Sampling and non-sampling risk for control testing
Required
(a) What population(s) would be relevant to Frank’s control testing?
(b) Explain the potential implications of sampling risk for the audit of cash payments.
(c) What possible non-sampling risks exist in this case?
(a) Frank is gathering evidence over cash payment controls. This means that the population definition must relate to the controls over cash payment transactions. Frank would need to gain an understanding of controls over cash payments and identify the controls for each type of potential misstatement, or ‘what could go wrong’ (WCGW). Frank would then sample from the instances of each control, as required. For example, the cash payments are authorised by a senior accountant in order to prevent unauthorised payments being made. Frank would need to consider all authorisations as a population from which to sample. All cash payments are based on a set of documents assembled and checked by the accounts staff; Frank would need to regard all these sets of documents as a population and would sample a number of sets of documents to test if the documents were assembled correctly and checked as required. Frank would also sample from the processed cash payment transactions and test the documents and authorisations on which the transactions are based. In this case, the population is the processed cash payments.
(b) Sampling risk refers to the possibility of drawing an incorrect conclusion about the population based on the sample results. There is a possibility that the sample is not representative of the population, and the sample deviation rate (departure from controls in the sample items) differs significantly from the population deviation rate (departure from controls in the population).
Sampling risk could lead to the auditor concluding that the population contains more control deviations than it actually does. In this case, the sample deviation rate is higher than the population deviation rate. In this case the auditor would under-rely on the controls and conduct further testing which was not necessary.
Sampling risk could also lead to the auditor concluding that the population contains fewer control deviations than it actually does. In this case, the sample deviation rate is higher than the population deviation rate. In this case the auditor would over-rely on the controls and conclude that the control is working effectively. The auditor would not conduct further testing and has a higher risk of providing an inappropriate audit opinion.
(c) Non-sampling risks always exist. This is the risk that the auditor will make an inappropriate conclusion based on anything other than sampling risk. That is, the auditor misinterprets the evidence or misapplies the audit techniques. For example, in this case, the auditor could fail to detect that cheques were countersigned by the chief accountant by being careless when reviewing the documents. The auditor could fail to understand the significance of certain cash payment entries being authorised for maintenance on items which were not owned by the client (i.e. the maintenance was for a staff member’s private assets). The auditor could fail to ask the chief accountant about their leave and the arrangements for counter-signing cheques whilst on leave.