Risk and Sample Sizes

The whole focus of an audit hinges on the risk of material misstatement and on the limited resources and time available to detect any misstatement. Therefore, the risk of misstatement is assessed, and limited testing is performed based on the assessed risk and the desired accuracy of the test results. ISA 315 (and its revision) steers clear of explaining the practicalities of applying risk assessment to sample sizes and the audit approach. In this article, we attempt to address this gap.

Risk Assessment Procedures

What is often overlooked is that the following audit procedures are risk assessment procedures, and the more detailed the attention given to these areas is, the more accurately the risk may be set and the better it may be justified:

1. Knowledge of the business – A proper knowledge of the business, the culture of its management and staff, and its business model gives one a clear sense of how the business compares to others, as far as risk is concerned.

2. Analytical review – An intelligent analytical review, based on proper knowledge of the business, gives valid reasons for fluctuations and determines the effect on risk in certain areas, as well as on the overall risk.

3. Documentation of internal controls and testing their implementation – Confusion reigns about whether this step is really necessary when controls are not relied upon. This is, however, an important step, since the purpose of this exercise is to assess the effect on risk. Internal controls include overall controls and information systems; therefore, both need proper documentation and testing of implementation.

Risk of Misstatement

Based on the risk assessment procedures, risk of misstatement is determined overall, at financial statement level, and at balance and assertion level.

The audit firm should have a policy regarding how the risks at balance and assertion level are quantified, in order to apply them in the determination of sample size.

If the firm uses a range of one to six for risk assessment, one being very low risk and five and six being significant risk, a table of risk factors for each rating should be drawn up and taken into account when determining sample sizes.

The presumed significant risk for revenue recognition may be rebutted, should factors exist to justify not rating an assertion of revenue recognition as a significant risk. A proper risk assessment exercise will make such a rebuttal more credible.

Sample Sizes

Typically, a sample size would be determined by the following steps. They are all important, as leaving some out can lead to a lack of proof that the sample is representative of the population, or that the population was adequately tested:
1. Consider the purpose of the audit procedure, e.g. completeness and tests of control are typically selected from ‘outside’ the system.
2. Determine the characteristics of the population. Audit procedures may need to be documented in more detail for populations which differ in transaction type, or the population may need to be stratified. For the purposes of this test, it should also be determined what constitutes a misstatement.
3. Determine the population and demonstrate how it reconciles with the balance, or movement being audited.
4. Deduct the material items (not just ‘large’ items!) tested separately to get to the adjusted population.
5. Stratify the population according to values or by type.
6. Assign a risk factor to the population or stratum.
7. Divide the adjusted population by the materiality.
8. Multiply the result by the risk factor.
9. Compare with firm policy regarding minimum or maximum sample sizes.
10. Determine the final sample size.
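
Steps 3 to 10 worked through in Python, as an added example that is not part of the original article. The risk factor table, the minimum and maximum sample sizes, rounding up, capping at the number of items in a stratum, and the ledger itself are assumptions constructed for illustration; a firm's own policy would supply the real values.

```python
import math

# Hypothetical firm policy (not from the article): risk rating 1-6 -> risk factor,
# plus minimum and maximum sample sizes per stratum.
RISK_FACTORS = {1: 0.5, 2: 1.0, 3: 1.5, 4: 2.0, 5: 2.5, 6: 3.0}
MIN_SAMPLE, MAX_SAMPLE = 5, 60

def sample_sizes(items, balance, materiality, ratings):
    """Return {stratum: sample size} for a list of ledger items.

    Each item is a dict with 'amount', 'stratum' and 'material'
    (True when the item is tested separately, by size or by nature).
    """
    # Step 3: the population must reconcile with the balance being audited.
    total = sum(i["amount"] for i in items)
    if total != balance:
        raise ValueError(f"population {total} does not reconcile with balance {balance}")
    # Steps 4-5: deduct separately tested material items, then stratify the rest.
    strata = {}
    for i in items:
        if not i["material"]:
            strata.setdefault(i["stratum"], []).append(i["amount"])
    sizes = {}
    for name, amounts in strata.items():
        factor = RISK_FACTORS[ratings[name]]                      # step 6
        raw = sum(amounts) / materiality * factor                 # steps 7-8
        size = max(MIN_SAMPLE, min(MAX_SAMPLE, math.ceil(raw)))   # step 9
        sizes[name] = min(size, len(amounts))                     # step 10
    return sizes

def constructed_ledger():
    """Constructed debtors ledger totalling 1,280,000."""
    ledger = [
        {"amount": 400_000, "stratum": "trade", "material": True},  # material by size
        {"amount": 30_000, "stratum": "trade", "material": True},   # material by nature
    ]
    ledger += [{"amount": 20_000, "stratum": "trade", "material": False}] * 40
    ledger += [{"amount": 5_000, "stratum": "sundry", "material": False}] * 10
    return ledger

if __name__ == "__main__":
    print(sample_sizes(constructed_ledger(), 1_280_000, 100_000,
                       {"trade": 4, "sundry": 2}))
```

The low-value "sundry" stratum computes to less than one item and is lifted to the policy minimum, which is the case step 9 exists to catch.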

Assigning a Risk Factor

This is the remaining risk after other tests have been considered. For example, if a balance’s assertion which constitutes a significant risk is planned to be tested with compliance tests of controls, as well as substantive tests (tests of detail and/or substantive analytical review), the risk assigned to the tests of controls will be much less than if substantial reliance is placed on the functioning of internal controls. The same applies to the sample size for substantive tests of detail: where less or no reliance is placed on the functioning of internal controls, the risk assigned will be much more than when part of the test relies on internal controls. Should risk assessment procedures conclude that the overall risk of the entity is lower than normal, one is justified in adjusting the risk factors downwards across the board.

• An easy way to apply the principles is to start off with a risk of material misstatement assessment for a particular assertion of a balance, for example, five.
• Reduce it by one, to four, because of strong overall controls.
• Planned procedures to address the remaining risk of four are to perform substantive analytical review procedures with a risk factor of one, and to test internal controls with a risk factor of three.

The firm policy will dictate sample sizes for tests of control at different risk factors, dependent on the frequency of the controls (daily/weekly/monthly).

For substantive tests, the risk factor used in the formula determining the sample size for different risk factors must be set out.

Therefore, it is simpler to refer to ‘risk assessment’ when performing initial risk assessments, and ‘remaining risk’ when determining risk factors after considering the other tests.

Fraud Risk

A good habit to get into is to consider fraud risk wherever risk of misstatement is considered. Therefore, with all the above procedures, consider and conclude on ‘risk and fraud risk’, instead of just ‘risk’. Fraud risks lead to significant risks, for which the required additional procedures are fuzzy, but common sense dictates that one performs more work substantively and when testing controls. This should, therefore, be reflected in the sample sizes.

In Summary

The practical steps set out above should guide auditors on how to formulate appropriate risk-based sample sizes. If you have any queries, please feel free to contact LEAF, which stands ready to assist you with practical advice and solutions.


1. IAASB: ISA 315 (Revised 2019), Identifying and Assessing the Risks of Material Misstatement
2. IAASB: ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

