How to Use Sampling to Test Internal Controls
Even a very small company produces voluminous records; no auditor could ever audit all the records available and still get the audit done in time for the data obtained to be relevant. Sampling allows you to choose a small but pertinent and representative group of records that will give you an accurate picture of the company.
You may be wondering how to select the controls to test. Your first step is to identify significant accounts. You do this by considering both quantitative and qualitative factors. Here’s the difference between the two:
Quantitative: An account is significant on a quantitative basis if it could likely contain misstatements that would materially affect the financial statements. For example, during the initial interviews, you find out that related party transactions are reflected in an account.
Qualitative: Other financial accounts may be significant on a qualitative basis if they affect investors’ expectations. Creditors may be interested in a particular account, not because it is materially significant, but because it represents an important performance measurement.
Eight steps are involved in audit sampling for tests of controls. The example of the customer billing process is used to walk you through the steps:
Look at your audit objectives.
The objective of tests of controls is to provide yourself with evidence about whether controls are operating effectively. The audit objective of our example test (focusing on customer billing) is to find out if client invoices are correct. Audit objectives vary between accounts and the purpose of your procedure.
Describe the control activity.
The control activity is the policy or procedure management uses to provide assurance that material misstatements will be prevented or detected in a timely fashion.
Define the population.
To do so, decide on the appropriate sampling unit and consider the completeness of the population.
Define the deviation conditions.
Say for example that the control is that client invoices are correct. An error or deviation in this control would be if the cost per unit on the client invoices doesn’t agree with the standard price list, and there’s no explanation for the deviation (such as the fact that the client was given a discount). Even if an explanation exists, you still have a deviation if the proper authority didn’t okay the discount.
Think about your expected number of deviations.
This means the number of errors you anticipate finding.
Determine the planned assessed level of control risk.
This step addresses whether the population is free from material misstatement. You rank the risk as low, moderate, or maximum.
Determine the appropriate sample size.
Your sample size can be a factor of your firm’s policy (the number of items your firm normally samples), or you can use sampling software to select the sample size.
Determine the method of selecting the sample.
One method of sampling you use frequently for tests of controls is attribute sampling.