Risks
The limitations discussed above can also be sources of risk. For example, an audit team that does not have enough expertise on sampling may fail to consider an important aspect when developing a sampling plan or it may apply a rule of thumb in selecting a sample size without fully understanding all the implications. A lack of expertise may result in using an inadequate sampling methodology and producing audit observations that cannot be used for the intended purpose, therefore potentially wasting precious time and money. For these reasons, the level of expertise required should be assessed in the early phase of an audit.
Data quality is also an important risk. A successful sampling exercise is highly dependent on accurate and complete data. Without such data, sampling cannot result in reliable and credible observations. This issue is further discussed in the subsection on quality of available data in Part 2 of this guide.
Sample size can also be a source of risk. Samples that are too small may result in findings that are easily challenged. Conversely, samples that are too large may result in dedicating too many resources to a specific line of enquiry in a performance audit, thereby decreasing the budget available for other lines of enquiry or other audits. Determining the right sample size to provide the information required to address a specific audit question is therefore a crucial success factor for audit teams.
Another risk that may arise from sampling relates to complexity. A complex sampling methodology may increase the risk of audit failure. This is because as a sampling methodology becomes more complex, it may also become more difficult to implement properly or to explain findings in plain language to the auditees, parliamentarians, or stakeholders. This has an impact on the ability to defend the resulting audit observations. It may also become more difficult to clearly state the methodology and its results in the final audit report. In contrast, simple and straightforward sampling methodologies are easier to explain and less likely to be successfully challenged by the auditees.
All these risks are subcomponents of the overall audit engagement risk as defined by audit standards used by performance auditors (CSAE 3001, A14). These standards recognize the risk that the procedures performed by the practitioner will not detect a significant deviation. Due to its very nature, sampling introduces potential error that a census would not. Like other evidence collection techniques available to auditors, sampling always entails a risk of leading to inaccurate observations, incorrect conclusions, or a plain failure to detect significant deviations in the subject matter. This risk can, of course, be mitigated by consulting experts, using prudent and deliberate sampling approaches, and leveraging existing methodological tools and resources such as the suggestions in this Practice Guide.
LinkedIn
Twitter