STANDARD ON INTERNAL AUDIT (SIA) 5
SAMPLING*
Contents
Paragraph(s)
Introduction....................................................................................... 1-2
Definitions......................................................................................... 3-9
Use of Sampling in Risk Assessment Procedures and
Tests of Controls .......................................................................... 10-12
Design of the Sample ................................................................... 13-19
Sample Size ................................................................................. 20-21
Statistical and Non-Statistical Approaches .................................. 22-26
Selection of the Sample ............................................................... 27-28
Evaluation of Sample Results ...................................................... 29-38
Documentation ...................................................................................39
Effective Date .....................................................................................40
Examples of Factors Influencing Sample Size for Tests of Controls
Examples of Factors Influencing Sample Size for Tests of Details
(TOD)
Methods of Sample Selection
Frequency of Control Activity and Sample Size
The following is the text of the Standard on Internal Audit (SIA) 5,
Sampling, issued by the Council of the Institute of Chartered
Accountants of India. These Standards should be read in
conjunction with the Preface to the Standards on Internal Audit,
issued by the Institute.
In terms of the decision of the Council of the Institute of Chartered
Accountants of India taken at its 260 th meeting held in June 2006,
the following Standard on Internal Audit shall be recommendatory
in nature in the initial period. The Standards shall become
mandatory from such date as notified by the Council.
*
Published in the October 2008 issue of The Chartered Accountant.
Standard on Internal Audit (SIA) 5
Introduction
1. The purpose of this Standard on Internal Audit (SIA) is to establish
standards on the design and selection of an audit sample and provide
guidance on the use of audit sampling in internal audit engagements.
The SIA also deals with the evaluation of the sample results. This SIA
applies equally to both statistical and non-statistical sampling
methods. Either method, when properly applied, can provide sufficient
appropriate audit evidence.
2. When using either statistical or non-statistical sampling methods,
the internal auditor should design and select an audit sample,
perform audit procedures thereon, and evaluate sample results
so as to provide sufficient appropriate audit evidence to meet the
objectives of the internal audit engagement unless otherwise
specified by the client.
Definitions
3. "Audit sampling" means the application of audit procedures to less
than 100% of the items within an account balance or class of
transactions to enable the internal auditor to obtain and evaluate audit
evidence about some characteristic of the items selected in order to
form a conclusion concerning the population. Certain testing
procedures, however, do not come within the definition of sampling.
Tests performed on 100% of the items within a population do not
involve sampling. Likewise, applying internal audit procedures to all
items within a population which have a particular characteristic (for
example, all items over a certain amount) does not qualify as audit
sampling with respect to the portion of the population examined, nor
with regard to the population as a whole, since the items were not
selected from the total population on a basis that was expected to be
representative. Such items might imply some characteristic of the
remaining portion of the population but would not necessarily be the
basis for a valid conclusion about the remaining portion of the
population.
2
Sampling
4. "Error" means either control deviations when performing tests of
controls, or misstatements, when performing tests of details.
5. "Population'' means the entire set of data from which the sample is
selected and about which the internal auditor wishes to draw
conclusions. A population may be divided into various strata, or sub-
populations, with each stratum being examined separately.
6. "Sampling risk`" means the risk that from the possibility that the
internal auditor's conclusions, based on examination of a sample may
be different from the conclusion reached if the entire population was
subjected to the same types of internal audit procedure. The two types
of sampling risk are
(a) The risk that the internal auditor concludes, in the case of tests
of controls (TOC), that controls are more effective than they
actually are, or in the case of tests of details (TOD), that a
material error or misstatement does not exist when in fact it
does.
(b) The risk that the internal auditor concludes, in the case of tests
of controls (TOC), that controls are less effective than they
actually are, or in the case of tests of details (TOD), that a
material error or misstatement exists when in fact it does not.
The mathematical complements of these risks are termed confidence
levels.
7. "Sampling unit" means the individual items or units constituting a
population, for example, credit entries in bank statements, sales
invoices or debtors' balances.
8. "Statistical sampling" means any approach to sampling procedure
which has the following characteristics
(a) Random selection of a sample; and
(b) Use of theory of probability to evaluate sample results,
including measurement of sampling risk.
3
Standard on Internal Audit (SIA) 5
9. "Tolerable error" means the maximum error in a population that the
internal auditor is willing to accept.
Use of Sampling in Risk Assessment Procedures and
Tests of Controls
10. The internal auditor performs risk assessment procedures to obtain an
understanding of the entity, business and its environment, including
the mechanism of its internal control. Ordinarily, risk assessment
procedures do not involve the use of sampling. However, there are
cases, where the internal auditor often plans and performs tests of
controls concurrently with obtaining an understanding of the design of
controls and examining whether they have been implemented.
11. Tests of controls are performed when the internal auditor`s risk
assessment includes an expectation of the operating effectiveness of
controls. Sampling of tests of controls is appropriate when application
of the control leaves audit evidence of performance (for example,
initials of the credit manager on a sales invoice indicating formal credit
approval).
12. Sampling risk can be reduced by increasing sample size for both tests
of controls and tests of details. Non-sampling risk can be reduced by
proper engagement planning, supervision, monitoring and review.
Design of the Sample
13. When designing an audit sample, the internal auditor should
consider the specific audit objectives, the population from which
the internal auditor wishes to sample, and the sample size.
Internal Audit Objectives
14. The internal auditor would first consider the specific audit objectives to
be achieved and the internal audit procedures which are likely to best
achieve those objectives. In addition, when internal audit sampling is
appropriate, consideration of the nature of the audit evidence sought
and possible error conditions or other characteristics relating to that
4
Sampling
audit evidence will assist the internal auditor in defining what
constitutes an error and what population to use for sampling. For
example, when performing tests of controls over an entity's purchasing
procedures, the internal auditor will be concerned with matters such
as whether an invoice was clerically checked and properly approved.
On the other hand, when performing substantive procedures on
invoices processed during the period, the internal auditor will be
concerned with matters such as the proper reflection of the monetary
amounts of such invoices in the periodic financial statements. When
performing tests of controls, the internal auditor makes an assessment
of the rate of error the internal auditor expects to find in the population
to be tested. This assessment is on the basis of the internal auditor's
understanding of the design of the relevant controls, and whether they
have actually been implemented or the examination of a small number
of items from the population.
Population
15. The population is the entire set of data from which the internal auditor
wishes to sample in order to reach a conclusion. The internal auditor
will need to determine that the population from which the sample is
drawn is appropriate for the specific audit objective. For example, if
the internal auditor's objective were to test for overstatement of
accounts receivable, the population could be defined as the accounts
receivable listing. On the other hand, when testing for understatement
of accounts payable, the population would not be the accounts
payable listing, but rather subsequent disbursements, unpaid invoices,
suppliers' statements, unmatched receiving reports, or other
populations that would provide audit evidence of understatement of
accounts payable.
16. The individual items that make up the population are known as
sampling units. The population can be divided into sampling units in a
variety of ways. For example, if the internal auditor's objective were to
test the validity of accounts receivables, the sampling unit could be
defined as customer balances or individual customer invoices. The
internal auditor defines the sampling unit in order to obtain an efficient
and effective sample to achieve the particular audit objectives.
5
Standard on Internal Audit (SIA) 5
17. It is important for the internal auditor to ensure that the population is
appropriate to the objective of the internal audit procedure, which will
include consideration of the direction of testing. The population also
needs to be complete, which means that if the internal auditor intends
to use the sample to draw conclusions about whether a control activity
operated effectively during the financial reporting period, the
population needs to include all relevant items from throughout the
entire period.
18. When performing the audit sampling, the internal auditor performs
internal audit procedures to ensure that the information upon which
the audit sampling is performed is sufficiently complete and accurate.
Stratification
19. To assist in the efficient and effective design of the sample,
stratification may be appropriate. Stratification is the process of
dividing a population into sub-populations, each of which is a group of
sampling units, which have similar characteristics (often monetary
value). The strata need to be explicitly defined so that each sampling
unit can belong to only one stratum. This process reduces the
variability of the items within each stratum. Stratification, therefore,
enables the internal auditor to direct audit efforts towards the items
which, for example, contain the greatest potential monetary error. For
example, the internal auditor may direct attention to larger value items
for accounts receivable to detect overstated material misstatements.
In addition, stratification may result in a smaller sample size.
Sample Size
20. When determining the sample size, the internal auditor should
consider sampling risk, the tolerable error, and the expected
error. The lower the risk that the internal auditor is willing to accept,
the greater the sample size needs to be. Examples of some factors
affecting sample size are contained in Appendix 1 and Appendix 2 to
the Standard.
6
Sampling
21. The sample size can be determined by the application of a statistically
based formula or through exercise of professional judgment applied
objectively to the circumstances of the particular internal audit
engagement.
Statistical and Non-Statistical Approaches
22. The decision of using either statistical or non-statistical sampling
approach is a matter for the internal auditor's professional judgment.
In the case of tests of controls, the internal auditor's analysis of the
nature and cause of errors will often be of more importance than the
statistical analysis of the mere presence or absence of errors. In such
case, non-statistical sampling approach may be preferred.
23. When applying statistical sampling, sample size may be ascertained
using either probability theory or professional judgment. Sample size
is a function of several factors. Appendices 1 and 2 discuss some of
these factors.
Tolerable Error
24. Tolerable error is the maximum error in the population that the internal
auditor would be willing to accept and still conclude that the result
from the sample has achieved the objective(s) of the internal audit.
Tolerable error is considered during the planning stage and, for
substantive procedures, is related to the internal auditor's judgement
about materiality. The smaller the tolerable error, the greater the
sample size will need to be.
25. In tests of controls, the tolerable error is the maximum rate of
deviation from a prescribed control procedure that the internal auditor
would be willing to accept, based on the preliminary assessment of
control risk. In substantive procedures, the tolerable error is the
maximum monetary error in an account balance or class of
transactions that the internal auditor would be willing to accept so that
when the results of all audit procedures are considered, the internal
auditor is able to conclude, with reasonable assurance, that the
financial statements are not materially misstated.
7
Standard on Internal Audit (SIA) 5
Expected Error
26. If the internal auditor expects error to be present in the population, a
larger sample than when no error is expected ordinarily needs to be
examined to conclude that the actual error in the population is not
greater than the planned tolerable error. Smaller sample sizes are
justified when the population is expected to be error free. In
determining the expected error in a population, the internal auditor
would consider such matters as error levels identified in previous
internal audits, changes in the entity's procedures, and evidence
available from other procedures.
Selection of the Sample
27. The internal auditor should select sample items in such a way
that the sample can be expected to be representative of the
population. This requires that all items or sampling units in the
population have an opportunity of being selected.
28. While there are a number of selection methods, three methods
commonly used are:
Random selection and use of CAATs
Systematic selection
Haphazard selection
Appendix 3 to the Standard discusses these methods.
Evaluation of Sample Results
29. Having carried out, on each sample item, those audit procedures
that are appropriate to the particular audit objective, the internal
auditor should:
(a) analyse the nature and cause of any errors detected in the
sample;
(b) project the errors found in the sample to the population;
(c) reassess the sampling risk; and
8
Sampling
(d) consider their possible effect on the particular internal
audit objective and on other areas of the internal audit
engagement.
30. The internal auditor should evaluate the sample results to
determine whether the assessment of the relevant characteristics
of the population is confirmed or whether it needs to be revised.
Analysis of Errors in the Sample
31. In analysing the errors detected in the sample, the internal auditor will
first need to determine that an item in question is in fact an error. In
designing the sample, the internal auditor will have defined those
conditions that constitute an error by reference to the audit objectives.
For example, in a substantive procedure relating to the recording of
accounts receivable, a mis-posting between customer accounts does
not affect the total accounts receivable. Therefore, it may be
inappropriate to consider this an error in evaluating the sample results
of this particular procedure, even though it may have an effect on
other areas of the audit such as the assessment of doubtful accounts.
32. When the expected audit evidence regarding a specific sample item
cannot be obtained, the internal auditor may be able to obtain
sufficient appropriate audit evidence through performing alternative
procedures. For example, if a positive account receivable confirmation
has been requested and no reply was received, the internal auditor
may be able to obtain sufficient appropriate audit evidence that the
receivable is valid by reviewing subsequent payments from the
customer. If the internal auditor does not, or is unable to, perform
satisfactory alternative procedures, or if the procedures performed do
not enable the internal auditor to obtain sufficient appropriate audit
evidence, the item would be treated as an error.
33. The internal auditor would also consider the qualitative aspects of the
errors. These include the nature and cause of the error and the
possible effect of the error on other phases of the audit.
34. In analysing the errors discovered, the internal auditor may observe
that many have a common feature, for example, type of transaction,
9
Standard on Internal Audit (SIA) 5
location, product line, or period of time. In such circumstances, the
internal auditor may decide to identify all items in the population which
possess the common feature, thereby producing a sub-population, and
extend audit procedures in this area. The internal auditor would then
perform a separate analysis based on the items examined for each
sub-population.
Projection of Errors
35. The internal auditor projects the error results of the sample to the
population from which the sample was selected. There are several
acceptable methods of projecting error results. However, in all the
cases, the method of projection will need to be consistent with the
method used to select the sampling unit. When projecting error
results, the internal auditor needs to keep in mind the qualitative
aspects of the errors found. When the population has been divided
into sub-population, the projection of errors is done separately for
each sub-population and the results are combined.
36. For tests of controls, no explicit projection of errors is necessary since
the sample error rate is also the projected rate of error for the
population as a whole.
Reassessing Sampling Risk
37. The internal auditor needs to consider whether errors in the population
might exceed the tolerable error. To accomplish this, the internal
auditor compares the projected population error to the tolerable error
taking into account the results of other audit procedures relevant to
the specific control or financial statement assertion. The projected
population error used for this comparison in the case of substantive
procedures is net of adjustments made by the entity. When the
projected error exceeds tolerable error, the internal auditor reassesses
the sampling risk and if that risk is unacceptable, would consider
extending the audit procedure or performing alternative internal audit
procedures.
10
Sampling
38. If the evaluation of sample results indicate that the assessment of the
relevant characteristic of the population needs to be revised, the
internal auditor, may:
(a) Request management to investigate the identified errors and the
potential for any further errors, and to make necessary
adjustments, in cases where management prescribes the sample
size; and / or
(b) Modify the nature, timing and extent of internal audit procedures.
In case of tests of controls, the internal auditor might extend the
sample size, test an alternative control or modify related
substantive procedures; and / or
(c) Consider the effect on the Internal Audit Report.
Documentation
39. Documentation provides the essential support to the opinion and/ or
findings of the internal auditor. In the context of sampling, the internal
auditor's documentation may include aspects such as:
i. Relationship between the design of the sample vis a vis specific
audit objectives, population from which sample is drawn and the
sample size.
ii. Assessment of the expected rate of error in the population to be
tested vis a vis auditor's understanding of the design of the
relevant controls
iii. Assessment of the sampling risk and the tolerable error.
iv. Assessment of the nature and cause of errors.
v. Rationale for using a particular sampling technique and results
thereof.
vi. Analysis of the nature an cause of any errors detected in the
sample.
vii. Projection of the errors found in the sample to the population.
viii. Reassessment of sampling risk, where appropriate.
ix. Effect of the sample results on the internal audit's objective(s).
11
Standard on Internal Audit (SIA) 5
x. Projection of sample results to the characteristics of the
population.
Effective Date
40. This Standard on Internal Audit is applicable to all internal audits
commencing on or after______. Earlier application of the SIA is
encouraged.
12
Sampling
Appendix 1
Examples of Factors Influencing Sample Size for Tests of
Controls
The following are some factors which the internal auditor considers when
determining the sample size required for tests of controls (TOC). These
factors need to be considered together assuming the internal auditor does
not modify the nature or timing of TOC or otherwise modify the approach to
substantive procedures in response to assessed risks.
Factor to be considered by Internal Auditor Effect on sample
size
An increase in the extent to which the risk of material Increase
misstatement is reduced by the operating
effectiveness of controls
An increase in the rate of deviation from the Decrease
prescribed control activity that the internal auditor is
willing to accept
An increase in the rate of deviation from the Increase
prescribed control activity that the internal auditor
expects to find in the population
An increase in the internal auditor's required Increase
confidence level
An increase in the number of sampling units in the Negligible effect
population
Notes
1. Other things being equal, the more the internal auditor relies on the
operating effectiveness of controls in risk assessment, the greater is the
extent of the internal auditor's tests of controls, and hence the sample
size is increased.
13
Standard on Internal Audit (SIA) 5
2. The lower the rate of deviation that the internal auditor is willing to
accept, the larger the sample size needs to be.
3. The higher the rate of deviation that the internal auditor expects, the
larger the sample size needs to be so as to make a reasonable estimate
of the actual rate of deviation.
4. The higher the degree of confidence that the internal auditor requires
that the results of the sample are indicative of the actual incidence of
errors in the population, the larger the sample size needs to be.
5. For large populations, the actual population size has little effect on
sample size. For small populations, sampling is often not as efficient as
alternative means of obtaining sufficient appropriate audit evidence.
14
Sampling
Appendix 2
Examples of Factors Influencing Sample Size for Tests of
Details (TOD)
The following are some factors which the internal auditor considers when
determining the sample size required for tests of details (TOD). These factors
need to be considered together assuming the internal auditor does not modify
the nature or timing of TOD or otherwise modify the approach to substantive
procedures in response to assessed risks.
Factor to be considered by Internal Auditor Effect on
sample size
An increase in the internal auditor's assessment of the Increase
risk of material misstatement
An increase in the use of other substantive procedures by Decrease
the internal auditor, directed at the same assertion
An increase in the total error that the internal auditor is Decrease
willing to accept (Tolerable Error)
Stratification of the population when appropriate Decrease
An increase in the amount of error which the internal Increase
auditor expects to find in the population
An increase in the internal auditor's required confidence Increase
level
The number of sampling units in the population Negligible
effect
15
Standard on Internal Audit (SIA) 5
Appendix 3
Methods of Sample Selection
The principal methods of sample selection are as
1. Using a computerised random number generator or through random
number tables.
2. Systematic selection In this method, the number of sampling units in the
population is divided by the sample size to give a sampling interval, for
example 20, and having thus determined a starting point within the first 20,
each 20th sampling unit thereafter is selected. Although the starting point
may be haphazardly determined, the sample is likely to be truly random if
the same is determined by using a computerised random number generator
or random number tables. In this method, the internal auditor would need to
determine that sampling units within the population are not structured in
such a way that the sampling interval corresponds with any particular
pattern within the population.
3. Haphazard selection In this method, the internal auditor selects the
sample without following any structured technique. The internal auditor
should attempt to ensure that all items within the population have a
chance of selection, without having any conscious bias or
predictability. This method is not appropriate when using statistical
sampling technique.
4. Block selection This method involves selection of a block(s) of adjacent
or contiguous items from within the population. Block selection normally
cannot be used in internal audit sampling because most populations are
structured in such a manner that items forming a sequence can be
expected to have similar characteristics to each other, but different
characteristics from items elsewhere in the population. This method would
not be an appropriate sample selection technique when the internal auditor
intends to draw valid inferences about the entire population, based on the
sample.
16
Sampling
Appendix 4
Frequency of Control Activity and Sample Size
The following guidance related to the frequency of the performance of control
may be considered when planning the extent of tests of operating effectiveness
of manual controls for which control deviations are not expected to be found. The
internal auditor may determine the appropriate number of control occurrences to
test based on the following minimum sample size for the frequency of the control
activity dependant on whether assessment has been made on a lower or higher
risk of failure of the control.
Frequency of control activity Minimum sample size
Risk of failure
Lower Higher
Annual 1 1
Quarterly (including period- end, i.e., +1) 1+1 1+1
Monthly 2 3
Weekly 5 8
Daily 15 25
Recurring manual control (multiple times 25 40
per day)
Note : Although +1 is used to indicate that the periodend control is tested, this
does not mean that for more frequent control operations the year-end operation
cannot be tested.
17
|