Page 129 - CITP Review
In an audit, it is best practice to employ statistical sampling methods. All methods that follow this approach
study a random selection of the sample items, then use statistical techniques in order to assess the results.
If a method does not share these characteristics, it is considered to be nonstatistical sampling.
There are four methods for statistical sampling:
Attribute sampling. Estimates the rate of occurrence of certain characteristics of the population.
Attribute sampling is particularly useful for examining deviations in the performance of a control, and
is thus useful in ToC. Any failure of the control’s proper functionality would be treated as a deviation.
It is up to the auditor to set a tolerable rate of deviation for any audit.
Discovery sampling. Designed to identify a small number of critical deviations, or exceptions, in the
population. It is most often used to detect a fraudulent transaction; if the sample contains even a single
deviation (that is, a fraudulent transaction), protocol requires the auditor to examine the entire
population.
Classical variables sampling (CVS). Provides an estimate of a numerical quantity, such as a dollar
balance of an account. It is used by auditors primarily to perform substantive tests. CVS includes
mean-per-unit estimation, ratio estimation, and difference estimation, so CVS is useful in confirming
accounts such as accounts receivable.
Probability-proportional-to-size sampling (PPS). Develops an estimate of the total dollar amount of
misstatement in a population. PPS uses dollar-unit sampling, or monetary unit sampling (MUS); the
higher the dollar value of a sample transaction, the more likely it is to be included in the sample. MUS
is often used in fraud detection.
One other sampling approach is a directed sample. In this approach, the sampler determines sample size
based on professional judgment. For instance, if the table suggests a sample size of 66, the sampler may
choose to add a cutoff factor of all transactions above a certain figure. The sampler may also use
professional judgment to simply reduce the sample size of 66 if the ToC proved to be reliable, where the
assumption is that there is low risk of deviations or misstatements because the ToC are reliable.
The most basic and overarching requirements that an auditor should consider when determining sample
size are purpose, sampling risk, and representation. The overall driving factor of appropriate sample size
should be the purpose of the audit. The auditor has to select a sample size that can best minimize
sampling risk. And the auditor must select items for the sample that accurately and honestly represent
the relevant population. Although there are additional, specific sample size considerations, the audit
purpose, sampling risk, and sample representation are considered to be the overall theme when it comes
to selecting a sample size.
Sample size is also determined by the size of the population, the deviation (error) rate, and statistical
methodology. Tables have been established to assist the IT auditor in determining sample size easily. For
instance, if the population contains 10,000 transactions and the objective is anti-fraud control
effectiveness, with a 95% confidence interval, then discovery sampling tables indicate a sample size of
483. Using the same criteria, attribute sampling tables indicate a sample size of 66 (7% tolerable
deviation rate, one allowable deviation). This comparison supports the fact that sample size is dependent
on methodology, as well as other factors.
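The attribute sampling figure above (66 items, 7% tolerable deviation rate, one allowable deviation, 95% confidence) can be reproduced with a binomial model, shown here as an added example that is not part of the original text. It assumes the population is large relative to the sample, and the function names are illustrative; the discovery sampling figure of 483 is not reproduced because the page does not state the critical deviation rate behind it.

```python
from math import comb

def acceptance_risk(n, allowed, rate):
    """P(at most `allowed` deviations in n items) if the true deviation rate is `rate`."""
    return sum(comb(n, k) * rate**k * (1 - rate)**(n - k) for k in range(allowed + 1))

def min_sample_size(confidence, tolerable_rate, allowed=0, max_n=100_000):
    """Smallest n at which a population deviating at the tolerable rate would
    still pass (show <= `allowed` deviations) with probability <= 1 - confidence."""
    risk = 1 - confidence
    for n in range(allowed + 1, max_n + 1):
        if acceptance_risk(n, allowed, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size up to max_n meets the criteria")

def upper_deviation_limit(n, found, confidence):
    """Upper bound on the population deviation rate after finding `found`
    deviations in n items, located by bisection (risk falls as the rate rises)."""
    risk, lo, hi = 1 - confidence, 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if acceptance_risk(n, found, mid) > risk:
            lo = mid   # a rate this low is still plausible; the bound lies higher
        else:
            hi = mid
    return hi

if __name__ == "__main__":
    # Parameters taken from the text: 95% confidence, 7% tolerable rate, 1 allowed.
    n = min_sample_size(0.95, 0.07, allowed=1)
    print("attribute sample size:", n)
    # Evaluate the sample once testing is done: compare the achieved upper
    # limit with the tolerable rate for 0, 1 and 2 deviations found.
    for found in (0, 1, 2):
        limit = upper_deviation_limit(n, found, 0.95)
        verdict = "supports reliance" if limit <= 0.07 else "exceeds tolerable rate"
        print(f"{found} deviation(s): upper limit {limit:.2%} -> {verdict}")
```

Finding a second deviation in the 66 items pushes the upper limit above 7%, which is why the allowable number of deviations has to be fixed before testing begins.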
This example also demonstrates power. Simply put, the larger the sample size, the more transactions a
CITP will examine, and the greater the probability of uncovering anomalies or exceptions. Thus, in this
© 2019 Association of International Certified Professional Accountants. All rights reserved.