How can statistical audit sampling be used to select a sample for an audit?
In a compliance audit process, forming an audit opinion or conclusion does not necessarily come from examining all the available data in scope. It may be impractical to conduct an audit on a high-volume dataset or the entire dataset in scope to draw valid conclusions. This is where sampling comes into the audit process.
Audit sampling is a technique widely adopted in different types of financial and non-financial audit processes. It makes it possible for the auditor to obtain sufficient audit evidence to form valid conclusions and provide an opinion on the controls audited in the compliance process. The practice of audit sampling ensures efficient review and audit outcomes. In compliance audits for testing of controls, attribute sampling is typically used, where the sampling unit is an event or transaction. This article covers the purpose and importance of sampling in the audit process. But first, let us understand what sampling in the audit process is.

What is Audit Sampling?

A sample is a subset of a larger population. In audit sampling, less than 100% of the larger population is examined in the audit process. The auditor studies a small sample of the population to obtain reasonable assurance about the operating effectiveness of the much larger population. This helps the auditor achieve the audit objectives without having to examine every single item, which would otherwise require an impractical investment of time and resources.

When the auditor decides to adopt audit sampling for a compliance audit procedure, they use either statistical or non-statistical sampling to test the performance of controls and evaluate the results from the sample. However, the auditor must ensure the sample selected for the compliance audit process is an exact representation of the population in the scope of compliance.

It is also important to understand that at times the auditor may not adopt the audit sampling method for a specific audit. This may be because the auditor deems 100% testing appropriate for a population made up of a small number of items, because there is a significant risk of misrepresentation of samples, or because the auditor considers that sampling may not provide sufficient and appropriate audit evidence. Sometimes, as seen in standards such as PCI DSS, audit sampling is allowed only for specific controls and is not even a choice of the auditor.

Points to be considered when designing an Audit Sample

Sampling is a technique based on the assumption that every sample, by and large, has almost the same characteristics as the complete data that it represents. With this technique, however, there is always uncertainty in the level of accuracy and deviation in its overall outcome for the entire class of data. For these reasons, auditors should consider a few points regarding sample design, size, and selection of items for testing. So, when designing an audit sample, the auditor must consider:
The auditor typically adopts the following methods for selecting samples from the entire class or population of data. These include:
Haphazard sampling is a sampling method in which there is no systematic way of selecting samples. For instance, samples are randomly selected from an entire population of data across a system that has no specific sequence or cyclical or periodic order. They will be a random set of numbers or data that may not necessarily be representative of the entire population of data. So, this method gives only a very limited guarantee that the samples selected are representative of the entire population of data.

Potential Risk of Sampling Technique in Compliance Audit

In the sampling technique, there is always an implicit degree of uncertainty. This means that when a test of controls or a substantive test is restricted to just the selected sample, there is always a possibility of deviation in the outcome. The auditor's conclusion may be different from the conclusion they would reach if the test was applied to the entire class or population of data. For a given sample design, the sampling risk varies inversely with the sample size. So, for instance, with a smaller sample size, there is greater sampling risk.

Adopting the technique of sampling in an audit depends on the acceptance of such uncertainties. The justification for accepting a certain level of deviation depends on the cost and time required to examine all of the data and the adverse consequences of possible incorrect decisions based on the outcome of examining only a sample of the entire class of data. If this does not justify the acceptance of uncertainty, it is best to examine the entire population or class of data. However, since this is seldom the case and the basic concept of sampling is well established in auditing practice, it is a technique most commonly adopted in the audit process.

Why does an auditor use a sampling technique in the audit process?

Compliance audits are often conducted to verify an organization's current security posture against the given industry standards.
It is important to ensure that entities are not misrepresenting their compliance status and that relevant stakeholders do not make decisions based on faulty statements. It is important to establish trust and efficiency within the industry. The information generated from the audit process is useful for relevant decision-makers. However, the information provided needs to be accurate and fairly presented. So, sampling techniques are often adopted to speed up the audit while ensuring the accuracy and fairness of the results. No matter what kind of audit is performed, when the data sets are large, audit sampling must be adopted so that auditors can complete their audits without wasting resources on checking every single item in scope. The main purposes of the sampling audit can be identified as below:
Specifically, when it comes to SOC Attestation, there are four types of audit sampling techniques used (Simple Random Sampling, Systematic Sampling, Haphazard Sampling, and Block Sampling). The type of population, the way it is generated, and its size influence the choice of a specific audit sampling method. Ideally, SOC auditors must review their sampling methods to ensure they are aligned with the AICPA guidelines when performing their SOC audit process.

Conclusion

The purpose of audit sampling is to appropriately test the right samples and determine the operating effectiveness of controls in the organization. But before proceeding with this technique, the auditor should review and consider the sampling method, the sample size, and the acceptable rate of deviation. The auditor should consider the level of tolerable misstatement that the technique can lead to and the impact of misstatement. The auditor must investigate the possible effect on the purpose of the audit procedure and on the other audit areas. The auditor should also perform additional audit procedures to obtain substantial audit evidence that the misstatement or deviation does not affect the remainder of the population. Auditors should use their professional judgment to assess audit risk and establish appropriate procedures and methods for testing.

Why is statistical sampling useful in audit?

Statistical sampling provides greater objectivity in the sample selection and in the audit conclusion. Statistical sampling can provide a valid and defensible methodology, but it is important to match the type of sample needed to the type of analysis required.
What is the advantage of statistical sampling for internal auditors?

The primary benefit of statistical sampling is that it allows the internal auditor to quantify, measure, and control sampling risk.
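
The following added example (not part of the original article) shows what quantifying sampling risk looks like for attribute sampling of a control: a seeded simple random and a systematic selection that a reviewer can re-perform, and an exact one-sided upper limit on the population deviation rate, which shrinks as the sample grows. The ticket population, the seed, the 95% confidence level, the 5% tolerable rate and the binomial model are assumptions chosen for illustration.

```python
import math
import random

# Constructed population: 1,200 change tickets subject to an approval control.
POPULATION = [f"CHG-{i:04d}" for i in range(1, 1201)]

def simple_random_sample(population, n, seed):
    """Every item has an equal chance; recording the seed lets a reviewer re-perform the selection."""
    return random.Random(seed).sample(population, n)

def systematic_sample(population, n, seed):
    """Every k-th item (k = N // n), beginning at a random start in [0, k)."""
    k = len(population) // n
    start = random.Random(seed).randrange(k)
    return [population[start + i * k] for i in range(n)]

def binom_cdf(x, n, p):
    """P(X <= x) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(x + 1))

def upper_deviation_limit(deviations, n, confidence=0.95):
    """Exact one-sided upper bound on the population deviation rate.

    Assumes a binomial model (population large relative to the sample).
    Solves P(X <= deviations | n, p) = 1 - confidence for p by bisection.
    """
    if deviations >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > 1 - confidence:
            lo = mid  # the bound lies above mid
        else:
            hi = mid
    return hi

def control_supported(deviations, n, tolerable_rate, confidence=0.95):
    """The sample supports reliance only if the upper limit is within the tolerable rate."""
    return upper_deviation_limit(deviations, n, confidence) <= tolerable_rate

if __name__ == "__main__":
    print(simple_random_sample(POPULATION, 60, seed=2024)[:5])
    print(systematic_sample(POPULATION, 60, seed=2024)[:3])
    for n in (25, 60, 120):  # zero deviations observed in each sample
        print(n, round(upper_deviation_limit(0, n), 4), control_supported(0, n, 0.05))
```

With zero deviations found, a sample of 25 leaves an upper limit of about 11.3%, while a sample of 60 brings it to about 4.9%; a single deviation in 60 items pushes the limit back above 5%.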