Sampling risk

Sampling risk is one of the many types of risk an auditor may face when performing the necessary procedure of audit sampling. Audit sampling exists because examining all (100%) of a client's records or books is impractical and costly. As a result, a "sample" of a client's accounts is examined. [1] Due to the negative effects produced by sampling risk, an auditor may have to perform additional procedures, which in turn can impact the overall efficiency of the audit. [2]

Sampling risk represents the possibility that an auditor's conclusion based on a sample is different from the conclusion that would be reached if the entire population were subject to the audit procedure. The auditor may conclude that material misstatements exist when in fact they do not, or that material misstatements do not exist when in fact they do. Auditors can lower the sampling risk by increasing the sample size.

Although there are many types of risk associated with the audit process, each type primarily has an effect on the overall audit engagement. The effects produced by sampling risk can generally increase audit risk, the risk that an entity's financial statements will contain a material misstatement even though an unqualified ('clean') audit report is given. Sampling risk can also increase detection risk, the possibility that an auditor will not find material misstatements relating to the financial statements through substantive tests and analysis. [3]

Types of sampling risk

Typical scenarios

Auditors must often make professional judgments in assessing sampling risk. When testing samples, the auditor is primarily concerned with two aspects of sampling risk: [4]

Risk of accepting incorrect data: the sample supports the conclusion that the recorded account balance is not materially misstated when it is materially misstated.

Risk of incorrect rejection: the risk that the sample supports the conclusion that the recorded account balance is materially misstated when it is not materially misstated.

In addition, the auditor is concerned with sampling risk and its relationship with controls. Two types of sampling risk relating to control risk are:

Assessing too low: the risk that the assessed level of control risk based on the sample is less than the true operating effectiveness of the control.

Assessing too high: the risk that the assessed level of control risk based on the sample is greater than the true operating effectiveness of the control.

Sample selection

There are two approaches to audit sampling: non-statistical and statistical. Statistical sampling can assist the auditor in three ways: maximizing productivity with minimum wasted effort in designing the sample, measuring the sufficiency of the evidence taken during the audit, and analyzing the results. The statistical approach allows the auditor to measure the risk that is being sampled to help in reducing it to an acceptable level. With respect to performing samples, statistical sampling involves different kinds of costs, such as training the auditors, designing individual samples to meet the requirements, and choosing the items to be examined. If there is insufficient audit evidence, it is the responsibility of the auditor to choose between the non-statistical and statistical sampling approaches, considering their effectiveness and related costs. [4]

Although exercising careful judgment is crucial during every step of the sampling process, it is especially necessary when choosing the non-statistical approach. This method does not use tables or statistical percentages; it relies instead on the auditor's professional judgment and on the policy implemented by the firm. Under this approach, it is common practice for most accounting firms to create universal guidelines for auditors in order to determine a proper sample size. For example, if a given client's control risk is high, a firm would typically require a high sample size when selecting records.

In order to successfully gather a sample, it is important to consider the collection as a whole and the relevance of the particular items. The most common successful method is to select an even number of items which accurately represents the list as a whole. Selecting only large or small numbers could distort the sample, which creates risk.

References

  1. "Audit Sampling Requires Auditor Judgment". The Agency Examiner. Retrieved 30 January 2013.
  2. "What is Sampling Risk in Auditing?". Pak Accountants. Retrieved 30 January 2013.
  3. "Detection Risk". Investopedia. Retrieved 30 January 2013.
  4. "AU Section 350" (pdf). Audit Sampling. AICPA. Retrieved 30 January 2013.