The following is the text of the Standard on Internal Audit (SIA) 5, Sampling, issued by the Council of the Institute of Chartered Accountants of India. These Standards should be read in conjunction with the Preface to the Standards on Internal Audit, issued by the Institute.
In terms of the decision of the Council of the Institute of Chartered Accountants of India taken at its 260th meeting held in June 2006, the following Standard on Internal Audit shall be recommendatory in nature in the initial period. The Standards shall become mandatory from such date as notified by the Council.
1. The purpose of this Standard on Internal Audit (SIA) is to establish standards on the design and selection of an audit sample and provide guidance on the use of audit sampling in internal audit engagements. The SIA also deals with the evaluation of the sample results. This SIA applies equally to both statistical and non-statistical sampling methods. Either method, when properly applied, can provide sufficient appropriate audit evidence.
2. When using either statistical or non-statistical sampling methods, the internal auditor should design and select an audit sample, perform audit procedures thereon, and evaluate sample results so as to provide sufficient appropriate audit evidence to meet the objectives of the internal audit engagement unless otherwise specified by the client.
3. “Audit sampling” means the application of audit procedures to less than 100% of the items within an account balance or class of transactions to enable the internal auditor to obtain and evaluate audit evidence about some characteristic of the items selected in order to form a conclusion concerning the population. Certain testing procedures, however, do not come within the definition of sampling. Tests performed on 100% of the items within a population do not involve sampling. Likewise, applying internal audit procedures to all items within a population which have a particular characteristic (for example, all items over a certain amount) does not qualify as audit sampling with respect to the portion of the population examined, nor with regard to the population as a whole, since the items were not selected from the total population on a basis that was expected to be representative. Such items might imply some characteristic of the remaining portion of the population but would not necessarily be the basis for a valid conclusion about the remaining portion of the population.
4. “Error” means either control deviations when performing tests of controls, or misstatements, when performing tests of details.
5. “Population” means the entire set of data from which the sample is selected and about which the internal auditor wishes to draw conclusions. A population may be divided into various strata, or sub-populations, with each stratum being examined separately.
6. “Sampling risk‘” means the risk that from the possibility that the internal auditor’s conclusions, based on examination of a sample may be different from the conclusion reached if the entire population was subjected to the same types of internal audit procedure. The two types of sampling risk are –
(a) The risk that the internal auditor concludes, in the case of tests of controls (TOC), that controls are more effective than they actually are, or in the case of tests of details (TOD), that a material error or misstatement does not exist when in fact it does.
(b) The risk that the internal auditor concludes, in the case of tests of controls (TOC), that controls are less effective than they actually are, or in the case of tests of details (TOD), that a material error or misstatement exists when in fact it does not.
The mathematical complements of these risks are termed confidence levels.
7. “Sampling unit” means the individual items or units constituting a population, for example, credit entries in bank statements, sales invoices or debtors’ balances.
8. “Statistical sampling” means any approach to sampling procedure which has the following characteristics –
(a) Random selection of a sample; and
(b) Use of theory of probability to evaluate sample results, including measurement of sampling risk.
9. “Tolerable error” means the maximum error in a population that the internal auditor is willing to accept.
Use of Sampling in Risk Assessment Procedures and Tests of Controls
10. The internal auditor performs risk assessment procedures to obtain an understanding of the entity, business and its environment, including the mechanism of its internal control. Ordinarily, risk assessment procedures do not involve the use of sampling. However, there are cases, where the internal auditor often plans and performs tests of controls concurrently with obtaining an understanding of the design of controls and examining whether they have been implemented.
11. Tests of controls are performed when the internal auditor‘s risk assessment includes an expectation of the operating effectiveness of controls. Sampling of tests of controls is appropriate when application of the control leaves audit evidence of performance (for example, initials of the credit manager on a sales invoice indicating formal credit approval).
12. Sampling risk can be reduced by increasing sample size for both tests of controls and tests of details. Non-sampling risk can be reduced by proper engagement planning, supervision, monitoring and review.
Design of the Sample
13. When designing an audit sample, the internal auditor should consider the specific audit objectives, the population from which the internal auditor wishes to sample, and the sample size.
Internal Audit Objectives
14. The internal auditor would first consider the specific audit objectives to be achieved and the internal audit procedures which are likely to best achieve those objectives. In addition, when internal audit sampling is appropriate, consideration of the nature of the audit evidence sought and possible error conditions or other characteristics relating to that audit evidence will assist the internal auditor in defining what constitutes an error and what population to use for sampling. For example, when performing tests of controls over an entity’s purchasing procedures, the internal auditor will be concerned with matters such as whether an invoice was clerically checked and properly approved. On the other hand, when performing substantive procedures on invoices processed during the period, the internal auditor will be concerned with matters such as the proper reflection of the monetary amounts of such invoices in the periodic financial statements. When performing tests of controls, the internal auditor makes an assessment of the rate of error the internal auditor expects to find in the population to be tested. This assessment is on the basis of the internal auditor’s understanding of the design of the relevant controls, and whether they have actually been implemented or the examination of a small number of items from the population.
15. The population is the entire set of data from which the internal auditor wishes to sample in order to reach a conclusion. The internal auditor will need to determine that the population from which the sample is drawn is appropriate for the specific audit objective. For example, if the internal auditor’s objective were to test for overstatement of accounts receivable, the population could be defined as the accounts receivable listing. On the other hand, when testing for understatement of accounts payable, the population would not be the accounts payable listing, but rather subsequent disbursements, unpaid invoices, suppliers’ statements, unmatched receiving reports, or other populations that would provide audit evidence of understatement of accounts payable.
16. The individual items that make up the population are known as sampling units. The population can be divided into sampling units in a variety of ways. For example, if the internal auditor’s objective were to test the validity of accounts receivables, the sampling unit could be defined as customer balances or individual customer invoices. The internal auditor defines the sampling unit in order to obtain an efficient and effective sample to achieve the particular audit objectives.
17. It is important for the internal auditor to ensure that the population is appropriate to the objective of the internal audit procedure, which will include consideration of the direction of testing. The population also needs to be complete, which means that if the internal auditor intends to use the sample to draw conclusions about whether a control activity operated effectively during the financial reporting period, the population needs to include all relevant items from throughout the entire period.
18. When performing the audit sampling, the internal auditor performs internal audit procedures to ensure that the information upon which the audit sampling is performed is sufficiently complete and accurate.
19. To assist in the efficient and effective design of the sample, stratification may be appropriate. Stratification is the process of dividing a population into sub-populations, each of which is a group of sampling units, which have similar characteristics (often monetary value). The strata need to be explicitly defined so that each sampling unit can belong to only one stratum. This process reduces the variability of the items within each stratum. Stratification, therefore, enables the internal auditor to direct audit efforts towards the items which, for example, contain the greatest potential monetary error. For example, the internal auditor may direct attention to larger value items for accounts receivable to detect overstated material misstatements. In addition, stratification may result in a smaller sample size.
20. When determining the sample size, the internal auditor should consider sampling risk, the tolerable error, and the expected error. The lower the risk that the internal auditor is willing to accept, the greater the sample size needs to be. Examples of some factors affecting sample size are contained in Appendix 1 and Appendix 2 to the Standard.
21. The sample size can be determined by the application of a statistically based formula or through exercise of professional judgment applied objectively to the circumstances of the particular internal audit engagement.
Statistical and Non-Statistical Approaches
22. The decision of using either statistical or non-statistical sampling approach is a matter for the internal auditor’s professional judgment. In the case of tests of controls, the internal auditor’s analysis of the nature and cause of errors will often be of more importance than the statistical analysis of the mere presence or absence of errors. In such case, non-statistical sampling approach may be preferred.
23. When applying statistical sampling, sample size may be ascertained using either probability theory or professional judgment. Sample size is a function of several factors. Appendices 1 and 2 discuss some of these factors.
24. Tolerable error is the maximum error in the population that the internal auditor would be willing to accept and still conclude that the result from the sample has achieved the objective(s) of the internal audit. Tolerable error is considered during the planning stage and, for substantive procedures, is related to the internal auditor’s judgement about materiality. The smaller the tolerable error, the greater the sample size will need to be.
25. In tests of controls, the tolerable error is the maximum rate of deviation from a prescribed control procedure that the internal auditor would be willing to accept, based on the preliminary assessment of control risk. In substantive procedures, the tolerable error is the maximum monetary error in an account balance or class of transactions that the internal auditor would be willing to accept so that when the results of all audit procedures are considered, the internal auditor is able to conclude, with reasonable assurance, that the financial statements are not materially misstated.
26. If the internal auditor expects error to be present in the population, a larger sample than when no error is expected ordinarily needs to be examined to conclude that the actual error in the population is not greater than the planned tolerable error. Smaller sample sizes are justified when the population is expected to be error free. In determining the expected error in a population, the internal auditor would consider such matters as error levels identified in previous internal audits, changes in the entity’s procedures, and evidence available from other procedures.
Selection of the Sample
27. The internal auditor should select sample items in such a way that the sample can be expected to be representative of the population. This requires that all items or sampling units in the population have an opportunity of being selected.
28. While there are a number of selection methods, three methods commonly used are:
Appendix 3 to the Standard discusses these methods.
Evaluation of Sample Results
29. Having carried out, on each sample item, those audit procedures that are appropriate to the particular audit objective, the internal auditor should:
(a) analyse the nature and cause of any errors detected in the sample;
(b) project the errors found in the sample to the population;
(c) reassess the sampling risk; and
(d) consider their possible effect on the particular internal audit objective and on other areas of the internal audit engagement.
30. The internal auditor should evaluate the sample results to determine whether the assessment of the relevant characteristics of the population is confirmed or whether it needs to be revised.
Analysis of Errors in the Sample
31. In analysing the errors detected in the sample, the internal auditor will first need to determine that an item in question is in fact an error. In designing the sample, the internal auditor will have defined those conditions that constitute an error by reference to the audit objectives. For example, in a substantive procedure relating to the recording of accounts receivable, a mis-posting between customer accounts does not affect the total accounts receivable. Therefore, it may be inappropriate to consider this an error in evaluating the sample results of this particular procedure, even though it may have an effect on other areas of the audit such as the assessment of doubtful accounts.
32. When the expected audit evidence regarding a specific sample item cannot be obtained, the internal auditor may be able to obtain sufficient appropriate audit evidence through performing alternative procedures. For example, if a positive account receivable confirmation has been requested and no reply was received, the internal auditor may be able to obtain sufficient appropriate audit evidence that the receivable is valid by reviewing subsequent payments from the customer. If the internal auditor does not, or is unable to, perform satisfactory alternative procedures, or if the procedures performed do not enable the internal auditor to obtain sufficient appropriate audit evidence, the item would be treated as an error.
33. The internal auditor would also consider the qualitative aspects of the errors. These include the nature and cause of the error and the possible effect of the error on other phases of the audit.
34. In analysing the errors discovered, the internal auditor may observe that many have a common feature, for example, type of transaction, location, product line, or period of time. In such circumstances, the internal auditor may decide to identify all items in the population which possess the common feature, thereby producing a sub-population, and extend audit procedures in this area. The internal auditor would then perform a separate analysis based on the items examined for each sub-population.
Projection of Errors
35. The internal auditor projects the error results of the sample to the population from which the sample was selected. There are several acceptable methods of projecting error results. However, in all the cases, the method of projection will need to be consistent with the method used to select the sampling unit. When projecting error results, the internal auditor needs to keep in mind the qualitative aspects of the errors found. When the population has been divided into sub-population, the projection of errors is done separately for each sub-population and the results are combined.
36. For tests of controls, no explicit projection of errors is necessary since the sample error rate is also the projected rate of error for the population as a whole.
Reassessing Sampling Risk
37. The internal auditor needs to consider whether errors in the population might exceed the tolerable error. To accomplish this, the internal auditor compares the projected population error to the tolerable error taking into account the results of other audit procedures relevant to the specific control or financial statement assertion. The projected population error used for this comparison in the case of substantive procedures is net of adjustments made by the entity. When the projected error exceeds tolerable error, the internal auditor reassesses the sampling risk and if that risk is unacceptable, would consider extending the audit procedure or performing alternative internal audit procedures.
38. If the evaluation of sample results indicate that the assessment of the relevant characteristic of the population needs to be revised, the internal auditor, may:
(a) Request management to investigate the identified errors and the potential for any further errors, and to make necessary adjustments, in cases where management prescribes the sample size; and / or
(b) Modify the nature, timing and extent of internal audit procedures. In case of tests of controls, the internal auditor might extend the sample size, test an alternative control or modify related substantive procedures; and / or
(c) Consider the effect on the Internal Audit Report.
39. Documentation provides the essential support to the opinion and/ or findings of the internal auditor. In the context of sampling, the internal auditor’s documentation may include aspects such as:
i. Relationship between the design of the sample vis a vis specific audit objectives, population from which sample is drawn and the sample size.
ii. Assessment of the expected rate of error in the population to be tested vis a vis auditor’s understanding of the design of the relevant controls
iii. Assessment of the sampling risk and the tolerable error.
iv. Assessment of the nature and cause of errors.
v. Rationale for using a particular sampling technique and results thereof.
vi. Analysis of the nature an cause of any errors detected in the sample.
vii. Projection of the errors found in the sample to the population.
viii. Reassessment of sampling risk, where appropriate.
ix. Effect of the sample results on the internal audit’s objective(s).
x. Projection of sample results to the characteristics of the population.
40. This Standard on Internal Audit is applicable to all internal audits commencing on or after______. Earlier application of the SIA is encouraged.
Examples of Factors Influencing Sample Size for Tests of Controls
The following are some factors which the internal auditor considers when determining the sample size required for tests of controls (TOC). These factors need to be considered together assuming the internal auditor does not modify the nature or timing of TOC or otherwise modify the approach to substantive procedures in response to assessed risks.
|Factor to be considered by Internal Auditor||Effect on sample size|
|An increase in the extent to which the risk of material misstatement is reduced by the operating effectiveness of controls||Increase|
|An increase in the rate of deviation from the prescribed control activity that the internal auditor is willing to accept||Decrease|
|An increase in the rate of deviation from the prescribed control activity that the internal auditor expects to find in the population||Increase|
|An increase in the internal auditor’s required confidence level||Increase|
|An increase in the number of sampling units in the population||Negligible effect|
1. Other things being equal, the more the internal auditor relies on the operating effectiveness of controls in risk assessment, the greater is the extent of the internal auditor’s tests of controls, and hence the sample size is increased.
2. The lower the rate of deviation that the internal auditor is willing to accept, the larger the sample size needs to be.
3. The higher the rate of deviation that the internal auditor expects, the larger the sample size needs to be so as to make a reasonable estimate of the actual rate of deviation.
4. The higher the degree of confidence that the internal auditor requires that the results of the sample are indicative of the actual incidence of errors in the population, the larger the sample size needs to be.
5. For large populations, the actual population size has little effect on sample size. For small populations, sampling is often not as efficient as alternative means of obtaining sufficient appropriate audit evidence.
Examples of Factors Influencing Sample Size for Tests of Details (TOD)
The following are some factors which the internal auditor considers when determining the sample size required for tests of details (TOD). These factors need to be considered together assuming the internal auditor does not modify the nature or timing of TOD or otherwise modify the approach to substantive procedures in response to assessed risks.
|Factor to be considered by Internal Auditor||Effect on sample size|
|An increase in the internal auditor’s assessment of the risk of material misstatement||Increase|
|An increase in the use of other substantive procedures by the internal auditor, directed at the same assertion||Decrease|
|An increase in the total error that the internal auditor is willing to accept (Tolerable Error)||Decrease|
|Stratification of the population when appropriate||Decrease|
|An increase in the amount of error which the internal auditor expects to find in the population||Increase|
|An increase in the internal auditor’s required confidence level||Increase|
|The number of sampling units in the population||Negligible
Methods of Sample Selection
The principal methods of sample selection are as –
1. Using a computerised random number generator or through random number tables.
2. Systematic selection – In this method, the number of sampling units in the population is divided by the sample size to give a sampling interval, for example 20, and having thus determined a starting point within the first 20, each 20thsampling unit thereafter is selected. Although the starting point may be haphazardly determined, the sample is likely to be truly random if the same is determined by using a computerised random number generator or random number tables. In this method, the internal auditor would need to determine that sampling units within the population are not structured in such a way that the sampling interval corresponds with any particular pattern within the population.
3. Haphazard selection – In this method, the internal auditor selects the sample without following any structured technique. The internal auditor should attempt to ensure that all items within the population have a chance of selection, without having any conscious bias or predictability. This method is not appropriate when using statistical sampling technique.
4. Block selection – This method involves selection of a block(s) of adjacent or contiguous items from within the population. Block selection normally cannot be used in internal audit sampling because most populations are structured in such a manner that items forming a sequence can be expected to have similar characteristics to each other, but different characteristics from items elsewhere in the population. This method would not be an appropriate sample selection technique when the internal auditor intends to draw valid inferences about the entire population, based on the sample.
Frequency of Control Activity and Sample Size
The following guidance related to the frequency of the performance of control may be considered when planning the extent of tests of operating effectiveness of manual controls for which control deviations are not expected to be found. The internal auditor may determine the appropriate number of control occurrences to test based on the following minimum sample size for the frequency of the control activity dependant on whether assessment has been made on a lower or higher risk of failure of the control.
|Frequency of control activity||Minimum sample size|
|Risk of failure|
|Quarterly (including period- end, i.e., +1)||1+1||1+1|
|Recurring manual control (multiple times per day)||25||40|
Note : Although +1 is used to indicate that the period–end control is tested, this does not mean that for more frequent control operations the year-end operation cannot be tested.
* Published in the October 2008 issue of The Chartered Accountant.