April 5, 2022

Strategic Audit Sampling

As a best practice, sampling should be a CPA’s last line of defense! Here’s why.

Do we always need to sample? That’s a question many CPAs ask themselves when getting ready to conduct audit engagement.

An important aspect of planning an audit is deciding the extent of which audit procedures to perform. Decisions about the extent of testing may be dependent on the number of client locations or components to be tested and/or the cutoff amount for individually significant items (ISI) and sample sizes.


Authoritative guidance applies when audit engagement teams decide to use audit sampling in performing audit procedures which can be found in Professional Standards of the American Institute of Certified Public Accountants (AICPA) - AU-C 530B, Audit Sampling. AU-C 530B addresses the engagement team’s use of statistical and nonstatistical sampling when: (a) designing and selecting the audit sample, (b) performing tests of details and tests of controls and (c) evaluating the sampling results.


Guidance requires that when audit engagement teams design tests of controls and/or tests of details, they should determine an approach to selecting items for testing that is effective in meeting the purpose of the audit procedure. Approaches to selecting items for audit testing are as follows: (a) selecting all items in the population (100% testing), (b) target items and (c) audit sampling. Engagement teams may apply any one or a combination of these approaches to selection depending on the facts and circumstances.


Audit sampling enables conclusions to be drawn about an entire population based on tests of a sample taken from that population. The ability to draw valid conclusions based on a sample depends on determining an appropriate sample size, having an appropriate sampling approach and method of selection, and appropriately following up on exceptions.


So, the answer to our opening question regarding whether auditors need to always sample, the answer is (drumroll, please); no! The biggest mistake we make as auditors is to automatically select a sample and perform detailed testing. We have to think about more efficient ways of gaining assurance over an account balance (or a class of transaction) and still ensure the risk is eliminated or appropriately mitigated to an acceptable level. As a best practice, sampling should be used as our last resort. However, in some situations, there may be no alternative but to sample. So, for example, where a population (or part of a population) is material to the audit, consisting of only low value similar items (or transactions), and where the nature of the account is such that analytical review procedures cannot be used, then audit sampling may be our only option in the absence of any suitable controls that could be tested.

 

Here are some upfront questions we should be asking ourselves:

  • Are there any controls at the client we can rely on?
  • What procedures are we performing on the account?
  • What is the level of assurance we will obtain from these procedures?
  • What is the remaining balance amount of the account?
  • Is the remaining balance a significant risk?

 

So, before sampling, it’s advisable to conduct target testing on high-risk transactions first. If you separate and test account balances identified as high risk (e.g., accounts that belong to customers the client has had difficulties with in the past or have unusually high dollar amounts), you may be able to reduce the sample size, or forgo audit sampling altogether. When you complete this type of target testing, you’re taking the inherent risk—the susceptibility of an account balance or class of transactions to material misstatement— from a high risk and bringing it down to a moderate risk.


Often, auditors forgo target testing and leave the inherent risk high, which in turn, causes your sample size to be higher. By target testing high-risk transactions first, you’ll achieve a greater efficiency in coverage.

Remember, you don’t always need to sample. Assess what additional procedures you can perform first before sampling. Your audit approach needs to be tailored based on the nature of the balance you’re testing and the related risks. If the remaining balance is immaterial and you have not raised a significant risk, then no further audit work is needed. It is important to reassess inherent risk over the remaining population in order to obtain sufficient appropriate audit evidence in the most efficient manner.

 


Collemi Consulting has significant expertise in the nuances of deciding whether engagement teams should perform audit sampling and if so, how to properly determine an adequate sample size. We recommend CPA firms and auditors to contact us before or during audit planning so we can assist with the sampling process to maximize efficiency and help ensure that you’ll able to issue an appropriate opinion under Professional Standards.

Learn More

It’s Time For Year-End Audits

December 20, 2024
Are you prepared?
A woman's hands holding a microphone

Shake It Off

December 9, 2024
Conquer your fear of public speaking and present like a pro
Man with hand by his ear straining to listen.

Hear, Hear!

December 4, 2024
Boost your business by becoming adept at active listening.
Open calendar book laying on desk next to open laptop with time on screen

There’s Only One Year Left to Implement the PCAOB’s New Quality Control Standards

November 18, 2024
ADDITIONAL GUIDANCE: Since this blog was first published, the PCAOB released two new guidance documents. The Nov. 26 updates can be found here: An additional overview of the requirements of QC 1000 and staff guidance for firms about how to comply with the standard. This document provides additional staff insights on scope and applicability, responding to engagement deficiencies, and documentation for AS 2901, Responding to Engagement Deficiencies After Issuance of the Auditor’s Report. The Public Company Accounting Oversight Board (PCAOB) recently announced a new set of quality control standards designed around a risk-based approach. And there’s only one year to design and implement them. The PCAOB’s new QC 1000 standard is more than two decades in the making, as it replaces the quality control standards it adopted on an interim basis back in 2003 from the American Institute of Certified Public Accountants (AICPA). The new standard is intended to make independent registered public accounting firms significantly improve their quality control (QC) systems. QC 1000 applies to all PCAOB-registered member firms, with more extensive requirements for those that audit more than 100 issuer clients annually. It has been approved by the U.S. Securities and Exchange Commission (SEC) and goes into effect on December 15, 2025. The new requirements and the work required to implement them will be extensive, and the larger public accounting firms require external oversight of the QC system. Therefore, it is strongly recommended that firms do not put it off until the last minute. At its core, the new standard is intended to enable firms to identify their specific risks and design a quality control system including policies and procedures to guard against those risks. The overall goal is to establish what the PCAOB calls “a continuous feedback-loop for improvement.” In this, the new standard differs from the International Auditing and Assurance Standards Board’s (IAASB) International Standard on Quality Management No. 1 (ISQM 1) and the AICPA Statement on Quality Management Standards No. 1 (SQMS 1). An extensive but not comprehensive comparison document of the three standards may be found here, but is presented only as a reference tool. New requirements QC 1000 has requirements that do not appear in other QC standards. They can be more prescriptive or more specifically tailored to the U.S. legal and regulatory environment. There are 10 main areas in which the QC 1000 standards go beyond other, existing standards. These are: Evaluation and Reporting: QC systems must be evaluated annually and reported to the PCAOB. They must be certified by specific individuals with responsibility and accountability for the firm’s QC system. Governance and Leadership: Firms must create and maintain clear lines of responsibility and supervision. Larger firms must have outside oversight and a confidential complaint system. Ethics and Independence: Quality objectives must be tailored to the U.S. regulatory environment. Larger firms must implement an automated system for identifying securities investments that could impair independence. Monitoring and Remediation: QC 1000 divides monitoring into engagement and QC system levels. Engagement and QC deficiencies are defined, including requirements for their determination. Larger firms must (and smaller ones should) monitor in-process engagements. Quality Objectives: The firm’s personnel must comply with its policies and procedures Information and Communication: Quality objectives for communication with external parties are established at the firm and engagement level. Communication of the firm’s QC system’s policies and procedures must be communicated in writing. Resources: The firm’s personnel must adhere to standards of conduct. Policies and procedures must address both enumerated and circumstance-specific competencies. Mandatory training, licensure and technological resource requirements are established Risk Assessment Processes: Quality risks must be identified and assessed annually. Roles and Responsibilities: A single person must be assigned responsibility for each role and responsibility in the QC 1000 standard. Documentation: With respect to the QC system’s operation, documentation that allows an experienced auditor to evaluate the operation of quality responses must be provided. Documentation must be retained for at least seven years. That’s not an exhaustive list, but it does give an indication of how much work will be involved. And it’s happening at the same time as the AICPA extensive new Statements on Quality Management Standards (SQMS) requirements are coming into effect . Collemi Consulting leverages nearly three decades of experience to provide trusted technical accounting and auditing expertise when you need it the most. We regularly work with CPA firm leadership to help them reduce risk and maximize efficiencies. To schedule an appointment, contact us at (732) 792-6101.
More Posts
Share by: