Guidance Explores Appropriate Use of Data Sampling
An IIA practice advisory says effective sampling procedures will increase the coverage, focus, and efficiency of audits and allow the auditor to provide reliable assurance on business processes that impact the organization's achievement of its objectives.
Albert G. Holzinger
May 01, 2013
Internal auditors must base their conclusions on the rigorous analysis and evaluation of information available to them, says The IIA's International Standards for the Professional Practice of Internal Auditing (Word document) — specifically Standard 2320: Analysis and Evaluation. The Institute's Global Technology Audit Guide 16: Data Analysis Technologies (PDF download for IIA members) suggests that nowadays this mandate ideally should be fulfilled by using software to monitor entire data sets, either continuously or periodically.
In the real world, however, technology-based auditing is not always possible or practical. In those instances, practitioners must use traditional manual data-sampling techniques to provide the factual evidence needed to make and support valid conclusions. The Institute's Practice Advisory 2320‐3: Audit Sampling (PDF download for IIA members) explores the nature and use of such sampling. Like all practice advisories, application of this new IIA guidance is highly recommended, but not mandatory, under The IIA's International Professional Practices Framework.
"Effective audit sampling procedures will increase the coverage, focus, and efficiency of audits and will allow the auditor to provide [reliable] assurance on business processes that impact the organization's achievement of its objectives," the advisory says. "It is important that the auditor understand accepted guidance and standards on sampling along with the business processes and data he or she is working with when selecting the appropriate audit sampling technique" and evaluation data set. The advisory says data samples that will be relied on as audit evidence should be:
Sufficient to provide information that is factual, adequate, and convincing "so that a prudent, informed person would reach the same conclusions as the auditor."
Reliable, in that the data is "the best attainable information through the use of appropriate engagement techniques."
Relevant to supporting engagement observations and recommendations.
Consistent with the objectives for the engagement.
Useful in helping provide assurance that the organization will fulfill its strategies and meet its goals.
Sampling risk is the possibility that a conclusion based on sampling may differ from the corresponding conclusion if the entire data population were subjected to the same audit procedures. "The level of sampling risk that the auditor is willing to accept, tolerable error, and the expected error all affect sample size," the advisory notes. "Sampling risk should be considered in relation to the audit risk approach and its components, which include inherent risk, control risk, and detection risk."
The guidance says sampling techniques may be either statistical or nonstatistical in nature. Effective statistical sampling, which the advisory says allows the auditor to draw conclusions supported by "arithmetic confidence levels," requires the internal auditor to validate the completeness of the data set and randomly or systematically select sample transactions that are representative of the overall population.
In contrast, nonstatistical sampling entails data selection based on the auditor's "own experience and knowledge." This approach, the guidance says, can be effective "when results are needed quickly and needed to confirm a condition rather than being needed to project the mathematical accuracy of the conclusions." The specific statistical and nonstatistical sampling techniques explored in the advisory are:
Random sampling, which is not governed by predetermined selection considerations so every unit of the data universe has an equal selection chance.
Monetary unit sampling, often used in an attempt to identify monetary misstatements in an account balance.
Stratified sampling, the practice of segregating an entire population into subgroups and randomly selecting data from each of the groups for review.
Attribute sampling, which can be used to determine the characteristics of a population being evaluated.
Variable sampling, commonly used to determine the potential monetary impact of characteristics of a population.
Judgmental sampling, which — as its name implies — is based on the auditor's professional judgment and is "meant to focus and confirm a condition that is reasonably thought to exist."
Discovery sampling, typically used in engagements where evidence of a single error or instance would call for an intensive investigation.
When determining the appropriate size and structure of a sample, the advisory says the internal auditor "should consider the specific audit objectives, the nature of the population, and the sampling and selection methods." The auditor also should consider whether it may be appropriate to involve specialists in the design and analysis of the sampling methodology or the execution of the sampling process.
The advisory says the internal auditor should analyze possible errors detected during analysis of the data sample to determine whether they actually are mistakes and, if so, their precise nature and cause. "For those that are assessed as errors, it should be determined whether additional testing is required," the document says.
The guidance notes that when a specific sample item does not yield the expected audit evidence, the internal auditor may be able to obtain sufficient evidence by performing alternative procedures on the item selected. However, if the auditor is unable to apply the designed audit procedures or alternative procedures to a selected item, he or she "should treat that item as a deviation from the prescribed control."
Audit workpapers should include sufficient detail to describe clearly the sampling objective and the sampling process used, the advisory says. More specifically, workpapers should include the source of the data population, the sampling method used, sampling parameters — random start number or method by which the random start was obtained and the sampling interval, for example — items selected, details of audit tests performed, and conclusion reached. When the internal auditor is reporting results of testing and his or her conclusions, the advisory reminds readers that "sufficient information needs to be reported for the reader to understand the basis of the conclusion."
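As an added illustration (not taken from the advisory or this article), the sketch below performs a systematic monetary unit selection and returns the parameters the workpaper paragraph lists: population source, method, random start, sampling interval, and items selected. The ledger, control total, seed, and the function name `mus_select` are constructed assumptions.

```python
import random
from itertools import accumulate

# Constructed sample ledger: (invoice id, book value in whole currency units).
LEDGER = [("INV-001", 1200), ("INV-002", 300), ("INV-003", 4500),
          ("INV-004", 50), ("INV-005", 2750), ("INV-006", 800),
          ("INV-007", 9400), ("INV-008", 1000)]
CONTROL_TOTAL = 20000  # assumed figure from an independent source (e.g. general ledger)


def mus_select(items, control_total, sample_size, seed, source="constructed ledger"):
    """Systematic monetary unit selection; returns a workpaper-style record."""
    if any(value <= 0 for _, value in items):
        raise ValueError("zero or negative balances need separate treatment")
    total = sum(value for _, value in items)
    # Completeness check: the population must reconcile before it is sampled.
    if total != control_total:
        raise ValueError(f"population {total} does not reconcile to {control_total}")
    interval = total // sample_size
    rng = random.Random(seed)         # seeded so a reviewer can re-perform the selection
    start = rng.randint(1, interval)  # random start inside the first interval
    hits = [start + k * interval for k in range(sample_size)]
    bounds = list(accumulate(value for _, value in items))  # cumulative monetary units
    selected, idx = [], 0
    for hit in hits:
        while bounds[idx] < hit:      # advance to the item containing this unit
            idx += 1
        if items[idx][0] not in selected:  # one large item can absorb several hits
            selected.append(items[idx][0])
    return {
        "population_source": source,
        "population_total": total,
        "sampling_method": "monetary unit (systematic)",
        "seed": seed,
        "random_start": start,
        "sampling_interval": interval,
        "monetary_units_hit": hits,
        "items_selected": selected,
    }


if __name__ == "__main__":
    for field, value in mus_select(LEDGER, CONTROL_TOTAL, 4, seed=2013).items():
        print(f"{field}: {value}")
```

Any item whose book value is at least one sampling interval (INV-007 here) is certain to be selected, which is why the method concentrates testing on large balances.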