Audit Sampling Guidelines and Reference Materials for Internal Auditors
undefined
A
UDIT
S
AMPLING
L
OUISIANA
A
SSOCIATION
OF
C
OLLEGE
AND
U
NIVERSITY
A
UDITORS
(LACUA)
O
CTOBER
28, 2022
O
BJECTIVES
•
To review authoritative guidance for audit
sampling:
•
Potential for external auditor reliance on
internal auditors (AU-C §610).
•
To project results of our work with a greater
degree of certainty.
O
BJECTIVES
•
Guidance on sampling related topics:
•
Understand sampling
•
Apply concepts
•
To respond to questions related to audit
sampling.
A
VAILABLE
R
EFERENCE
M
ATERIAL
•
AICPA
Codification of Statements on
Auditing Standards
, AU-C §530,
Audit
Sampling
•
AICPA
Codification of Statements on
Auditing Standards
, AU-C §935,
Compliance Audits
, ¶.A21
A
VAILABLE
R
EFERENCE
M
ATERIAL
•
AICPA
Audit Guide
,
Audit Sampling
•
AICPA Audit Guide,
Government Auditing
Standards and Single Audits
A
VAILABLE
R
EFERENCE
M
ATERIAL
•
The Institute of Internal Auditors (IIA)
International Professional Practices
Framework (IPPF)
•
IPPF Practice Guide, Assisting Small
Internal Audit Activities in Implementing
the Standards
IIA S
MALL
I
NTERNAL
A
UDIT
A
CTIVITIES
•
One to five auditors
•
Productive hours less than 7,500/year
•
Limited co-sourcing or out-sourcing
IPPF S
TANDARDS
§2310
•
Auditors must identify sufficient, reliable,
relevant, and useful information to achieve
the engagement’s objectives.
IPPF I
MPLEMENTATION
G
UIDANCE
•
If internal auditors choose to select a
sample, they are responsible for applying
methods to assure that the sample selected
represents the whole population and/or time
period to which the results will be
generalized.
IPPF P
RACTICE
G
UIDE
•
External audit requirements for sampling
may not correspond to that of the internal
audit activity.
IPPF P
RACTICE
G
UIDE
•
The Standards encourage collaboration with
external auditing and such collaboration
may include discussion of external audit
sampling and scoping parameters.
•
Such discussions in advance of audit plan
development and execution may allow for
greater reliance on the work of internal
auditing.
A
UDIT
S
AMPLING
D
EFINED
(AU-C §530.05)
•
The selection and evaluation of less than
100% of the population of audit relevance
such that the auditor expects the items
selected (the sample) to be representative of
the population and, thus, likely to provide a
reasonable basis for conclusions about the
population.
A
UDIT
S
AMPLING
D
EFINED
(AU-C §530.05)
•
Representative
•
Sample conclusions, subject to the limitations
of sampling risk, are similar to those that would
be drawn if the same procedures were applied
to the entire population.
S
AMPLING
R
ISK
D
EFINED
(AU-C §530.05)
•
The risk that the auditor’s conclusion based
on the sampling procedures may be
different than a conclusion based on
applying the same audit procedure to the
entire population.
S
AMPLING
R
ISK
D
EFINED
(AU-C §530.05)
•
Ineffective sample:
•
Concluding controls are
more
effective than
they actually are, or a material
misstatement/material noncompliance does not
exist when it does and is:
•
Likely to lead to an inappropriate conclusion.
•
Risk of overreliance
•
Potential audit failure
S
AMPLING
R
ISK
D
EFINED
(AU-C §530.05)
•
Inefficient sample:
•
Concluding controls are
less
effective than they
actually are or a material misstatement/material
noncompliance exists when it does not.
•
May result in additional work to determine
initial conclusions were incorrect.
•
Underreliance.
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
Auditor judgment is critical for
determining/assessing:
•
Risks (differs from the annual internal audit
risk assessments)
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
Auditor judgment is critical for
determining:
•
Materiality
•
Performance Materiality and Tolerable
Misstatement/Deviation
•
Immaterial Misstatements
•
Trivial Misstatements
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
However
•
“We judgmentally selected a sample of . . .”
•
“We judgmentally determined to use a sample
size of . . .”
•
May not be appropriate.
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
Auditor understanding of population:
•
Allows judgment when determining whether to
stratify the population before sampling, or
whether to use sampling at all.
•
Determining if population consists primarily of
significant transactions.
•
Using substantive analytical procedures to
provide sufficient appropriate audit evidence.
A
UDITOR
J
UDGMENT
IN
S
AMPLING
D
ATA
A
NALYTICS
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
Acceptable sampling methods:
•
Random (statistical or nonstatistical)
•
Systematic (starting point, then every
nth
item
in the population)
•
Haphazard
A
UDITOR
J
UDGMENT
IN
S
AMPLING
•
Acceptable sampling methods include:
•
Monetary Unit Sampling (statistical) – used to
assess the amount of monetary misstatement
that may exist in a population.
R
ELEVANT
A
SSERTIONS
(M
ANAGEMENT
’
S
A
SSERTIONS
)
A
ND
C
OMPLIANCE
(
E
.
G
.,
LAWS
AND
REGULATIONS
,
FEDERAL
PROGRAM
REQUIREMENTS
)
P
CARDS
/T
RAVEL
C
ARDS
?
S
TUDENT
F
INANCIAL
A
ID
?
I
S
S
AMPLING
A
PPROPRIATE
•
Determine if sampling is most appropriate/
effective:
•
Homogeneous population
•
Control tests/substantive tests of details vs
substantive analytical procedures?
•
Data Analytics
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
Homogeneous Population:
•
College/university’s tuition and fee revenues totaled
$400 million for the fiscal year.
•
Enrollment = 30,000
•
Full-time COA = $7,500 per semester
•
Sample of 100 students = $750,000 (maximum)
Will a substantive analytical procedure provide
better, sufficient appropriate substantive evidence?
•
Homogeneous Population:
•
Testing controls (sampling) - effective or efficient?
•
Test of controls with a limited number of transactions
through/from the software application?
•
Fewer students?
•
More students?
•
Substantive analytical procedure?
•
Data analytics?
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
Homogeneous
Population:
•
Substantive analytical procedure:
•
Published tuition and fee costs per credit hour (A)
•
Validate schedule - i.e., approved and agrees with the fee
tables in the software application
•
Student enrollment (B)
•
Break down enrollment by credit hours
•
Tolerable limit (C)
•
Acceptable difference from reported amount
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
Homogeneous
Population:
•
A x B
≈
Tuition and fees on income statement.
•
Result within C (+ or -)?
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
Homogeneous Population:
•
Evaluate effectiveness:
•
Does the calculation provide evidence that the fee
schedule is applied to each student appropriately
(provides evidence that controls are effective)?
•
Is the calculated total within the expectation/
tolerable limit (substantive result)?
•
Does the calculation provide assurance that the reported
balance is materially correct?
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
Homogeneous Population:
•
If a fee is not correct in the IT system, is sampling
individual students necessary?
•
Conclude based on a substantive procedure
(calculation)?
•
A $10 fee charged per
student
is posted in the system as
$9.50 maximum error = $15,000 (0.00375%).
•
A $10 fee charged per
credit hour
(360,000 hours) is
posted as $9.50. Maximum error = $180,000 (0.045%).
•
Is either material?
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
•
PCard/Travel Expenses:
•
Not homogeneous
•
Airfare, hotel, car rental, food, incidentals, etc.
•
Sample?
•
Stratify population?
•
Combination of the two?
D
ETERMINING
IF
A
UDIT
S
AMPLING
I
S
A
PPROPRIATE
FOR
THE
T
ESTS
D
OCUMENTING
THE
S
AMPLE
D
EFINING
THE
O
BJECTIVE
OF
THE
S
AMPLE
•
The control or amount (substantive) of the
account balance, class of transactions, or
disclosure component being tested.
D
EFINING
THE
O
BJECTIVE
OF
THE
S
AMPLE
•
Control
•
To determine whether key controls relating to
PCard/travel expenses are in place and
operating effectively
•
To support the preliminary risk assessment
(identified for each key control), and
•
To determine if the institution has complied with
applicable, material purchasing laws/regulations
D
EFINING
THE
O
BJECTIVE
OF
THE
S
AMPLE
•
Substantive
•
To determine if PCard/travel expenses are
materially correct.
D
EFINING
THE
P
OPULATION
FROM
W
HICH
THE
S
AMPLE
I
S
T
AKEN
•
Control/Substantive or Both
•
The population is all PCard/travel expenses
recorded in the general ledger.
D
EFINING
THE
P
OPULATION
FROM
W
HICH
THE
S
AMPLE
I
S
T
AKEN
•
Control/Substantive or Both
•
Transactions to be included in the population:
•
All expenses coded to travel accounts (e.g., GL
accounts 7451-7460).
•
PCard transactions processed through the issuing
bank.
D
EFINING
THE
P
ERIOD
C
OVERED
FOR
THE
P
OPULATION
•
Control/Substantive or Both
•
All expenses as defined above included in the
period from July 1, 2021, through June 30,
2022.
C
ONSIDERATION
OF
THE
C
OMPLETENESS
OF
THE
P
OPULATION
•
Control/Substantive or Both
•
Reconcile detail expense transactions processed
through AP to the GL accounts.
•
Reconcile PCard transactions to bank
statements.
D
EFINING
THE
S
AMPLING
U
NIT
•
Control/Substantive or Both
•
Any individual transaction from the population
from which the sample will be taken.
I
DENTIFICATION
OF
I
NDIVIDUALLY
S
IGNIFICANT
I
TEMS
(S
TRATIFYING
)
•
Substantive (using the same population for
control testing)
I
DENTIFICATION
OF
I
NDIVIDUALLY
S
IGNIFICANT
I
TEMS
(S
TRATIFYING
)
•
Substantive
•
Justify the portion of the population not tested:
•
All transactions <= $100 totaled $3,750, 0.375% of
dollars and 25% of transactions
•
Transactions in total are less than the level of
immateriality and represent little to no risk of
material misstatement for the population as a whole.
D
EFINING
THE
E
RROR
•
Deviation condition (control) or error
(substantive - i.e., misstatement/exception):
•
An answer of “X” to any of the control/
substantive attributes listed at the test.
D
ETERMINING
S
AMPLE
S
IZE
•
Control test:
•
Determine confidence level and risk of
overreliance – a 95% confidence level results in
a 5% risk of overreliance (¶¶3.38-3.61).
•
Determine the tolerable deviation rate
(normally expressed as a percentage).
•
Determine the expected deviation rate – the
higher the rate, the larger the sample.
D
ETERMINING
S
AMPLE
S
IZE
•
Control test:
•
If practicable, use the
Audit Guide
Table A-1.
•
Adjust the base sample size if the population is
small or if operating controls are infrequent.
•
See the
Audit Guide
, Tables 3-4 and 3-5 for
sample sizes for small populations. Note that
for populations of 4 - 52, Table 3-5 suggests
sample sizes (requires sample to be
documented).
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine the objective:
•
To determine if PCard/travel expenses are materially
correct.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine the RMM.
•
Determine analytical procedures risk:
•
Will substantive analytical procedures provide
sufficient appropriate audit evidence?
•
Will substantive analytical procedures reduce
sample sizes?
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Substantive analytical procedures as a primary
test generally aren’t appropriate for non-
homogeneous populations.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details - Payroll:
•
Determine analytical procedures risk:
•
Payroll analytical procedures:
•
Divide employer contributions to pension plans by
the contribution rate to determine covered payroll,
and then compare the results to total payroll.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details - Payroll:
•
Determine analytical procedures risk:
•
Analytical procedures may not be appropriate for:
•
Testing time and attendance; or
•
Census data testing for pensions and OPEB.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine tolerable misstatement as a
percentage of the population subject to testing.
D
ETERMINING
S
AMPLE
S
IZE
•
Materiality:
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine tolerable misstatement as a
percentage of the population subject to testing
(7.5% above)
•
Note in the previous table that tolerable
misstatement for the account tested is
$7,500,000 and
not
$75,000,000
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
In the above, if the population tested is the $100
million, and if financial statement tolerable
misstatement is used, then the auditor is saying
that if a $74,999,999 error is identified, the
population is materially correct because the
error does not exceed the tolerable
misstatement.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine the expected misstatement as a
percentage of the population subject to
sampling:
•
The greater this percentage, the larger the sample.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Determine the base sample size (
Audit
Sampling
, Table 4-5 for one example).
•
In dual-purpose testing for control and
substantive tests, if the auditor has calculated a
sample size of 60 for control and 80 for
substantive testing, the sample size should be
80 (
Audit Sampling
, ¶2.13).
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size due to variation and
stratification:
•
Variation
-
effectiveness of the sample.
•
Not removing low dollar items, or not testing high
dollar
- efficiency and effectiveness, respectively
.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size due to variation and
stratification:
•
For example, pulling a sample for a population of $1
million results in a sample whose total dollars were
$21,000.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size and/or approach due to
variation and stratification.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size due to variation and
stratification:
•
The 15 items (individually significant) tested are not
part of the sample
•
If calculated sample size is 80, then 95 transactions
are tested.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size due to variation and
stratification:
•
However, stratification of the population can reduce
sample size below 80 if the stratification reduces
audit risk.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
Adjust the sample size due to the number of
items in the population:
•
See
Audit Sampling
, Tables 3-4 and 3-5 for sample
sizes for smaller populations.
D
ETERMINING
S
AMPLE
S
IZE
•
Substantive test of details:
•
State the final sample size.
P
ERFORMING
THE
T
EST
(
S
)
•
Substantive test of details:
•
Describe how the sampling procedure was
performed.
E
VALUATING
THE
S
AMPLE
R
ESULTS
•
Number of deviations in the sample
(control) or the misstatement identified in
the sample (substantive).
•
Deviations or misstatement as a percentage
of the sample.
•
Project deviations or misstatement to the
population as a whole.
E
VALUATING
THE
S
AMPLE
R
ESULTS
•
Consider the qualitative aspects of sample
results:
•
Nature and cause (fraud or error).
•
Whether results lead to a conclusion that the
sample is not representative of the population.
E
VALUATING
THE
S
AMPLE
R
ESULTS
•
Consider the qualitative aspects of sample
results:
•
Is there a broader impact of the deviations/
misstatements from:
•
Management override of controls?
•
Identified weaknesses in an IT application that
processes other transactions?
E
VALUATING
THE
S
AMPLE
R
ESULTS
•
Consider sampling risk:
•
If sampling risk is high, the projected
deviations or misstatement may exceed the
expected error.
•
Determine if the sample should be expanded
(
Audit Sampling
, ¶¶3.82-.84 and 4.95-.100).
•
Determine if evidence supports writing a
finding.
E
VALUATING
THE
S
AMPLE
R
ESULTS
•
Consider sampling risk:
•
Are deviations and/or misstatements
determined to be isolated or anomalies, or are
they pervasive throughout the population?
•
Do compensating/mitigating controls exist, are
they operating as designed, and do they reduce
risk to an acceptable level?
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
AICPA
Audit Guide
,
Government Auditing
Standards and Single Audits
, Chapter 11
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Procedures not involving audit sampling:
•
Inquiry and observation
•
Analytical procedures
•
Testing 100% of a population
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Procedures not involving audit sampling:
•
Individually important items
•
Obtaining an understanding of and testing
operating effectiveness of controls over
compliance
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Sampling steps/procedures are similar to
those for control tests and substantive tests
of details.
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Additional steps include:
•
Considering multiple major programs:
•
Where controls for a type of compliance
requirement are the same for more than one major
federal program, the transactions for the programs
may be combined into one population for testing
(Audit Guide ¶11.42).
•
e.g., CARES Act/HEERF consist of numerous
programs/CFDAs that can be tested together.
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Additional steps include:
•
Considering multiple organizational units (e.g.,
colleges/universities with multiple campuses):
•
Are separate internal controls used – i.e., do controls
vary significantly?
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Additional steps include:
•
Considering clusters of programs (Student
Financial Assistance Cluster of Programs):
•
Sufficient appropriate audit evidence is to be
gathered for the compliance requirements for cluster
programs as a whole (i.e., treat the cluster as one
program).
•
i.e., is the sample representative of the program
cluster as whole?
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Dual purpose testing opportunities may
exist:
•
Allowable costs and cost principles.
•
Evidence that the recorded amount, account,
and period are correct for financial reporting.
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
See
Audit Guide
Table 11-1 for control
testing sample sizes based on the RMN.
•
Sample sizes in the table range from 25 to 60.
•
Inherent risks that may be applicable are at
¶11.67.
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
See
Audit Guide
Table 11-2 for compliance
testing sample sizes based on the desired
level of assurance for the remaining RMN,
with high, moderate, low risks and no
expected deviations.
•
Sample sizes in the table range from 25 to 60.
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Audit Guide
small sample sizes:
•
Quarterly
(2)
•
Monthly
(2-4)
•
Semimonthly
(3-8)
•
Weekly
(5-9)
S
AMPLING
FOR
U
NIFORM
G
UIDANCE
C
OMPLIANCE
A
UDITS
•
Documenting the sample is critical.
•
Identifying specifically what controls are
tested is critical.
•
Auditor flexibility is limited when
determining if a finding is to be written:
•
$25,000 in
known or
likely
questioned costs
•
Exception rate over the tolerable deviation
P
OINTS
OF
E
MPHASIS
V
OIDED
D
OCUMENTS
•
If a transaction has been properly voided
and does not represent a deviation from the
prescribed control:
•
Replace the voided transaction.
•
If simple random sampling is used, should
match a replacement random number with the
appropriate transaction (¶3.67).
U
NUSED
OR
I
NAPPLICABLE
D
OCUMENTS
•
Unused document number included in the
sample
•
Obtain evidence the number actually represents
an unused document and is not a deviation.
•
Replace the document number with an
additional document number. (¶3.68)
U
NUSED
OR
I
NAPPLICABLE
D
OCUMENTS
•
Deviation defined as a transaction not
supported by a receiving report:
•
A utility expense selected not expected to be
supported by a receiving report.
•
Replace the item with another transaction.
(¶3.68)
V
ARIATION
IN
THE
P
OPULATION
•
Stating there is little to no variation is
generally not appropriate in a substantive
test of details.
•
The auditor is required to understand the
population and the audit objectives before
sampling begins.
V
ARIATION
IN
THE
P
OPULATION
(S
UBSTANTIVE
T
ESTS
OF
D
ETAILS
)
•
Variation example:
•
The transaction amounts range from $10 to $1,000,000.
To address the variation in the population, we have
removed the transactions below $100 (50% of the
transactions total $XX, which is below immateriality)
•
We will remove transactions above significance (or
above a certain dollar amount) and will test 100% of
the transactions. These transactions total 50% of the
population dollars.
V
ARIATION
IN
THE
P
OPULATION
•
Using monetary unit sampling (MUS) may
be more efficient than stratifying or
increasing the sample size.
V
ERIFYING
THE
C
OMPLETENESS
OF
THE
P
OPULATION
•
Completeness of a population when
agreeing detail transactions to the general
ledger (GL) or financial statements is easier
than circumstances where other sources
must be used.
V
ERIFYING
THE
C
OMPLETENESS
OF
THE
P
OPULATION
•
Number of employees
•
Payroll compared to organization charts in
smaller organizations.
•
HR employee lists compared to the payroll
transaction population to ensure employees are
active.
•
Conversely, determine if transactions represent
active employees reported by HR.
V
ERIFYING
THE
C
OMPLETENESS
OF
THE
P
OPULATION
•
Number of tickets:
•
When prenumbered, obtain used and partially
used ticket books to determine a population
size.
•
For an event:
•
Number of seats in an arena/auditorium
compared to tickets sold and attendance
records.
U
NIFORM
G
UIDANCE
S
IGNIFICANCE
OF
THE
C
ONTROL
(
S
)
•
Significance of the control is to be
determined for
each
control and
not
overall
for the compliance
requirement
.
U
NIFORM
G
UIDANCE
I
NHERENT
R
ISK
•
Inherent risk is to be assessed for
each
compliance requirement tested and
not
overall
for the program.
R
ESULTS
, C
ONCLUSIONS
,
AND
A
DDITIONAL
P
ROCEDURES
•
Determinations of the sample size for tests
of controls and the sample size for
substantive tests of details and compliance
tests are separate.
R
ESULTS
, C
ONCLUSIONS
,
AND
A
DDITIONAL
P
ROCEDURES
•
The results of the tests of controls and substantive
tests of details/compliance tests can impact each
other:
•
Deviations in tests of controls may impact substantive/
compliance tests.
•
If the auditor does not expand tests of controls, thereby
increasing the assessed level of control risk (writing a
finding), the original sample sizes for substantive or
compliance tests may no longer be appropriate.
D
ATA
A
NALYTICS
D
ATA
A
NALYTICS
•
Can be used to test 100% of a population.
•
Advantages:
•
NO SAMPLING!
•
Gives the auditor a much deeper understanding
of populations and data.
•
Can save significant time.
•
Significantly more reliable results.
D
ATA
A
NALYTICS
•
Advantages:
•
Easier to adjust criteria where the output is not
what the auditor is looking for.
D
ATA
A
NALYTICS
•
Comparing different data sets:
Vendor Bank
Accounts
Employee Bank
Accounts
D
ATA
A
NALYTICS
•
Coverage for areas that may not have been
given attention in previous work.
•
May apply to federal program compliance:
•
Student Financial Assistance:
•
All students – aid posted to student accounts within
the required timeframe.
•
Maximum award by academic years and aggregated
for lifetime limitation.
D
ATA
A
NALYTICS
•
Highlighting anomalies within a population.
•
Finding errors in data sets.
•
Stratifying data.
D
ATA
A
NALYTICS
S
OFTWARE
•
Multiple options for visualizing data:
•
Spreadsheets and schedules
•
Line graphs
•
Charts
•
Reports
•
Data extraction based on predetermined
criteria.
D
ATA
A
NALYTICS
S
OFTWARE
•
Inputs from a variety of sources:
•
Excel
•
Power BI datasets
•
SQL
•
Text/CSV
•
Etc.
D
ATA
A
NALYTICS
•
May not be practical for all tests:
•
Federal Program compliance tests – Student
Financial Assistance (e.g., eligibility).
•
Providing a substantive assurance in a non-
homogeneous population.
•
PCard tests
D
ATA
A
NALYTICS
S
OFTWARE
•
Microsoft Excel:
•
Pivot Tables
•
Filtering
•
V-Lookups
•
Sampling
D
ATA
A
NALYTICS
S
OFTWARE
•
Microsoft Power BI ($9.99/mo/user):
•
Parish libraries may have instructional videos
free to members
•
Data from numerous sources
•
Identify relationships
•
Provides measures
•
What ifs
D
ATA
A
NALYTICS
S
OFTWARE
•
TeamMate Analytics
•
Provides statistics
D
ATA
A
NALYTICS
S
OFTWARE
•
TeamMate Analytics
•
Visualizes data
D
ATA
A
NALYTICS
S
OFTWARE
•
TeamMate Analytics
•
Join
•
Append
•
Split
•
Data extraction
•
Regression analysis
•
Sampling
D
ATA
A
NALYTICS
S
OFTWARE
•
Other products based on a Google search:
•
Tableau - $70/mo/user
•
Qlik ($30/mo/user
•
Looker (Contact vendor)
•
Klipfolio (Free)
•
Zoho (Free)
•
Domo (Contact vendor)
https://www.forbes.com/advisor/business/software/best-data-analytics-tools/
C
ONCLUSION
Review authoritative guidance for audit sampling and the potential for external auditor reliance on internal auditors. Understand and apply concepts related to audit sampling to project results with certainty. Available reference materials include AICPA Codification of Statements, AICPA Audit Guide, and The Institute of Internal Auditors International Professional Practices Framework. The IPPF standards emphasize the need for auditors to identify sufficient, reliable, relevant, and useful information. Implementation guidance requires internal auditors to select representative samples for generalization of results.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
AUDIT SAMPLING LOUISIANA ASSOCIATION OF COLLEGE AND UNIVERSITY AUDITORS (LACUA) OCTOBER 28, 2022
OBJECTIVES To review authoritative guidance for audit sampling: Potential for external auditor reliance on internal auditors (AU-C 610). To project results of our work with a greater degree of certainty.
OBJECTIVES Guidance on sampling related topics: Understand sampling Apply concepts To respond to questions related to audit sampling.
AVAILABLE REFERENCE MATERIAL AICPA Codification of Statements on Auditing Standards, AU-C 530, Audit Sampling AICPA Codification of Statements on Auditing Standards, AU-C 935, Compliance Audits, .A21
AVAILABLE REFERENCE MATERIAL AICPA Audit Guide, Audit Sampling AICPA Audit Guide, Government Auditing Standards and Single Audits
AVAILABLE REFERENCE MATERIAL The Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF) IPPF Practice Guide, Assisting Small Internal Audit Activities in Implementing the Standards
IIA SMALL INTERNAL AUDIT ACTIVITIES One to five auditors Productive hours less than 7,500/year Limited co-sourcing or out-sourcing
IPPF STANDARDS 2310 Auditors must identify sufficient, reliable, relevant, and useful information to achieve the engagement s objectives.
IPPF IMPLEMENTATION GUIDANCE If internal auditors choose to select a sample, they are responsible for applying methods to assure that the sample selected represents the whole population and/or time period to which the results will be generalized.
IPPF PRACTICE GUIDE External audit requirements for sampling may not correspond to that of the internal audit activity.
IPPF PRACTICE GUIDE The Standards encourage collaboration with external auditing and such collaboration may include discussion of external audit sampling and scoping parameters. Such discussions in advance of audit plan development and execution may allow for greater reliance on the work of internal auditing.
AUDIT SAMPLING DEFINED (AU-C 530.05) The selection and evaluation of less than 100% of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population.
AUDIT SAMPLING DEFINED (AU-C 530.05) Representative Sample conclusions, subject to the limitations of sampling risk, are similar to those that would be drawn if the same procedures were applied to the entire population.
SAMPLING RISK DEFINED (AU-C 530.05) The risk that the auditor s conclusion based on the sampling procedures may be different than a conclusion based on applying the same audit procedure to the entire population.
SAMPLING RISK DEFINED (AU-C 530.05) Ineffective sample: Concluding controls are more effective than they actually are, or a material misstatement/material noncompliance does not exist when it does and is: Likely to lead to an inappropriate conclusion. Risk of overreliance Potential audit failure
SAMPLING RISK DEFINED (AU-C 530.05) Inefficient sample: Concluding controls are less effective than they actually are or a material misstatement/material noncompliance exists when it does not. May result in additional work to determine initial conclusions were incorrect. Underreliance.
AUDITOR JUDGMENT IN SAMPLING Auditor judgment is critical for determining/assessing: Risks (differs from the annual internal audit risk assessments)
AUDITOR JUDGMENT IN SAMPLING Auditor judgment is critical for determining: Materiality Performance Materiality and Tolerable Misstatement/Deviation Immaterial Misstatements Trivial Misstatements
AUDITOR JUDGMENT IN SAMPLING However We judgmentally selected a sample of . . . We judgmentally determined to use a sample size of . . . May not be appropriate.
AUDITOR JUDGMENT IN SAMPLING Auditor understanding of population: Allows judgment when determining whether to stratify the population before sampling, or whether to use sampling at all. Determining if population consists primarily of significant transactions. Using substantive analytical procedures to provide sufficient appropriate audit evidence.
AUDITOR JUDGMENT IN SAMPLING DATA ANALYTICS
AUDITOR JUDGMENTIN SAMPLING Acceptable sampling methods: Random (statistical or nonstatistical) Systematic (starting point, then every nth item in the population) Haphazard
AUDITOR JUDGMENTIN SAMPLING Acceptable sampling methods include: Monetary Unit Sampling (statistical) used to assess the amount of monetary misstatement that may exist in a population.
RELEVANT ASSERTIONS (MANAGEMENT S ASSERTIONS)
Account Balances Presentation and Disclosure Classes of Transactions Occurrence/Existence Transactions and events that have been recorded have occurred and pertain to the college/university Assets, liabilities, and equity interests exist Disclosed events and transactions have occurred and pertain to the college/university Rights and Obligations The college/university holds or controls the rights to assets, and liabilities are obligations of the college/university Completeness All transactions and events that should have been recorded have been recorded All assets, liabilities, and equity interests that should have been recorded have been recorded All disclosures that should have been included in the financial statements have been included Accuracy/Valuation and Allocation Amounts related to transactions have been recorded appropriately Assets, liabilities, and equity are included in the financial statements at appropriate amounts Information is disclosed fairly and at appropriate amounts Cut Off Transactions have been recorded in the correct accounting period Classification and Presentation Transactions have been recorded in proper amounts Financial information is appropriately presented and described
AND COMPLIANCE (E.G., LAWSANDREGULATIONS, FEDERALPROGRAMREQUIREMENTS) PCARDS/TRAVEL CARDS? STUDENT FINANCIAL AID?
IS SAMPLING APPROPRIATE Determine if sampling is most appropriate/ effective: Homogeneous population Control tests/substantive tests of details vs substantive analytical procedures? DATA ANALYTICS
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: College/university s tuition and fee revenues totaled $400 million for the fiscal year. Enrollment = 30,000 Full-time COA = $7,500 per semester Sample of 100 students = $750,000 (maximum) Will a substantive analytical procedure provide better, sufficient appropriate substantive evidence?
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Testing controls (sampling) - effective or efficient? Test of controls with a limited number of transactions through/from the software application? Fewer students? More students? Substantive analytical procedure? Data analytics?
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Substantive analytical procedure: Published tuition and fee costs per credit hour (A) Validate schedule - i.e., approved and agrees with the fee tables in the software application Student enrollment (B) Break down enrollment by credit hours Tolerable limit (C) Acceptable difference from reported amount
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: A x B Tuition and fees on income statement. Result within C (+ or -)?
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: Evaluate effectiveness: Does the calculation provide evidence that the fee schedule is applied to each student appropriately (provides evidence that controls are effective)? Is the calculated total within the expectation/ tolerable limit (substantive result)? Does the calculation provide assurance that the reported balance is materially correct?
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS Homogeneous Population: If a fee is not correct in the IT system, is sampling individual students necessary? Conclude based on a substantive procedure (calculation)? A $10 fee charged per student is posted in the system as $9.50 maximum error = $15,000 (0.00375%). A $10 fee charged per credit hour (360,000 hours) is posted as $9.50. Maximum error = $180,000 (0.045%). Is either material?
DETERMININGIF AUDIT SAMPLING IS APPROPRIATEFORTHE TESTS PCard/Travel Expenses: Not homogeneous Airfare, hotel, car rental, food, incidentals, etc. Sample? Stratify population? Combination of the two?
DEFININGTHE OBJECTIVEOFTHE SAMPLE The control or amount (substantive) of the account balance, class of transactions, or disclosure component being tested.
DEFININGTHE OBJECTIVEOFTHE SAMPLE Control To determine whether key controls relating to PCard/travel expenses are in place and operating effectively To support the preliminary risk assessment (identified for each key control), and To determine if the institution has complied with applicable, material purchasing laws/regulations
DEFININGTHE OBJECTIVEOFTHE SAMPLE Substantive To determine if PCard/travel expenses are materially correct.
DEFININGTHE POPULATIONFROM WHICHTHE SAMPLE IS TAKEN Control/Substantive or Both The population is all PCard/travel expenses recorded in the general ledger.
DEFININGTHE POPULATIONFROM WHICHTHE SAMPLE IS TAKEN Control/Substantive or Both Transactions to be included in the population: All expenses coded to travel accounts (e.g., GL accounts 7451-7460). PCard transactions processed through the issuing bank.
DEFININGTHE PERIOD COVEREDFOR THE POPULATION Control/Substantive or Both All expenses as defined above included in the period from July 1, 2021, through June 30, 2022.
CONSIDERATIONOFTHE COMPLETENESSOFTHE POPULATION Control/Substantive or Both Reconcile detail expense transactions processed through AP to the GL accounts. Reconcile PCard transactions to bank statements.
DEFININGTHE SAMPLING UNIT Control/Substantive or Both Any individual transaction from the population from which the sample will be taken.
IDENTIFICATIONOF INDIVIDUALLY SIGNIFICANT ITEMS (STRATIFYING) Substantive (using the same population for control testing) PERCENTOF DOLLARS NUMBER OF UNITS PERCENTOF POPULATION DOLLAR AMOUNT 100% 100% Total population 1,000 $1,000,000 25% 0.375% Total of items excluded from the population (<=$100) 250 $3,750 1.5% 15% Total of items tested separately (i.e., at 100%) 15 $150,000 73.5% 84.625% Remaining population subject to sampling 735 $846,250
IDENTIFICATIONOF INDIVIDUALLY SIGNIFICANT ITEMS (STRATIFYING) Substantive Justify the portion of the population not tested: All transactions <= $100 totaled $3,750, 0.375% of dollars and 25% of transactions Transactions in total are less than the level of immateriality and represent little to no risk of material misstatement for the population as a whole.
DEFININGTHE ERROR Deviation condition (control) or error (substantive - i.e., misstatement/exception): An answer of X to any of the control/ substantive attributes listed at the test.
DETERMINING SAMPLE SIZE Control test: Determine confidence level and risk of overreliance a 95% confidence level results in a 5% risk of overreliance ( 3.38-3.61). Determine the tolerable deviation rate (normally expressed as a percentage). Determine the expected deviation rate the higher the rate, the larger the sample.
DETERMINING SAMPLE SIZE Control test: If practicable, use the Audit Guide Table A-1. Adjust the base sample size if the population is small or if operating controls are infrequent. See the Audit Guide, Tables 3-4 and 3-5 for sample sizes for small populations. Note that for populations of 4 - 52, Table 3-5 suggests sample sizes (requires sample to be documented).
DETERMINING SAMPLE SIZE Substantive test of details: Determine the objective: To determine if PCard/travel expenses are materially correct.
DETERMINING SAMPLE SIZE Substantive test of details: Determine the RMM. Determine analytical procedures risk: Will substantive analytical procedures provide sufficient appropriate audit evidence? Will substantive analytical procedures reduce sample sizes?
