2000.04 REV-2 CHG-lO Appendix A Attribute Sampling This appendix applies to all chapters in this audit guide. When planning to test a particular sample of transactions, the auditor should consider the specific audit objective to be achieved and should determine whether the audit procedure or combination of procedures to be applied will achieve that objective. The size of a sample necessary to provide sufficient evidential matter depends on both the objectives and the efficiency of the sample. As noted in section l-7C of chapter 1, all material instances of noncompliance, including those identified through sampling, must he reported as findings in the audit report. Determining Test Objective, Defining the Population, and Defining an Exception. Before beginning testing, the auditor must understand and document what attribute and/or assertions are being tested. The auditor needs to identify and document the appropriate population and should also perform procedures (e.g., reconciliations, inquiry) to ensure that the population from which the samples are selected is complete. Each compliance requirement selected for testing should be considered a separate population, and samples should be selected accordingly. The sample selected could possibly be used to test multiple attributes within each compliance requirement. Additionally, auditors must assess the control environment at entities with multiple locations. If controls at the different locations are significantly different, each location must be considered a separate population. The auditor must document the “sampling unit,” which is the individual item subject to sampling in the population (i.e., reconciliations. loan files, cash disbursements. cash receipts, etc.). When selecting the sample of individual items, auditors must ensure that the sample is representative of the universe for the compliance requirement being tested. The auditor should also clearly define what would be considered an exception. A single exception would indicate noncompliance, subject to further determination of materiality necessary to determine the required method of reporting. A. Determining the Sample Size. To determine attribute testing sample sizes, the auditor needs to determine the value for three inputs: desired confidence level, tolerable exception rate, and expected exception rate. The compliance table sample size is based on the following expectations. 3/2011 Page 1 2000.04 REV-2 CHG-10 1. Desired Confidence. Auditors should obtain a high degree of assurance by using a confidence level of 90. 95. or 99 percent. 2. Tolerable Exception Rate. A 5-10 percent exception rate is acceptable. 3. Expected Exception Rate. No exceptions should be accepted. 3. Materiality. Using attribute testing. monetary materiality, or tolerable misstatement is not a necessary input for determining sample size. B. Sample Size Table. Using the preferences above and an attribute sampling software program, if a high level of assurance is defined as 90 percent confidence and tolerable exception rate is 5 or 10 percent with an expectation of zero exceptions, the sample size is 48 or 23 (respectively for 5 and 10 percent exception rates), which is rounded to 50 and 25 below. Similarly, using 95 percent confidence, zero exceptions, and a 5 or 10 percent tolerable exception rate, the sample size is 64 or 32, which is rounded to 65 and 35 below. Compliance sample size table Importance/significance of Confidence Tolerable Minimum sample size for the attribute being tested level rate populations over 200 Low 90% 5% 50 Low 90% 10% 25 High 95% 5% I 65 High 95% 10% 35 This table is illustrative but does not replace professional judgment. As noted in the table, these are minimum sample sizes, and there may be many situations in which the auditor should also consider qualitative factors when determining sample size. Such qualitative factors may include but are not limited to (1) First year the auditor audited an entity. (2) Larger, decentralized entities. (3) High number of findings in the past. (4) Significant deficiencies or material weaknesses in the past. (5) Poor internal controls. (6) Extremely high volume of activity in a particular compliance requirement. (7) High project employee turnover in a particular area or department. If the initial sample does not include a particular attribute being tested. typically there would be a need to have additional items included in the sample to address just that specific attribute. 4/2011 Page 2 2000.04 REV-2 CHG-l0 Each compliance lest performed should be evaluated separately for purposes of determining sample size Judgment should be used to determine what tests are . considered low risk and which are considered high risk. When making the determination of high or low risk, it will he important to understand the population. C. Populations of 200 or Fewer Items. When performing compliance testing of populations of fewer than 200 items, the following guidance is provided. Generally examine at least (1) 20 items when the population being tested contains between I 00 and 1 99 items. (2) 10 items when the population being tested contains between 50 and 99 items, (3) 5 items when the population being tested contains between 20 and 49 items, and (4) Fewer than 5 items for smaller populations. As noted above, these are suggested minimum sample sizes, and there may be quantitative factors used to determine the sample size to be used. D. Testing and Evaluating Results. The sample sizes in the table above are based on an expectation of no exceptions. If the testing performed discovers no exceptions. the auditor has achieved a high degree of confidence that the attribute/assertion is performed at an acceptable level. If there are observed exceptions, the auditor should investigate the nature and cause of the exceptions to determine whether the exceptions are immaterial or material compliance findings, significant deficiencies, or material weaknesses in internal control. It is not necessary to expand testing when exceptions are found. All exceptions must be reported. Refer to paragraph 1 -7C and chapter 2 for reporting requirements using this audit guide. In cases in which an exception is found, the auditor must determine whether the individual exception is material enough to include or is a compliance violation that must be included in the report. If it is determined that an exception is not material enough to report and is not a compliance issue that must be reported as a finding, the auditor may want to apply additional procedures to evaluate the magnitude of the exception. The auditor should consider whether the lack of an effective internal control constitutes a significant deficiency or a material weakness and document the basis for an unqualified opinion if a finding is determined to be a significant deficiency or material weakness. E. Work Paper Documentation Needed. Documentation of sampling procedures must include the test objective, the definition of an exception. a description of the population tested and the sampling unit, the confidence level, the significance of the attribute. the sample size, and the results of testing. 4/2011 Page 3 2000.04 REV-2 CHG-10 F. Technical Assistance Available. Technical guidance on audit sampling is available in the following documents: SAS No. 39. Audit Sampling (AICPA) SAS No 111. Amendment to SAS No, 39, Audit Sampling (AICPA, Professional Standards, vol. 1, AU sec. 350), as amended AICPA Audit Guide. Audit Sampling, New Edition as of April 1, 2001 AICPA Audit Guide. Government Auditing Standards SAS No. 74. Compliance Auditing Considerations in Audits of Governmental Entities and Recipients of Governmental Financial Assistance (AICPA, Professional Standards, vol. 1, AU sec. 801) 4/2011 Page 4
Chapter 1 -Appendix A - Attribute Sampling
Published by the Department of Housing and Urban Development, Office of Inspector General on 2011-04-01.
Below is a raw (and likely hideous) rendition of the original report. (PDF)