Attribute Sampling-represent the most common statistical application used by internal auditors to test the effectiveness of controls and determine the rate of compliance with established criteria.
When developing an attribute sampling plan, the auditor must first define the audit test objective, population involved, sampling unit, and control items to be tested
4 statistical parameters to determine an appropriate sample size:
Confidence level-reliability the auditor places on the samples results (a 95 percent confidence level means the auditor assumes the risk that 5 out of 100 samples will not reflect the true values in the population)
Expected Deviation Rate-auditor’s best estimate of the actual failure rate of a control in a population-rate is based on client inquiries, changes in personnel, process observations, prior year test results, or the results of a preliminary sample
Tolerable Rate-Maximum rate of noncompliance the auditor will tolerate and still rely on the prescribed control
Population-contains all items to be considered for testing-each must have an unbiased chance of selection to ensure the final sample is representative of the entire population
Example: Auditor estimates a 1.5% expected deviation rate of missing credit approvals relative to total sales orders, establishes a tolerable rate of 6%, and accepts a 95% confidence level that the sample results will reflect missing credit approvals fairly in the population: See Statistical Sample Sizes for Test of Controls Chart below to find that the appropriate sample size is 103 sales orders that should be tested
Each of the sales orders can be randomly selected using a random-number table or systematic selection-picking every nth sales order as long as the first item sampled is randomly selected-the results may be skewed if missing credit approvals occur in a systematic pattern
Suppose 4 sales orders lacked appropriate credit approval in the sample test, the auditor would project these results to the entire population by calculating the upper deviation rate-a statistical estimate of the maximum deviation rate in the population-this rate can be determined using a simple statistical table or a manual or computer-generated computation
Using the Statistical Sampling Results Evaluation Table for Tests of Controls-the upper deviation rate in the example would be about 9%
If the upper deviation rate is less than the auditor’s tolerable rate, the auditor would consider the control effective
If the upper deviation rate is greater than the tolerable rate, the auditor would consider the control ineffective
In this example the upper deviation rate (9%) is greater than tolerable rate (6%)-therefore, the auditor would advise management not to rely on the control, concluding with 95% certainty that the rate of missed credit approvals exceeds the tolerable rate
http://www.theiia.org/intAuditor/back-to-basics/2010/attribute-sampling-plans/ A Practical Guide to Sampling Article:
Sample design-method of selection, the sample structure and plans for analyzing and interpreting the results-more complex the design, larger the sample size
Sampling Frame-a list of all units in your population
Sample Size-Depends on 5 key factors:
Population Size-total number of items in the population-only important if the sample size is greater than 5% of the population in which case the sample size reduces
Population Proportion-the portion of items in the population displaying the attributes that you are seeking
Margin of error or precision-a measure of the possible difference between the sample estimate and the actual population value-the better the design, the less margin of error, smaller sample size required
Variability in the Population-the standard deviation is the most usual measure and often needs to be estimated-more variability the less accurate the estimate and the larger the sample size required
Confidence Level-how certain you want to be that the population figure is within the sample estimate and its associated precision-higher the confidence level, larger the sample size (usually 95%)
The following table shows the sample size needed to achieve the required precision depending on the population proportion using simple random sampling. For example, for a margin of error of 5% and a population proportion of 70%, a sample size of 323 is required at the 95% confidence level.
Figure 1: Sample size lookup table
Population Proportion Precision (at the 95 per cent confidence level)
To ensure that the sample size achieved provides the required level of precision.
Multi-Stage Sampling-the sample is drawn in 2 or more stages-usually the most efficient and practical way to carry out large survey of the public-complex calculations of the estimates and associated precision
Probability Proportional to Size-samples are drawn in proportion to their size giving a higher chance of selection to the larger items-when you want each element to have equal chance of selection rather than each sampling unit-can be expensive to get the information to draw the sample. Only appropriate if you are interested in the elements
Quota Sampling-The aim is to obtain a sample that is representative of the population. The population is stratified by important variables and the required quota is obtained from each stratum-It is a quick way of obtaining a sample, it can be fairly cheap, if there is no sampling frame it may be the only way forward, additional information may improve the credibility of the results-not random so stronger possibility of bias, good knowledge of population characteristics is essential, estimates of the sampling error and confidence limits probably can’t be calculated
Simple Random Sampling-Ensures every member of the population has an equal chance of selection-produces defensible estimates of the population and the sampling error, simple sample design and interpretation-need complete and accurate population listing, may not be practicable if a country-wide sample would involve lots of audit visits
Stratified Sampling-The population is sub-divided into homogenous groups, the strata can have equal sizes or you may wish a higher proportion in certain strata-ensures units from each main group are included and may therefore be more reliably representative, should reduce the error due to sampling-selecting the sample is more complex and requires good population information, the estimates involve complex calculations
Systematic Sampling-After randomly selecting a starting point in the population between 1 and n, every nth unit is selected, when n equals the population size divided by the sample size-easier to extract the sample than simple random, ensures cases are spread across the population-can be costly and time consuming if the sample is not conveniently located, can’t be used where there is periodicity in the population
Examiners should consider quantity of risk, direction of risk, and quality of risk management in determining precision levels to use. In designing samples, the precision limit affects the sample size; the smaller the precision limits, the larger the size of the sample selected and the smaller amount of exceptions allowable
When an examiner can tolerate few exceptions, a precision of 5% is normally chosen. When an examiner can tolerate a large rate of exceptions, a precision of 20% is normally chosen. Precision levels greater than 20% is not recommended
AU Section 350-Audit Sampling:
Attribute sampling is a statistical approach used with tests of controls. It requires the use of a probabilistic sample selection method (random or systematic sampling). Attribute sampling allows the auditor to estimate the proportion of population items containing a specified characteristic. The characteristic auditors are concerned with for tests of controls is deviations from internal controls.
Sample size for attribute sampling can be determined by reference to attribute sampling tables. These sample determination tables require the auditor to establish three factors:
Risk of assessing control risk too low represents the risk that the auditor concludes that the design and operation of an internal control is effective when in fact it is not. The level used for this risk is based on the auditor's desired control risk assessment. The lower the desired control risk assessment the lower the needed risk of assessing control risk too low. This risk is inversely related to sample size.
Expected Population Deviation Rate represents the auditor's best estimate of the population deviation rate. This rate is normally based on prior experience with the client. This rate is directly related to sample size.
Tolerable Deviation Rate represents the highest deviation rate the auditor could accept and still conclude that the design and operation of an internal control is effective. This rate is based on the tolerable misstatement relative to the number and dollar size of transactions included in the population. Tolerable misstatement represents the maximum misstatement that could occur before the population would be considered materially misstated. The lower the required tolerable misstatement relative to the number and dollar size of transactions the lower the needed tolerable deviation rate. This rate is inversely related to sample size.
Sample results are evaluated by comparing the computed maximum population deviation rate to the tolerable deviation rate. The computed maximum population deviation rate equals the sample deviation rate plus an allowance for sampling risk. If the maximum population deviation rate is larger than the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is not effective. If the computed maximum population deviation rate is less than or equal to the tolerable deviation rate the auditor will conclude that the design and operation of the internal control is effective.