AU Section 350 - Audit Sampling

AU Section 350 - Audit Sampling

Sampling and Nonsampling Risk

AU Section 350 of the AICPA Professional Standards indicates that audit risk arises from sampling and nonsampling
risk. Sampling risk results from performing an audit procedure on less than one hundred percent of the population. It
represents the risk that the audit sample is not representative of the population. In other words, that the auditor's
evaluation of a population based on an audit sample is different from what it would be if the entire population was
tested. Nonsampling risk results from human error. It represents the risk that the selected audit procedure is not
appropriate for the intended purpose or the evidence from an audit procedure is misinterpreted. Nonsampling risk exists
regardless of the number of items selected from a population for testing.

Sampling risk should be considered when an auditor performs an audit procedure on less than one hundred percent of a
clearly definable population for the purpose of evaluating the population. There are two aspects to sampling risk when
performing tests of controls:

The risk of assessing control risk too low represents the risk that an audit sample supports the conclusion that the
design and operation of an internal control is effective when in fact it is not.
The risk of assessing control risk too high represents the risk that an audit sample supports the conclusion that the
design and operation of an internal control is not effective when in fact it is effective.

Similarly there are two aspects to sampling risk when performing substantive tests:

The risk of incorrect acceptance represents the risk that an audit sample supports the conclusion that a material
misstatement does not exist when in fact a material misstatement does exist. This risk is similar to the risk of
assessing control risk too low.
The risk of incorrect rejection represents the risk that an audit sample supports the conclusion that a material
misstatement exists when in fact a material misstatement does not exist. This risk is similar to the risk of assessing
control risk too high.

The risk of assessing control risk too low and the risk of incorrect acceptance are concerned with the effectiveness of
audit tests while the risk of assessing control risk too high and the risk of incorrect acceptance are concerned with the
efficiency of audit tests.

Sampling risk can be considered using a non-statistical or statistical approach. Both approaches require professional
judgement. The main difference between the two approaches is that statistical approaches allow auditors to quantify
sampling risk.

Sample Selection Methods

Five methods are commonly used to select population items for audit testing:

Random Sampling involves selecting items from the population so that each item has an equal chance of being
selected. Random selection requires the use of random number tables or computer programs to guarantee that
each population item has an equal chance of selection.
Systematic Sampling involves selecting every kth item from the population after a random start.
Haphazard Sampling involves selecting items from the population without consideration to known characteristics
of the items in the population (i.e. any conscious bias in the selection of population items).
Block Sampling involves selecting items from the population in contiguous groups (or blocks).
Purposive or Directed Sampling involves selecting items from the population using some prespecified criteria
(i.e., selecting accounts receivable for confirmation based on the size of the outstanding balance).

The first two sample selection methods are referred to as probability (statistical) sample selection methods since every
population item has a known probability of selection. The last three methods are referred to as non-probability (non-
statistical) sample selection methods since every population item does not have a known probability of selection. This

http://www4.ncsu.edu/unity/users/b/buckless/www/AUSection350.html[5/2/2017 3:28:11 PM]

AU Section 350 - Audit Sampling

distinction is important because sample results from probability selection methods can be assessed using statistical
theory whereas sample results from non-probability samples cannot. The subjectivity of non-probability selection
precludes the development of a theoretical framework for evaluating sample results. Non-probability samples can be
assessed only by subjective evaluation, not by assumption-free statistical methods. Nevertheless both probability and
non-probability selection methods are considered acceptable and used in practice.

Attribute Sampling

Attribute sampling is a statistical approach used with tests of controls. It requires the use of a probabilistic sample
selection method (random or systematic sampling). Attribute sampling allows the auditor to estimate the proportion of
population items containing a specified characteristic. The characteristic auditors are concerned with for tests of controls
is deviations from internal controls.

Sample size for attribute sampling can be determined by reference to attribute sampling tables. These sample
determination tables require the auditor to establish three factors:

Risk of assessing control risk too low represents the risk that the auditor concludes that the design and operation
of an internal control is effective when in fact it is not. The level used for this risk is based on the auditor's desired
control risk assessment. The lower the desired control risk assessment the lower the needed risk of assessing
control risk too low. This risk is inversely related to sample size.
Expected Population Deviation Rate represents the auditor's best estimate of the population deviation rate. This
rate is normally based on prior experience with the client. This rate is directly related to sample size.
Tolerable Deviation Rate represents the highest deviation rate the auditor could accept and still conclude that the
design and operation of an internal control is effective. This rate is based on the tolerable misstatement relative to
the number and dollar size of traansactions included in the population. Tolerable misstatement represents the
maximum misstatement that could occur before the population would be considered materially misstated. The
lower the required tolerable misstatement relative to the number and dollar size of transactions the lower the
needed tolerable deviation rate. This rate is inversely related to sample size.

Sample results are evaluated by comparing the computed maximum population deviation rate to the tolerable deviation
rate. The computed maximum population deviation rate equals the sample deviation rate plus an allowance for sampling
risk. If the maximum population deviation rate is larger than the tolerable deviation rate the auditor will conclude that
the design and operation of the internal control is not effective. If the computed maximum population deviation rate is
less than or equal to the tolerable deviation rate the auditor will conclude that the design and operation of the internal
control is effective.

Attribute sampling tables have been constructed to determine the computed maximum population deviation rate. These
attribute evaluation tables require the auditor to know three factors:

Risk of assessing control risk too low (see above).

Sample Size represents the number of population items tested.
Sample Deviations represents the number of sample items that deviated from internal controls.

Probability-proportionate-to-size Sampling (Monetary-unit Sampling)

Probability-proportionate-to-size Sampling (PPS) is used with substantive tests. It requires the use of a probabilistic
sample selection method (random or systematic sampling). PPS allows the auditor to estimate the total misstatement of
a population. It is different from other sampling approaches used by auditors in that each dollar in the population is
treated as a separate sampling unit instead of each customer, invoice, check, vendor, etc.

Sample size for a PPS application can be determined by reference to a PPS sampling table. The factors considered when
determining sample size for substantive tests are:

Risk of incorrect acceptance represents the risk that the auditor concludes that a material misstatement does not
exist when in fact a material misstatement does exist. The level used for this risk is based on the auditor's planned

http://www4.ncsu.edu/unity/users/b/buckless/www/AUSection350.html[5/2/2017 3:28:11 PM]

AU Section 350 - Audit Sampling

detection risk and other planned substantive tests. A higher risk of incorrect acceptance is used with a higher
planned detection risk and/or other planned substantive tests. This risk is inversely related to sample size.
Expected Number of Misstated Dollars represents the auditor's best estimate of the number of sample dollars that
will be misstated. This estimate is based on prior experience with the client and is normally expected to be zero
when PPS is used. This estimate is directly related to sample size.
Tolerable Misstatement represents the highest misstatement that could occur before the population would be
considered materially misstated. This amount has an inverse relationship with sample size.
Reported $ Balance represents the total recorded dollar balance in the population.

The risk of incorrect acceptance and expected number of misstated dollars are used to determine the PPS Factor from
the PPS table. The sample size is then determined using the following formula:

Obviously, substantive tests are not performed on individual dollars but rather are performed on logical units (invoice,
customer, check, vender, etc,) containing individual dollars. Therefore, evaluation of sample results requires restatement
of the logical unit results in terms of the sampling unit (individual population dollars). Sample results are evaluated by
comparing the adjusted upper and lower limits on misstatements (error bounds) to tolerable misstatement. If the adjusted
upper and lower limits on misstatements are smaller than or equal to tolerable misstatement the auditor will conclude
that a material misstatement does not exist. If either the upper or lower limit on misstatement is greater than tolerable
misstatement the auditor will conclude that a material misstatement does exist.

The adjusted upper and lower limits on misstatements can be calculated using the PPS table. The first step in calculating
the adjusted upper and lower limits on misstatement is to divide misstated dollars into over and understated dollars and
then to rank them from the highest to lowest percent misstatement. The percent misstatement for each misstated dollar is
call tainting and is calculated using the following formula:

The second step is to calculate an unadjusted upper and lower limit on misstatement using the PPS table. These
calculations require the auditor to know the risk of incorrect acceptance, sample size, recorded dollars in the population
(reported balance), sample dollars misstated, and tainting of misstated dollars. The unadjusted upper limit on
misstatement is based on the observed overstated dollars and the lower limit on misstatement is based on the observed
understated dollars. The unadjusted upper and lower limits on misstatement are calculated using the following formula:

http://www4.ncsu.edu/unity/users/b/buckless/www/AUSection350.html[5/2/2017 3:28:11 PM]

AU Section 350 - Audit Sampling

The taintings are used in order of highest to lowest.

The third step is to calculate the estimated dollar overstatement and understatement in the population. The estimated
dollar overstatement is calculated based on the number of observed overstated dollars. The estimated dollar
understatement is calculated based on the number of observed understated dollars. These amounts are calculated using
the following formula:

The final step is to calculate the adjusted upper and lower limits on misstatement. The adjusted upper limit on
misstatement is calculated by subtracting from the unadjusted upper limit on misstatement the estimated dollar
understatement in the population. The adjusted lower limit on misstatement is calculated by subtracting from the
unadjusted lower limit on misstatement the estimated dollar overstatement in the population.

Non-statistical Sampling

Non-statistical sampling can be used with tests of controls or substantive tests. Non-statistical sampling does not require
the use of a probabilistic selection method. The main advantage of non-statistical sampling is that it is less complex and
less time consuming than statistical sampling. The main disadvantage is that sampling theory cannot be used to quantify
sampling risk.

Sample size for non-statistical sampling is left entirely to the auditors professional judgement. The factors considered
when determining sample size for tests of controls using a non-statistical approach are the same as those considered for
attributes sampling. The factors considered when determining sample size for substantive tests using a non-statistical
approach are:

Risk of incorrect acceptance represents the risk that the auditor concludes that a material misstatement does not
exist when in fact a material misstatement does exist. The level used for this risk is based on the auditor's planned
detection risk and other planned substantive tests. A higher risk of incorrect acceptance is used with a higher
planned detection risk and/or other planned substantive tests. This risk is inversely related to sample size.
Risk of incorrect rejection represents the risk that the auditor concludes that a material misstatement exists when
in fact a material misstatement does not exist. The level used for this risk is based on the cost and difficulty of
obtaining additional evidence. A lower risk of incorrect acceptance is used when more costly or difficult evidence
will be required if expanded testing is needed. This risk is inversely related to sample size.

http://www4.ncsu.edu/unity/users/b/buckless/www/AUSection350.html[5/2/2017 3:28:11 PM]

AU Section 350 - Audit Sampling

Expected Misstatement represents the auditor's best estimate of the population misstatement. This estimate is
normally based on prior experience with the client. This estimate is directly related to sample size.
Tolerable Misstatement represents the highest misstatement that could occur before the population would be
considered materially misstated. This amount has an inverse relationship with sample size.

Sample results for tests of controls are evaluated by comparing the sample deviation rate to the tolerable deviation rate
and calculating an allowance for sampling risk. The sample deviation rate is calculated by dividing the number of
sample deviations by the sample size. The allowance for sampling risk is calculated by subtracting the sample deviation
rate from the tolerable deviation rate. If the allowance for sampling risk is large and positive the auditor would most
likely conclude that the design and operation of an internal control is effective. However, if the allowance for sampling
risk is small or negative the auditor would conclude that the design and operation of an internal control is not effective.
What constitutes a large enough difference is a matter for professional judgement. Generally, smaller allowances for
sampling risk are tolerated with higher risks of assessing control risk too low and larger sample sizes.

Sample results for substantive tests are evaluated in a similar manner. A projected population misstatement is calculated
based on the sample results and compared to the tolerable misstatement. The projected population misstatement is
computed by dividing the sample misstatement by the dollar value of the sample and multiplying this amount by the
dollar value of the population. The difference between the projected population misstatement and tolerable misstatement
is called the allowance for sampling risk. If the allowance for sampling risk is large and positive the auditor would most
likely conclude that a material misstatement does not exist. However, if the allowance for sampling risk is small or
negative the auditor would conclude that a material misstatement does exist. What constitutes a large enough difference
is a matter for professional judgement. Generally, smaller allowances for sampling risk are tolerated with higher risks of
incorrect acceptance and larger sample sizes.

Analyze Exceptions/Misstatements

Regardless of whether a statistical or non-statistical approach is used to evaluate sample results, the auditor needs to
consider the nature and cause of every observed exception or misstatement. Exceptions or misstatements that are
intentional will normally affect the audit tests performed even when the quantitative analysis supports effective controls
or no material misstatement. Additionally, the auditor may need to revise the original inherent risk and control risk
assessments based on subsequently performed substantive tests. The original assessments may need to be revised
upward if misstatements are observed.

http://www4.ncsu.edu/unity/users/b/buckless/www/AUSection350.html[5/2/2017 3:28:11 PM]