Risk pt 6 - Risk and sampling

How does risk relate to test sampling?

As stated above, if detection risk is set as low, then more testing will be required to reduce overall risk to an acceptable level. How much is enough?

Some firms use a scoring system, whereby they allocate points out of ten to various types of audit procedures.

For instance, in a typical small audit:

  • Tests of Controls = 0
  • Substantive Analytical Review Procedures = 2
  • Detailed substantive testing = 8

Another small audit where more reliance can be placed on Analytical Review (perhaps due to the nature of transactions) could look like this:

  • Tests of Controls = 0
  • Substantive Analytical Review Procedures = 7
  • Detailed substantive testing = 3

In a larger audit with controls that can be relied upon, it will be more efficient to test these controls and place more reliance on them (as above, this can never be total reliance). The resulting assessment could look like this:

  • Tests of Controls = 4
  • Substantive Analytical Review Procedures = 3
  • Detailed substantive testing = 3

How does this translate into Audit Assistant?

The Risk Analysis, Strategy and Plan page at the end of the planning section is the place to document what has been decided in terms of reliance on controls. For instance:


Now, when doing detailed substantive testing (using the sampling tool), the confidence factor is set at, say, 0.5, effectively creating a sampling interval of twice performance materiality, as follows:


If we were relying entirely on substantive testing, we should increase our confidence factor above 1.0 to the point where we are comfortable that we are reducing risk to an acceptable level.

(Some of the above is taken from Bill Heritage's webinar Controls Testing)

