Deloitte. Audit Sampling and Substantive Analytical Procedures: Quick Reference Guide Sample Sizes for Audit Sampling (Tests of Controls, Tests of Details, and Attribute Sampling) and Thresholds for Substantive Analytical Procedures July 2019Contents ‘Sample size tables for tests of controls . Figure 23001.1 — Suggested sample sizes for inspection n of documentation to support ‘our inquiries for the purpose of testing the operating effectiveness of controls — Lower and higher risks of material misstatement......csssessssssssnsnsesssssseeesnsisvsssssseesvesssssseeeD Figure 23001.2 — Suggested sample sizes for inspection of documentation to support ‘our inquiries for the purpose of testing the operating effectiveness of controls — Significant risks of material misstatement ...cissssssssesssesssnssessssnssassssseensavesssssseeeeied Figure 23001.3—Suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the operating effectiveness of controls when planning for one deviation in a control that occurs many times per day. ‘Sample size tables for tests of details .. . an Figure 23002-4.1 Aucit Sampling Sample Size Table — Lower and Higher Riskés.u6 Figure 23002-4.2 Audit Sampling Sample Size Table — Significant Risks.. 7 Thresholds for substantive analytical procedures... . Figure 23002-2.1: Determination of Threshold Levels... Attribute sampling tables Figure 23005A.1 Attribute Sampling Sample 5 Size Teble — Attribute sampling Used as the Only Substantive Procedure ...... Figure 23005A.2 Attribute Sampling Sample size Table — Ateibute Sempling Used in Combination with Other Substantive Procedures .....ssssesssssssssssnsssssseseeervenssssseeees®Sample size tables for tests of controls Figure 23001.1 — Suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the operating effectiveness of controls — Lower and higher risks of material misstatement eg ead reer sernty pied Risk Associated with the | Risk Associated with the Peete peter Peet De acne ears Controt ceed Manual ony times per day 0 1s 25 25 vtanual oaly 7 0 1s 20 Manual Weekly 3 3 5 8 Manual Monthly 2 2 2 3 Manual Quotery a 2 2 2 Manca! annually 1 1 1 1 Automated Controls Wwe have tested the related general TT controls and such controls are operating effectively, a sample size of one of each relevant variant of an automated control typically provides us with sufficient appropriate audit evidence that the automated control is operating effectively. A variant of an automated control is a version of the automated control that varies in function or calculation from other forms of the some automated control. We determine which variants are relevant in the context of how the variants address the Identified risk of material misstatement. If there are a large number of relevant variants, we may use a sample size determined in accordance with Figure 23001.1 or Figure 23001.2, taking into consideration the risk of material misstatement, the risk associated with the control, and the number of relevant variants 2nd how this translates to a frequency. Indirect Controls (2.9., "For those indirect entity-level controls that do not themselves directly address risks of material Indirect entity-level misstatement, the higher risk of material misstatement column, along with the appropriate column for the controls, general IT assessed risk associated with the control (i.e, higher or not higher) is the suggested minimum sample controls) size for the test of operating effectiveness. For general IT controls, assess the risk arising from IT as lower, higher, or significant and use the corresponding sample size from the appropriate risk of material misstatement column in Figure 2304.1 (Le,, lower or higher) or Figure 23001.2 (\.e., significant), along with the appropriate column for the ‘assessed risk associated with the control (i.e, higher or not higher) as the suggested minimum sample size for the test of operating effectiveness. In the event that the indirect control is directly responsive to a significant risk (e.g., management override of controls), the significant risk of material misstatement column, along with the apprapriate column for the assessed risk associated with the control, n Figure 2301.2 Is the suggested minimum sample size for ‘the test of operating effectiveness, The table assumes zero deviations.Figure 23001.2 — Suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the operating effectiveness of controls — Significant risks of material nea Manual Many times per day 45 60* Manual Dally 25 40* Manual Weekly 8 10 Manual Monthiy 3 4 Manual Quarterly 2 2 Manual Annually a 1 If we have tested the related general IT controls and such controls are operating effectively, 2 sample size of one of each relevant variant of an automated control typically provides us with sufficient appropriate audit evidence that the automated control is operating effectively. A variant of an automated control is a ‘version of the automated control that varies In function or calculation from other forms of the same ‘automated control. We determine which variants are relevant in the context af haw the variants address the identified risk of material misstatement. If there are a large number of relevant variants, we may use a sample size determined in accordance with Figure 23001.1 or Figure 23001.2, taking Into consideration the risk of material misstatement, the risk associated with the control, and the number of relevant variants and how this translates to a frequency. ‘Automated Controls Indirect Controls (e.g., For those Indirect entity-level controls that do not themselves directly address risks of material Indirect entity-level_ "misstatement, the higher risk of material misstatement column, along with the appropriate column for the controls, general IT assessed risk associated with the control (i.e., higher or not higher) in Figure 2301.1 is the suggested controls) minimum sample size for the test of operating effectiveness. For general IT controls, assess the risk arising from IT as lower, higher, or significant and use the corresponding sample size from the appropriate risk of material misstatement column In Figure 2301.1 (Le,, lower or higher) or Figure 23003.2 (.e., significant), along with the appropriate column for the assessed risk associated with the control (i.e, higher or net higher) as the suggested minimum sample size for the test of operating effectiveness. In the event that the indirect control is directly responsive to a significant risk (e.9., management override ‘of controls), the significant risk of material misstatement calumn, along with the appropriate column for the assessed risk associated with the control, Is the suggested minimum sample size for the test of operating effectiveness, The table assumes zero deviations. In the event that we Identify a control that operates many times a day or dally that addresses a significant risk for which the risk associated with the control ig assessed as higher, consider whether this ig the most appropriate control to address the risk.Figure 23001.3 — Suggested sample sizes for inspection of documentation to support our inquiries for the purpose of testing the operating effectiveness of controls when planning for one deviation in a control that occurs many times per day eed Sued Ruse rear ren Pay hestenad esr ered Risk Associated with | Risk Associated with | Risk Associated with Cyceres) the Control the Control ee eo Aad Fe macy Conroe a onion Manual Many times per day 25 35 40 60 7 95, ‘The table assumes one dviation In 2 control that occurs many times par day has been planned for. When the control is performed less than many times per day IIs likely not appropriate to plan for deviations,Sample size tables for tests of details Figure 23002-4.1 — Audit Sampling Sample Size Tabl Lower and Higher Risks Dr eo eed Cer ec eu Ome) 1x 1 2 1 1 2x 2 3 1 1 3x 2 5 1 2 4x a 6 1 2 3x 3 8 1 3 6x 4 9 2 3 Ix 5 1 2 4 8x 5 12 2 4 9x 6 14 2 5 10x 6 15 2 5 15x. 9 23 3 8 20x 2 20 4 10 25x a5 38 5 13 30x 18 45 6 15 40x 24 60 8 20 50x 30, 7 10 25 00x 60. 150 20 50 Greater than 100% o “ oO oO The sample sizes above represent suggested minimum samples sizes. Engagement management may determine that, in some circumstances, It is appropriate to increase the sample sizes above those in this table. For populations In between the listed levels of performance materiality, we may interpolate to determine the appropriate sample (*) See DTTL AAM 23002-4.32A or DTTL PCAOB AAM 23002-4.26F for considerations that are applicable when determining the minimum suggested sample size. Consultation in such circumstance is encouraged.Figure 23002-4.2 — Aui ‘Sampling Sample Size Table — Significant Risks oa Deuce De oa ay ores Relying on Controls 2x 6 2 ax 20 4 4x 2 4 ox 16 6 6x 18 6 a 22 8 8x 24 8 9x 28 10 10x. 30 10. 15x 46, 16, 20x 60 20 25x 76 26 30x 30 30, 40x 120 40 50x 150 50, 100% 300 100 Greater than 100x “ oO ‘The sample sizes above represent suggested minimum samples sizes. Engagement management may determine that, In some circumstances, It is appropriate to Increase the sample sizes above those In this table, For populations in between the listed levels of performance materiality, we may interpolate to determine the appropriate sample size. (2) For populations that contain o significant risk, we are required to perform substantive procedures that are specifically responsive to that ‘isk, For audits performed in accordance with the standards of the PCAOB, such procedures are required to include tests of details, These specifically responsive substantive procedures frequently involve nonrepresentative selection. (+) See paragraph DTTL AM 23002-4,32A or DTTL PCAOB AM 23002-4.28F for considerations that are applicable when determining the ‘minimum suggested sample size. Consultation in such circumstance Is encouraged.Thresholds for substantive analytical procedures Figure 23002-2.1 — Determination of Threshold Levels Peer een i eee tes Csr fered Perey Significant Risk © Percentage of disaggregated recorded amount, 22% 15% 35% 20% Percentage of performance materiality 65% 45% 95% 20% 50% (1) For populations that contain a significant risk, we are required to perform substantive procedures that are specifically responsive to that risk, For audits performed in accordance with the standards of the PCAOB, such procedures are required to include tests of details Attribute sampling tables The sample sizes in Figures 23005A.1 and 23005A.2 represent suggested minimum samples sizes. Figure 23005A.1 — Attribute Sampling Sample Size Table — Attribute Sampling Used as the Only Substantive Procedure eg Higher Risk ee od ae Ped Cae ae Pac Eu ad er] and Relying |Relyingon [and Relying |Relyingon | Relyingon _| and Not Relying PA a Conc Parr rae renin Cons Prono 1 16 24 28 57 4a 95, 2 30 54 46 83 66 27 Figure 23005A.2 — Attribute Sampling Sample Size Table — Attribute Sampling Used in Combination with Other Substantive Procedures. ead re eee eg cae Pe dd Higher Risk | and Not pene oer] Soe on Co mc coco nr io Deviations on Controls _| Controls Porat ram Conn ctnrs a 2 2 38, 33 36, 46 53Deloitte. About Deloitte Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ("DTTL"), Its global network of member firms and thelr ralated entities. DTTL (alao referred to as "Deloitte Global") and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see www deloitte.com/about to lear ‘This document Is for internal distribution and use only among personnel of Deloitte Touche Tohmatsu Limited, Its member firms and thelr related entities (collectively, the "Deloitte network"). None of the Deloitte network shall be responsible for any loss, whatsoever sustained by any person who relies on this communi © 2019. For information, contact Deloitte Tohmatsu Limited