Before we dive straight into sampling risk, let us first understand what audit sampling means. Audit sampling is essentially a performance of audit procedures on less than 100% of the total population.
Sampling allows the auditor to test selected items that are representative of the total population so that he still can obtain sufficient and appropriate audit evidence. As a result, with an appropriate sampling method, the auditor does not need to review the entire population to issue an audit opinion.
Now that we understood what audit sampling is, sampling risk is the risk that the auditor’s conclusion based on the samples may be different from the conclusion if the entire population were the subject of the same audit procedure.
This is because when audit sampling is applied, an assumption is made that the samples are representative of the entire population in terms of their characteristics and risk. If there is a certain subpopulation that has a different characteristic or risk, chances are they may not be selected for testing.
Incorrect audit opinion
The first sampling risk is that it may lead to an incorrect audit opinion being formed by the auditor. As mentioned above, audit sampling relies on certain audit sampling methods to identify samples that are representative of the entire population.
For example, the samples selected may miss a small number of transactions that have a higher risk of error or fraud risk attached to them especially when the total population is small in value but highly voluminous.
When this happens, the auditor would have drawn a conclusion based on those selected samples but had the auditor tested the entire population, the auditor would have derived a different conclusion. This means the conclusion made based on audit sampling was wrong.
However, this does not mean that audit sampling is risky and that auditors should avoid it. If an appropriate audit sampling method is applied on top of proper risk assessment, the auditor would have selected samples firstly from the higher risk population and then from the remaining population.
To illustrate, the auditor is auditing revenue and are selecting samples to be tested. Through risk assessment performed earlier during the audit planning stage, the auditor is aware that within the entire population of revenue transactions, there is a small population of foreign customers which has a higher risk of being fictitious.
The auditor can now split the population into revenue from foreign customers and revenue from local customers and apply an appropriate sampling method on both populations respectively. This will allow the auditor to still derive a reasonable conclusion to support his audit opinion while reducing the need to test the entire population.
Incorrect conclusion on the effectiveness of control
The next common sampling risk is that it may lead to an incorrect conclusion being made on the effectiveness of control. Audit sampling is not only applied to substantive testing but is also applied to control testing by auditors. For example, an auditor may select certain months of bank reconciliation to perform control testing on.
It is common for the auditor to apply certain sampling techniques on the total population to test if the control is in place for certain processes and to ultimately conclude if these processes are effective.
Although the auditor may not be issuing an opinion on the effectiveness of control, such a conclusion will have a significant implication on the auditor’s audit strategy.
For instance, the auditor is testing the control over the revenue process of the company. The auditor applies the sampling technique to the total population and identifies samples to test the effectiveness of the control.
The auditor then concludes that the control is ineffective based on the tested samples as he discovered that certain sales delivery orders in the entity’s record were not acknowledged by the customers.
However, there is a possibility that, had the entire population been tested, the auditor would have been able to identify whether the root cause of the ineffective control was one-off or limited to a certain subpopulation within the entire population.
This may allow the auditor to perform further testing and still conclude that the control is effective. In this scenario, the auditor has, based on this conclusion, adopted a substantive approach. The implication to the audit is that the auditor will set a much lower audit threshold and result in over-auditing and have a detrimental impact on audit efficiency.
This should not discourage auditors from applying the sampling approach as it is just an example that audit sampling may lead to an incorrect conclusion on the effectiveness of control.
The auditor should always investigate the root cause of any ineffective control identified when testing control and determine whether there is any mitigating control to reduce the risk or if it is a one-off error.
Referring to the above example, the auditor could have further identified that the sales delivery orders that were not acknowledged by the customers are only related to a small batch of sales transactions in a particular period.
The auditor could then design substantive procedures to address this batch of revenue transactions instead of designating the entire control as ineffective. Of course, such investigation may still cause the auditor to conclude that the control is ineffective as the control may be truly absent and without any mitigating control.
Sampling risk is always present when not 100% of the population is tested. However, such risk can always be managed by ensuring that an appropriate sampling method is used and that the auditor has a sufficient understanding of the population that will be tested.
It is important to reduce the sampling risk to an acceptable level as only then, can the sampling method achieve its objective of assisting the auditor to issue an audit opinion on the audit procedures performed while ensuring the audit is carried out efficiently.
A key reminder is that audit sampling should not be viewed as merely a method to reduce audit work but as a method that can help to achieve a high level of audit efficiency.