|
|
Total Number of Subscribers: 425 |
|
|
|
||
|
|
||
|
Date: 25 March 2008 |
Compiled by : M. Sathya Kumar |
|
|
|
Risk Analysis &
Statistical Sampling in Audit – Methodology The risk model Making an audit assertion with absolute
certainty would be vastly expensive. There would always be some risk that
audit fails to discover all material errors, even when 100% of the
transactions are audited. Recognising this, the auditor defines an audit risk
that he is willing to accept or conversely the assurance that he desires to
provide that his audit assertions/ opinions are correct. This risk (or assurance) is usually defined
as a matter of SAI policy. Using this assurance as input, it is possible to
define a sample, using statistical sampling methods, on which audit tests
that are carried out give results that can be projected to the entire
population. This approach prescribes a uniform audit scrutiny for all
transactions in the population. However, all transactions are not equally
risky and treating them as such will mean higher costs of audit in less risky
transactions on the one hand and the threat that risky transactions will not
be detected on the other. The risk model is an analytical tool for planning and execution.
This approach detects high-risk areas where audit effort can be concentrated.
Audit can thus focus on areas which are likely to generate better assurance
instead of sampling and testing of larger but low risk areas. It structures
the audit procedures and re-organises the audit
work in terms of risk perception. The Risk Model can
be expressed by the following equation: OAR = IR x CR x DR
And the underlying assumption is that the individual risks,
viz., IR, CR, DR are independent of each other The overall audit risk is defined by the
audit institution and hence is a constant pre-determined quantity. The
objective for the auditor is to first assess inherent and control risks in
the entity, and then to design and perform appropriate compliance and
substantive procedures that provide sufficient assurance such that the
product of the risks identified is less than or equal to the overall audit
risk that the auditor is willing to accept.
In the risk model, thus, the auditor assesses the inherent risk
and control risk and solves the equation for detection risk. The detection
risk (DR) is actually a combination of two risks; analytical procedures risk
(AP) which is the risk that analytical procedures will fail to detect
material errors and tests of detail risk (TD) which is the risk that detailed
test procedures will fail to detect the material errors. These two risks are
again considered independent and thus a multiplicative model is
possible. DR = AP X TD OAR = IR x CR x AP x TD The auditors exercise professional judgement in assessing the IR, CR and AP. Then solve the
model to arrive at the test of details risk(TD). Materiality and
audit risk While risk is concerned with the likelihood
of error, materiality deals with the extent to which we can tolerate error. Materiality
relates to the maximum possible mis-statements/
error. The auditor needs to do just enough work to conclude that the maximum
possible mis-statement/ error at the desired level
of assurance is less than the materiality. Materiality is determined from the
user’s point of view, and is independent of the overall audit
assurance (risk). While making materiality judgements
three main factors are considered; the value of the error, the nature of the
error and context in which the transaction has occurred. It is normally
sufficient to determine a single materiality level for the audit. However, in
some situations it may be desirable to use different materiality levels for
different components/ areas of audit. The auditor is concerned only with material errors. Risk
assessment will thus focus on the likelihood of material error. To use the
risk model, the auditor has thus to specify the materiality level along with
the overall assurance required form the audit. To assess inherent
risk Inherent risk assesses the nature,
complexity, and volume of the activities that gives rise to the possibility
of error occurring in the first place. The assessment of inherent risk
factors would to a large extent be based on the knowledge and understanding
of the business of the auditee based on our
experience from previous audits and identification of events, transactions
and practices which may have a significant impact on the audit
area. The major factors that can be considered for assessment of
inherent risk in a financial (certification) audit are listed below
Different audits will have a different set of risk parameters
for assessment of inherent risk. Inherent risk has to be assessed for each audit assertion/
opinion. Inherent risk factors impacting the audit assertion need to be
documented. The risk associated with each individual factor is then assessed
as high, moderate or low. The assessment is then consolidated for overall
assessment of inherent risk. It is possible to assign numerical values to the
risk assessed, or the assessment can be done quantitatively in terms of high,
moderate and low. To assess control risk Control risk
assesses the adequacy of the policies and procedures in the auditee organisation for
detecting material error for identified functions or activities. For
assessing the control risk, the auditor considers both the control
environment and control systems together. Techniques used to evaluate
internal control are narrative descriptions, questionnaires, check lists,
flow charts, inspection, inquiries, observation and re-performance of
internal controls. Different kinds of audit will have a different set of
control factors to be considered. The auditor evaluates the control
environment and systems (both manual and IT) and places reliance on them.
This evaluation is the preliminary systems examinations and are designed to
assess whether the activities undertaken by the audited body are in
accordance with the statutory and other authorities, whether the audited body’s structure is likely to ensure adequate internal control, the
adequacy of general financial controls, whether the employees in areas
critical to internal controls are competent and whether there are adequate
other general controls in areas relevant to audit. The control risk is then
assessed and expressed either in numerical (percentage terms) or qualitative
(high, medium, low) terms. To assess detection
risk Having assessed the inherent and control
risks, the risk equation can be solved for detection risk, i.e. the assurance
required from audit procedures. An assurance guide is where the required
assurance from substantive audit tests can be read off. This assurance level
will be used as input in determining the sample size on which the audit tests
need to be performed to arrive at the required overall assistance. Risk assessment
leads to a stratification of the audit population Based on the level of assurance required
from audit testing of an area and the materiality of errors associated, audit
processes are defined. A high likelihood of error in an audit area which
requires a high level of assurance of the audit test along with a high
significance would, for example make the area a critical concern for audit
and one may decide to conduct a 100% check on these kind of areas. Based on
the perception of risk and the materiality along with the value of the set of
transactions the population is stratified. Each strata of the population will
involve a different level of substantive audit checks. The high risk, high
materiality items will be subjected to a higher level of substantive audit
test, while an area with lower materiality may be tested through analytical
methods or test of controls and lesser substantive tests. As a rule it is prudent to examine all transactions that are
individually material. The conclusions which can be drawn from a test of
items selected on a high value basis will only relate to these items and
provide better assurance to the auditor. Similarly, there could be key items
which are especially prone to error or other risks, or merit special
attention. The auditor may wish to examine these items 100% when forming an
audit opinion. Statistical
sampling Sampling means testing less than 100% of the
items in the population for some characteristic and then drawing a conclusion
about that characteristic for the entire population. Traditionally, auditors
use ‘test check’ (or judgmental sampling, non-statistical
sampling) approach. This means checking a pre-determined proportion of the
transactions on the basis of the auditor’s judgement. This sampling technique
can be effective if properly designed. However, it does not have the ability to
measure sampling risk and thus audit conclusions reached becomes rather
difficult to defend. For statistical sampling techniques, there
is a measurable relationship between the size of the sample and the degree of
risk. Statistical sampling procedure uses the laws of probability and
provides a measurable degree of sampling risk. Accepting this level of risk,
(or conversely at a definite assurance level) the auditor can state his
conclusions for the entire population. In sum, statistical sampling provides
greater objectivity in the sample selection and in the audit conclusion. The basic hypotheses of statistical sampling
theory are: (a)The population is a homogeneous group. (b) There is no bias in the selection of items of the sample. All
items of the population have equal chance of being selected in the sample. Attributes and
Variable sampling Statistical sampling may be used in
different auditing situations. The auditor may wish to estimate how many
departures have occurred from the prescribed procedures; or estimate a
quantity, eg., the value (amount) of errors in the
population. Based on whether the audit objective is to determine a
qualitative characteristic or a quantitative estimate of the population, the
sampling is called an attribute or variable sampling. Attributes sampling estimates the proportion
of items in a population having a certain attribute or characteristic. In an
audit situation, attribute sampling would estimate the existence or otherwise
of an error. Attribute sampling would be used when drawing assurance that
prescribed procedures are being followed properly. For example, attribute
sampling may be used to derive assurance that procedures for classification
of vouchers have been followed properly. Here, the auditor estimates through
attribute sampling the percentage of error (vouchers that have been mis-classified) and sets an upper limit of error that he
is willing to accept and still be assured that the systems are in place. Variables sampling estimates a quantity, eg., amount of sundry debtors shown in the balance sheet
or the underassessment in a tax circle. Variables sampling has certain
drawbacks which can be overcome through monetary unit sampling, which is an
attribute sampling which provides quantitative results and is suited to most
audit situations. Sampling methods There are different ways in which a
statistical sample can be selected. A simple random sampling ensures that
every member of the population has an equal chance of selection. Though simple
to administer, the underlying assumption is that the population is
homogeneous. In cases where the population is non-homogeneous, a stratified
sampling would be a better option. Here the population is sub-divided into
homogeneous groups and then a random sampling is done on the groups, ensuring
a better representative sample. Each sampling method has its practical use
and limitation. The auditor uses his judgement in
determining which kind of sampling is best suited to his audit job. Designing a sample Once the method of sampling is decided, it is essential to
design the actual sample. The basic stages that are involved in attributes
sampling are mentioned below: (a) Determining the sample size (b) Selecting the sample and performing substantive audit tests
on the sample (c) Projecting the results (a) Determining the sample size: The first step is to define clearly the target population and
the error/ exception(attribute) that audit wishes to test. The tolerable error or the maximum errors that the auditor is
willing to accept and still conclude that the auditee
is following the procedures properly. Audit test on the sample will throw up an
estimate of error for the population. The true error of the population could
be more than this estimate. The difference between the sample estimate and
the actual population is the precision level. The auditor has to
decide the precision he desires to provide in his estimates. Tolerable error
being the maximum error that the auditor is willing to accept is Maximum
(sample estimate + precision level) that is accept The confidence level or the level of
assurance that audit needs to provide is to be defined. When a risk
assessment has preceded the sampling process, the confidence level would be
(1- detection risk). Confidence level states how certain the auditor is, that
the actual population measure is within the sample estimate and its
associated precision level. The occurrence rate or population
proportion which is the proportion of items in the population having the
error/ exception that audit wishes to test. The required sample size can be calculated
using the formula Sample size (n)
= Z 2 p(1-p) , Where, Z = score
associated with confidence level Or read off from standard statistical
tables at the required confidence level. The sample size would be larger, higher the
confidence level and precision required. Also if the occurrence rate in the
population becomes larger the size of the sample would increase. In case of
variables sampling, where the estimate of a quantity is required, sample size
becomes a function of the standard deviation in the population rather than
the occurrence rate. (b) Selecting the
sample and performing substantive audit tests on the sample There are a large number of methods of
sample selection. The most frequently used method is random selection where each item in
the population has a equal chance of selection. This could be done by using
random number tables or through computers. In a systematic
selection, one or two items are selected randomly, but the other items
are selected by adding the average sampling interval. The greatest advantage
of this method is that when it is used in monetary unit sampling, it
automatically ensures that all items greater than the average sampling
interval are selected. However, this method cannot be used when
some fixed numbers are assigned to various categories of transactions, which
make up the accounts, as either all items of a particular category will be
selected or ignored completely. In the cell sampling method, the
population is divided into a number of cells and one item is selected from
each cell randomly. This method overcomes the drawback of
systematic sampling when fixed numbers are given to various categories, but
retains the advantage of systematic sampling of automatically selecting items
bigger than the average sampling interval. Auditing software, eg.,
IDEA is an efficient tool for sample selection. Once the sample is selected,
identified audit tests are to be applied on the sample. (c ) Projecting the
results Once the audit tests are performed on the
sample, the test results need to be projected to the population. Following
this, a conclusion has to be reached whether the auditor can place an
assurance on the systems. After the audit tests, the auditor obtains
the actual number of errors in the sample selected. As the sample size and
the confidence level desired by the auditor are known elements, the formula
given above can be used to solve for the precision. The maximum error
estimate of the population would then be obtained after loading the sample
estimate with the precision. This is the computed tolerable error. Instead of
solving the mathematical formula, it is possible to read off the ‘computed tolerable error’ straightaway from the statistical
tables for the desired confidence (assurance levels). In a case when the computed tolerable error
is less than the tolerable error, the auditor can place the desired assurance
on the systems. When the computed tolerable error is higher than the
tolerable error, the auditor cannot derive assurance from the systems. The
auditor may, in such situations reduce the assurance he derives from the
control and increase the assurance required from substantive tests. Edited Excerpts from Ms. Parama Sen , Presently Director
(Performance Audit) – Office of
the CAG of India, New Delhi |
|
|
|
|
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Rewards waiting for feedback at |
|
|
|
|
|
|
|
||
|
|
|
|
|
|
Disclaimer: We believe that the information contained in this e-zine is true. If you do not wish to receive Smart Trainee please click here. |
|
|
|
||
|
|
|
|
|
|
Click here to contact us, if you are unable to view the content properly |
|
|
|
|
|
