Chapter 17 Audit Sampling for Test of Controls

1. What are the test of controls audit procedure in general, and what purpose do they serve?
A test of control audit procedure in general is a statement of identification of a population from
which sampling units are to be drawn and is an expression of an action taken to produce evidence
about a client control procedure.

2. In test of controls auditing, why is it necessary to define a compliance deviation in advance? Give
seven examples of compliance deviations.
It necessary to define a compliance deviation in advance because auditors will know what to
look for and will know one once they see it.

Objective Examples
Validity Sale recorded without supporting shipping
orders.
Authorization Lack of credit manager approval for a credit
sale.
Accuracy Mathematical errors in sales invoice
calculations.
Classification Sales classified in wrong product line revenue
account.
Proper Period Sales recorded in month (quarter, year) before
the actual shipment.
Accounting Sales charges fail to be posted to a customer’s
account.
Completeness Shipments fail to be billed to customers and
recorded as sales and receivables.

3. Which judgments must an auditor make when deciding on a sample size for test of controls audit
sampling? Describe the influence of each judgment on sample size.

Judgment Relationship Influence on sample size

Assessing control risk too low
Acceptable risk of assessing
control risk too high
Tolerable deviation rate
Expected population deviation
rate (an estimate rather than a
judgment)
Inverse The greater the acceptable risk,
the smaller the sample
Inverse The greater the acceptable risk,
the smaller the sample.
Inverse The higher the tolerable rate,
the smaller the sample.
Direct The higher the expected rate,
the larger the sample.

The sample size is directly related to the population size; the larger the population, the larger
the sample, but this is not always the case.

4. Why should auditors be more concerned in test of controls auditing with the risk of assessing the
control risk too low than with the risk of assessing the control risk too high?
 Auditors should be more concerned in test of controls auditing with the risk of assessing the
control risk too low than with the risk of assessing the control risk too high because it has the
potential of affecting audit effectiveness, hence harming the quality of the audit for users.
Effectiveness is more important than efficiency in which the latter is affected by the risk of assessing
the control risk too high.

5. Write the expanded risk model. What risk is implied for “test for detail risk” when: inherent risk =
1.0, control risk = 0.40, analytical procedures risk = 0.60, audit risk = 0.048, tolerable misstatement
= P10, 000, and the estimated standard deviation in the population = P25?
LET TD
TD: Test for detail risk
Expanded risk model: AR = IR x CR x AP x TD
Solve for TD, when: .048 = 1.0 x .4 x .6 x TD

TD = 0.048/(1x.4x.6) = .2

The tolerable misstatement (P10, 000) and estimated standard deviation (P25.00) are “noise” in
the question.

6. What is the connection between possible assessments of control risk and a judgment about
tolerable rate, both considered prior to performing test of controls audit procedures?
There is a direct relationship between control risk and the tolerable deviation rate wherein the
higher the control risk, the higher the tolerable deviation rate can be. More analytical procedure
and test of detail work will be done when larger values are planned for control risk (say, 0.95, 0.90)
in an audit plan. Tolerable deviation rate could be larger since auditors will not rely much on internal
controls, thus the use of controls are insignificant.

7. When you subdivide a population into two populations for attribute sampling, how do the two
samples compare to the one sample that would be drawn if the population had not been
subdivided?
Tolerable deviation rate and expected population deviation rate are the specifications risk of
assessing control risk which are the basis of sample sizes that would be determined independently
for the two populations in the subdivision. The sum of the two sample sizes would be at least twice
the size of the sample figured for the single population provided both subdivided populations have
1,000 or more units if the criteria are at least as inflexible for each of the two as they would be for
the undivided population.

8. How does the relationship between the tolerable occurrence rate and the upper occurrence limit
(maximum deviation rate) affect the auditor’s decision concerning control risk assessment?
Further reduction of the assessed level of control risk is justified only when the upper
occurrence limit is less than or equal to the tolerable occurrence rate in which it is the rate of error
beyond which the auditor cannot justify further reduction in the assessed level of control risk. A
calculated rate which exceeds the tolerable rate, therefore, would suggest a level of error which
precludes any lowering of assessed control risk.

9. Define expected occurrence rate (expected population deviation rate) and tolerable occurrence
rate, explaining how they are set and how they affect sample size.
 Expected occurrence rate is the anticipated error rate in a population and has a positive effect
on sample size. It is set on the basis of one or a combination of the prior year’s audit, the auditor’s
initial understanding of internal control policies and procedures relative to the transaction cycle
subset and a pilot sample of documents.

Alternatively, the tolerable occurrence rate is the maximum error rate which the auditor would
accept while still lowering assessed control risk below maximum and is based on the tolerable rate
on materiality of the attribute being tested. The tolerable occurrence rate has an inverse effect on
sample size; the more critical an attribute to effective internal control, the lower the tolerable
occurrence rate.

10. Name and define three factors comprising overall audit risk.
The three factors comprising overall audit risk are Inherent risk, control risk and detection risk.
Inherent risk is the risk that, in the absence of internal control, material errors or irregularities will
occur. Control risk is the risk that internal financial control policies and procedures will fail to
prevent or detect material errors and irregularities. Detection risk is the risk that material errors and
irregularities, which are not prevented or detected by internal financial control policies and
procedures, will not be detected by the independent audit.

Source:
Cabrera, M. E. (2015). Auditing Theory. 2017 C. M. Recto Avenue, Manila: GIC ENTERPRISES & CO., INC.