2.2 Core Workflows and Decision Points
Key Takeaways
- Risk-based audit planning uses Audit Risk = Inherent Risk × Control Risk × Detection Risk; detection risk is the only component the auditor controls.
- Compliance testing checks whether a control is operating (attribute sampling); substantive testing checks the integrity of data or balances (variable sampling).
- Statistical sampling uses probability and lets the auditor quantify sampling risk and confidence; non-statistical (judgmental) sampling relies on auditor judgment and cannot be statistically projected.
- Attribute sampling estimates the rate of occurrence of a control exception; variable sampling estimates a numeric value such as a total dollar amount.
- Evidence reliability follows a hierarchy: independent, externally sourced, auditor-obtained, and original evidence outranks internal, oral, or copied evidence.
The Audit Risk Model
Planning the nature, timing, and extent of testing starts with the audit risk model:
Audit Risk (AR) = Inherent Risk (IR) × Control Risk (CR) × Detection Risk (DR)
- Inherent risk — susceptibility to error or fraud before any controls (e.g., complex, high-volume financial transactions are inherently risky).
- Control risk — the risk that the organization's controls fail to prevent or detect an error.
- Detection risk — the risk that the auditor's own procedures fail to catch a material misstatement.
Inherent and control risk live inside the auditee; only detection risk is controlled by the auditor. When inherent and control risk are assessed as high, the auditor must lower detection risk by doing more testing, or more rigorous testing. ISACA also recognizes business risk and technology risk, and stresses the overarching point that auditors cannot reduce audit risk to zero — only to an acceptably low level.
Compliance vs. Substantive Testing
Two test types serve two different questions:
| Test type | Question answered | Typical sampling | Example |
|---|---|---|---|
| Compliance test | Is the control operating as designed? | Attribute | Were all privileged-access changes approved? |
| Substantive test | Is the data/balance accurate and complete? | Variable | Does the GL balance equal the sum of transactions? |
The sequencing rule matters on the exam: auditors often perform compliance testing first. If controls are found to be strong (low control risk), the auditor can reduce substantive testing. If compliance testing reveals controls are weak, the auditor must increase substantive testing because they can no longer rely on the controls. This direct trade-off — strong controls allow less substantive work — is a frequent best-answer pattern.
Sampling and Evidence Reliability
Sampling applies procedures to less than 100% of a population to draw a conclusion about the whole.
- Statistical sampling uses probability theory, so the auditor can quantify sampling risk and state a confidence level (e.g., 95%). Items are selected randomly.
- Non-statistical (judgmental) sampling relies on the auditor's judgment to pick items; results cannot be statistically projected to the population.
Two models map to the two test types:
- Attribute sampling estimates the rate of occurrence of an attribute (a control exception) — used for compliance testing. Variants include stop-or-go (minimizes sample size when few errors are expected) and discovery sampling (used when even one exception, such as fraud, is critical).
- Variable sampling estimates a numeric value (e.g., a total dollar amount) — used for substantive testing. Variants include stratified mean-per-unit estimation and difference estimation.
Evidence reliability hierarchy (more reliable at top): evidence from an independent external source > evidence obtained directly by the auditor > evidence whose source has strong internal controls. Within any level, original documents outrank copies and written evidence outranks oral. An auditor's own observation or recomputation outranks an auditee's verbal assurance.
Sampling Risk, Confidence, and Evidence-Gathering Techniques
Whenever an auditor samples instead of examining 100% of a population, they accept sampling risk — the risk that the sample is not representative and leads to a wrong conclusion. Two flavors matter: the risk of incorrect acceptance (concluding a control works when it does not — the more dangerous error) and incorrect rejection (concluding a control fails when it works — inefficient but safer). Statistical sampling lets the auditor set a confidence level and precision (tolerable error) in advance and measure sampling risk; judgmental sampling cannot.
Key sampling terms to know cold:
| Term | Meaning |
|---|---|
| Population | The entire set of items subject to the test |
| Sampling unit | The individual item selected (a transaction, a record) |
| Confidence level | Statistical assurance the sample reflects the population |
| Precision / tolerable error | The acceptable range or maximum error rate |
| Expected error rate | Anticipated exceptions, which drives sample size |
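To put numbers on the sampling terms above (confidence level, tolerable error, expected error rate) for an attribute-sampling compliance test, here is an added Python example that is not part of the study text. It uses the binomial model behind the standard attribute-sampling tables; the approval-control scenario and the exception counts are constructed.

```python
# Added example: sizing and evaluating an attribute sample for a compliance
# test ("was every system change approved?"). Not from the study text; the
# scenario values are constructed.
import math


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): the chance of seeing at most k
    exceptions in n sampled items when the true exception rate is p."""
    return sum(math.comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(confidence, tolerable_rate, expected_rate):
    """Smallest n such that, if the true exception rate were as high as the
    tolerable rate, the chance of seeing no more than the expected number of
    exceptions is at most the sampling risk (1 - confidence). Higher
    confidence, a tighter tolerable rate or a higher expected rate raise n."""
    if expected_rate >= tolerable_rate:
        raise ValueError("expected rate must be below the tolerable rate")
    risk = 1 - confidence  # risk of incorrect acceptance (over-reliance)
    n = 1
    while True:
        expected_exceptions = math.ceil(n * expected_rate)
        if binom_cdf(expected_exceptions, n, tolerable_rate) <= risk:
            return n
        n += 1


def upper_exception_limit(n, exceptions_found, confidence):
    """Achieved upper exception rate: the highest true rate still consistent
    with the sample result at the stated confidence (bisection on p)."""
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(exceptions_found, n, mid) <= risk:
            hi = mid
        else:
            lo = mid
    return hi


def evaluate_control(n, exceptions_found, confidence, tolerable_rate):
    """Compliance-test decision: rely on the control only if the achieved
    upper limit stays within the tolerable exception rate."""
    upper = upper_exception_limit(n, exceptions_found, confidence)
    return upper <= tolerable_rate, upper


if __name__ == "__main__":
    # Constructed plan: 95% confidence, 5% tolerable rate, 1% expected rate.
    n = attribute_sample_size(0.95, 0.05, 0.01)  # 93 change records
    for found in (1, 2):  # constructed results: 1, then 2 unapproved changes
        ok, upper = evaluate_control(n, found, 0.95, 0.05)
        print(f"n={n}, exceptions={found}: upper limit {upper:.2%}, rely={ok}")
```

With one exception in 93 items the achieved upper limit stays just inside 5%, so the control can be relied upon; a second exception pushes it above the tolerable rate and the auditor must expand substantive testing instead.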
Beyond sampling, IS auditors gather evidence through several techniques: reviewing documentation, inquiry (interviews), observation of a process in action, re-performance or recalculation of a control, inspection of configurations, and CAATs/data analytics for full-population analysis. Re-performance and the auditor's direct observation are stronger than inquiry alone, because a verbal answer can be wrong or self-serving. Strong practice corroborates inquiry with at least one form of objective evidence before relying on it.
The practical workflow ties these ideas together. The auditor first assesses inherent and control risk, then decides how much they can rely on the organization's controls. Heavy reliance means more compliance testing of those controls; light reliance, or controls expected to be weak, means more substantive testing of the underlying data. The chosen sampling model follows directly: attribute sampling for the compliance tests, variable sampling for the substantive ones.
At every step the auditor asks whether the evidence gathered is both sufficient in quantity and appropriate in quality, because a large volume of weak, internally generated evidence does not outweigh a smaller body of independent, auditor-obtained evidence. That judgment about evidence quality versus quantity is exactly what separates a defensible conclusion from an unsupported one. Remember too that the auditor decides the nature, the timing, and the extent of procedures: nature is which test to run, timing is when in the period to run it, and extent is how much to test. All three flex with assessed risk, so a higher-risk area pulls in stronger procedures, more of them, and testing closer to period end.
An auditor wants to verify whether a control — manager approval of every system change — is operating consistently. Which sampling method is most appropriate?
Inherent risk and control risk for a system are both assessed as high. To keep overall audit risk acceptably low, what should the auditor do?
Which of the following evidence sources would an IS auditor generally consider the MOST reliable?