Nonstatistical sampling may be
substantially less capable of detecting a
material error than a statistical approach.
Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA, is an associate
professor of information systems (IS) at the University of Alabama
at Birmingham (USA), a Marshall IS Scholar and a director of the
Forensic Accounting Program. Prior to obtaining his doctorate in
accountancy from the University of Mississippi (USA) in 1995,
Singleton was president of a small, value-added dealer of
accounting IS using microcomputers. Singleton is also a
scholar-in-residence for IT audit and forensic accounting at Carr
Riggs Ingram, a large regional public accounting firm in the
southeastern US. In 1999, the Alabama Society of CPAs awarded
Singleton the 1998-1999 Innovative User of Technology Award.
Singleton is the ISACA academic advocate at the University of
Alabama at Birmingham. His publications on fraud, IT/IS, IT
auditing and IT governance have appeared in numerous publications,
including the ISACA Journal.
What Every IT Auditor Should
Know About Sampling
2 ISACA JOURNAL VOLUME 1, 2009 2009 ISACA. All rights reserved. www.isaca.org
estimation and difference estimation. For example, this
method would be used to confirm accounts receivable.
Probability-proportional-to-size (PPS) sampling: This method
develops an estimate of the total monetary amount of
misstatement in a population. PPS uses dollar-unit sampling
or monetary-unit sampling (MUS). Other methods are based
on instances or occurrences, but this method is based on
monetary values, where higher monetary value transactions
have a higher likelihood of being chosen in a sample, thus
the name PPS. MUS includes:
a. A tolerable misstatement amount (the total misstatement
the auditor will allow in the population)
b. Acceptable risk of incorrect acceptance (risk that the
sample does not support the conclusion about not being
materially misstated, i.e., a false-positive; generally
5 percent or 10 percent)
c. Acceptable risk of incorrect rejection (opposite of b; sample
shows material misstatement in population when it is not
materially misstated, i.e., a false-negative)
d. Assumption of average percent of misstatement (for items
misstated, the assumed average size of each misstatement
compared to the recorded amount)
MUS is often used in statistical examinations where the
purpose is fraud detection.
The American Institute of Certified Public Accountants
(AICPA) Statistical Sampling Subcommittee prepared an audit
guide in 1983, titled Audit Sampling, that describes PPS. The
audit guide lists several advantages of PPS over CVS.
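The selection behavior described above can be seen in a short added example (not code from the article or the AICPA guide). It uses systematic monetary-unit selection, one common way to implement MUS, over a constructed ledger and computes each item's exact chance of selection. The ledger values, the sampling interval of 4,000 and the function names are assumptions made for illustration.

```python
from bisect import bisect_left
from itertools import accumulate

# Constructed ledger of recorded amounts in whole currency units
# (illustrative values, not data from the article). Total = 32,000.
LEDGER = [120, 4500, 60, 980, 15000, 310, 2200, 75, 640, 8115]
INTERVAL = 4000  # assumed sampling interval for this example


def mus_select(amounts, interval, start):
    """Systematic monetary-unit selection.

    Every `interval`-th monetary unit is picked, beginning at unit `start`
    (1 <= start <= interval); the item containing a picked unit is sampled.
    Returns the sorted indices of the sampled items.
    """
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    if any(a <= 0 for a in amounts):
        raise ValueError("MUS needs positive recorded amounts")
    cum = list(accumulate(amounts))            # running total after each item
    picked = {bisect_left(cum, unit)           # index of the item holding unit
              for unit in range(start, cum[-1] + 1, interval)}
    return sorted(picked)


def selection_probability(amounts, interval):
    """Exact chance each item is sampled, taken over every possible start."""
    counts = [0] * len(amounts)
    for start in range(1, interval + 1):
        for i in mus_select(amounts, interval, start):
            counts[i] += 1
    return [c / interval for c in counts]


if __name__ == "__main__":
    for amount, p in zip(LEDGER, selection_probability(LEDGER, INTERVAL)):
        print(f"{amount:>6}  selected with probability {p:.4f}")
```

Items at or above the interval are always sampled, and every smaller item is sampled with probability equal to its amount divided by the interval, which is the "proportional to size" property.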
CHOICE OF SAMPLING METHODOLOGY
The choice of a method depends on the primary purpose of the
sample and substantive test. If the auditor needs to perform a
test of control, the best choice is attribute sampling, generally
speaking. If the purpose of the audit procedure is to detect fraud,
then discovery sampling is the best choice, but MUS is a good
choice, too. If the purpose is to look for material misstatements
in an account balance or class of transactions, CVS is a good
choice. But, CVS does tend to require larger samples than
other methods and is, therefore, costly. PPS requires smaller
samples. PPS is designed to be especially effective in the audit of
accounts receivable and inventory, with a few exceptions, and
thus is usually a better choice than classical variables for account
balances such as these. However, PPS is prone to trigger
false-positives, and the auditor must be aware of this possibility.
It is possible to use a different method from that generally
chosen, if there is an extenuating circumstance or objective.
Obviously, discovery sampling has a more stringent requirement
regarding deviations or exceptions, so is usually the prime
choice for fraud detection.
In discovery sampling, a key point is what is meant by critical
deviation. In particular, the standardized audit methodologies
indicate that if the auditor detects a fraudulent transaction, such
as an invoice from a shell (fictitious) vendor, that transaction
is considered a critical deviation. An identified deviation (or
anomaly), therefore, can be classified into two categories:
• Those that are clearly fraudulent or highly suspicious of fraud
• Those that are clearly errors
According to the discovery sampling methodology, if a
fraudulent deviation (i.e., a critical deviation) is detected, then the
review of the sample should be stopped and the entire population
should be reviewed (this method is sometimes referred to as
stop-and-go sampling). The theory behind discovery sampling is that
the goal is zero critical deviations. As defined, that means zero
fraud. Because the purpose is to have zero tolerance for fraud,
the sample sizes tend to be larger than other sampling
methodologies and, obviously, have a significantly smaller
allowance for deviations. However, that does not mean that, if a
deviation that is the result of error is found, the auditor must stop
and review the population. In fact, the language of authoritative
sources says the auditor may decide to review the population, not
that the auditor must do so.
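What a sample with zero critical deviations can support is worked through in this added example (not from the article or any audit standard), using the hypergeometric probability of drawing at least one critical item. The population of 10,000 and sample of 483 are the figures from the article's illustration. The 95 percent confidence level and the function names are assumptions, since the page does not state the parameters behind its sampling table.

```python
POPULATION = 10_000   # from the article's illustration
SAMPLE = 483          # from the article's illustration
CONFIDENCE = 0.95     # assumed; the table's parameters are not given


def p_detect(population, sample, bad):
    """Chance that a random sample drawn without replacement contains at
    least one of `bad` critical items (complement of a zero-hit draw)."""
    if not 0 <= sample <= population or not 0 <= bad <= population:
        raise ValueError("sample and bad must lie between 0 and population")
    if bad > population - sample:
        return 1.0  # too many critical items for the sample to avoid them all
    miss = 1.0
    for i in range(sample):
        # The i-th draw must land on a clean item still in the population.
        miss *= (population - bad - i) / (population - i)
    return 1.0 - miss


def smallest_detectable(population, sample, confidence):
    """Fewest critical items the sample would hit with >= `confidence`."""
    for bad in range(population + 1):
        if p_detect(population, sample, bad) >= confidence:
            return bad
    return None


if __name__ == "__main__":
    for bad in (1, 10, 50, 100):
        p = p_detect(POPULATION, SAMPLE, bad)
        print(f"{bad:>4} critical items -> detected with probability {p:.4f}")
    k = smallest_detectable(POPULATION, SAMPLE, CONFIDENCE)
    print(f"A clean sample supports 'fewer than {k} critical items' "
          f"at {CONFIDENCE:.0%} confidence")
```

A clean sample therefore bounds the rate of critical deviations rather than proving there are none: a single critical item in the population is drawn with probability of only 483/10,000.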
EXAMPLE OF APPLICATION
What does it mean when a deviation occurs in the sample?
The following is an illustration of what would happen if two
different sampling techniques were used to examine a common
population for the purpose of fraud detection. The set of
circumstances for the illustration is as follows:
• The population is 10,000 transactions.
• The objective is the effectiveness of antifraud controls.
• The IT auditor chose discovery sampling.
• A sample size of 483 was taken, based on a discovery
  sampling table.
• Two errors were discovered but neither had any
  fraudulent implications.