing.
A
UDIT
 S
AMPLING
 D
EFINED
(AU-C §530.05)
The selection and evaluation of less than
100% of the population of audit relevance
such that the auditor expects the items
selected (the sample) to be representative of
the population and, thus, likely to provide a
reasonable basis for conclusions about the
population.
A
UDIT
 S
AMPLING
 D
EFINED
(AU-C §530.05)
Representative
Sample conclusions, subject to the limitations
of sampling risk, are similar to those that would
be drawn if the same procedures were applied
to the entire population.
S
AMPLING
 R
ISK
 D
EFINED
(AU-C §530.05)
The risk that the auditor’s conclusion based
on the sampling procedures may be
different than a conclusion based on
applying the same audit procedure to the
entire population.
S
AMPLING
 R
ISK
 D
EFINED
(AU-C §530.05)
Ineffective sample:
Concluding controls are 
more
 effective than
they actually are, or a material
misstatement/material noncompliance does not
exist when it does and is:
Likely to lead to an inappropriate conclusion.
Risk of overreliance
Potential audit failure
S
AMPLING
 R
ISK
 D
EFINED
(AU-C §530.05)
Inefficient sample:
Concluding controls are 
less
 effective than they
actually are or a material misstatement/material
noncompliance exists when it does not.
May result in additional work to determine
initial conclusions were incorrect.
Underreliance.
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
Auditor judgment is critical for
determining/assessing:
Risks (differs from the annual internal audit
risk assessments)
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
Auditor judgment is critical for
determining:
Materiality
Performance Materiality and Tolerable
Misstatement/Deviation
Immaterial Misstatements
Trivial Misstatements
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
However
“We judgmentally selected a sample of . . .”
“We judgmentally determined to use a sample
size of . . .”
May not be appropriate.
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
Auditor understanding of population:
Allows judgment when determining whether to
stratify the population before sampling, or
whether to use sampling at all.
Determining if population consists primarily of
significant transactions.
Using substantive analytical procedures to
provide sufficient appropriate audit evidence.
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
D
ATA
 A
NALYTICS
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
Acceptable sampling methods:
Random (statistical or nonstatistical)
Systematic (starting point, then every 
nth
 item
in the population)
Haphazard
A
UDITOR
 J
UDGMENT
 
IN
 S
AMPLING
Acceptable sampling methods include:
Monetary Unit Sampling (statistical) – used to
assess the amount of monetary misstatement
that may exist in a population.
R
ELEVANT
 A
SSERTIONS
(M
ANAGEMENT
S
 A
SSERTIONS
)
A
ND
 C
OMPLIANCE
(
E
.
G
., 
LAWS
 
AND
 
REGULATIONS
,
FEDERAL
 
PROGRAM
 
REQUIREMENTS
)
P
CARDS
/T
RAVEL
 C
ARDS
?
S
TUDENT
 F
INANCIAL
 A
ID
?
I
S
 S
AMPLING
 A
PPROPRIATE
Determine if sampling is most appropriate/
effective:
Homogeneous population
Control tests/substantive tests of details vs
substantive analytical procedures?
Data Analytics
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
Homogeneous Population:
College/university’s tuition and fee revenues totaled
$400 million for the fiscal year.
Enrollment = 30,000
Full-time COA = $7,500 per semester
Sample of 100 students = $750,000 (maximum)
Will a substantive analytical procedure provide
better, sufficient appropriate substantive evidence?
Homogeneous Population:
Testing controls (sampling) - effective or efficient?
Test of controls with a limited number of transactions
through/from the software application?
Fewer students?
More students?
Substantive analytical procedure?
Data analytics?
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
Homogeneous
 Population:
Substantive analytical procedure:
Published tuition and fee costs per credit hour (A)
Validate schedule - i.e., approved and agrees with the fee
tables in the software application
Student enrollment (B)
Break down enrollment by credit hours
Tolerable limit (C)
Acceptable difference from reported amount
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
Homogeneous
 Population:
A x B 
 Tuition and fees on income statement.
Result within C (+ or -)?
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
Homogeneous Population:
Evaluate effectiveness:
Does the calculation provide evidence that the fee
schedule is applied to each student appropriately
(provides evidence that controls are effective)?
Is the calculated total within the expectation/
tolerable limit (substantive result)?
Does the calculation provide assurance that the reported
balance is materially correct?
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
Homogeneous Population:
If a fee is not correct in the IT system, is sampling
individual students necessary?
Conclude based on a substantive procedure
(calculation)?
A $10 fee charged per 
student
 is posted in the system as
$9.50 maximum error  = $15,000 (0.00375%).
A $10 fee charged per 
credit hour
 (360,000 hours) is
posted as $9.50.  Maximum error = $180,000 (0.045%).
Is either material?
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
PCard/Travel Expenses:
Not homogeneous
Airfare, hotel, car rental, food, incidentals, etc.
Sample?
Stratify population?
Combination of the two?
D
ETERMINING
 
IF
 A
UDIT
 S
AMPLING
I
S
 A
PPROPRIATE
 
FOR
 
THE
 T
ESTS
D
OCUMENTING
 
THE
 S
AMPLE
D
EFINING
 
THE
 O
BJECTIVE
 
OF
 
THE
S
AMPLE
The control or amount (substantive) of the
account balance, class of transactions, or
disclosure component being tested.
D
EFINING
 
THE
 O
BJECTIVE
 
OF
 
THE
S
AMPLE
Control
To determine whether key controls relating to
PCard/travel expenses are in place and
operating effectively
To support the preliminary risk assessment
(identified for each key control), and
To determine if the institution has complied with
applicable, material purchasing laws/regulations
D
EFINING
 
THE
 O
BJECTIVE
 
OF
 
THE
S
AMPLE
Substantive
To determine if PCard/travel expenses are
materially correct.
D
EFINING
 
THE
 P
OPULATION
 
FROM
W
HICH
 
THE
 S
AMPLE
 I
S
 T
AKEN
Control/Substantive or Both
The population is all PCard/travel expenses
recorded in the general ledger.
D
EFINING
 
THE
 P
OPULATION
 
FROM
W
HICH
 
THE
 S
AMPLE
 I
S
 T
AKEN
Control/Substantive or Both
Transactions to be included in the population:
All expenses coded to travel accounts (e.g., GL
accounts 7451-7460).
PCard transactions processed through the issuing
bank.
D
EFINING
 
THE
 P
ERIOD
 C
OVERED
 
FOR
THE
 P
OPULATION
Control/Substantive or Both
All expenses as defined above included in the
period from July 1, 2021, through June 30,
2022.
C
ONSIDERATION
 
OF
 
THE
C
OMPLETENESS
 
OF
 
THE
 P
OPULATION
Control/Substantive or Both
Reconcile detail expense transactions processed
through AP to the GL accounts.
Reconcile PCard transactions to bank
statements.
D
EFINING
 
THE
 S
AMPLING
 U
NIT
Control/Substantive or Both
Any individual transaction from the population
from which the sample will be taken.
I
DENTIFICATION
 
OF
 I
NDIVIDUALLY
S
IGNIFICANT
 I
TEMS
 (S
TRATIFYING
)
Substantive (using the same population for
control testing)
I
DENTIFICATION
 
OF
 I
NDIVIDUALLY
S
IGNIFICANT
 I
TEMS
 (S
TRATIFYING
)
Substantive
Justify the portion of the population not tested:
All transactions <= $100 totaled $3,750, 0.375% of
dollars and 25% of transactions
Transactions in total are less than the level of
immateriality and represent little to no risk of
material misstatement for the population as a whole.
D
EFINING
 
THE
 E
RROR
Deviation condition (control) or error
(substantive - i.e., misstatement/exception):
An answer of “X” to any of the control/
substantive attributes listed at the test.
D
ETERMINING
 S
AMPLE
 S
IZE
Control test:
Determine confidence level and risk of
overreliance – a 95% confidence level results in
a 5% risk of overreliance (¶¶3.38-3.61).
Determine the tolerable deviation rate
(normally expressed as a percentage).
Determine the expected deviation rate – the
higher the rate, the larger the sample.
D
ETERMINING
 S
AMPLE
 S
IZE
Control test:
If practicable, use the 
Audit Guide
 Table A-1.
Adjust the base sample size if the population is
small or if operating controls are infrequent.
See the 
Audit Guide
, Tables 3-4 and 3-5 for
sample sizes for small populations.  Note that
for populations of 4 - 52, Table 3-5 suggests
sample sizes (requires sample to be
documented).
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine the objective:
To determine if PCard/travel expenses are materially
correct.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine the RMM.
Determine analytical procedures risk:
Will substantive analytical procedures provide
sufficient appropriate audit evidence?
Will substantive analytical procedures reduce
sample sizes?
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Substantive analytical procedures as a primary
test generally aren’t appropriate for non-
homogeneous populations.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details - Payroll:
Determine analytical procedures risk:
Payroll analytical procedures:
Divide employer contributions to pension plans by
the contribution rate to determine covered payroll,
and then compare the results to total payroll.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details - Payroll:
Determine analytical procedures risk:
Analytical procedures may not be appropriate for:
Testing time and attendance; or
Census data testing for pensions and OPEB.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine tolerable misstatement as a
percentage of the population subject to testing.
D
ETERMINING
 S
AMPLE
 S
IZE
Materiality:
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine tolerable misstatement as a
percentage of the population subject to testing
(7.5% above)
Note in the previous table that tolerable
misstatement for the account tested is
$7,500,000 and 
not
 $75,000,000
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
In the above, if the population tested is the $100
million, and if financial statement tolerable
misstatement is used, then the auditor is saying
that if a $74,999,999 error is identified, the
population is materially correct because the
error does not exceed the tolerable
misstatement.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine the expected misstatement as a
percentage of the population subject to
sampling:
The greater this percentage, the larger the sample.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Determine the base sample size (
Audit
Sampling
, Table 4-5 for one example).
In dual-purpose testing for control and
substantive tests, if the auditor has calculated a
sample size of 60 for control and 80 for
substantive testing, the sample size should be
80 (
Audit Sampling
, ¶2.13).
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size due to variation and
stratification:
Variation 
- 
effectiveness of the sample.
Not removing low dollar items, or not testing high
dollar 
- efficiency and effectiveness, respectively
.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size due to variation and
stratification:
For example, pulling a sample for a population of $1
million results in a sample whose total dollars were
$21,000.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size and/or approach due to
variation and stratification.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size due to variation and
stratification:
The 15 items (individually significant) tested are not
part of the sample
If calculated sample size is 80, then 95 transactions
are tested.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size due to variation and
stratification:
However, stratification of the population can reduce
sample size below 80 if the stratification reduces
audit risk.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
Adjust the sample size due to the number of
items in the population:
See 
Audit Sampling
, Tables 3-4 and 3-5 for sample
sizes for smaller populations.
D
ETERMINING
 S
AMPLE
 S
IZE
Substantive test of details:
State the final sample size.
P
ERFORMING
 
THE
 T
EST
(
S
)
Substantive test of details:
Describe how the sampling procedure was
performed.
E
VALUATING
 
THE
 S
AMPLE
 R
ESULTS
Number of deviations in the sample
(control) or the misstatement identified in
the sample (substantive).
Deviations or misstatement as a percentage
of the sample.
Project deviations or misstatement to the
population as a whole.
E
VALUATING
 
THE
 S
AMPLE
 R
ESULTS
Consider the qualitative aspects of sample
results:
Nature and cause (fraud or error).
Whether results lead to a conclusion that the
sample is not representative of the population.
E
VALUATING
 
THE
 S
AMPLE
 R
ESULTS
Consider the qualitative aspects of sample
results:
Is there a broader impact of the deviations/
misstatements from:
Management override of controls?
Identified weaknesses in an IT application that
processes other transactions?
E
VALUATING
 
THE
 S
AMPLE
 R
ESULTS
Consider sampling risk:
If sampling risk is high, the projected
deviations or misstatement may exceed the
expected error.
Determine if the sample should be expanded
(
Audit Sampling
, ¶¶3.82-.84 and 4.95-.100).
Determine if evidence supports writing a
finding.
E
VALUATING
 
THE
 S
AMPLE
 R
ESULTS
Consider sampling risk:
Are deviations and/or misstatements
determined to be isolated or anomalies, or are
they pervasive throughout the population?
Do compensating/mitigating controls exist, are
they operating as designed, and do they reduce
risk to an acceptable level?
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
AICPA 
Audit Guide
, 
Government Auditing
Standards and Single Audits
, Chapter 11
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Procedures not involving audit sampling:
Inquiry and observation
Analytical procedures
Testing 100% of a population
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Procedures not involving audit sampling:
Individually important items
Obtaining an understanding of and testing
operating effectiveness of controls over
compliance
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Sampling steps/procedures are similar to
those for control tests and substantive tests
of details.
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Additional steps include:
Considering multiple major programs:
Where controls for a type of compliance
requirement are the same for more than one major
federal program, the transactions for the programs
may be combined into one population for testing
(Audit Guide ¶11.42).
e.g., CARES Act/HEERF consist of numerous
programs/CFDAs that can be tested together.
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Additional steps include:
Considering multiple organizational units (e.g.,
colleges/universities with multiple campuses):
Are separate internal controls used – i.e., do controls
vary significantly?
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Additional steps include:
Considering clusters of programs (Student
Financial Assistance Cluster of Programs):
Sufficient appropriate audit evidence is to be
gathered for the compliance requirements for cluster
programs as a whole (i.e., treat the cluster as one
program).
i.e., is the sample representative of the program
cluster as whole?
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Dual purpose testing opportunities may
exist:
Allowable costs and cost principles.
Evidence that the recorded amount, account,
and period are correct for financial reporting.
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
See 
Audit Guide
 Table 11-1 for control
testing sample sizes based on the RMN.
Sample sizes in the table range from 25 to 60.
Inherent risks that may be applicable are at
¶11.67.
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
See 
Audit Guide
 Table 11-2 for compliance
testing sample sizes based on the desired
level of assurance for the remaining RMN,
with high, moderate, low risks and no
expected deviations.
Sample sizes in the table range from 25 to 60.
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Audit Guide
 small sample sizes:
Quarterly
  
   (2)
Monthly
  
(2-4)
Semimonthly
  
(3-8)
Weekly
  
(5-9)
S
AMPLING
 
FOR
 U
NIFORM
 G
UIDANCE
C
OMPLIANCE
 A
UDITS
Documenting the sample is critical.
Identifying specifically what controls are
tested is critical.
Auditor flexibility is limited when
determining if a finding is to be written:
$25,000 in 
known or 
likely
 questioned costs
Exception rate over the tolerable deviation
undefined
P
OINTS
 
OF
 E
MPHASIS
V
OIDED
 D
OCUMENTS
If a transaction has been properly voided
and does not represent a deviation from the
prescribed control:
Replace the voided transaction.
If simple random sampling is used, should
match a replacement random number with the
appropriate transaction (¶3.67).
U
NUSED
 
OR
 I
NAPPLICABLE
 D
OCUMENTS
Unused document number included in the
sample
Obtain evidence the number actually represents
an unused document and is not a deviation.
Replace the document number with an
additional document number.  (¶3.68)
U
NUSED
 
OR
 I
NAPPLICABLE
 D
OCUMENTS
Deviation defined as a transaction not
supported by a receiving report:
A utility expense selected not expected to be
supported by a receiving report.
Replace the item with another transaction.
(¶3.68)
V
ARIATION
 
IN
 
THE
 P
OPULATION
Stating there is little to no variation is
generally not appropriate in a substantive
test of details.
The auditor is required to understand the
population and the audit objectives before
sampling begins.
V
ARIATION
 
IN
 
THE
 P
OPULATION
(S
UBSTANTIVE
 T
ESTS
 
OF
 D
ETAILS
)
Variation example:
The transaction amounts range from $10 to $1,000,000.
To address the variation in the population, we have
removed the transactions below $100 (50% of the
transactions total $XX, which is below immateriality)
We will remove transactions above significance (or
above a certain dollar amount) and will test 100% of
the transactions.  These transactions total 50% of the
population dollars.
V
ARIATION
 
IN
 
THE
 P
OPULATION
Using monetary unit sampling (MUS) may
be more efficient than stratifying or
increasing the sample size.
V
ERIFYING
 
THE
 C
OMPLETENESS
 
OF
 
THE
P
OPULATION
Completeness of a population when
agreeing detail transactions to the general
ledger (GL) or financial statements is easier
than circumstances where other sources
must be used.
V
ERIFYING
 
THE
 C
OMPLETENESS
 
OF
 
THE
P
OPULATION
Number of employees
Payroll compared to organization charts in
smaller organizations.
HR employee lists compared to the payroll
transaction population to ensure employees are
active.
Conversely, determine if transactions represent
active employees reported by HR.
V
ERIFYING
 
THE
 C
OMPLETENESS
 
OF
 
THE
P
OPULATION
Number of tickets:
When prenumbered, obtain used and partially
used ticket books to determine a population
size.
For an event:
Number of seats in an arena/auditorium
compared to tickets sold and attendance
records.
U
NIFORM
 G
UIDANCE
S
IGNIFICANCE
 
OF
 
THE
 C
ONTROL
(
S
)
Significance of the control is to be
determined for 
each
 control and 
not
 
overall
for the compliance 
requirement
.
U
NIFORM
 G
UIDANCE
I
NHERENT
 R
ISK
Inherent risk is to be assessed for 
each
compliance requirement tested and 
not
overall
 for the program.
R
ESULTS
, C
ONCLUSIONS
, 
AND
A
DDITIONAL
 P
ROCEDURES
Determinations of the sample size for tests
of controls and the sample size for
substantive tests of details and compliance
tests are separate.
R
ESULTS
, C
ONCLUSIONS
, 
AND
A
DDITIONAL
 P
ROCEDURES
The results of the tests of controls and substantive
tests of details/compliance tests can impact each
other:
Deviations in tests of controls may impact substantive/
compliance tests.
If the auditor does not expand tests of controls, thereby
increasing the assessed level of control risk (writing a
finding), the original sample sizes for substantive or
compliance tests may no longer be appropriate.
undefined
D
ATA
 A
NALYTICS
D
ATA
 A
NALYTICS
Can be used to test 100% of a population.
Advantages:
NO SAMPLING!
Gives the auditor a much deeper understanding
of populations and data.
Can save significant time.
Significantly more reliable results.
D
ATA
 A
NALYTICS
Advantages:
Easier to adjust criteria where the output is not
what the auditor is looking for.
D
ATA
 A
NALYTICS
Comparing different data sets:
Vendor Bank
Accounts
Employee Bank
Accounts
D
ATA
 A
NALYTICS
Coverage for areas that may not have been
given attention in previous work.
May apply to federal program compliance:
Student Financial Assistance:
All students – aid posted to student accounts within
the required timeframe.
Maximum award by academic years and aggregated
for lifetime limitation.
D
ATA
 A
NALYTICS
Highlighting anomalies within a population.
Finding errors in data sets.
Stratifying data.
D
ATA
 A
NALYTICS
 S
OFTWARE
Multiple options for visualizing data:
Spreadsheets and schedules
Line graphs
Charts
Reports
Data extraction based on predetermined
criteria.
D
ATA
 A
NALYTICS
 S
OFTWARE
Inputs from a variety of sources:
Excel
Power BI datasets
SQL
Text/CSV
Etc.
D
ATA
 A
NALYTICS
May not be practical for all tests:
Federal Program compliance tests – Student
Financial Assistance (e.g., eligibility).
Providing a substantive assurance in a non-
homogeneous population.
PCard tests
D
ATA
 A
NALYTICS
 S
OFTWARE
Microsoft Excel:
Pivot Tables
Filtering
V-Lookups
Sampling
D
ATA
 A
NALYTICS
 S
OFTWARE
Microsoft Power BI ($9.99/mo/user):
Parish libraries may have instructional videos
free to members
Data from numerous sources
Identify relationships
Provides measures
What ifs
D
ATA
 A
NALYTICS
 S
OFTWARE
TeamMate Analytics
Provides statistics
D
ATA
 A
NALYTICS
 S
OFTWARE
TeamMate Analytics
Visualizes data
D
ATA
 A
NALYTICS
 S
OFTWARE
TeamMate Analytics
Join
Append
Split
Data extraction
Regression analysis
Sampling
D
ATA
 A
NALYTICS
 S
OFTWARE
Other products based on a Google search:
Tableau - $70/mo/user
Qlik ($30/mo/user
Looker (Contact vendor)
Klipfolio (Free)
Zoho (Free)
Domo (Contact vendor)
https://www.forbes.com/advisor/business/software/best-data-analytics-tools/
undefined
C
ONCLUSION
Slide Note
Embed
Share

Review authoritative guidance for audit sampling and the potential for external auditor reliance on internal auditors. Understand and apply concepts related to audit sampling to project results with certainty. Available reference materials include AICPA Codification of Statements, AICPA Audit Guide, and The Institute of Internal Auditors International Professional Practices Framework. The IPPF standards emphasize the need for auditors to identify sufficient, reliable, relevant, and useful information. Implementation guidance requires internal auditors to select representative samples for generalization of results.

  • Audit Sampling
  • Internal Auditors
  • Reference Materials
  • AICPA Codification
  • IPPF Standards

Uploaded on Jul 12, 2024 | 9 Views


Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript


  1. AUDIT SAMPLING LOUISIANA ASSOCIATION OF COLLEGE AND UNIVERSITY AUDITORS (LACUA) OCTOBER 28, 2022

  2. OBJECTIVES To review authoritative guidance for audit sampling: Potential for external auditor reliance on internal auditors (AU-C 610). To project results of our work with a greater degree of certainty.

  3. OBJECTIVES Guidance on sampling related topics: Understand sampling Apply concepts To respond to questions related to audit sampling.

  4. AVAILABLE REFERENCE MATERIAL AICPA Codification of Statements on Auditing Standards, AU-C 530, Audit Sampling AICPA Codification of Statements on Auditing Standards, AU-C 935, Compliance Audits, .A21

  5. AVAILABLE REFERENCE MATERIAL AICPA Audit Guide, Audit Sampling AICPA Audit Guide, Government Auditing Standards and Single Audits

  6. AVAILABLE REFERENCE MATERIAL The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) IPPF Practice Guide, Assisting Small Internal Audit Activities in Implementing the Standards

  7. IIA SMALL INTERNAL AUDIT ACTIVITIES One to five auditors Productive hours less than 7,500/year Limited co-sourcing or out-sourcing

  8. IPPF STANDARDS 2310 Auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement s objectives.

  9. IPPF IMPLEMENTATION GUIDANCE If internal auditors choose to select a sample, they are responsible for applying methods to assure that the sample selected represents the whole population and/or time period to which the results will be generalized.

  10. IPPF PRACTICE GUIDE External audit requirements for sampling may not correspond to that of the internal audit activity.

  11. IPPF PRACTICE GUIDE The Standards encourage collaboration with external auditing and such collaboration may include discussion of external audit sampling and scoping parameters. Such discussions in advance of audit plan development and execution may allow for greater reliance on the work of internal auditing.

  12. AUDIT SAMPLING DEFINED (AU-C 530.05) The selection and evaluation of less than 100% of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population.

  13. AUDIT SAMPLING DEFINED (AU-C 530.05) Representative Sample conclusions, subject to the limitations of sampling risk, are similar to those that would be drawn if the same procedures were applied to the entire population.

  14. SAMPLING RISK DEFINED (AU-C 530.05) The risk that the auditor s conclusion based on the sampling procedures may be different than a conclusion based on applying the same audit procedure to the entire population.

  15. SAMPLING RISK DEFINED (AU-C 530.05) Ineffective sample: Concluding controls are more effective than they actually are, or a material misstatement/material noncompliance does not exist when it does and is: Likely to lead to an inappropriate conclusion. Risk of overreliance Potential audit failure

  16. SAMPLING RISK DEFINED (AU-C 530.05) Inefficient sample: Concluding controls are less effective than they actually are or a material misstatement/material noncompliance exists when it does not. May result in additional work to determine initial conclusions were incorrect. Underreliance.

  17. AUDITOR JUDGMENT IN SAMPLING Auditor judgment is critical for determining/assessing: Risks (differs from the annual internal audit risk assessments)

  18. AUDITOR JUDGMENT IN SAMPLING Auditor judgment is critical for determining: Materiality Performance Materiality and Tolerable Misstatement/Deviation Immaterial Misstatements Trivial Misstatements

  19. AUDITOR JUDGMENT IN SAMPLING However We judgmentally selected a sample of . . . We judgmentally determined to use a sample size of . . . May not be appropriate.

  20. AUDITOR JUDGMENT IN SAMPLING Auditor understanding of population: Allows judgment when determining whether to stratify the population before sampling, or whether to use sampling at all. Determining if population consists primarily of significant transactions. Using substantive analytical procedures to provide sufficient appropriate audit evidence.

  21. AUDITOR JUDGMENT IN SAMPLING DATA ANALYTICS

  22. AUDITOR JUDGMENTIN SAMPLING Acceptable sampling methods: Random (statistical or nonstatistical) Systematic (starting point, then every nth item in the population) Haphazard

  23. AUDITOR JUDGMENTIN SAMPLING Acceptable sampling methods include: Monetary Unit Sampling (statistical) used to assess the amount of monetary misstatement that may exist in a population.

  24. RELEVANT ASSERTIONS (MANAGEMENT S ASSERTIONS)

  25. Account Balances Presentation and Disclosure Classes of Transactions Occurrence/Existence Transactions and events that have been recorded have occurred and pertain to the college/university Assets, liabilities, and equity interests exist Disclosed events and transactions have occurred and pertain to the college/university Rights and Obligations The college/university holds or controls the rights to assets, and liabilities are obligations of the college/university Completeness All transactions and events that should have been recorded have been recorded All assets, liabilities, and equity interests that should have been recorded have been recorded All disclosures that should have been included in the financial statements have been included Accuracy/Valuation and Allocation Amounts related to transactions have been recorded appropriately Assets, liabilities, and equity are included in the financial statements at appropriate amounts Information is disclosed fairly and at appropriate amounts Cut Off Transactions have been recorded in the correct accounting period Classification and Presentation Transactions have been recorded in proper amounts Financial information is appropriately presented and described

  26. AND COMPLIANCE (E.G., LAWSANDREGULATIONS, FEDERALPROGRAMREQUIREMENTS) PCARDS/TRAVEL CARDS? STUDENT FINANCIAL AID?

  27. IS SAMPLING APPROPRIATE Determine if sampling is most appropriate/ effective: Homogeneous population Control tests/substantive tests of details vs substantive analytical procedures? DATA ANALYTICS

  28. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: College/university s tuition and fee revenues totaled $400 million for the fiscal year. Enrollment = 30,000 Full-time COA = $7,500 per semester Sample of 100 students = $750,000 (maximum) Will a substantive analytical procedure provide better, sufficient appropriate substantive evidence?

  29. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Testing controls (sampling) - effective or efficient? Test of controls with a limited number of transactions through/from the software application? Fewer students? More students? Substantive analytical procedure? Data analytics?

  30. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Substantive analytical procedure: Published tuition and fee costs per credit hour (A) Validate schedule - i.e., approved and agrees with the fee tables in the software application Student enrollment (B) Break down enrollment by credit hours Tolerable limit (C) Acceptable difference from reported amount

  31. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: A x B Tuition and fees on income statement. Result within C (+ or -)?

  32. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Evaluate effectiveness: Does the calculation provide evidence that the fee schedule is applied to each student appropriately (provides evidence that controls are effective)? Is the calculated total within the expectation/ tolerable limit (substantive result)? Does the calculation provide assurance that the reported balance is materially correct?

  33. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: If a fee is not correct in the IT system, is sampling individual students necessary? Conclude based on a substantive procedure (calculation)? A $10 fee charged per student is posted in the system as $9.50 maximum error = $15,000 (0.00375%). A $10 fee charged per credit hour (360,000 hours) is posted as $9.50. Maximum error = $180,000 (0.045%). Is either material?

  34. DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS PCard/Travel Expenses: Not homogeneous Airfare, hotel, car rental, food, incidentals, etc. Sample? Stratify population? Combination of the two?

  35. DOCUMENTINGTHE SAMPLE

  36. DEFININGTHE OBJECTIVEOFTHE SAMPLE The control or amount (substantive) of the account balance, class of transactions, or disclosure component being tested.

  37. DEFININGTHE OBJECTIVEOFTHE SAMPLE Control To determine whether key controls relating to PCard/travel expenses are in place and operating effectively To support the preliminary risk assessment (identified for each key control), and To determine if the institution has complied with applicable, material purchasing laws/regulations

  38. DEFININGTHE OBJECTIVEOFTHE SAMPLE Substantive To determine if PCard/travel expenses are materially correct.

  39. DEFININGTHE POPULATIONFROM WHICHTHE SAMPLE IS TAKEN Control/Substantive or Both The population is all PCard/travel expenses recorded in the general ledger.

  40. DEFININGTHE POPULATIONFROM WHICHTHE SAMPLE IS TAKEN Control/Substantive or Both Transactions to be included in the population: All expenses coded to travel accounts (e.g., GL accounts 7451-7460). PCard transactions processed through the issuing bank.

  41. DEFININGTHE PERIOD COVEREDFOR THE POPULATION Control/Substantive or Both All expenses as defined above included in the period from July 1, 2021, through June 30, 2022.

  42. CONSIDERATIONOFTHE COMPLETENESSOFTHE POPULATION Control/Substantive or Both Reconcile detail expense transactions processed through AP to the GL accounts. Reconcile PCard transactions to bank statements.

  43. DEFININGTHE SAMPLING UNIT Control/Substantive or Both Any individual transaction from the population from which the sample will be taken.

  44. IDENTIFICATIONOF INDIVIDUALLY SIGNIFICANT ITEMS (STRATIFYING) Substantive (using the same population for control testing) PERCENTOF DOLLARS NUMBER OF UNITS PERCENTOF POPULATION DOLLAR AMOUNT 100% 100% Total population 1,000 $1,000,000 25% 0.375% Total of items excluded from the population (<=$100) 250 $3,750 1.5% 15% Total of items tested separately (i.e., at 100%) 15 $150,000 73.5% 84.625% Remaining population subject to sampling 735 $846,250

  45. IDENTIFICATIONOF INDIVIDUALLY SIGNIFICANT ITEMS (STRATIFYING) Substantive Justify the portion of the population not tested: All transactions <= $100 totaled $3,750, 0.375% of dollars and 25% of transactions Transactions in total are less than the level of immateriality and represent little to no risk of material misstatement for the population as a whole.

  46. DEFININGTHE ERROR Deviation condition (control) or error (substantive - i.e., misstatement/exception): An answer of X to any of the control/ substantive attributes listed at the test.

  47. DETERMINING SAMPLE SIZE Control test: Determine confidence level and risk of overreliance a 95% confidence level results in a 5% risk of overreliance ( 3.38-3.61). Determine the tolerable deviation rate (normally expressed as a percentage). Determine the expected deviation rate the higher the rate, the larger the sample.

  48. DETERMINING SAMPLE SIZE Control test: If practicable, use the Audit Guide Table A-1. Adjust the base sample size if the population is small or if operating controls are infrequent. See the Audit Guide, Tables 3-4 and 3-5 for sample sizes for small populations. Note that for populations of 4 - 52, Table 3-5 suggests sample sizes (requires sample to be documented).

  49. DETERMINING SAMPLE SIZE Substantive test of details: Determine the objective: To determine if PCard/travel expenses are materially correct.

  50. DETERMINING SAMPLE SIZE Substantive test of details: Determine the RMM. Determine analytical procedures risk: Will substantive analytical procedures provide sufficient appropriate audit evidence? Will substantive analytical procedures reduce sample sizes?

More Related Content

giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#giItT1WQy@!-/#