CHAPTER 18
AUDIT SAMPLING FOR TESTS OF CONTROLS
I.

Review Questions
1.

A test of control procedure is a statement of
a.
b.

2.

Identification of a population from which sampling units are to be drawn.
Expression of an action taken to produce evidence about a client control
procedure.

Compliance deviations should be defined in advance so auditors will know what
to look for and will know one when they see it.
Seven Examples – Based on Seven General Control Objectives:

3.

Objective

Example

1.

Validity

1.

Sale recorded without supporting shipping
orders.

2.

Authorization

2.

Lack of credit manager approval for a credit
sale.

3.

Accuracy

3.

Mathematical errors in sales invoice
calculations.

4.

Classification

4.

Sales classified in wrong product line revenue

account.

5.

Proper Period

5.

Sales recorded in month (quarter, year) before
the actual shipment.

6.

Accounting

6.

Sales charges fail to be posted to a customer’s
account.

7.

Completeness

7.

Shipments fail to be billed to customers and
recorded as sales and receivables.

Judgments affecting sample size for test of controls auditing.

Judgment
1.

Acceptable risk of
assessing control risk
too low

Influence on sample size
Inverse.

The greater the acceptable risk,
the smaller the sample.


18-2

Solutions Manual - Assurance Principles, Professional Ethics…
2.

Acceptable risk of
assessing control risk
too high

Inverse.

The greater the acceptable risk,
the smaller the sample.

3.


Tolerable deviation
rate

Inverse.

The higher the tolerable rate, the
smaller the sample.

4.

Expected population
deviation rate (an
estimate rather than a
judgment)

Direct.

The higher the expected rate, the
larger the sample.

The sample size is also directly related to the population size, although the
influence is generally minor. The larger the population, the larger the sample,
but not much.
4.

The risk of assessing the control risk too low has the potential of affecting audit
effectiveness, thus damaging the quality of the audit for users. Professionally, in
light of responsibility to users, effectiveness is more important than efficiency,
which is affected by the risk of assessing the control risk too high.


5.

Expanded risk model: AR = IR x CR x AP x TD
Solve for TD, when: .048 = 1.0 x .4 x .6 x TD
TD

=

.048
1.0 x .4 x .6

=

.2

The tolerable misstatement (P10,000) and estimated standard deviation (P25.00)
are “noise” in the question.
6.

The “connection” is a direct relationship between control risk and the tolerable
deviation rate. (1) When larger values are planned for control risk (say, 0.95,
0.90) in an audit plan, more analytical procedure and test of detail work will be
done. Auditors will not rely very much on internal controls. Therefore, not
much help is expected from the controls anyway, so the tolerable deviation rate
can be larger. The direct relation is: The higher the control risk, the higher the
tolerable deviation rate can be. (2) When lower values are assigned to control
risk (say, 0.10, 0.20) in an audit plan, less analytical procedure and test of detail
work will be done. Auditors intend to rely on internal accounting controls.
Therefore, effective compliance with control policies and procedures is
important, and the tolerable deviation rate ought to be low. The direct relation

is: The higher the planned control risk, the higher the tolerable deviation rate
can be.


Audit Sampling for Tests of Controls

18-3

7.

Based on the specifications of risk of assessing control risk too low, tolerable
deviation rate and expected population deviation rate, sample sizes would be
determined independently for the two populations in the subdivision. If the
criteria are at least as stringent for each of the two as they would be for the
undivided population, the sum of the two sample sizes would be at least twice
the size of the sample figured for the single population (provided both
subdivided populations have 1,000 or more units).

8.

Further reduction of the assessed level of control risk is justified only when the
upper occurrence limit is <= the tolerable occurrence rate. Recall that the
tolerable occurrence rate is that rate of error beyond which the auditor cannot
justify further reduction in the assessed level of control risk. A calculated rate
which exceeds the tolerable rate, therefore, would suggest a level of error which
precludes any lowering of assessed control risk.

9.

Expected occurrence rate is the anticipated error rate in a population. It is set on

the basis of one or a combination of: The prior year’s audit; the auditor’s initial
understanding of internal control policies and procedures relative to the
transaction cycle subset; or a pilot sample of documents. The expected
occurrence rate has a positive effect on sample size.
The tolerable occurrence rate is the maximum error rate which the auditor
would accept while still lowering assessed control risk below maximum. The
auditor bases the tolerable rate on materiality of the attribute being tested. The
more critical an attribute to effective internal control, the lower the tolerable
occurrence rate. The tolerable occurrence rate has an inverse effect on sample
size.

10. Inherent risk is the risk that, in the absence of internal control, material errors or
irregularities will occur.
Control risk is the risk that internal financial control policies and procedures will
fail to prevent or detect material errors and irregularities.
Detection risk is the risk that material errors and irregularities, which are not
prevented or detected by internal financial control policies and procedures, will
not be detected by the independent audit.
II. Multiple Choice Questions
1.
2.
3.
4.
5.

d
b
a
d
c


6.
7.
8.
9.
10.

a
a
b
c
b

11.
12.
13.
14.
15.

b
d
c
a
b

16.
17.
18.
19.
20.


d
d
b
d
b

21. d
22. c


18-4

Solutions Manual - Assurance Principles, Professional Ethics…

III. Comprehensive Cases
Case 1. a.

b.

Case 2. a.

Control testing may be approached in three different ways, depending on
the nature of the controls. If a visible audit trail exists in the form of
documentation, the auditor examines documents, as appropriate, for the
purpose of evaluating the operating effectiveness of internal control
procedures. Evidence as to whether transactions have been executed in
accordance with management’s authorization and recorded in accordance
with GAAP is gathered through such examination. In the absence of a
visible audit trail, the auditor tests controls through observation or

reprocessing. The auditor observes the control environment and control
procedures, such as physical safeguards. In the presence of complex EDP
systems, the auditor may find transaction reprocessing the most effective
means for testing selected controls. Statistical sampling methods, involving
attribute sampling, are commonly applied to the first form of control testing.
Observation and reprocessing ordinarily do not require the use of statistical
sampling, although reprocessing may involve judgment sampling in
developing hypothetical transactions to process through the system.
1.
2.

attribute sampling application;
observation to determine effectiveness of the data processing function,
and to support accuracy of financial data; possibly reprocess a sample
of transactions through the system to test effectiveness;
3. observation and inquiry to determine separation of functional
responsibilities necessary to prevent employee fraud;
4. attribute sampling application;
5. observation (inspection of bank reconciliations) to support accuracy of
cash balances;
6. attribute sampling application;
7. observation (inspect client workpapers evidencing periodic check) to
support adequate safeguarding of documents and periodic inventories
and comparisons;
8. observation (inspect voided documents) to support document retention
control and prevent unauthorized use of documents to conceal fraud;
9. attribute sampling application;
10. observation (observe cash receipts processing) to support adequate
separation of functional responsibilities and prevent employee fraud.
Effect on sample size:

1. Positive effect (but only in population sizes under 2,000)
2. Positive effect
3. Inverse effect
4. Inverse effect.


Audit Sampling for Tests of Controls

18-5

b.

How determined:
2. Prior year’s audit; initial understanding of internal control; pilot
sample.
3. Materiality;
4. Materiality (but normally not to exceed 10%).

Case 3. a.

The remaining steps are as follows:
4. Define the attributes (characteristics) of interest to be tested (including
the criteria for establishing the existence of errors or deviant
conditions).
5. Set the tolerable occurrence rate that would support the initial
assessment.
6. Select a confidence level (quantify the risk of underassessment).
7. Estimate the population error rate (expected occurrence rate).
8. Determine the sample size.
9. Choose a method for randomly selecting a sample.

10. Perform the tests of control procedures.

b.

Statistical sampling methodology helps the auditor (a) to design an efficient
sample, (b) to measure the sufficiency of the evidential matter obtained, and
(c) to evaluate the sample results. By using a statistical sampling
methodology, the auditor can quantify sampling risk to assist in limiting it
to an acceptable level.