Annual Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

7044 Audit sampling
Sep-2022

In This Section

Definitions

Relationship with other CASs

Statistical vs. non-statistical audit sampling

Limitations on the use of audit sampling

“Two step” approach to revenue testing

Designing an audit sampling test

Use of non-statistical sampling

Overview

This topic explains:

  • The objective of audit sampling
  • Limitations on the use of audit sampling
  • Use of statistical vs. non-statistical audit sampling

CAS Objective

The objective of the auditor, when using audit sampling, is to provide a reasonable basis for the auditor to draw conclusions about the population from which the sample is selected. (CAS 530.4)

Definitions

CAS Requirement

For purposes of the CASs, the following terms have the meanings attributed below (CAS 530.5):

  • (a) Audit sampling (sampling)—The application of audit procedures to less than 100 percent of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population.

  • (b) Population—The entire set of data from which a sample is selected and about which the auditor wishes to draw conclusions.

  • (c)  Sampling risk—The risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were subjected to the same audit procedure. Sampling risk can lead to two types of erroneous conclusions:

    • (i)  In the case of a test of controls, that controls are more effective than they actually are, or in the case of a test of details, that a material misstatement does not exist when in fact it does. The auditor is primarily concerned with this type of erroneous conclusion because it affects audit effectiveness and is more likely to lead to an inappropriate audit opinion.

    • (ii) In the case of a test of controls, that controls are less effective than they actually are, or in the case of a test of details, that a material misstatement exists when in fact it does not. This type of erroneous conclusion affects audit efficiency as it would usually lead to additional work to establish that initial conclusions were incorrect.

  • (d)  Non-sampling risk—The risk that the auditor reaches an erroneous conclusion for any reason not related to sampling risk. (Ref: Para. A1)

  • (e)  Anomaly—A misstatement or deviation that is demonstrably not representative of misstatements or deviations in a population.

  • (f)  Sampling unit—The individual items constituting a population. (Ref: Para. A2)

  • (g)  Statistical sampling—An approach to sampling that has the following characteristics:

    • (i)  Random selection of the sample items; and
    • (ii) The use of probability theory to evaluate sample results, including measurement of sampling risk.

  • A sampling approach that does not have characteristics (i) and (ii) is considered non‑statistical sampling.

  • (h) Stratification—The process of dividing a population into subpopulations, each of which is a group of sampling units which have similar characteristics (often monetary value).

  • (i)  Tolerable misstatement—A monetary amount set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the monetary amount set by the auditor is not exceeded by the actual misstatement in the population. (Ref: Para. A3)

  • (j)  Tolerable rate of deviation—A rate of deviation from prescribed internal control procedures set by the auditor in respect of which the auditor seeks to obtain an appropriate level of assurance that the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the population.

Relationship with other CASs

CAS Guidance

This CAS complements CAS 500, which deals with the auditor’s responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion. CAS 500 provides guidance on the means available to the auditor for selecting items for testing, of which audit sampling is one means. (CAS 530.2)

(See OAG Audit 7041 for types of detailed testing.)

Statistical vs. non‑statistical audit sampling

CAS Guidance

The decision whether to use a statistical or non‑statistical sampling approach is a matter for the auditor’s judgment; however, sample size is not a valid criterion to distinguish between statistical and non‑statistical approaches. (CAS 530.A9)

OAG Guidance

CAS 530 recognizes both non-statistical and statistical approaches for audit sampling therefore professional judgement is required when determining which approach is appropriate for an engagement.

The primary advantages of statistical audit sampling are a statistically derived sample size and a statistically determined evaluation of sampling risk. However, the advantages of statistical sampling may not outweigh the primary disadvantages, which include the use of formal techniques to determine sample size, to select the sample and to evaluate the results. Therefore, the preferable approach will depend on the circumstances of each audit and require the use of professional judgment.

The choice of non-statistical or statistical sampling does not directly affect decisions about the auditing procedures to be applied, the appropriateness of the audit evidence obtained with respect to individual items in the sample, or the actions that might be taken in light of the nature and cause of particular misstatements.

The underlying principles, procedures and matters relevant to the planning and performance of audit sampling are similar for both non‑statistical and statistical methods. Thus, while the procedures and methods used in non‑statistical sampling are less formal, they are nonetheless rigorous. Ordinarily, the application of non‑statistical sampling will result in a sample size comparable to the sample size resulting from an efficient and effectively designed statistical sample, considering the same sampling parameters. The audit sampling guidance in OAG Audit 7044.1, while directed to non‑statistical sampling applications, is grounded in statistical theory and is designed to provide the necessary information to determine appropriate sample sizes and selection techniques, and properly project and evaluate results from non‑statistical audit sampling.

On engagements where we believe statistical sampling is the preferred approach consider consulting the OAG Internal Specialist of Research and Quantitative Analysis. For further guidance on statistical sampling, see OAG Audit 7044.2.

Limitations on the use of audit sampling

OAG Guidance

Because of sampling risk and the fact that items tested in audit sampling are selected essentially using a random selection method, haphazard selection method or a systematic method, we first consider the use of targeted testing. Audit sampling will typically be used on populations that are made up of many homogeneous items when it is more efficient than targeted testing based on coverage (e.g., coverage would require a large number of items to be tested) or when, because of the nature of the population, there are insufficient good “targets” to allow use of risk‑based targeted testing (e.g., many homogeneous items with few or no particularly higher‑risk or unusual items).

When we use audit sampling, our primary concern is overstatement. However, it can be an effective technique to test for unrecorded items, if the plan for detecting such misstatements involves selecting from a source that will provide appropriate evidence of whether there is understatement. For example, when testing for understatement of accounts payable the population is not the accounts payable listing but rather subsequent disbursements, unpaid invoices, suppliers’ statements, unmatched receiving reports or other appropriate populations. Also, audit sampling is not appropriate when a population comprises non‑homogeneous items. For example, a software development entity may enter into long‑term contracts to develop customised solutions. If the terms and conditions of the development contracts were non‑standardised, the use of audit sampling would not be appropriate for testing costs and revenues associated with the development contracts.

Audit sampling is a tool primarily designed to obtain sufficient appropriate audit evidence to support the assertion that a sampling population is fairly stated. It is not well suited for populations with high error rates or to estimate misstatements for purposes of correcting a materially misstated account. As such audit sampling would ordinarily not be used when estimated misstatement is more than 5 percent of the sample population or more than 70 percent of tolerable misstatement. Consider the appropriate testing strategy before defaulting to audit sampling. When audit sampling is not considered practical because the resulting sample size is very large, we look to obtain evidence from other procedures if appropriate (e.g., controls testing, substantive analytics or targeted testing). In some cases, by adding or increasing evidence from other procedures, sampling may become practical because the desired level of evidence from the sample can be reduced and/or after more targeted testing, the sampling population (numerator in the sample size formula—see further in this section) decreases which results in a smaller sample size. In some cases where a high proportion of misstatement is expected or observed, it may be necessary for the entity to correct errors to reduce the error rate or to perform testing that can be audited to provide the necessary evidence. If this is the case, consider consultation with the OAG Internal Specialist of Research and Quantitative Analysis.

In addition to the general limitations referred to above, there are specific considerations related to performing non‑statistical sampling at the Supplemental level of assurance. As explained further in OAG Audit 7044.1, the Supplemental level of assurance provides limited confidence (and therefore limited evidence) and will not by itself provide sufficient substantive evidence at the FSLI assertion level. Therefore we would only use this level when we performed sufficient other substantive procedures related to the relevant FSLI assertion.

In other words, the limited substantive evidence provided by a non‑statistical sample at the Supplemental level of assurance needs to be combined with other substantive procedures to provide the desired substantive evidence at the FSLI assertion level. For further guidance on the Supplemental level of assurance, refer to OAG Audit 7044.1.

“Two step” approach to revenue testing

OAG Guidance

As explained in OAG Audit 7011.1, in certain circumstances we may apply a “two step” approach to detailed testing of revenue transactions. In particular, if specific criteria are satisfied we can initially limit the sample size to 120. If no misstatements related to our test objectives are identified for the relevant assertions under testing, further revenue transactions testing would not be required.

The two-step approach to revenue transaction testing recognizes that the representative selection of revenue transactions is not a stand‑alone test and once it is performed to a certain level of precision, we can obtain the desired level of assurance from a combination of the representative selection of transactions and other audit procedures.  Specifically, the two step approach recognizes that due to the fact that performance materiality as percentage of revenue can be extremely small (often less than 0.5 percent) non‑statistical samples of revenue can become quite large. When precision gets extremely small (due to the size of the account balance and/or materiality level) expanding the number of selections beyond 120 provides little incremental audit evidence and such evidence needed to achieve the desired level of assurance is provided by other procedures (e.g., confirmation of accounts receivable at a moderate level of evidence) supporting an expectation of zero misstatement due to error or fraud, combined with the other conditions described above.

When we obtain evidence at the Supplemental level of assurance assuming no misstatements result from the testing performed, 120 transactions represents tolerable misstatement in relation to the balance tested of 0.33 percent. The logic being that once we have obtained evidence at a precision of say 0.33 percent of the revenue balance tested, we have useful audit evidence, combined and corroborated with other evidence, to reduce the remaining risk of material misstatement to a sufficiently low level.  As noted in OAG Audit 7011.1, in order to use the 120 testing levels, an engagement team would need to meet certain criteria, including achieving at least a moderate level of evidence over accounts receivable and performing some targeted testing on revenue transactions.  These additional criteria combined with a test of details based on a representative selection of revenue transactions achieve our related audit objectives.

Consider whether the “two step” approach may be applied to testing revenue transactions. In such cases follow the guidance in OAG Audit 7011.1.

Designing an audit sampling test

CAS Requirement

When designing an audit sample, the auditor shall consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. (CAS 530.6)

CAS Guidance

Audit sampling enables the auditor to obtain and evaluate audit evidence about some characteristic of the items selected in order to form or assist in forming a conclusion concerning the population from which the sample is drawn. Audit sampling can be applied using either non‑statistical or statistical sampling approaches. (CAS 530.A4)

When designing an audit sample, the auditor’s consideration includes the specific purpose to be achieved and the combination of audit procedures that is likely to best achieve that purpose. Consideration of the nature of the audit evidence sought and possible deviation or misstatement conditions or other characteristics relating to that audit evidence will assist the auditor in defining what constitutes a deviation or misstatement and what population to use for sampling. In fulfilling the requirement of paragraph 10 of CAS 500, when performing audit sampling, the auditor performs audit procedures to obtain evidence that the population from which the audit sample is drawn is complete. (CAS 530.A5)

In considering the characteristics of the population from which the sample will be drawn, the auditor may determine that stratification or value weighted selection is appropriate. Appendix 1 provides further discussion on stratification and value‑weighted selection. (CAS 530.A8)

OAG Policy

When designing an audit sampling test, the auditor shall consider the impact of tolerable misstatement and expected misstatement on the sample size and the appropriateness of audit sampling. Where the aggregate of the haircut and the expected misstatements for a particular sample population is greater than 50 percent of overall materiality, the engagement leader is required to consult with Audit Services before testing the population in question. [Jun‑2020]

OAG Guidance

To assist with consistency of application we have developed an eight step approach to non‑statistical and statistical sampling. Each of the eight steps is outlined further in this topic and forms the basis of application when performing sampling as part of OAG Audit.

OAG Audit 7044.1 Eight Step Approach to Performing Non‑Statistical Audit Sampling

OAG Audit 7044.2 Eight Step Approach to Performing Statistical Audit Sampling

Use of non-statistical Sampling

OAG Guidance

The following chart illustrates levels of assurance we would normally seek to obtain from non‑statistical sampling (when we decided to use non‑statistical sampling), depending on the results of risk assessment, controls reliance achieved, and level of evidence obtained from other substantive procedures at the FSLI assertion level. The chart assumes a large population made up of homogenous items and that individually significant items by nature (i.e., risk) or monetary value for which acceptance of any sampling risk is not justified will be individually targeted for testing rather than being left in the sampling population. For example, when we deal with a relevant assertion for a significant FSLI made up of homogenous items with a normal risk of material misstatement relative to one or more assertions, achieved partial controls reliance, obtained low assurance from other substantive procedures (i.e., dollar or risk‑based targeted tests, substantive analytical procedures and, where appropriate, accept‑reject tests), and including substantive evidence obtained from testing of other related accounts (e.g., accounts receivable in relation to revenue) and consider that further evidence is necessary from non‑statistical sampling, performing non‑statistical sampling at a low or supplemental level may be considered appropriate.

Note that the chart is provided for illustrative purposes only and we need to use professional judgment to develop a testing plan that would be most effective and efficient in specific engagement circumstances, including considering the risk of material misstatement in a remaining balance not subject to testing. We are not required to use non‑statistical sampling in the specific situations illustrated below. We may decide that it would be more effective and efficient to obtain substantive evidence by performing targeted testing or other types of substantive tests, including substantive analytics. The chart illustrates the level of evidence we may seek from non‑statistical sampling only when we consider it effective and efficient to perform non‑statistical sampling. Note: These illustrative examples of the levels of evidence we may seek from non‑statistical sampling are not intended to suggest that higher levels of assurance may not be sought by teams in specific engagement circumstances.

Consider the chart below in conjunction with the guidance on developing testing strategy (OAG Audit 4024) and selecting the appropriate type of substantive procedures to perform (OAG Audit 7013). Also keep in mind that CASs require us to perform substantive procedures for each material class of transactions, account balance, and disclosure (CAS 330.18); and when our approach to a significant risk consists only of substantive procedures, those procedures need to include tests of details (CAS 330.21). In relation to revenue and other income statement accounts testing, consider guidance in OAG Audit 7011.1. If the “two step” approach is applied to testing of revenue transactions, the chart below would not illustrate our revenue testing.

Examples of Levels of Assurance to be obtained from Non‑Statistical Sampling at the FSLI assertion level.

View actual size