How does risk relate to sampling?
As stated in the previous article, if detection risk is set as low, then more testing will be required to reduce the overall risk to an acceptable level. How much is enough?
Some firms use a scoring system, whereby they allocate points out of ten to various types of audit procedures.
For instance in the typical small audit:
- Tests of Controls = 0
- Substantive Analytical Review Procedures = 2
- Detailed substantive testing = 8
Another small audit where more reliance can be placed on Analytical Review (perhaps due to the nature of transactions) could look like this:
- Tests of Controls = 0
- Substantive Analytical Review Procedures = 7
- Detailed substantive testing = 3
In a larger audit that has controls that can be relied upon it will be more efficient to test these controls and place more reliance on them (as above this can never be total reliance) - the resulting assessment could look like this:
- Tests of Controls = 4
- Substantive Analytical Review Procedures = 3
- Detailed substantive testing = 3
How does this translate into Audit Assistant?
The Risk Analysis, Strategy and Plan page at the end of the planning section is the place to document what has been decided in terms of reliance on controls. For instance:
Now when doing detailed substantive testing (using the sampling tool) we divide our performance materiality by our confidence factor is set at say 0.5, effectively creating a sampling interval at twice performance materiality.
If we were relying entirely on substantive testing, we should increase our confidence factor above 1.0 to the point where we were comfortable that we are reducing risk to an acceptable level.
Also, see articles on transactions testing and sampling and our sampling tool.
(Some of the above is taken from Bill Heritage's webinar Controls Testing)