MODULE F Attribute Sampling LEARNING OBJECTIVES

Review Checkpoints 1. Identify the objectives of attribute sampling, define deviation conditions, and define the population for an attribute sampling application. Understand how various factors influence the size of an attribute sample. Determine the sample size for an attribute sampling application. 1, 2, 3, 4 Exercises, Problems, and Simulations 42, 43, 56 (partial), 58 (parts a and b), 59 (parts a and b), 60 (partial), 61 (partial) 56 (partial), 57 (parts a and b), 60 (partial), 61 (partial) 47, 48, 49, 50, 56 (partial), 57 (part c), 58 (part c), 59 (part c) 44 (partial), 45, 46, 56 (partial), 58 (part d), 59 (part d) 44 (partial), 51, 52, 53, 54, 55, 56 (partial), 57 (parts d - f), 58 (parts e and f), 59 (parts e - g)

2.

5, 6, 7

3.

8, 9

4.

Identify various methods of selecting an attribute sample.

10, 11, 12, 13

5.

Evaluate the results of an attribute sampling application by determining the computed upper limit (CUL).

14, 15, 16, 17, 18, 19, 20, 21

6.

Define sequential sampling and discovery sampling and identify when these types of sampling applications would be used.

22, 23

SOLUTIONS FOR REVIEW CHECKPOINTS

F.1 Attribute sampling is a method of sampling used to determine the extent to which some characteristic (or attribute) exists within a population of interest. Attribute sampling is used by the auditor in performing tests of controls to determine the operating effectiveness of internal control policies and procedures. The auditors objective in attribute sampling is to determine the operating effectiveness of key controls that influence the financial statement assertions of interest. As a result, the financial statement assertions ultimately determine which control(s) are tested and are the subject of the auditors attribute sampling application. Deviation conditions represent situations in which key controls are not functioning as intended. Deviation conditions are important in an attribute sampling application because they provide the auditor with evidence regarding the operating effectiveness of the clients internal control. An appropriate definition of the population is important because auditor conclusions can only be extended to the population from which the sample is selected. a. Sampling risk is the risk that the decision made by the auditor based on his or her sample is different from the decision that would have been made if the entire population were examined. h. i. The tolerable deviation rate is the maximum rate of deviations permissible by the auditor without modifying his or her reliance on an internal control policy or procedure. The expected deviation rate is the anticipated rate of deviations in the clients internal control policies or procedures.

F.2

F.3

F.4 F.5

The sampling risk and tolerable deviation rate are determined judgmentally by the auditor based on the planned level of control risk (as the planned level of control risk is lower, the sampling risk and tolerable deviation rate should be lower). The expected deviation rate is assessed by the auditor based on either prior experience with the client (for recurring engagements) or a small pilot sample of controls (for first-year engagements). F.6 The risk of assessing control risk too high (risk of underreliance) occurs when the auditors sample indicates that the control is not functioning effectively when, in fact, it is functioning effectively. When this risk occurs, the auditors sample deviation rate exceeds the tolerable deviation rate. However, unknown to the auditor, the true population deviation rate is less than the tolerable deviation rate. The risk of assessing control risk too low (risk of overreliance) occurs when the auditors sample indicates that the control is functioning effectively when, in fact, it is not functioning effectively. When this risk occurs, the auditors sample deviation rate is less than the tolerable deviation rate. However, unknown to the auditor, the true population deviation rate exceeds the tolerable deviation rate. F.7 The risk of assessing control risk too low is more important because this risk may result in a less effective audit being performed. That is, the auditor may not perform a sufficient level of substantive procedures upon which to base his or her opinion on the financial statements.

F.8

a. j. k.

Sample size has an inverse relationship with sampling risk; that is, as the desired sampling risk is lower, sample size increases. Sample size has an inverse relationship with the tolerable deviation rate; that is, as the tolerable deviation rate is lower, sample size increases. Sample size has a direct relationship with the expected deviation rate; that is, as the expected deviation rate is higher, sample size increases.

F.9

In an attribute sampling application, the sample size is determined as follows: 1. 2. 3. 4. Based on the desired level of the risk of assessing control risk too low, select the appropriate sample size table. Identify the row of the table corresponding to the expected deviation rate for the control being examined. Identify the column of the table representing the assessed tolerable deviation rate for the control being examined. Determine the sample size by identifying the junction of the row from step (2) and the column from step (3).

F.10

When selecting sample items, the auditor should take steps to ensure that the sample is representative of the population from which it is drawn. For example, the auditor should select potential applications of control procedures performed throughout the year, performed for larger and smaller dollar amounts, performed by different individuals, and related to transactions with different parties or individuals in different geographic areas. Tests of controls are procedures performed by the auditor to determine the operating effectiveness of the clients key internal control policies and procedures. The auditors goal in performing tests of controls is to determine the rate at which the clients control policies and procedures are not functioning as intended, or the sample deviation rate. If the auditor is unable to find an item that provides evidence of the clients performance of a control, that item is classified as a deviation. The sample deviation rate is the rate of deviations from key control policies and procedures noted by the auditor in his or her sample. It can be calculated by dividing the number of deviations by the sample size. The computed upper limit is an adjusted rate of deviations that provides a conservative measure of the sample deviation rate. This measure allows the auditor to control his or her exposure to sampling risk to desired levels. The computed upper limit is the rate of deviation that has a (one minus the risk of assessing control risk too low) probability of equaling or exceeding the true population deviation rate. Conversely, there is a (risk of assessing control risk too low) probability that the true population deviation rate exceeds the computed upper limit.

F.11

F.12 F.13

F.14

F.15

The computed upper limit is determined based on the risk of assessing control risk too low, sample size, and number of deviations. Since the sample size and number of deviations determine the sample deviation rate, the computed upper limit is essentially based on the sample deviation rate and the risk of assessing control risk too low.

F.16

The computed upper limit is determined as follows: l. Based on the desired risk of assessing control risk too low, select the appropriate evaluation table.

m. Read down the sample size column to find the row representing the appropriate sample size. n. o. F.17 Identify the column corresponding to the number of deviations found by the auditor. The computed upper limit is the value found at the intersection of the row in step (2) and the column in step (3).

If the sample size examined by the auditor is not included in the AICPA sample evaluation tables, the auditor could (1) select additional items for examination to provide him or her with the next highest sample size included on the tables, (2) evaluate the results of his or her sample using a smaller (more conservative) sample size, or (3) interpolate the table values and estimate a computed upper limit for the number of items examined. Since the sample deviation rate is 6 percent (6 deviations 100 items = 6 percent) and the computed upper limit is 8.3 percent, the allowance for sampling risk is 2.3 percent (8.3 percent 6.0 percent = 2.3 percent). If the computed upper limit is less than the tolerable deviation rate, the auditor would conclude that the control is functioning effectively. If the computed upper limit is greater than or equal to the tolerable deviation rate, the auditor would conclude that the control is not functioning effectively. If the computed upper limit is less than the tolerable deviation rate, the auditor can choose to rely on internal control at planned levels or consider obtaining a further reduction in the desired level of control risk. If the computed upper limit is greater than or equal to the tolerable deviation rate, the auditor can reduce his or her reliance on internal control and increase control risk or expand his or her sample to achieve an observed computed upper limit less than the tolerable deviation rate. Sequential sampling is a sampling plan in which an initial sample is selected and the auditor (1) draws a final conclusion regarding the effectiveness of the control policy or procedure or (2) selects additional items before drawing a final conclusion regarding the effectiveness of the control policy or procedure. The primary advantage of sequential sampling is that these types of plans may allow the auditor to form a conclusion on internal control with a relatively small sample size. The primary disadvantage of sequential sampling is that the allowable rate of deviations in the sample is lower than that in a fixed sampling plan (i.e., sequential sampling is more conservative). In addition, sequential sampling may ultimately result in the auditor examining an extremely large number of items if he or she decides to expand the sample.

F.18

F.19

F.20

F.21

F.22

F.23

Discovery sampling is a form of attribute sampling that is utilized when deviations from controls are very critical, yet are expected to occur at a relatively low rate. Discovery sampling should be utilized when a control is extremely important for the auditors examination or when the auditor is suspicious of the existence of fraud.

SOLUTIONS FOR MULTIPLE-CHOICE QUESTIONS

F.24 a. b. c. d. F.25 a Incorrect Correct Incorrect Incorrect Correct Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Correct Incorrect Determining preliminary levels of materiality is related to variables sampling. Attribute sampling selects occurrences of key controls for the auditor to examine using tests of controls. Substantive procedures are related to variables sampling. Searching for the possible occurrence of subsequent events is not an example of sampling. Identifying key controls is necessary when determining the objective of sampling. Prior to defining a deviation condition, the key controls must be Prior to defining the population, the key controls must be identified. Prior to determining the sample size, the key controls must be The tolerable deviation rate has an indirect relationship with sample size. The expected deviation rate has a direct relationship with sample size; the tolerable deviation rate has an indirect relationship with sample size. The expected deviation rate has a direct relationship with sample size; the tolerable deviation rate has an indirect relationship with sample size. The expected deviation rate has a direct relationship with sample size. The auditor does not control the RACTH in an attribute sampling application. The auditor does not control the RACTH in an attribute sampling application; however, he or she does control the RACTL. The auditor does not control the RACTH in an attribute sampling application; however, he or she does control the RACTL. The auditor controls the RACTL in an attribute sampling application. Both sampling risks result in incorrect decisions by the auditor. The risk of assessing control risk too high is related to the study and evaluation of internal control The risk of assessing control risk too low may result in the failure to control audit risk to desired levels. Performing tests during an interim period does not influence the risk of assessing control risk too high.

b. identified. c. d. identified. F.26 a. b. c. d. F.27 a. b. c. d. F.28 a. b. c. d. F.29

Note to instructor: Since this question asks students to identify the statement that will not result in an increased sample size, the response labeled correct will not result in an increased sample size and those labeled incorrect will result in an increased sample size. a. b. c. d. Incorrect Correct Incorrect Incorrect Reducing the risk of assessing control risk too low will result in a larger sample size. Increasing the tolerable deviation rate will reduce (not increase) the sample size. Increasing the expected deviation rate will result in a larger sample size Choice (b) above will not result in a larger sample size.

F.30

a. b. c. d.

Incorrect Incorrect Incorrect Correct

From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195. From the AICPA sampling tables, the sample size is 195.

F.31

a. b. c. d.

Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Correct Correct Incorrect Incorrect

RACTL increases as control risk increases; as a result, a 1% RACTL cannot logically be associated with a control risk of 0.80. RACTL increases as a function of control risk; as a result, a 10% RACTL cannot logically be associated with a control risk of 0.20 if a 1% control risk is assigned to a control risk of 0.50. RACTL increases as a function of control risk; as a result, a 10% RACTL cannot logically be associated with a control risk of 0.50 if a 5% RACTL is assigned to a control risk of 0.80. RACTL increases as control risk increases; this series is consistent with this relationship. From the AICPA sample evaluation tables, the computed upper limit is 6.9 percent. From the AICPA sample evaluation tables, the computed upper limit is 6.9 percent. From the AICPA sample evaluation tables, the computed upper limit is 6.9 percent. From the AICPA sample evaluation tables, the computed upper limit is 6.9 percent. This is the correct interpretation of the computed upper limit. The probability that the actual deviation rate in the population is lower than the computed upper limit is one minus the risk of assessing control risk too low. The computed upper limit does not provide an estimate with certainty; in addition, the probability that the actual deviation rate in the population is lower than the computed upper limit is one minus the risk of assessing control risk too low. The computed upper limit does not provide an estimate with certainty. See (d) below. See (d) below. See (d) below. Without knowledge of the risk of assessing control risk too low, it is impossible to calculate the computed upper limit for a sample of 100 transactions with one deviation. For example, with a risk of assessing control risk too low of 5 percent, the computed upper limit is 4.7 and options (a), (b), and (c) would not allow the auditor to assess control risk at the appropriate level. However, if the risk of assessing control risk too low is 10 percent, the computed upper limit would be 3.9 and choice (c) would allow the auditor to assess control risk at the appropriate level. Because the computed upper limit exceeds the tolerable deviation rate, the auditor cannot support a control risk assessment based on the tolerable deviation rate. The auditor can support a control risk assessment at level of the computed upper limit. Despite the fact that the computed upper limit exceeds the tolerable deviation rate, the auditor can support a control risk assessment at less than the maximum level. To support control risk assessments at the minimum level, the computed upper limit would need to be less than the tolerable deviation rate (which would ordinarily be established at less than 4 percent).

F.32

a. b. c. d.

F.33

a. b. c.

d. F.34 a. b. c. d.

Incorrect Incorrect Incorrect Incorrect Correct

F.35

a. b. c. d.

Incorrect Correct Incorrect Incorrect

F.36

a. b. c. d.

Incorrect Incorrect Correct Incorrect Incorrect Correct

Selecting customer accounts for confirmation as a part of the audit of accounts receivable would utilize variables sampling. Selecting inventory items for verification as a part of the audit of inventory would utilize variables sampling. Selecting purchase orders for indication of authorization is a test of controls that would utilize attribute sampling. Selecting additions to property, plant and equipment for verification would utilize variables sampling. The auditor would compare the tolerable deviation rate to the sum of the allowance for sampling risk and sample deviation rate (not expected deviation rate). In this example, the sample deviation rate of 4 percent (5 125 = 4 percent) plus the allowance for sampling risk of 3 percent equals the computed upper limit (7 percent). Since the computed upper limit exceeds the tolerable deviation rate of 5 percent, the auditor should assess a higher control risk. The expected deviation rate is not considered in evaluating the results of the sample. The sample results would support a low control risk assessment if the sample deviation rate plus the allowance for sampling risk is less than (not greater than) the tolerable deviation rate. From the AICPA sample evaluation tables, the computed upper limit is 12.8 percent. From the AICPA sample evaluation tables, the computed upper limit is 12.8 percent. From the AICPA sample evaluation tables, the computed upper limit is 12.8 percent. From the AICPA sample evaluation tables, the computed upper limit is 12.8 percent. See the response to choice (b). The auditor noted 7 deviations in the 90 items examined; therefore, the sample deviation rate is 7.8 percent (7 90 = 7.8 percent). If the CUL is 12.8 percent (see the answer to F.38), the allowance for sampling risk would be 5.0 percent (12.8 percent 7.8 percent = 5.0 percent). See the response to choice (b). See the response to choice (b). The tolerable deviation rate must exceed the computed upper limit in order for the auditor to rely on internal control as planned. The tolerable deviation rate must exceed the computed upper limit in order for the auditor to rely on internal control as planned. The expected deviation rate is not utilized in evaluating sample results. The expected deviation rate is not utilized in evaluating sample results. See the response to choice (d). See the response to choice (d). See the response to choice (d). While (a), (b), and (c) are correct responses, (d) is a more appropriate response because it includes all possible alternatives for the auditor.

F.37

a. b.

c. d.

Incorrect Incorrect

F.38

a. b. c. d.

Incorrect Incorrect Incorrect Correct Incorrect Correct

F.39

a. b.

c. d. F.40 a. b. c. d. F.41 a. b. c. d.

Incorrect Incorrect Incorrect Correct Incorrect Incorrect Incorrect Incorrect Incorrect Correct

SOLUTIONS FOR EXERCISES, PROBLEMS, AND SIMULATIONS

F.42 Test of Controls Objectives and Deviations p. Credit Approval a. b. q. Objective: Determine whether credit is approved in accordance with company policy. Deviation: Absence of notation of approval or disapproval on customers orders.

Validity of Sales and Proper Period Recording a. Objective: Determine whether (i) recorded sales invoices are supported by written notices of shipment, (ii) the sales record date is the same as the shipment date. Deviation: (i) Absence of written shipment notice, (ii) Sales record date and shipment date are not the same.

b. r.

Accuracy of Sales Invoices a. Objective: Determine whether (i) quantities on shipping notices and invoices are the same, (ii) unit prices on the invoices are correct and agree with catalog prices, and (iii) invoices are arithmetically correct. Deviation: (i) Quantities on shipping notices and invoices do not match, (ii) Unit prices do not agree with catalog prices, (iii) Invoices include mathematical mistakes.

b.

s.

Classification of Sales a. b. Objective: Determine whether invoices are properly coded for intercompany sales. Deviation: (i) Invoice to an affiliated company not marked 9 and (ii) Invoice to an outside customer marked 9.

F.43

Examples of Deviations a. 1. While not technically conforming to the control policy, the fact that some indication was placed next to the quantities suggests that this would not be classified as a deviation. Professional standards are explicit in noting that a missing document should be classified as a deviation. The fact that the invoice is marked as VOID provides some evidence that the shipment was not made; accordingly, it does not appear that this would be classified as a deviation. While the quantities may have been properly checked, the fact that this is not noted on an item-by-item basis may indicate that the employee hurriedly reviewed the invoice and did not perform the work. This would likely be classified as a deviation. The fact that check marks were only placed adjacent to items located in the same location of the warehouse indicates that only these quantities were verified. Accordingly, this invoice would be classified as a deviation.

2. 3.

4.

5.

b.

The fallacy in assuming that the controls relating to the remaining 95 invoices were being performed properly is that an employee could merely place a check mark on the invoice without reviewing the quantities (because of time pressure, lack of care, etc.).

F.44

Timing of Test of Controls and Sample Selection TO: FROM: DATE: SUBJECT: Audit Manager Auditor Hill October 1 Interim evaluation of control over cash disbursement authorization

I audited 80 cash disbursements as of September 30 for compliance with the company control procedure requiring authorization of cash disbursements. I found no deviations. Had this audit sampling been performed at December 31 for the entire years disbursements, I would be prepared to assign a low control risk (20 percent). This favorable evaluation would enable us to perform the planned analytical procedures to expenses and perform the level of inventory observation work specified in the preliminary audit program. With a higher control risk, the audit team would need to do more work in both areas. Requirements According to auditing standards, the audit team needs to determine whether the authorization control procedure worked as well during October-December period as it did for the period January-September. I think the audit team should audit the other 20 disbursements to make this determination. Options t. u. The audit team cannot elect to forgo all further work on the control for the OctoberDecember remaining period. The audit team can complete the sampling application by examining 20 additional sampling units selected at random. This approach will probably be the least costly because it will be relatively easy to evaluate the additional 20 sampling units to determine whether the control is functioning effectively. The audit team could make inquiries about the operating effectiveness of the authorization control during the time period from October-December. However, declarations from client personnel that the control was functioning just fine would not be good evidence of continued operating effectiveness. Unless this inquiry reveals that the control is no longer performed, inquiry would not provide much information.

v.

w. The three-month length of the remaining period is enough for concern. The audit team should not merely presume the control continued to operate effectively during this period. x. If the dollar amount of transactions affected by the operating effectiveness of the authorization control were substantially reduced, the audit team would not need to be as concerned about the control. However, cash disbursements are not likely to become unimportant under these circumstances. The audit team could forgo examining an additional 20 items and take its chances that the planned amount of analytical procedures for expenses and work on inventory observation would also reveal any control breakdown in October-December. I do not recommend such action in the circumstances because (a) we should evaluate control risk in order to plan the extent of the other work, (b) the cost of examining an additional 20 items is not high, (c) audit completion might be delayed if we detect a control breakdown later in the audit, and (d) in these circumstances the dual-purpose nature of the other work may turn out to be circular and inefficient.

y.

I trust I have made my preference for completing the test of controls for the authorization control related to cash disbursements clear. I think this work should be done no earlier than December 20. F.45 Sample Selection z. In this case, the challenge is the fact that the checking accounts have overlapping check numbers. Checks written on Account 2 could be considered as numbers 0001 through 6,000 and checks written on Account 1 could be considered as 6001 through 9000 (simply add 2,368 to each check number). For unrestricted random selection, you could identify random numbers between 1 and 9,000 and select the associated check. For systematic random selection, you would choose a random starting point, calculate the sampling interval, and proceed through the population of checks. aa. In this case, the challenge is that random numbers 1 through 8,999 would be discarded in an unrestricted random selection method. You could convert the five-digit sequence (9,000 13,999) to a four-digit sequence by subtracting the constant 8,999 from each purchase order number. This would yield purchase orders numbered 0001 through 5,000. If the above adjustments are made, when using unrestricted random selection, identifying random numbers between 0001 and 5,000 would provide you with the item selected. If you are concerned about discarding random numbers 5,001 through 9,999, you could create a duplicate set of purchase order numbers by adding the constant 5,000 to each number. As a result, item 1 would have two random numbers: 0001 and 5,001. However, you should be certain not to select the same item using two different random numbers. With respect to systematic random selection, you would choose a random starting point, calculate the sampling interval, and proceed through the population of purchase orders. However, you would not create a duplicate set of purchase orders; when you reached the end of the population, you merely begin applying the sampling interval to the beginning of the population until the desired number of items is selected. bb. In this case, the challenge is the sheer magnitude of the listing and the time it would take to select the sample. You can think of this listing as containing a total of 3,750 records [(74 pages x 50 items = 3,700) + 40 items on last page = 3,740 items]. If unrestricted random selection is used, you would identify random numbers corresponding to items 0001 through 3,740. While this is relatively straightforward, the physical act of moving through the population is quire time consuming. If you are concerned about discarding random numbers 3,741 through 9,999, you could create a duplicate set of purchase order numbers by adding the constant 3,741 to each number. As a result, item 1 would have two random numbers: 0001 and 3,742. However, you should be certain not to select the same item using two different random numbers. If systematic random selection is used, you would choose a random starting point, calculate the sampling interval, and proceed through the perpetual inventory records. Depending upon the sample size, you may be able to bypass entire pages of the perpetual inventory records.

F.46

Sample Selection

Based on the document numbers on the vendor invoices, a total of 25,327 invoices (#38121 #12794 = 25327) were issued during the year.
(1) Janice would select either 50, 100, or 500 random numbers from a random number table or computer program and match those numbers to items in the population. For ease of selection, a computer program could be requested to generate the desired number of random numbers between 12,794 and 38,121. Janice would select a random starting point (a number somewhere between 12,794 and 38,121) and bypass a fixed number of items based on the sampling interval, as follows: Sample size of 50: Sample size of 100: Sample size of 500: F.47 Sample Size Determination a. Using the sample size tables for a 5 percent risk of assessing control risk too low, 3 percent expected deviation rate, and 9 percent tolerable deviation rate results in a sample size of 84 items. The risk of assessing control risk too low would be determined judgmentally by Landry based on the desired level of control risk (as the desired level of control risk is lower, the risk of assessing control risk too low should be established at lower levels). The expected deviation rate is established based on prior years audits (for recurring engagements) or a pilot sample of controls (for first-year engagements). The tolerable deviation rate is established based on the desired level of control risk (as the desired level of control risk is lower, the tolerable deviation rate should be established at lower levels). c. d. The revised sample size is 58 items. Because the desired level of sampling risk has increased, Landrys sample does not need to be as effective as when sampling risk is lower (the original level of 5 percent). As a result, Landry can examine a smaller sample. 25,327 50 items = 507 items 25,327 100 items = 254 items 25,327 500 items = 51 items

(2)

b.

F.48

Sample Size Determination a. b. c. Sample size = 42 Sample size = 129 Sample size = 195 cc. Sample size = 32

Comparing the necessary sample sizes in (a) and (b), the only difference in sample size is related to an increase in the expected deviation rate from 0 percent in (a) to 3 percent in (b). As a result, the increase in sample size from 42 to 129 indicates that the expected deviation rate has a direct relationship with sample size. Comparing the necessary sample sizes in (b) and (c), the only difference in sample size is related to a decrease in the tolerable deviation rate from 7 percent in (b) to 6 percent in (c). As a result, the increase in sample size from 129 to 195 indicates that the tolerable deviation rate has an inverse relationship with sample size. Comparing the necessary sample sizes in (a) and (d), the only difference in sample size is related to an increase in the risk of assessing control risk too low from 5 percent in (a) to 10 percent in (d). As a result, the decrease in sample size from 42 to 32 indicates that the risk of assessing control risk too low has an inverse relationship with sample size. F.49 Sample Size Determination dd. ee. ff. gg. Sample size = 156 Sample size = 192 Sample size = 103 Sample size = 132

Comparing the necessary sample sizes in (a) and (b), the only difference in sample size is related to an increase in the expected deviation rate from 1 percent in (a) to 1.5 percent in (b). As a result, the increase in sample size from 156 to 192 indicates that the expected deviation rate has a direct relationship with sample size. Comparing the necessary sample sizes in (b) and (c), the only difference in sample size is related to an increase in the tolerable deviation rate from 4 percent in (b) to 6 percent in (c). As a result, the decrease in sample size from 192 to 103 indicates that the tolerable deviation rate has an inverse relationship with sample size. Comparing the necessary sample sizes in (b) and (d), the only difference in sample size is related to an increase in the risk of assessing control risk too low from 5 percent in (b) to 10 percent in (d). As a result, the decrease in sample size from 192 to 132 indicates that the risk of assessing control risk too low has an inverse relationship with sample size. F.50 Sample Size Determination hh. ii. jj. kk. 66 9 percent 3.25 percent 5 percent

F.51

Sample Results Evaluation

ll. Sample Deviation Rate = No. of Deviations Sample Size

Sample Deviation Rate = 3 60 = 0.05 or 5 percent

mm.Using the sample evaluation table, the computed upper limit is 12.5 percent
Allowance for Sampling Risk = Computed Upper Limit - Sample Deviation Rate Allowance for Sampling Risk = 12.5 percent - 5 percent = 7.5 percent nn. The computed upper limit considers the likelihood that the sample selected by the auditor may underrepresent the deviation rate in the population. The computed upper limit provides a conservative measure of the sample deviation rate to control the auditors exposure to sampling risk to desired levels. oo. Because the computed upper limit (12.5 percent) exceeds the tolerable deviation rate (6 percent), Joan would conclude that the control is not functioning effectively. At this point, she could either reduce her planned level of reliance on internal control or expand the sample to examine a larger number of controls. pp. Using the sample evaluation table for a 10 percent risk of assessing control risk too low yields a computed upper limit of 10.8 percent; while lower than the computed upper limit determined for a 5 percent risk of assessing control risk too low (12.5 percent), this computed upper limit still exceeds the tolerable deviation rate of 6 percent. As a result, Joan would still conclude that the control is not functioning effectively. F.52 Sample Results Evaluation a. (1) (2) (3) Sample deviation rate = 4 60 = 6.7 percent CUL = 14.7 percent Allowance for sampling risk = 14.7 percent 6.7 percent = 8.0 percent

qq. (1) Sample deviation rate = 6 60 = 10 percent

(2) (3) CUL = 18.8 percent Allowance for sampling risk = 18.8 percent 10 percent = 8.8 percent

rr. (1) Sample deviation rate = 6 60 = 10 percent

(2) (3) CUL = 16.9 percent Allowance for sampling risk = 16.9 percent 10 percent = 6.9 percent

Comparing the CUL in (a) and (b), the only difference in the CUL is related to an increase in the number of deviations from 4 in (a) to 6 in (b). As a result, the increase in CUL from 14.7 percent to 18.8 percent indicates that the number of deviations (and sample deviation rate) has a direct relationship with the CUL. Comparing the CUL in (b) and (c), the only difference in the CUL is related to an increase in the risk of assessing control risk too low from 5 percent in (b) to 10 percent in (c). As a result, the decrease in the CUL from 18.8 percent to 16.9 percent indicates that the risk of assessing control risk too low has an inverse relationship with the CUL.

F.53

Sample Results Evaluation a. (1) (2) (3) (1) (2) (3) (1) (2) (3) Sample deviation rate = 8 100 = 8.0 percent CUL = 14.0 percent Allowance for sampling risk = 14.0 percent 8.0 percent = 6.0 percent Sample deviation rate = 4 100 = 4.0 percent CUL = 9.0 percent Allowance for sampling risk = 9.0 percent 4.0 percent = 5.0 percent Sample deviation rate = 8 100 = 8.0 percent CUL = 12.7 percent Allowance for sampling risk = 12.7 percent 8.0 percent = 4.7 percent

b.

c.

Comparing the CUL in (a) and (b), the only difference in the CUL is related to a decrease in the number of deviations from 8 in (a) to 4 in (b). As a result, the decrease in CUL from 14.0 percent to 9.0 percent indicates that the number of deviations (and sample deviation rate) has a direct relationship with the CUL. Comparing the CUL in (a) and (c), the only difference in the CUL is related to an increase in the risk of assessing control risk too low from 5 percent in (a) to 10 percent in (c). As a result, the decrease in the CUL from 14.0 percent to 12.7 percent indicates that the risk of assessing control risk too low has an inverse relationship with the CUL. F.54 Sample Results Evaluation

ss. Sample deviation rate = 2 30 = 0.0667 or 6.7 percent

tt. Computed upper limit = 19.6 percent

uu. Allowance for sampling risk = 19.6 percent 6.7 percent = 12.9 percent vv. Using 4 deviations, a risk of assessing control risk too low of 5 percent, and a computed upper limit of 12.6 percent yields a sample size of 70.

ww.Sample deviation rate = 4 70 (see (d) above) = 0.057 or 5.7 percent

xx. Allowance for sampling risk = 12.6 percent 5.7 percent = 6.9 percent yy. No. of deviations = 200 x 0.025 = 5 zz. Computed upper limit = 4.6 percent

aaa.Sample deviation rate = 2 50 = 4 percent bbb.[Note: The student must complete (k) prior to completing (j)] Reviewing the sample
evaluation tables for 2 deviations, a sample size of 50, and a computed upper limit of 12.1% reveals a risk of assessing control risk too low of 5 percent. ccc. Computed upper limit = 8.1 percent + 4 percent = 12.1 percent

F.55

Sample Results Evaluation This case is one of Robert Ashtons behavioral decision cases (Accounting Review, January, 1984, pp. 78-97). He gives credit to W. Uecker and W. Kinney, Judgment Evaluation of Sample Results: A Study of the Type and Severity of Errors Made by Practicing CPAs, Accounting, Organizations and Society, Vol. 2, No. 3 (1977), pp. 269-75. The answer below is taken from Ashtons study (with modifications). NOTE TO INSTRUCTOR: Take a look at this answer. You may want to get the students to discuss Cases 1, 2, and 3 first, then give them a chance to think about Cases 4 and 5. See if they can be fooled to change their minds to choose the larger samples for Cases 4 and 5, then discuss them. In this exercise, information about the sample size and sample deviation rates is available for each pair of outcomes. While sample size is independent of population parameters, sample deviation rate is representative of the population characteristic of interest (i.e., the population deviation rate). Use of the representativeness heuristic could cause one to ignore the size of the sample, and to base choices solely on the sample deviation rate. Thus one might choose Sample A in Case 1 and Sample B in Case 2 and 3, because their sample deviation rates are lower. The AICPA sample evaluation tables show, however, that none of these three sample outcomes provides adequate assurance that the population deviation rate is below 5 percent. The other sample outcome (Sample B in Case 1 and Sample A in Case 2 and 3) does provide the desired assurance at a 95 percent confidence level (5 percent risk of assessing control risk too low). Thus reliance on the representativeness of the sample outcomes could lead one to choose the weaker evidence in these cases. Notice that the correct choice in Cases 1, 2, and 3 is the larger sample. It might be tempting to conclude that this will always be true (that is, larger samples are always superior to smaller samples). But this simplification will not always work either. Consider Cases 4 and 5. The correct answers are the smaller samples (although neither sample provides desired assurance in Case 5). Interestingly, use of the representativeness heuristic (i.e., focusing on the smaller deviation rates) would lead to the correct choices in these two instances, but would result in incorrect choices in the first three pairs of sample outcomes. This illustrates that while use of simplifying heuristics can lead to good decisions, it can also lead the decision maker into making sub optimal decisions.

F.56

Evaluating a Sampling Application

1.

Mistake The statistical criteria call for a sample of 181, not 100.

1.

Explanation Tom Barton apparently did not utilize AICPA sampling tables in determining sample size or misread the AICPA sampling tables. A selection of two months does not make the sample representative of the years population; checks should be examined for selections from months throughout the year. Tom subsequently decided that the two deviations he found were not control deviations. The pay rate mistake has dollar-value impact that Tom made no effort to recognize (i.e., liability for underpayment of wages). When stratification is done properly, the two samples should be evaluated independently.

2.

Tom Barton used two test months for his selection of sample items.

2.

3.

Tom Barton did not define the deviation conditions carefully before beginning his sampling application. Tom Barton did not follow up sufficiently on the deviations he found. Tom Barton improperly combined a stratified sample into a single evaluation.

3.

4.

4.

5.

5.

6.

The reviewers (senior and partner) were not competent to review the statistical application.

6.

This is not Toms mistake, but it is worthwhile to point out that competence is as necessary at the review level as it is at the performance level.

F.57

Comprehensive Attribute Sampling ddd.The risk of assessing control risk too low would be determined judgmentally by Dodge based on the desired level of control risk (as the desired level of control risk is lower, the risk of assessing control risk too low should be established at lower levels). The expected deviation rate is established by Dodge based on prior years audits (for recurring engagements) or a pilot sample of controls (for first-year engagements). The tolerable deviation rate is established by Dodge based on the desired level of control risk (as the desired level of control risk is lower, the tolerable deviation rate should be established at lower levels). eee. If Dodge wishes to place additional reliance on this control, she would reduce the risk of assessing control risk too low and the tolerable deviation rate. Dodges decision to place additional reliance on the control would not influence the level of the expected deviation rate. fff. Using the AICPA sample size tables, the necessary sample size corresponding to a risk of assessing control risk too low of 5 percent, an expected deviation rate of 2.75 percent, and a tolerable deviation rate of 7 percent would be 109 items.

ggg.Sample deviation rate = No. of deviations Sample size

Sample deviation rate = 4 109 = 0.037 or 3.7 percent (rounded)

hhh.Using a 5 percent risk of assessing control risk too low, 4 deviations, and a sample size of 100 (the next highest sample size on the table), the computed upper limit is 9.0 percent. iii. Because the computed upper limit (9.0 percent) exceeds the tolerable deviation rate (7.0 percent), Dodge would not be able to conclude that the control is functioning effectively. She would either reduce her reliance on internal control (increase the assessed level of control risk) or select additional items and reevaluate the results of her tests of controls. F.58 Comprehensive Attribute Sampling jjj. A deviation would be defined as a situation in which the receiving reports do not have an indication that they have been verified by Rocks receiving personnel (this indication is in the form of marks adjacent to the quantities verified and a signature on the receiving report). kkk.The population would be defined as all receiving reports prepared during the year (or period) under audit. The completeness of the population would be verified by identifying the document numbers corresponding to the first and last receiving reports prepared by Rocks personnel during the year (or period) under audit. lll. Using the AICPA sample size tables, the necessary sample size corresponding to a risk of assessing control risk too low of 5 percent, an expected deviation rate of 1.5 percent, and a tolerable deviation rate of 4 percent would be 192 items.

F.58

Comprehensive Attribute Sampling (Continued) mmm.Rocks electronic listing can be used to select items for examination using the following selection methods: 1. Unrestricted random selection: Alicia could use computer programs to identify 192 random numbers that correspond to receiving reports and select the related reports. Systematic random selection: Alicia could use computer programs to randomly select a starting point in the population and select every nth (corresponding to the sampling interval) receiving report in the population. Haphazard selection: Alicia could nonsystematically select receiving reports from the electronic listing without any rationale for including or excluding various receiving reports. Block selection: Alicia could use computer programs to reorganize the electronic listing to select receiving reports prepared by certain individuals, for certain types of vendors, or during certain dates.

2.

3.

4.

The primary precaution that should be taken by Alicia is to be sure that the electronic listing is randomly arranged, particularly if systematic random selection is utilized.

nnn.1. Sample deviation rate = 2 100 = 2.0 percent

Computed upper limit = 6.2 percent Allowance for sampling risk = 6.2 percent 2.0 percent = 4.2 percent Because the computed upper limit (6.2 percent) exceeds the tolerable deviation rate (4 percent), Alicia could not rely on the internal control as planned and would need to reduce her reliance on internal control or expand her sample to examine additional items. 2. Sample deviation rate = 4 100 = 4.0 percent Computed upper limit = 9.0 percent Allowance for sampling risk = 9.0 percent 4.0 percent = 5.0 percent Because the computed upper limit (9.0 percent) exceeds the tolerable deviation rate (4 percent), Alicia could not rely on the internal control as planned and would need to reduce her reliance on internal control or expand her sample to examine additional items. 3. Sample deviation rate = 10 100 = 10.0 percent Computed upper limit = 16.4 percent Allowance for sampling risk = 16.4 percent 10.0 percent = 6.4 percent Because the computed upper limit (16.4 percent) exceeds the tolerable deviation rate (4 percent), Alicia could not rely on the internal control as planned and would need to reduce her reliance on internal control or expand her sample to examine additional items.

F.58

Comprehensive Attribute Sampling (Continued) ooo.Increasing the risk of assessing control risk too low from 5 percent to 10 percent would affect both the sample size selected for examination (by decreasing the sample size) and the calculation of the computed upper limit used to evaluate the sample (by decreasing the computed upper limit). The advantages of increasing the risk of assessing control risk too low is that Alicia would examine a smaller sample and would have a higher likelihood (all other factors held constant) of obtaining results that would allow her to rely on Rocks internal control. The primary disadvantage is that Alicia would increase the likelihood that she is inappropriately relying on Rocks internal control and, ultimately, failing to control audit risk at the desired level.

F.59

Comprehensive Attribute Sampling a. b. c. The appropriate population would be all receiving reports evidencing goods received by Jasons Inc. The electronic database will include evidence of all receiving reports during the year and can be used as a sampling frame from which William Tortorice can draw his sample. Using AICPA sample size tables, the appropriate sample size for a risk of assessing control risk too low of 5 percent, a tolerable deviation rate of 10 percent, and an expected deviation rate of 2 percent would be 46 receiving reports. (1) Unrestricted random selection: William can select 46 random numbers that represent receiving report numbers prepared during the year and identify the related receiving reports.

d.

ppp.Systematic selection: William can determine a sampling interval by dividing

the number of receiving reports in the population by the desired sample size (146). A random starting point would be selected from within the population and every nth receiving report (corresponding to the sampling interval) thereafter would be selected for examination.

qqq.Haphazard selection: William can select 46 receiving reports without any

specific rationale for including or excluding receiving reports.

rrr. Block selection: William can select receiving reports prepared from March 1
through March 4 (coincidentally, a total of 46 receiving reports were prepared during these four days). e. (1) Sample deviation rate = 0 50 = 0.0 percent Computed upper limit = 5.9 percent Allowance for sampling risk = 5.9 percent 0.0 percent = 5.9 percent

sss. Sample deviation rate = 1 50 = 2.0 percent

Computed upper limit = 9.2 percent Allowance for sampling risk = 9.2 percent 2.0 percent = 7.2 percent

ttt. Sample deviation rate = 3 50 = 6.0 percent

Computed upper limit = 14.8 percent Allowance for sampling risk = 14.8 percent 6.0 percent = 8.8 percent

F.59

Comprehensive Attribute Sampling (Continued) f. (1) Comparing the computed upper limit of 5.9 percent to the tolerable deviation rate of 10 percent, it appears that William can choose to rely on internal control as planned. Examining the matrix, it appears that William could reduce the assessed level of control risk to 0.30 without any further testing, since the tolerable deviation rate associated with this level of control risk is 6 percent. William may even consider a further reduction in control risk lower than 0.30, if the benefits of doing so exceed the costs of additional tests of controls. However, reductions in control risk beyond the planned level typically require very strong levels of evidence. (2) Comparing the computed upper limit of 9.2 percent to the tolerable deviation rate of 10 percent, it appears that William can choose to rely on internal control as planned. Examining the matrix, to achieve a further reduction of control risk to 0.40, William would need to achieve a computed upper limit below 8 percent (the tolerable deviation rate associated with a control risk of 0.40). From the AICPA sample evaluation table, if a total of 60 items were examined with one deviation detected, the computed upper limit is 7.7 percent. Therefore, William would need to examine an additional 10 items and find no deviations to support a control risk assessment of 0.40. However, reductions in control risk beyond the planned level typically require very strong levels of evidence. (3) Comparing the computed upper limit of 14.8 percent to the tolerable deviation rate of 10 percent, it appears that William cannot choose to rely on internal control as planned. Based on the achieved computed upper limit, William could increase the assessment of control risk to 0.80 (which is associated with a tolerable deviation rate of 16 percent). Alternatively, to support a control risk assessment of 0.50 (which is associated with a tolerable deviation rate of 10 percent), William would need to expand his sample. From the AICPA sample evaluation table, if a total of 80 items were examined with three deviations detected, the computed upper limit is 9.5 percent. Therefore, William would need to examine an additional 30 items and find no deviations to support a control risk assessment of 0.50.

F.59

Comprehensive Attribute Sampling (Continued) g. (1) As noted in (f) above, Williams evidence currently supports a reduction in control risk to 0.30. To obtain a reduction to 0.20, the AICPA sample evaluation tables note that the computed upper limit for a sample size of 80 items and zero deviations is 3.7 percent, which is below the necessary tolerable deviation rate of 4 percent. The costs and benefits of this strategy are as follows: Costs of additional tests of controls ([80 50] x $7)................. Savings in substantive tests (20 items x $10)............................. Net additional costs (savings)..................................................... $210 (200) $ 10

As a result, it appears that William would choose to maintain a level of control risk of 0.30. uuu.As noted in (f) above, Williams evidence currently supports a control risk of 0.50 and that examining an additional 10 items would permit him to reduce control risk to 0.40, assuming that no deviations were noted. The costs and benefits of this strategy are as follows: Costs of additional tests of controls ([60 50] x $7)................. Savings in substantive tests (20 items x $10)............................. Net additional costs (savings)..................................................... $ 70 (200) $(130)

As a result, it appears that William would choose to expand his sample and attempt to obtain evidence to permit a reduction in control risk to 0.40. However, recall that reductions in control risk beyond the planned level typically require very strong levels of evidence. vvv.As noted in (f) above, Williams evidence currently supports a control risk of 0.80 and that examining an additional 30 items would permit him to assess control risk at the originally planned level of 0.50, assuming that no deviations were noted. The costs and benefits of this strategy are as follows: Costs of additional tests of controls ([80 50] x $7)................. Savings in substantive tests ([20 items x 3) x $10).................... Net additional costs (savings)..................................................... $ 210 (600) $(390)

Note: The savings in substantive procedures are multiplied by a factor of 3 because William is attempting to reduce control risk by 0.30 and each 0.10 reduction in control risk results in a savings of 20 items. As a result, it appears that William would choose to expand his sample and attempt to obtain evidence to permit a reduction in control risk to 0.50.

F.60

General Attribute Sampling Simulation a. Joes statement is not correct. Generally accepted auditing standards permit the use of either statistical sampling or nonstatistical sampling (AU 350.04). www.Joes statement is not correct. Control risk should be determined prior to the determination of detection risk. In fact, the level of detection risk will be dependent upon the assessed level of control risk (AU 312.32, AU 319.03, AU 319.05). xxx.Joes statement is correct. The risk of assessing control risk too low relates to the effectiveness of an audit. If control risk is assessed at inappropriately low levels, the extent of substantive procedures will not be sufficient to control audit risk to desired levels (AU 350.14). yyy.Joes statement is not correct. While segregation of duties is an important control, sampling is generally not appropriate for controls that do not provide documentary evidence (such as segregation of duties) (AU 350.32). zzz. Joes statement is correct. As the degree of assurance required by a control increases, the necessary tolerable deviation rate should be lower (AU 350.34). aaaa.Joes statement is not correct. Joe needs to consider the sampling risk that may be present in this situation (AU 350.41). bbbb.Joes statement is not correct. While all deviations do have the same effect on the computed upper limit, it is important for auditors to consider qualitative aspects of deviations, such as (1) whether deviations are intentional or unintentional and (2) the possible relationship of the deviation to other phases of the audit (AU 350.42).

F.61

Comprehensive Attribute Sampling Simulation a. Control risk is the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entitys internal control (AU 312.27). John would assess control risk at the maximum level when (1) controls are unlikely to pertain to an assertion, (2) controls are unlikely to be effective, or (3) evaluating the effectiveness of controls would be inefficient (AU 319.04). John would assess control risk at less than the maximum level when controls pertain to an assertion, controls are likely to be effective, and doing so would be more efficient than performing only substantive procedures (AU 319.03). b. The three objectives of internal control are financial reporting, operations, and compliance. The five components of internal control are the control environment, risk assessment, control activities, information and communications, and monitoring (AU 319.07- AU 319.08). The combination of objectives and components that is most closely related to attribute sampling are the control activities related to the financial reporting objective, since this objective relates to the fairness of the companys financial statements (AU 319.10). c. The two broad types of sampling risk related to attribute sampling are (AU 319.12): The risk of assessing control risk too low is the likelihood that the auditors sample provides evidence that the clients controls are functioning effectively when the population would indicate they are not functioning effectively. The risk of assessing control risk too high is the risk that the auditors sample provides evidence that the clients controls are not functioning effectively when the population would indicate that they are functioning effectively. The risk of assessing control risk too low exposes John to effectiveness losses, in terms of impacting his ability to detect material misstatements. The risk of assessing control risk too high exposes John to efficiency losses, through performing additional substantive procedures (AU 350.13 AU 350.14). cccc.John should consider (1) the relationship of the sample to the objective of the tests of controls, (2) the maximum rate of deviations from prescribed controls that would support his planned assessed level of control risk (tolerable deviation rate), (3) the allowable risk of assessing control risk too low, and (4) characteristics of the population (AU 350.31). dddd.The tolerable deviation rate is the maximum rate of deviations from the prescribed control that the auditor would be willing to accept without altering his planned assessed level of control risk (AU 350.34). In assessing the appropriate level of the tolerable deviation rate, John should consider the level of control risk and the degree of assurance desired by the evidential matter in the sample (AU 350.34). eeee.In establishing the desired level of sampling risk, John should consider the degree of assurance desired from his tests of controls. As the degree of assurance desired from his tests of controls is higher, John would assess sampling risk at lower levels (AU 350.37).

F.61

Comprehensive Attribute Sampling Simulation (Continued) ffff. If John cannot locate an item for examination, he should consider the reasons for this limitation and ordinarily consider these items to be deviations (AU 350.40). gggg.John should consider whether additional evidence to support a further reduction in control risk is likely to be available and whether it would be efficient to perform tests of controls to obtain that evidence (AU 319.87).