S 13:S 13: Management of Risks in Management of Risks in AuditAudit

RISK ANALYSIS RISK ANALYSIS AND AND

STATISTICAL SAMPLING IN STATISTICAL SAMPLING IN AUDITAUDIT

Session ObjectivesSession Objectives

To revisit the Audit Risk Model and To revisit the Audit Risk Model and Materiality concepts;Materiality concepts;

To explain the Theory of Sampling as To explain the Theory of Sampling as applied to auditapplied to audit

To Explain the link between risk To Explain the link between risk assessment and samplingassessment and sampling

The Risk Model The Risk Model Theory and AssumptionsTheory and Assumptions

Control Risk (CR)Control Risk (CR) Risk that the internal control systems in an Risk that the internal control systems in an

organization will not be able to detect an organization will not be able to detect an error or material misstatementerror or material misstatement

Inherent Risk (IR)Inherent Risk (IR) Susceptibility of a class of transactions to Susceptibility of a class of transactions to

material misstatement or errors material misstatement or errors Risk of Occurrence of ErrorRisk of Occurrence of Error

Detection Risk (DR)Detection Risk (DR) Risk that auditor’s substantive tests will not Risk that auditor’s substantive tests will not

be able to detect a material misstatement in be able to detect a material misstatement in the audited transactions the audited transactions

OverallOverall Audit Risk Audit Risk (OAR)(OAR)

Assurance required from audit proceduresAssurance required from audit procedures the maximum risk the auditor is willing to the maximum risk the auditor is willing to

acceptaccept OAR = CR x IR x DROAR = CR x IR x DR

OAR defined by the audit institution OAR defined by the audit institution A constant pre-determined quantityA constant pre-determined quantity

Objective of the auditor Objective of the auditor assess inherent and control risks in the entityassess inherent and control risks in the entity design and perform compliance and substantive design and perform compliance and substantive

tests tests to provide sufficient assurance that the product of to provide sufficient assurance that the product of

the risks identified ≤ overall audit riskthe risks identified ≤ overall audit risk solve the equation for DR assessing IR and CRsolve the equation for DR assessing IR and CR

Detection Risk (DR)Detection Risk (DR)

DR is actually a combination of:DR is actually a combination of: Analytical procedures risk (AP): Risk that Analytical procedures risk (AP): Risk that

analytical procedures will fail to detect analytical procedures will fail to detect material errors material errors

Tests of detail risk (TD): Risk that detailed Tests of detail risk (TD): Risk that detailed test procedures will fail to detect the material test procedures will fail to detect the material errors errors

DR = AP X TDDR = AP X TD OAR = IR X CR X AP X TDOAR = IR X CR X AP X TD Auditor exercises professional judgment in Auditor exercises professional judgment in

assessing IR, CR and AP and solves the equation assessing IR, CR and AP and solves the equation for TD.for TD.

Confidence LevelConfidence Level

Detection Risk is closely related to the Detection Risk is closely related to the confidence that the auditor wishes to obtain confidence that the auditor wishes to obtain from his substantive tests. from his substantive tests.

Increased confidence => Low DR => more Increased confidence => Low DR => more transactions and balances need to be tested transactions and balances need to be tested substantively substantively

Confidence Level = 100%-Detection RiskConfidence Level = 100%-Detection Risk Detection Risk Detection Risk

Only risk that the auditor has under his Only risk that the auditor has under his control control

Must be kept low Must be kept low

MaterialityMateriality and Audit and Audit Risk-IRisk-I

Independent of OARIndependent of OAR Related to VALUE, NATURE and CONTEXT Related to VALUE, NATURE and CONTEXT

of Errorof Error Materiality relates to the maximum possible Materiality relates to the maximum possible

misstatements/ errormisstatements/ error Risk -- concerned with the likelihood of Risk -- concerned with the likelihood of

errorerror Materiality – concerned with extent to which Materiality – concerned with extent to which

we can tolerate errorwe can tolerate error

Materiality and Audit Risk -IIMateriality and Audit Risk -II

Auditor to ensure: Auditor to ensure: Maximum possible error at the desired Maximum possible error at the desired

assurance level < Materialityassurance level < Materiality IR + CR => IR + CR => Expected error rate in Expected error rate in

the populationthe population Materiality => Materiality => Tolerable error rate Tolerable error rate

in the populationin the population

Assessment of Risks-IAssessment of Risks-I

Assessment of Inherent RiskAssessment of Inherent Risk Depends on nature, complexity and Depends on nature, complexity and

volume of transactionsvolume of transactions Inherent to these activities or sets of Inherent to these activities or sets of

transactions transactions Risk classified as high, moderate or lowRisk classified as high, moderate or low

Possible to assign numerical values to the Possible to assign numerical values to the risk assessedrisk assessed

Assessment of Risks-IIAssessment of Risks-II

Assessment of Control Risk:Assessment of Control Risk: Assesses adequacy of policies, procedures and Assesses adequacy of policies, procedures and

systems in the organization systems in the organization Whether controls are adequate to detect errorsWhether controls are adequate to detect errors Expressed either in numerical (%) or qualitative Expressed either in numerical (%) or qualitative

(high, medium, low) terms(high, medium, low) terms Assessment of Detection RiskAssessment of Detection Risk Assurance about transactions required from Assurance about transactions required from

audit proceduresaudit procedures Risk Assurance GuideRisk Assurance Guide

Sample Size Sample Size

Detection Risk Assurance Detection Risk Assurance GuideGuide

Assurance from inherent risk evaluation

Assurance from internal control

Assurance from substantive

analytical review procedures

Required assurance from detailed substantive tests confidence level

High (Excellent system)

Med Low Nil

60 70 75

Med (Good system)

Med Low Nil

65 75 80

Low (Fair system)

Med Low Nil

75 80 85

High

Nil (Poor System/DST)

Med Low Nil

92 94 95

Risk Assessment and Risk Assessment and SamplingSampling

Statistical SamplingStatistical Sampling The population is a homogeneous groupThe population is a homogeneous group There is no bias in the selection of sample itemsThere is no bias in the selection of sample items

Attribute Sampling, Variable Sampling and Attribute Sampling, Variable Sampling and MUSMUS

Attribute samplingAttribute sampling Estimates proportion of items in a population having a Estimates proportion of items in a population having a

certain attribute or characteristic. certain attribute or characteristic. In audit, estimates the existence or otherwise of an error. In audit, estimates the existence or otherwise of an error.

Used to derive assurance about prescribed procedures/ Used to derive assurance about prescribed procedures/

controls. controls. Estimates % of error (say, vouchers that have been Estimates % of error (say, vouchers that have been

misclassified)misclassified)

Attribute samplingAttribute sampling

Set upper limit of acceptable Set upper limit of acceptable error, being still assured that error, being still assured that systems are in place.systems are in place. Can only be used in assessment of Can only be used in assessment of

control risk.control risk. The attribute : whether a specific The attribute : whether a specific

control has been applied or not control has been applied or not applied.applied.

Types of Audit samplingTypes of Audit sampling

Variables samplingVariables sampling estimates a quantity estimates a quantity

e.g. amount of sundry debtors shown in e.g. amount of sundry debtors shown in the balance sheet the balance sheet

the underassessment in a tax circle. the underassessment in a tax circle.

Monetary Unit SamplingMonetary Unit Sampling

provides quantitative results and is suited provides quantitative results and is suited to most audit situations to most audit situations

More accurate in low level error situations More accurate in low level error situations with a relatively small population, where with a relatively small population, where there are no negative or zero balances. there are no negative or zero balances.

‘‘PPS’ or ‘Probability Proportional to Size’ PPS’ or ‘Probability Proportional to Size’ the probability of selection becomes the probability of selection becomes

proportional to the size of a/c proportional to the size of a/c high value items tend to get more weight high value items tend to get more weight

and therefore more probability of getting and therefore more probability of getting picked up in any random selection, sincepicked up in any random selection, since

Sampling MethodsSampling Methods

Simple random samplingSimple random sampling Systematic random samplingSystematic random sampling Stratified samplingStratified sampling CAATs: IDEA => identified audit CAATs: IDEA => identified audit

tests can directly be applied on tests can directly be applied on the sample elements.the sample elements.

Audit AssumptionsAudit Assumptions Audit works on the principle that higher the Audit works on the principle that higher the

risk involved in the transactions, higher the risk involved in the transactions, higher the need for more extensive checks.need for more extensive checks.

Audit through statistical sampling Audit through statistical sampling Assessment of Inherent Risk through auditor’s Assessment of Inherent Risk through auditor’s

knowledge, judgment and application of specific knowledge, judgment and application of specific auditing procedures like analytical reviews etc. auditing procedures like analytical reviews etc.

Assessment of Control Risk through Compliance Assessment of Control Risk through Compliance Testing, done through attribute sampling, Testing, done through attribute sampling, analytical reviews etc. analytical reviews etc.

Design the Sampling Frame for Substantive Design the Sampling Frame for Substantive Testing : determine sampling method, sample size.Testing : determine sampling method, sample size.

Evaluation of results of Substantive Tests and Evaluation of results of Substantive Tests and expression of audit opinion.expression of audit opinion.

Compliance Testing and Compliance Testing and Substantive TestingSubstantive Testing

Compliance Testing: review and evaluate Compliance Testing: review and evaluate the effectiveness of internal control systemsthe effectiveness of internal control systems

Substantive Testing: gather evidence on Substantive Testing: gather evidence on completeness, accuracy and validity of data.completeness, accuracy and validity of data.

Sampling Risks of an AuditorSampling Risks of an Auditor Sampling Risk in Compliance Testing: risk Sampling Risk in Compliance Testing: risk

of over-reliance / under-reliance on controlsof over-reliance / under-reliance on controls Sampling Risk in Substantive Testing: risk Sampling Risk in Substantive Testing: risk

of incorrect acceptance / rejectionof incorrect acceptance / rejection Selection of appropriate sample size of utmost Selection of appropriate sample size of utmost

importance in minimising risk importance in minimising risk

Designing a SampleDesigning a Sample StepsSteps

Define population and select an appropriate Define population and select an appropriate sampling method: attribute, variable, monetary sampling method: attribute, variable, monetary unit etc. unit etc.

Determine sample size Determine sample size Identify sampling procedure, random, Identify sampling procedure, random,

systematic, stratified etc.systematic, stratified etc. Perform substantive audit tests on the sample Perform substantive audit tests on the sample

elements elements Estimate Population Value of ParameterEstimate Population Value of Parameter

Express audit opinion on the entire Express audit opinion on the entire population population

Determinants of Sample Size Determinants of Sample Size 1.1. Expected Error Rate in PopulationExpected Error Rate in Population

Error Rate /AmountError Rate /Amount in the Population: in the Population: mistakes in vouchers /wrong entries in cash mistakes in vouchers /wrong entries in cash

books/stores ledgerbooks/stores ledger unauthorized payments unauthorized payments cash books not daily checked /physical cash books not daily checked /physical

verifications not done verifications not done Areas of applicationAreas of application

sanctions / propriety / regularity / financial auditsanctions / propriety / regularity / financial audit auditor only wants to confirm if the balance is auditor only wants to confirm if the balance is

correctly stated or not without estimating the correctly stated or not without estimating the correct balancecorrect balance

The greater the expected error rate, the larger the The greater the expected error rate, the larger the sample size for the auditor to conclude:sample size for the auditor to conclude: actual error rate < tolerate error rateactual error rate < tolerate error rate. .

2. Tolerate Error Rate in 2. Tolerate Error Rate in PopulationPopulation

Tolerate error rate / amountTolerate error rate / amount the maximum error rate the auditor is prepared the maximum error rate the auditor is prepared

to accept when deciding whether his initial to accept when deciding whether his initial evaluation of the control risk is valid evaluation of the control risk is valid

maximum error rate the auditor is willing to maximum error rate the auditor is willing to accept and still conclude that the auditee is accept and still conclude that the auditee is following the procedures properly following the procedures properly

tolerable error is limited by the level of tolerable error is limited by the level of materiality set by the auditormateriality set by the auditor

The lower the tolerable error, the larger The lower the tolerable error, the larger would be the sample sizewould be the sample size

3. Precision Level3. Precision Level

Precision level: Precision level: Difference between the sample estimate Difference between the sample estimate

and the actual population valueand the actual population value The auditor to decide the precision to The auditor to decide the precision to

provide in his estimates provide in his estimates Tolerable Error Tolerable Error

= maximum error the auditor is willing to = maximum error the auditor is willing to accept accept

= Maximum (sample estimate + precision = Maximum (sample estimate + precision level).level).

Confidence Level Confidence Level

Confidence level =100%- DR (%)Confidence level =100%- DR (%) Confidence level: Confidence level:

how certain the auditor is that the how certain the auditor is that the actual population measure is within actual population measure is within the sample estimates and its the sample estimates and its associated precision levelassociated precision level

Occurrence rateOccurrence rate Population proportion having the error Population proportion having the error

that audit wishes to testthat audit wishes to test

Acceptable risk of Over-Acceptable risk of Over-RelianceReliance

Risk of under-reliance does not affect the Risk of under-reliance does not affect the correctness of the auditor’s opinioncorrectness of the auditor’s opinion it only results in increasing his it only results in increasing his

workloadworkload Over Reliance may lead to wrong audit Over Reliance may lead to wrong audit

opinionopinion When the degree of reliance in controls is When the degree of reliance in controls is

high, acceptable risk of over reliance is high, acceptable risk of over reliance is low and vice versalow and vice versa May be quantified as 5%, 10%, 15% etc.May be quantified as 5%, 10%, 15% etc.

Estimating Population Estimating Population ValueValue

If Computed tolerable error = Sample estimate If Computed tolerable error = Sample estimate + precision < tolerable error + precision < tolerable error assurance can be placed by auditor on the assurance can be placed by auditor on the

systemsystem If Computed tolerable error > tolerable error, If Computed tolerable error > tolerable error,

assurance derived from control has to be assurance derived from control has to be reduced reduced

assurance required from substantive tests assurance required from substantive tests has to be increased has to be increased

To identify areas of To identify areas of applicabilityapplicability

A Few Suggested AreasA Few Suggested Areas Checking correct accountal of expenditure/ Checking correct accountal of expenditure/

receipts;receipts; Checking calculations of payment or receipts;Checking calculations of payment or receipts; Checking propriety and regularity of Checking propriety and regularity of

expenditure; expenditure; Checking interpretation or application of Checking interpretation or application of

rules /contract clauses /provisions of tax acts;rules /contract clauses /provisions of tax acts; Checking achievement of objective of Checking achievement of objective of

expenditure / exemption of receipts.expenditure / exemption of receipts. Any other areas to be identifiedAny other areas to be identified

Summing UpSumming Up

Audit is primarily a judgmental Audit is primarily a judgmental process process

Statistical sampling cannot be a Statistical sampling cannot be a substitute for Auditor’s judgmentsubstitute for Auditor’s judgment

At best the two are At best the two are complementarycomplementary

Nature of Population Nature of Population DistributionDistribution

Is it necessary to estimate?Is it necessary to estimate? Assumption of homogeneity-how true? Assumption of homogeneity-how true? Sampling distribution of mean Sampling distribution of mean

What about smaller samples? What about smaller samples? normal for large samplenormal for large sample

For small samples- what distribution (t?). For small samples- what distribution (t?).

Testing for a single attribute (say Testing for a single attribute (say classification mistake) classification mistake) - What distribution to assume? - What distribution to assume?

Case StudyCase Study