1 Audit Sampling

Auditors use audit sampling as a technique to assess a selection of transactions or items within a population in order to form conclusions about the population as a whole. It is a cost-efficient method for examining the accuracy of financial information as it allows auditors to test a representative sample of the population rather than the entire population.

In the field of auditing, sampling becomes necessary when the truth about a population is not readily accessible or discernible through other means. With the advent of modern technology, auditors often have access to an abundance of information about a population, which sometimes enables them to perform full population (i.e., integral) testing. Nonetheless, there are situations where a sample is still necessary due to the unavailability of complete data. For instance, an auditor may utilize analytical procedures to verify the consistency of payments with payment orders, but then must subsequently confirm the validity of these orders through detailed testing.

In auditing, there are two primary methods of sampling: statistical and nonstatistical. Statistical sampling involves using probability theory to select a sample from the population and draw conclusions about the population based on the sample. Nonstatistical sampling, on the other hand, is based on the auditor’s professional judgment and does not use statistical inference to come to a conclusion. This book does not cover nonstatistical sampling.

International auditing standards prescribe the manner in which statistical sampling should be conducted in an audit. The following section discusses what these standards require from the auditor’s approach to statistical sampling.

1.1 Auditing Standards

There are three auditing standards related to staistical sampling in the audit:

ISA 530: Auditing standard for international firms published by the International Auditing and Assurance Standards Board (IAASB).
AU-C 530: Auditing standard for private firms published by the American Institute of Certified Public Accountants (AICPA).
AS 2315: Auditing standard for public firms published by the Public Company Accounting Oversign Board (PCAOB).

All three standards present a similar explanation of statistical sampling. For instance, ISA 530 (International Auditing and Assurance Standards Board (IAASB), 2018) defines statistical audit sampling as a method that at minimum exhibits the following two characteristics:

Random selection of sample items,
The use of an appropriate statistical technique to evaluate sample results, including measurement of sampling risk.

According to auditing standards, any sampling approach that lacks these two characteristics is considered nonstatistical sampling.

In order to effectively utilize statistical sampling during an audit, it is necessary to tailor the approach to the specific circumstances of the audit. This may involve considering factors such as the size and complexity of the population, the materiality of the items being tested, and the level of inherent risk in the audit area. It is also essential for the auditor to document the sampling process in order to demonstrate compliance with auditing standards. The following sections will delve further into these crucial concepts in the context of statistical audit sampling.

1.2 Important Concepts

This section aims to delve into several theoretical concepts that are integral to statistical audit sampling.

1.2.1 Materiality

In an audit, materiality is the maximum amount of misstatement that can be present in the financial statements of the auditee before the auditor concludes that the financical statements are materially misstated, meaning that they contains misstatements that would influence the decisions of stakeholders relying on those statements.

The term performance materiality refers to the maximum amount of misstatement that can be present in a given population that is part of the financial statements before the auditor concludes that the population is materially misstated. Performance materiality is used by auditors to determine the appropriate level of testing to be performed on a population. The performance materiality is usually defined to be lower than the materiality because an individual population that is subject to audit sampling is often only a (small) part of the financial statements.

For example, consider an audit of a company’s financial statements for the year ended December 31, 2021. The auditor determines that the company’s accounts receivable balance is a large part of to the financial statements and decides to test a sample of the accounts receivable transactions to assess the accuracy of the balance. The auditor calculates the performance materiality for the accounts receivable balance by considering the materiality for the financial statements as a whole. If the auditor finds misstatements in the sample such that their estimate of the misstatement exceeds the performance materiality, the auditor would need to express an unqualified opinion on the population or would need to perform additional testing on the population. If the auditor finds misstatements in the sample such that their estimate of the misstatement does not exceed the performance materiality, the auditor would express a positive opinion on the financial statements.

1.2.2 Audit risk

After completing an audit and making any necessary corrections, an auditor will issue a written report stating whether the financial statements are accurate and free of material misstatement. The potential for this opinion to be incorrect is known as audit risk, and it is the auditor’s job to minimize this risk as much as possible.

For example, during an audit of a company’s financial statements, the auditor may carefully review documentation, perform tests of details via audit sampling, and speak with management in order to reduce the audit risk and provide a reliable opinion on the accuracy of the financial statements as a whole.

1.2.3 Population

In statistical inference, the term population refers to the entire group of individuals or items that have some common characteristic or interest, and about which we want to gather data or make inferences. A population can be as large as all the people in a country or, as is more sensible in auditing, as small as a group of employees in a specific department of a company.

For example, consider an audit of a company’s payroll records. The population in this case would be all the employees of the company, and the goal of the audit would be to gather data on their salaries, benefits, and other payroll-related information. The audit team would collect this data from a a representative group of employees (i.e., a sample) of the population and use statistical methods to draw conclusions about the entire population.

1.2.4 Sampling risk

There is a possibility that the results of an audit based on a sample may differ from the results if the entire population were examined using the same procedures. This is known as sampling risk. Sampling risk can result in two types of incorrect conclusions:

The first type is when, in a test of controls, the controls are perceived to be more effective than they actually are, or in a test of details, a material misstatement is believed to not exist when it actually does. This type of erroneous conclusion is particularly concerning for auditors because it can compromise the effectiveness of the audit and may lead to an inappropriate audit opinion.
The second type of incorrect conclusion is when, in a test of controls, the controls are perceived to be less effective than they actually are, or in a test of details, a material misstatement is believed to exist when it actually does not. This type of erroneous conclusion impacts the efficiency of the audit as it may require additional work to determine that the initial conclusions were incorrect.

Many audits are performed according to the audit risk model (ARM), which determines that the uncertainty about the auditor’s statement as a whole is a factor of three terms: the inherent risk, the control risk, and the detection risk (i.e., the sampling risk). Inherent risk is the risk posed by a misstatement in the auditees financial statements that could be material, before consideration of any related control systems (e.g., computer systems). Control risk is the risk that a material misstatement is not prevented or detected by the auditee’s internal control systems. Detection risk is the risk that the auditor will fail to find material misstatements that exist in the auditee’s financial statements. The ARM is practically useful because, for a given level of audit risk, the tolerable detection risk bears an inverse relation to the other two risks.

\[\begin{equation} \text{Audit risk} = \text{Inherent risk} \times \text{Control risk} \times \text{Detection risk} \end{equation}\]

Usually the auditor judges inherent risk and control risk on a three-point scale consisting of low, medium, and high. Different audit firms handle different standard percentages for these categories. Given an assessment of the inherent risk and the control risk, the detection risk can be calculated as:

\[\begin{equation} \text{Detection risk} = \frac{\text{Audit risk}}{\text{Inherent risk} \times \text{Control risk}} \end{equation}\]

Let’s consider an example. Suppose that, in their audit guide, an audit firm associates the following percentages with the categories high, medium and low:

High: 100 percent
Medium: 60 percent
Low: 50 percent

If an auditor is working with an audit risk of 0.05, or five percent, and judges inherent and control risk to both be medium, the sampling risk can be calculated as:

\[\begin{equation} \frac{0.05}{0.6 \times 0.6} = 0.139 \end{equation}\]

Note that the ARM is commonly used in practice but it is not a proper model of audit risk. For example, it is not possible to set one of the risks to zero, as that would result in an infinite detection risk (e.g., $\frac{0.05}{0 \times 1}$ = $\infty$).

1.2.5 Sample Size

The sample size is an important consideration in the context of audit sampling, as it determines the number of items that will be selected for testing during the audit process. This factor has an impact on both effectiveness and efficiency. In general, a larger sample size can provide a higher level of assurance, but it requires more audit effort to obtain and inspect. On the other hand, a smaller sample size offers a lower level of assurance, but it is less costly.

1.2.6 Notation

The table below summarizes the notation used in this book (middle column) and in the jfa R package (right column).

Meaning	Symbol	jfa
Probability of misstatement	$\theta$
Performance materiality	$\theta_{max}$	`materiality`
Expected deviation rate	$\theta_{exp}$	`expected`
Type-I error probability	$\alpha$	`1 - conf.level`
Type-II error probability	$\beta$
Population size	$N$	`N.units`
Population misstatements	$K$
Sample size	$n$	`n`
Observed misstatements	$k$	`x`

```{r echo = FALSE, cache = FALSE} source("utils.R", local = TRUE) ``` # Audit Sampling {#chap-foundations} Auditors use audit sampling as a technique to assess a selection of transactions or items within a population in order to form conclusions about the population as a whole. It is a cost-efficient method for examining the accuracy of financial information as it allows auditors to test a representative sample of the population rather than the entire population. In the field of auditing, sampling becomes necessary when the truth about a population is not readily accessible or discernible through other means. With the advent of modern technology, auditors often have access to an abundance of information about a population, which sometimes enables them to perform full population (i.e., integral) testing. Nonetheless, there are situations where a sample is still necessary due to the unavailability of complete data. For instance, an auditor may utilize analytical procedures to verify the consistency of payments with payment orders, but then must subsequently confirm the validity of these orders through detailed testing. In auditing, there are two primary methods of sampling: statistical and nonstatistical. Statistical sampling involves using probability theory to select a sample from the population and draw conclusions about the population based on the sample. Nonstatistical sampling, on the other hand, is based on the auditor's professional judgment and does not use statistical inference to come to a conclusion. This book does not cover nonstatistical sampling. International auditing standards prescribe the manner in which statistical sampling should be conducted in an audit. The following section discusses what these standards require from the auditor's approach to statistical sampling. ## Auditing Standards There are three auditing standards related to staistical sampling in the audit: - [ISA 530](https://www.ifac.org/system/files/downloads/a027-2010-iaasb-handbook-isa-530.pdf): Auditing standard for international firms published by the International Auditing and Assurance Standards Board (IAASB). - [AU-C 530](https://www.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00530.pdf): Auditing standard for private firms published by the American Institute of Certified Public Accountants (AICPA). - [AS 2315](https://pcaobus.org/oversight/standards/auditing-standards/details/AS2315): Auditing standard for public firms published by the Public Company Accounting Oversign Board (PCAOB). All three standards present a similar explanation of statistical sampling. For instance, ISA 530 [@ISA530] defines statistical audit sampling as a method that at minimum exhibits the following two characteristics: - Random selection of sample items, - The use of an appropriate statistical technique to evaluate sample results, including measurement of sampling risk. According to auditing standards, any sampling approach that lacks these two characteristics is considered nonstatistical sampling. In order to effectively utilize statistical sampling during an audit, it is necessary to tailor the approach to the specific circumstances of the audit. This may involve considering factors such as the size and complexity of the population, the materiality of the items being tested, and the level of inherent risk in the audit area. It is also essential for the auditor to document the sampling process in order to demonstrate compliance with auditing standards. The following sections will delve further into these crucial concepts in the context of statistical audit sampling. ## Important Concepts This section aims to delve into several theoretical concepts that are integral to statistical audit sampling. ### Materiality In an audit, materiality is the maximum amount of misstatement that can be present in the financial statements of the auditee before the auditor concludes that the financical statements are materially misstated, meaning that they contains misstatements that would influence the decisions of stakeholders relying on those statements. The term performance materiality refers to the maximum amount of misstatement that can be present in a given population that is part of the financial statements before the auditor concludes that the population is materially misstated. Performance materiality is used by auditors to determine the appropriate level of testing to be performed on a population. The performance materiality is usually defined to be lower than the materiality because an individual population that is subject to audit sampling is often only a (small) part of the financial statements. For example, consider an audit of a company's financial statements for the year ended December 31, 2021. The auditor determines that the company's accounts receivable balance is a large part of to the financial statements and decides to test a sample of the accounts receivable transactions to assess the accuracy of the balance. The auditor calculates the performance materiality for the accounts receivable balance by considering the materiality for the financial statements as a whole. If the auditor finds misstatements in the sample such that their estimate of the misstatement exceeds the performance materiality, the auditor would need to express an unqualified opinion on the population or would need to perform additional testing on the population. If the auditor finds misstatements in the sample such that their estimate of the misstatement does not exceed the performance materiality, the auditor would express a positive opinion on the financial statements. ### Audit risk After completing an audit and making any necessary corrections, an auditor will issue a written report stating whether the financial statements are accurate and free of material misstatement. The potential for this opinion to be incorrect is known as audit risk, and it is the auditor's job to minimize this risk as much as possible. For example, during an audit of a company's financial statements, the auditor may carefully review documentation, perform tests of details via audit sampling, and speak with management in order to reduce the audit risk and provide a reliable opinion on the accuracy of the financial statements as a whole. ### Population In statistical inference, the term population refers to the entire group of individuals or items that have some common characteristic or interest, and about which we want to gather data or make inferences. A population can be as large as all the people in a country or, as is more sensible in auditing, as small as a group of employees in a specific department of a company. For example, consider an audit of a company's payroll records. The population in this case would be all the employees of the company, and the goal of the audit would be to gather data on their salaries, benefits, and other payroll-related information. The audit team would collect this data from a a representative group of employees (i.e., a sample) of the population and use statistical methods to draw conclusions about the entire population. ### Sampling risk There is a possibility that the results of an audit based on a sample may differ from the results if the entire population were examined using the same procedures. This is known as sampling risk. Sampling risk can result in two types of incorrect conclusions: 1. The first type is when, in a test of controls, the controls are perceived to be more effective than they actually are, or in a test of details, a material misstatement is believed to not exist when it actually does. This type of erroneous conclusion is particularly concerning for auditors because it can compromise the effectiveness of the audit and may lead to an inappropriate audit opinion. 2. The second type of incorrect conclusion is when, in a test of controls, the controls are perceived to be less effective than they actually are, or in a test of details, a material misstatement is believed to exist when it actually does not. This type of erroneous conclusion impacts the efficiency of the audit as it may require additional work to determine that the initial conclusions were incorrect. Many audits are performed according to the audit risk model (ARM), which determines that the uncertainty about the auditor's statement as a whole is a factor of three terms: the inherent risk, the control risk, and the detection risk (i.e., the sampling risk). Inherent risk is the risk posed by a misstatement in the auditees financial statements that could be material, before consideration of any related control systems (e.g., computer systems). Control risk is the risk that a material misstatement is not prevented or detected by the auditee's internal control systems. Detection risk is the risk that the auditor will fail to find material misstatements that exist in the auditee's financial statements. The ARM is practically useful because, for a given level of audit risk, the tolerable detection risk bears an inverse relation to the other two risks. \begin{equation} \text{Audit risk} = \text{Inherent risk} \times \text{Control risk} \times \text{Detection risk} \end{equation} Usually the auditor judges inherent risk and control risk on a three-point scale consisting of low, medium, and high. Different audit firms handle different standard percentages for these categories. Given an assessment of the inherent risk and the control risk, the detection risk can be calculated as: \begin{equation} \text{Detection risk} = \frac{\text{Audit risk}}{\text{Inherent risk} \times \text{Control risk}} \end{equation} Let's consider an example. Suppose that, in their audit guide, an audit firm associates the following percentages with the categories high, medium and low: - High: 100 percent - Medium: 60 percent - Low: 50 percent If an auditor is working with an audit risk of 0.05, or five percent, and judges inherent and control risk to both be medium, the sampling risk can be calculated as: \begin{equation} \frac{0.05}{0.6 \times 0.6} = 0.139 \end{equation} Note that the ARM is commonly used in practice but it is not a proper model of audit risk. For example, it is not possible to set one of the risks to zero, as that would result in an infinite detection risk (e.g., $\frac{0.05}{0 \times 1}$ = $\infty$). ### Sample Size The sample size is an important consideration in the context of audit sampling, as it determines the number of items that will be selected for testing during the audit process. This factor has an impact on both effectiveness and efficiency. In general, a larger sample size can provide a higher level of assurance, but it requires more audit effort to obtain and inspect. On the other hand, a smaller sample size offers a lower level of assurance, but it is less costly. ### Notation The table below summarizes the notation used in this book (middle column) and in the **jfa** R package (right column). | Meaning | Symbol | **jfa** | |-----------------------------|----------------|------------------| | Probability of misstatement | $\theta$ | | | Performance materiality | $\theta_{max}$ | `materiality` | | Expected deviation rate | $\theta_{exp}$ | `expected` | | Type-I error probability | $\alpha$ | `1 - conf.level` | | Type-II error probability | $\beta$ | | | Population size | $N$ | `N.units` | | Population misstatements | $K$ | | | Sample size | $n$ | `n` | | Observed misstatements | $k$ | `x` |