s 13: management of risks in audit risk analysis and statistical sampling in audit
TRANSCRIPT
S 13:S 13: Management of Risks in Management of Risks in AuditAudit
RISK ANALYSIS RISK ANALYSIS AND AND
STATISTICAL SAMPLING IN STATISTICAL SAMPLING IN AUDITAUDIT
Session ObjectivesSession Objectives
To revisit the Audit Risk Model and To revisit the Audit Risk Model and Materiality concepts;Materiality concepts;
To explain the Theory of Sampling as To explain the Theory of Sampling as applied to auditapplied to audit
To Explain the link between risk To Explain the link between risk assessment and samplingassessment and sampling
The Risk Model The Risk Model Theory and AssumptionsTheory and Assumptions
Control Risk (CR)Control Risk (CR) Risk that the internal control systems in an Risk that the internal control systems in an
organization will not be able to detect an organization will not be able to detect an error or material misstatementerror or material misstatement
Inherent Risk (IR)Inherent Risk (IR) Susceptibility of a class of transactions to Susceptibility of a class of transactions to
material misstatement or errors material misstatement or errors Risk of Occurrence of ErrorRisk of Occurrence of Error
Detection Risk (DR)Detection Risk (DR) Risk that auditor’s substantive tests will not Risk that auditor’s substantive tests will not
be able to detect a material misstatement in be able to detect a material misstatement in the audited transactions the audited transactions
OverallOverall Audit Risk Audit Risk (OAR)(OAR)
Assurance required from audit proceduresAssurance required from audit procedures the maximum risk the auditor is willing to the maximum risk the auditor is willing to
acceptaccept OAR = CR x IR x DROAR = CR x IR x DR
OAR defined by the audit institution OAR defined by the audit institution A constant pre-determined quantityA constant pre-determined quantity
Objective of the auditor Objective of the auditor assess inherent and control risks in the entityassess inherent and control risks in the entity design and perform compliance and substantive design and perform compliance and substantive
tests tests to provide sufficient assurance that the product of to provide sufficient assurance that the product of
the risks identified ≤ overall audit riskthe risks identified ≤ overall audit risk solve the equation for DR assessing IR and CRsolve the equation for DR assessing IR and CR
Detection Risk (DR)Detection Risk (DR)
DR is actually a combination of:DR is actually a combination of: Analytical procedures risk (AP): Risk that Analytical procedures risk (AP): Risk that
analytical procedures will fail to detect analytical procedures will fail to detect material errors material errors
Tests of detail risk (TD): Risk that detailed Tests of detail risk (TD): Risk that detailed test procedures will fail to detect the material test procedures will fail to detect the material errors errors
DR = AP X TDDR = AP X TD OAR = IR X CR X AP X TDOAR = IR X CR X AP X TD Auditor exercises professional judgment in Auditor exercises professional judgment in
assessing IR, CR and AP and solves the equation assessing IR, CR and AP and solves the equation for TD.for TD.
Confidence LevelConfidence Level
Detection Risk is closely related to the Detection Risk is closely related to the confidence that the auditor wishes to obtain confidence that the auditor wishes to obtain from his substantive tests. from his substantive tests.
Increased confidence => Low DR => more Increased confidence => Low DR => more transactions and balances need to be tested transactions and balances need to be tested substantively substantively
Confidence Level = 100%-Detection RiskConfidence Level = 100%-Detection Risk Detection Risk Detection Risk
Only risk that the auditor has under his Only risk that the auditor has under his control control
Must be kept low Must be kept low
MaterialityMateriality and Audit and Audit Risk-IRisk-I
Independent of OARIndependent of OAR Related to VALUE, NATURE and CONTEXT Related to VALUE, NATURE and CONTEXT
of Errorof Error Materiality relates to the maximum possible Materiality relates to the maximum possible
misstatements/ errormisstatements/ error Risk -- concerned with the likelihood of Risk -- concerned with the likelihood of
errorerror Materiality – concerned with extent to which Materiality – concerned with extent to which
we can tolerate errorwe can tolerate error
Materiality and Audit Risk -IIMateriality and Audit Risk -II
Auditor to ensure: Auditor to ensure: Maximum possible error at the desired Maximum possible error at the desired
assurance level < Materialityassurance level < Materiality IR + CR => IR + CR => Expected error rate in Expected error rate in
the populationthe population Materiality => Materiality => Tolerable error rate Tolerable error rate
in the populationin the population
Assessment of Risks-IAssessment of Risks-I
Assessment of Inherent RiskAssessment of Inherent Risk Depends on nature, complexity and Depends on nature, complexity and
volume of transactionsvolume of transactions Inherent to these activities or sets of Inherent to these activities or sets of
transactions transactions Risk classified as high, moderate or lowRisk classified as high, moderate or low
Possible to assign numerical values to the Possible to assign numerical values to the risk assessedrisk assessed
Assessment of Risks-IIAssessment of Risks-II
Assessment of Control Risk:Assessment of Control Risk: Assesses adequacy of policies, procedures and Assesses adequacy of policies, procedures and
systems in the organization systems in the organization Whether controls are adequate to detect errorsWhether controls are adequate to detect errors Expressed either in numerical (%) or qualitative Expressed either in numerical (%) or qualitative
(high, medium, low) terms(high, medium, low) terms Assessment of Detection RiskAssessment of Detection Risk Assurance about transactions required from Assurance about transactions required from
audit proceduresaudit procedures Risk Assurance GuideRisk Assurance Guide
Sample Size Sample Size
Detection Risk Assurance Detection Risk Assurance GuideGuide
Assurance from inherent risk evaluation
Assurance from internal control
Assurance from substantive
analytical review procedures
Required assurance from detailed substantive tests confidence level
High (Excellent system)
Med Low Nil
60 70 75
Med (Good system)
Med Low Nil
65 75 80
Low (Fair system)
Med Low Nil
75 80 85
High
Nil (Poor System/DST)
Med Low Nil
92 94 95
Risk Assessment and Risk Assessment and SamplingSampling
Statistical SamplingStatistical Sampling The population is a homogeneous groupThe population is a homogeneous group There is no bias in the selection of sample itemsThere is no bias in the selection of sample items
Attribute Sampling, Variable Sampling and Attribute Sampling, Variable Sampling and MUSMUS
Attribute samplingAttribute sampling Estimates proportion of items in a population having a Estimates proportion of items in a population having a
certain attribute or characteristic. certain attribute or characteristic. In audit, estimates the existence or otherwise of an error. In audit, estimates the existence or otherwise of an error.
Used to derive assurance about prescribed procedures/ Used to derive assurance about prescribed procedures/
controls. controls. Estimates % of error (say, vouchers that have been Estimates % of error (say, vouchers that have been
misclassified)misclassified)
Attribute samplingAttribute sampling
Set upper limit of acceptable Set upper limit of acceptable error, being still assured that error, being still assured that systems are in place.systems are in place. Can only be used in assessment of Can only be used in assessment of
control risk.control risk. The attribute : whether a specific The attribute : whether a specific
control has been applied or not control has been applied or not applied.applied.
Types of Audit samplingTypes of Audit sampling
Variables samplingVariables sampling estimates a quantity estimates a quantity
e.g. amount of sundry debtors shown in e.g. amount of sundry debtors shown in the balance sheet the balance sheet
the underassessment in a tax circle. the underassessment in a tax circle.
Monetary Unit SamplingMonetary Unit Sampling
provides quantitative results and is suited provides quantitative results and is suited to most audit situations to most audit situations
More accurate in low level error situations More accurate in low level error situations with a relatively small population, where with a relatively small population, where there are no negative or zero balances. there are no negative or zero balances.
‘‘PPS’ or ‘Probability Proportional to Size’ PPS’ or ‘Probability Proportional to Size’ the probability of selection becomes the probability of selection becomes
proportional to the size of a/c proportional to the size of a/c high value items tend to get more weight high value items tend to get more weight
and therefore more probability of getting and therefore more probability of getting picked up in any random selection, sincepicked up in any random selection, since
Sampling MethodsSampling Methods
Simple random samplingSimple random sampling Systematic random samplingSystematic random sampling Stratified samplingStratified sampling CAATs: IDEA => identified audit CAATs: IDEA => identified audit
tests can directly be applied on tests can directly be applied on the sample elements.the sample elements.
Audit AssumptionsAudit Assumptions Audit works on the principle that higher the Audit works on the principle that higher the
risk involved in the transactions, higher the risk involved in the transactions, higher the need for more extensive checks.need for more extensive checks.
Audit through statistical sampling Audit through statistical sampling Assessment of Inherent Risk through auditor’s Assessment of Inherent Risk through auditor’s
knowledge, judgment and application of specific knowledge, judgment and application of specific auditing procedures like analytical reviews etc. auditing procedures like analytical reviews etc.
Assessment of Control Risk through Compliance Assessment of Control Risk through Compliance Testing, done through attribute sampling, Testing, done through attribute sampling, analytical reviews etc. analytical reviews etc.
Design the Sampling Frame for Substantive Design the Sampling Frame for Substantive Testing : determine sampling method, sample size.Testing : determine sampling method, sample size.
Evaluation of results of Substantive Tests and Evaluation of results of Substantive Tests and expression of audit opinion.expression of audit opinion.
Compliance Testing and Compliance Testing and Substantive TestingSubstantive Testing
Compliance Testing: review and evaluate Compliance Testing: review and evaluate the effectiveness of internal control systemsthe effectiveness of internal control systems
Substantive Testing: gather evidence on Substantive Testing: gather evidence on completeness, accuracy and validity of data.completeness, accuracy and validity of data.
Sampling Risks of an AuditorSampling Risks of an Auditor Sampling Risk in Compliance Testing: risk Sampling Risk in Compliance Testing: risk
of over-reliance / under-reliance on controlsof over-reliance / under-reliance on controls Sampling Risk in Substantive Testing: risk Sampling Risk in Substantive Testing: risk
of incorrect acceptance / rejectionof incorrect acceptance / rejection Selection of appropriate sample size of utmost Selection of appropriate sample size of utmost
importance in minimising risk importance in minimising risk
Designing a SampleDesigning a Sample StepsSteps
Define population and select an appropriate Define population and select an appropriate sampling method: attribute, variable, monetary sampling method: attribute, variable, monetary unit etc. unit etc.
Determine sample size Determine sample size Identify sampling procedure, random, Identify sampling procedure, random,
systematic, stratified etc.systematic, stratified etc. Perform substantive audit tests on the sample Perform substantive audit tests on the sample
elements elements Estimate Population Value of ParameterEstimate Population Value of Parameter
Express audit opinion on the entire Express audit opinion on the entire population population
Determinants of Sample Size Determinants of Sample Size 1.1. Expected Error Rate in PopulationExpected Error Rate in Population
Error Rate /AmountError Rate /Amount in the Population: in the Population: mistakes in vouchers /wrong entries in cash mistakes in vouchers /wrong entries in cash
books/stores ledgerbooks/stores ledger unauthorized payments unauthorized payments cash books not daily checked /physical cash books not daily checked /physical
verifications not done verifications not done Areas of applicationAreas of application
sanctions / propriety / regularity / financial auditsanctions / propriety / regularity / financial audit auditor only wants to confirm if the balance is auditor only wants to confirm if the balance is
correctly stated or not without estimating the correctly stated or not without estimating the correct balancecorrect balance
The greater the expected error rate, the larger the The greater the expected error rate, the larger the sample size for the auditor to conclude:sample size for the auditor to conclude: actual error rate < tolerate error rateactual error rate < tolerate error rate. .
2. Tolerate Error Rate in 2. Tolerate Error Rate in PopulationPopulation
Tolerate error rate / amountTolerate error rate / amount the maximum error rate the auditor is prepared the maximum error rate the auditor is prepared
to accept when deciding whether his initial to accept when deciding whether his initial evaluation of the control risk is valid evaluation of the control risk is valid
maximum error rate the auditor is willing to maximum error rate the auditor is willing to accept and still conclude that the auditee is accept and still conclude that the auditee is following the procedures properly following the procedures properly
tolerable error is limited by the level of tolerable error is limited by the level of materiality set by the auditormateriality set by the auditor
The lower the tolerable error, the larger The lower the tolerable error, the larger would be the sample sizewould be the sample size
3. Precision Level3. Precision Level
Precision level: Precision level: Difference between the sample estimate Difference between the sample estimate
and the actual population valueand the actual population value The auditor to decide the precision to The auditor to decide the precision to
provide in his estimates provide in his estimates Tolerable Error Tolerable Error
= maximum error the auditor is willing to = maximum error the auditor is willing to accept accept
= Maximum (sample estimate + precision = Maximum (sample estimate + precision level).level).
Confidence Level Confidence Level
Confidence level =100%- DR (%)Confidence level =100%- DR (%) Confidence level: Confidence level:
how certain the auditor is that the how certain the auditor is that the actual population measure is within actual population measure is within the sample estimates and its the sample estimates and its associated precision levelassociated precision level
Occurrence rateOccurrence rate Population proportion having the error Population proportion having the error
that audit wishes to testthat audit wishes to test
Acceptable risk of Over-Acceptable risk of Over-RelianceReliance
Risk of under-reliance does not affect the Risk of under-reliance does not affect the correctness of the auditor’s opinioncorrectness of the auditor’s opinion it only results in increasing his it only results in increasing his
workloadworkload Over Reliance may lead to wrong audit Over Reliance may lead to wrong audit
opinionopinion When the degree of reliance in controls is When the degree of reliance in controls is
high, acceptable risk of over reliance is high, acceptable risk of over reliance is low and vice versalow and vice versa May be quantified as 5%, 10%, 15% etc.May be quantified as 5%, 10%, 15% etc.
Estimating Population Estimating Population ValueValue
If Computed tolerable error = Sample estimate If Computed tolerable error = Sample estimate + precision < tolerable error + precision < tolerable error assurance can be placed by auditor on the assurance can be placed by auditor on the
systemsystem If Computed tolerable error > tolerable error, If Computed tolerable error > tolerable error,
assurance derived from control has to be assurance derived from control has to be reduced reduced
assurance required from substantive tests assurance required from substantive tests has to be increased has to be increased
To identify areas of To identify areas of applicabilityapplicability
A Few Suggested AreasA Few Suggested Areas Checking correct accountal of expenditure/ Checking correct accountal of expenditure/
receipts;receipts; Checking calculations of payment or receipts;Checking calculations of payment or receipts; Checking propriety and regularity of Checking propriety and regularity of
expenditure; expenditure; Checking interpretation or application of Checking interpretation or application of
rules /contract clauses /provisions of tax acts;rules /contract clauses /provisions of tax acts; Checking achievement of objective of Checking achievement of objective of
expenditure / exemption of receipts.expenditure / exemption of receipts. Any other areas to be identifiedAny other areas to be identified
Summing UpSumming Up
Audit is primarily a judgmental Audit is primarily a judgmental process process
Statistical sampling cannot be a Statistical sampling cannot be a substitute for Auditor’s judgmentsubstitute for Auditor’s judgment
At best the two are At best the two are complementarycomplementary
Nature of Population Nature of Population DistributionDistribution
Is it necessary to estimate?Is it necessary to estimate? Assumption of homogeneity-how true? Assumption of homogeneity-how true? Sampling distribution of mean Sampling distribution of mean
What about smaller samples? What about smaller samples? normal for large samplenormal for large sample
For small samples- what distribution (t?). For small samples- what distribution (t?).
Testing for a single attribute (say Testing for a single attribute (say classification mistake) classification mistake) - What distribution to assume? - What distribution to assume?
Case StudyCase Study