Chapter 1 -Appendix A - Attribute Sampling

Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-04-01.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                                                                   2000.04 REV-2 CHG-lO

                                                                           Appendix A

                                   Attribute Sampling

This appendix applies to all chapters in this audit guide.

When planning to test a particular sample of transactions, the auditor should consider the
specific audit objective to be achieved and should determine whether the audit procedure or
combination of procedures to be applied will achieve that objective. The size of a sample
necessary to provide sufficient evidential matter depends on both the objectives and the
efficiency of the sample. As noted in section l-7C of chapter 1, all material instances of
noncompliance, including those identified through sampling, must he reported as findings
in the audit report.

Determining Test Objective, Defining the Population, and Defining an

Before beginning testing, the auditor must understand and document what attribute and/or
assertions are being tested. The auditor needs to identify and document the appropriate
population and should also perform procedures (e.g., reconciliations, inquiry) to ensure that
the population from which the samples are selected is complete.

Each compliance requirement selected for testing should be considered a separate
population, and samples should be selected accordingly. The sample selected could
possibly be used to test multiple attributes within each compliance requirement.
Additionally, auditors must assess the control environment at entities with multiple
locations. If controls at the different locations are significantly different, each location
must be considered a separate population.

The auditor must document the “sampling unit,” which is the individual item subject to
sampling in the population (i.e., reconciliations. loan files, cash disbursements. cash
receipts, etc.).

When selecting the sample of individual items, auditors must ensure that the sample is
representative of the universe for the compliance requirement being tested.

The auditor should also clearly define what would be considered an exception. A single
exception would indicate noncompliance, subject to further determination of materiality
necessary to determine the required method of reporting.

   A. Determining the Sample Size.
      To determine attribute testing sample sizes, the auditor needs to determine the value
      for three inputs: desired confidence level, tolerable exception rate, and expected
      exception rate. The compliance table sample size is based on the following

                                                                              3/2011   Page   1
                                                                        2000.04 REV-2 CHG-10

             1. Desired Confidence. Auditors should obtain a high degree of assurance
                by using a confidence level of 90. 95. or 99 percent.

             2. Tolerable Exception Rate. A 5-10 percent exception rate is acceptable.

             3. Expected Exception Rate. No exceptions should be accepted.

             3. Materiality. Using attribute testing. monetary materiality, or tolerable
                misstatement is not a necessary input for determining sample size.

   B. Sample Size Table. Using the preferences above and an attribute sampling
      software program, if a high level of assurance is defined as 90 percent confidence
      and tolerable exception rate is 5 or 10 percent with an expectation of zero
      exceptions, the sample size is 48 or 23 (respectively for 5 and 10 percent exception
      rates), which is rounded to 50 and 25 below. Similarly, using 95 percent
      confidence, zero exceptions, and a 5 or 10 percent tolerable exception rate, the
      sample size is 64 or 32, which is rounded to 65 and 35 below.

                                Compliance sample size table

 Importance/significance of         Confidence       Tolerable        Minimum sample size for
  the attribute being tested          level            rate            populations over 200

               Low                      90%              5%                      50
               Low                      90%             10%                      25
              High                      95%              5%       I              65
               High                     95%             10%                      35

This table is illustrative but does not replace professional judgment. As noted in the table,
these are minimum sample sizes, and there may be many situations in which the auditor
should also consider qualitative factors when determining sample size. Such qualitative
factors may include but are not limited to

   (1)     First year the auditor audited an entity.
   (2)     Larger, decentralized entities.
   (3)     High number of findings in the past.
   (4)     Significant deficiencies or material weaknesses in the past.
   (5)     Poor internal controls.
   (6)     Extremely high volume of activity in a particular compliance requirement.
   (7)     High project employee turnover in a particular area or department.

         If the initial sample does not include a particular attribute being tested. typically
         there would be a need to have additional items included in the sample to address
         just that specific attribute.

                                                                                   4/2011   Page   2
                                                               2000.04 REV-2 CHG-l0

   Each compliance lest performed should be evaluated separately for purposes of
   determining sample size Judgment should be used to determine what tests are

   considered low risk and which are considered high risk. When making the
   determination of high or low risk, it will he important to understand the population.

C. Populations of 200 or Fewer Items. When performing compliance testing of
   populations of fewer than 200 items, the following guidance is provided. Generally
   examine at least

   (1) 20 items when the population being tested contains between I 00 and 1 99 items.
   (2) 10 items when the population being tested contains between 50 and 99 items,
   (3) 5 items when the population being tested contains between 20 and 49 items,
   (4) Fewer than 5 items for smaller populations.

   As noted above, these are suggested minimum sample sizes, and there may be
   quantitative factors used to determine the sample size to be used.

D. Testing and Evaluating Results. The sample sizes in the table above are based
   on an expectation of no exceptions. If the testing performed discovers no
   exceptions. the auditor has achieved a high degree of confidence that the
   attribute/assertion is performed at an acceptable level.

   If there are observed exceptions, the auditor should investigate the nature and cause
   of the exceptions to determine whether the exceptions are immaterial or material
   compliance findings, significant deficiencies, or material weaknesses in internal
   control. It is not necessary to expand testing when exceptions are found. All
   exceptions must be reported. Refer to paragraph 1 -7C and chapter 2 for reporting
   requirements using this audit guide.

   In cases in which an exception is found, the auditor must determine whether the
   individual exception is material enough to include or is a compliance violation that
   must be included in the report. If it is determined that an exception is not material
   enough to report and is not a compliance issue that must be reported as a finding,
   the auditor may want to apply additional procedures to evaluate the magnitude of
   the exception.

   The auditor should consider whether the lack of an effective internal control
   constitutes a significant deficiency or a material weakness and document the basis
   for an unqualified opinion if a finding is determined to be a significant deficiency or
   material weakness.

E. Work Paper Documentation Needed. Documentation of sampling procedures
   must include the test objective, the definition of an exception. a description of the
   population tested and the sampling unit, the confidence level, the significance of the
   attribute. the sample size, and the results of testing.

                                                                           4/2011   Page   3
                                                           2000.04 REV-2 CHG-10

F. Technical Assistance Available.         Technical guidance on audit sampling is
   available in the following documents:

     SAS No. 39. Audit Sampling (AICPA)
     SAS No 111. Amendment to SAS No, 39, Audit Sampling (AICPA, Professional
     Standards, vol. 1, AU sec. 350), as amended
     AICPA Audit Guide. Audit Sampling, New Edition as of April 1, 2001
     AICPA Audit Guide. Government Auditing Standards
     SAS No. 74. Compliance Auditing Considerations in Audits of Governmental
     Entities and Recipients of Governmental Financial Assistance (AICPA,
     Professional Standards, vol. 1, AU sec. 801)

                                                                     4/2011   Page   4