AUD: Audit Sampling Methods

Audit sampling is not about checking every single transaction—that’s often impractical. Instead, it’s a powerful, risk-based tool that allows auditors to draw valid conclusions about an entire financial statement population by examining a carefully selected subset. For the CPA candidate, mastering audit sampling—the application of an audit procedure to less than 100% of items in a population—is critical. It directly bridges the core auditing concepts of materiality, risk, and evidence to the practical work of forming an opinion. Understanding both the statistical theory and professional judgment involved is essential for passing the AUD exam and performing effective audits in practice.

The Foundation: Why and When We Sample

The primary objective of auditing is to obtain sufficient appropriate audit evidence to support the audit opinion. Examining every item in a population (a census) is sometimes necessary for high-risk areas, but it is often inefficient or impossible. Sampling provides a reasonable alternative. The decision to sample is grounded in the audit risk model, where auditors accept some level of sampling risk—the risk that the auditor’s conclusion based on a sample may be different from the conclusion if the entire population were tested.

Sampling is applicable to both tests of controls and substantive tests of details. For tests of controls, you are sampling to estimate the rate of deviation from a prescribed control procedure. For substantive testing, you are sampling to detect material misstatements in account balances or transaction classes. A crucial initial step is defining the population (the entire set of data from which the sample is drawn) and the sampling unit (the individual items that make up the population) to ensure the sample can address the audit objective.

Statistical vs. Non-Statistical Sampling

All audit sampling falls into one of two broad approaches: statistical or non-statistical. Both require professional judgment and can provide sufficient audit evidence.

Statistical sampling applies the laws of probability to measure sampling risk objectively. It uses random selection techniques, allowing the auditor to quantify risk mathematically. A key advantage is that it facilitates the design of an efficient sample and the objective evaluation of results. Common statistical methods include random number sampling and systematic sampling.

Non-statistical sampling (or judgmental sampling) also aims to provide a representative sample, but the auditor does not use probability theory to quantify sampling risk. Instead, sample size, selection, and evaluation are based entirely on the auditor’s professional judgment and experience. While often easier to apply, the conclusions drawn are more subjective. The CPA exam requires you to know that either approach can be valid, but only statistical sampling allows for the precise quantification of sampling risk.

Core Method 1: Attribute Sampling for Tests of Controls

Attribute sampling is used in tests of controls to estimate the proportion of a population that possesses a specific characteristic—typically, a deviation from a key internal control. You are auditing an "attribute" (e.g., whether a purchase order has proper approval). The goal is to determine if the deviation rate in the population is acceptably low, supporting your assessed level of control risk.

Key concepts here include:

• Tolerable Deviation Rate: The maximum rate of deviation the auditor is willing to accept without altering the planned assessed level of control risk.
• Expected Population Deviation Rate: The rate the auditor anticipates exists in the population.
• Sample Size Determination: Sample size increases as the tolerable deviation rate decreases or the expected population deviation rate increases. Higher acceptable levels of risk of overreliance (the risk that the auditor concludes controls are more effective than they actually are) allow for a smaller sample.
• Evaluation: If the sample deviation rate (number of deviations found ÷ sample size) plus an allowance for sampling risk is less than or equal to the tolerable deviation rate, the control may be considered effective. If it exceeds the tolerable rate, control risk must be assessed as higher, likely leading to expanded substantive procedures.

Core Method 2: Variables Sampling for Substantive Testing

Variables sampling is used for substantive testing of details to estimate the monetary amount of a misstatement in a population, such as an accounts receivable balance. The most common approach is monetary unit sampling (MUS), which treats each individual dollar in an account as a sampling unit. This technique automatically gives higher-value items a greater chance of selection (probability-proportional-to-size).

Key variables sampling concepts include:

• Tolerable Misstatement: The maximum monetary misstatement for a population that the auditor is willing to accept. This is typically a portion of overall materiality.
• Expected Misstatement: The amount of misstatement the auditor anticipates finding in the population.
• Risk of Incorrect Acceptance: The risk that the auditor concludes a balance is not materially misstated when it actually is. This risk relates directly to audit effectiveness.
• Risk of Incorrect Rejection: The risk that the auditor concludes a balance is materially misstated when it actually is not. This risk relates to audit efficiency.
• Sample Size & Evaluation: Sample size increases as tolerable misstatement decreases, expected misstatement increases, or the acceptable level of risk of incorrect acceptance decreases. Results are evaluated by projecting the misstatements found in the sample to the population (e.g., in MUS, the projected misstatement is calculated) and adding an allowance for sampling risk. The auditor compares this total to tolerable misstatement to form a conclusion.

Determining Sample Size and Evaluating Results

While formulas differ for attribute and variables sampling, the underlying drivers of sample size are consistent across audit objectives:

1. Acceptable Level of Risk (Sampling Risk): The higher the acceptable risk (e.g., risk of incorrect acceptance), the smaller the required sample size.
2. Tolerable Rate/Amount: The smaller the tolerable deviation rate or tolerable misstatement, the larger the required sample size.
3. Expected Error/Misstatement: The higher the expected deviation rate or expected misstatement, the larger the required sample size to achieve precision.
4. Population Characteristics: While population size generally has a minimal effect on sample size for large populations, its variability (standard deviation in variables sampling) is a major factor.

Evaluation is the final, critical step. It involves:

• Projecting Sample Results: Calculating a projected error/misstatement for the entire population.
• Considering Sampling Risk: Adding an allowance for sampling risk to the projected amount to establish an upper limit.
• Comparing to Benchmark: Comparing this upper limit to the tolerable rate or amount. If the upper limit exceeds the benchmark, the sample results do not support the auditor’s initial risk assessment or the fairness of the account balance.

Common Pitfalls

1. Confusing the Risks of Incorrect Acceptance and Incorrect Rejection: A classic exam trap. Remember: Risk of incorrect acceptance (concluding no material misstatement when one exists) affects audit effectiveness and is a serious concern. Risk of incorrect rejection (concluding a material misstatement exists when one does not) affects audit efficiency; it may lead to extra work but is less critical. In planning, the auditor primarily focuses on controlling the risk of incorrect acceptance.

1. Misapplying Attribute Sampling to Substantive Testing: Attribute sampling yields a rate (e.g., 5% deviation). It is not designed to project a monetary misstatement. Using it to evaluate the monetary correctness of an account balance is a fundamental methodological error. For that, you must use variables sampling.

1. Selecting a Non-Representative Sample: Even with perfect statistical calculations, if the sample selection method is biased (e.g., only selecting items from the first month of the year or only large, easy-to-locate items), the sample is not representative. The conclusions drawn will be invalid. Proper random or systematic selection is paramount.

1. Failing to Project Errors Properly: Finding an error in a sample is not the end of the work. A common mistake is to treat the dollar value of errors found in the sample as the total error for the population. Auditors must project the sample error to the population, considering the sampling method used (e.g., using the ratio or difference method for classical variables sampling, or the specific MUS formula for monetary unit sampling).

Summary

• Audit sampling is the testing of less than 100% of a population to draw a conclusion about the whole, balancing efficiency with the need for sufficient evidence.
• The two primary methods are attribute sampling (for tests of controls, estimating deviation rates) and variables sampling (for substantive testing, estimating monetary misstatements, with monetary unit sampling being a common technique).
• Sample size is driven by the auditor’s acceptable level of sampling risk (including risk of incorrect acceptance and rejection), the tolerable misstatement or deviation rate, and the expected misstatement or deviation rate.
• Evaluating results requires projecting sample errors to the population and adding an allowance for sampling risk, then comparing this total to the tolerable benchmark to support the audit conclusion.
• For the CPA exam, meticulously distinguish between concepts for tests of controls versus substantive testing, and always remember that only statistical sampling allows the auditor to quantify sampling risk.