Sampling Techniques in Auditing: 5 Essential Rules for Sample Size

Sampling Techniques in Auditing: When "No Exceptions Found" Is Not the Same as "Enough"

Sampling techniques in auditing sit at the center of a question most small firm auditors don't answer explicitly: how many items do I need to test before I can conclude? At BusAcTa Advisors, we support audit documentation and workpaper preparation for US CPA partners across private-company engagements, and the sampling documentation gap we see most consistently is not that your teams chose the wrong method. It's that they haven't documented why their chosen sample size is sufficient to support their conclusion. "Selected 25 items, no exceptions found" is a description of what was done. It is not a conclusion about whether the evidence obtained is sufficient under AU-C 530.

This guide walks through the five essential rules for getting audit sampling right, from the statistical versus non-statistical choice through the projection of exceptions and the workpaper conclusion. The AU-C 530 sampling standard governs all of this. The goal isn't to make every engagement a statistics exercise. It's to ensure that when your team concludes a control is effective or a balance is not materially misstated, the sample that supports that conclusion was sized to actually support it.

Rule 1: Know Whether You Are Sampling Statistically or Not, and Document Your Choice

AU-C 530 permits both statistical and non-statistical sampling approaches for audit procedures. Both are acceptable under US GAAS. The difference is not in how many items your team selects , it is in how your team determines sample size and evaluates results.

Statistical sampling uses probability theory to:

• Quantify sampling risk (the audit sampling risk incorrect acceptance threat, which is the risk that your sample-based conclusion differs from the conclusion you would reach by examining 100% of the population)

• Determine a mathematically defensible minimum sample size based on your risk parameters

• Allow the auditor to project results to the population with a stated confidence level

Non-statistical sampling uses professional judgment to determine sample size and evaluate results. It is faster and simpler in practice, but it does not allow the auditor to mathematically quantify sampling risk. Under AU-C 530, when non-statistical sampling is used, the auditor must still consider the same factors that would drive a statistical sample size calculation, such as tolerable rate or tolerable misstatement, expected error, and population characteristics. Choosing non-statistical sampling is not a license to select a round number of items without considering those factors.

What your workpapers must document for either approach: the nature of the sampling application (statistical or non-statistical), the population definition (what items are included and why), the sampling method used (systematic, random, MUS), and the basis for concluding the sample size is sufficient. The statistical vs non-statistical audit sampling choice must be explicitly documented. Does your firm's sampling template require a statement of why the sample size is appropriate, or does it simply record how many items were selected?

Rule 2: Size Attribute Samples Around Deviation Rates, Not Tradition

Attribute sampling deviation rate analysis answers the key controls question: at what rate does this control deviate from its prescribed operation? Attribute sampling is used for tests of controls. The sample must be sized to detect a deviation rate at or above your tolerable rate with sufficient confidence. The sample size audit testing parameters that drive attribute sampling are four inputs:

1. Tolerable deviation rate: The maximum rate of control failure your engagement can accept while still concluding the control is effective enough to reduce control risk. Typical range is 5% to 10% depending on the control's significance and the level of assurance sought.

2. Expected deviation rate: Your prior estimate of how often the control already fails, based on prior year results, inquiry, or a pilot sample. The closer expected is to tolerable, the larger your required sample.

3. Confidence level: Typically 95% for controls your team is relying on to reduce substantive procedures. If your risk-of-incorrect-acceptance tolerance is 5%, your confidence is 95%.

4. Population size: Significant for small populations (under 500) but has relatively little impact once the population exceeds about 2,000 items.

Using the AICPA Audit Sampling Guide tables at 95% confidence: if your tolerable deviation rate is 5% and your expected deviation rate is 1%, your minimum sample is approximately 77 items. If your expected rate is 0% (a strong control with no known prior failures), the minimum drops to around 58. A judgment-based sample of 25 items for the same control is not adequate at those parameters, and cannot be defended as providing 95% confidence at a 5% tolerable rate. If your team selects 25 items non-statistically, the workpapers must explain what tolerable rate and confidence level that sample supports, not merely record that 25 items were selected and no exceptions were found.

The number your team lands on by tradition or habit may or may not be defensible. The number derived from the deviation rate parameters always is, and can be explained if reviewed. Does your firm's control testing documentation record the tolerable deviation rate and expected deviation rate that drove your sample size, or just the sample size itself?

Rule 3: Use Monetary Unit Sampling for Substantive Tests, and Size It to Tolerable Misstatement

Monetary unit sampling audit professionals use most widely, also called Probability Proportional to Size or MUS, is the standard method for substantive testing of account balances in private-company audits. Under MUS, every dollar in the population is a sampling unit. Items are selected by generating random dollar amounts within the population's range, and the item containing that dollar is chosen. The practical effect is that larger-dollar items have proportionally higher selection probability, which concentrates audit attention where the most dollar exposure exists.

Your MUS sample size is driven by three parameters:

• Tolerable misstatement sampling input: Your planning materiality threshold allocated to this account, or the amount of misstatement the engagement can accept without affecting your overall conclusion on the financial statements. This is the most important input. A lower tolerable misstatement requires a larger sample.

• Expected misstatement: Your estimate of the likely error in the account based on prior year results, analytical procedures, or identified risks. Higher expected misstatement requires a larger sample.

• Risk of incorrect acceptance: The probability you are willing to accept that your sample will lead you to conclude the account is not materially misstated when it actually is. This is your sampling risk for substantive tests. At 5% risk of incorrect acceptance (95% confidence), sample sizes are larger than at 10%.

A simplified MUS sample size formula: Sample size = (Population value / Tolerable misstatement) multiplied by the reliability factor for your chosen confidence level. At 95% confidence with zero expected misstatement, the reliability factor is approximately 3.0. A $1,000,000 accounts receivable balance with $50,000 tolerable misstatement yields a minimum sample of about 60 items at this confidence level.

Rule 4: Projection Is Not Optional When Exceptions Are Found

When your team identifies a misstatement within a sample, the exception cannot be evaluated in isolation. AU-C 530 requires the auditor to project the misstatements found in the sample to the population as a whole, and to evaluate whether the projected misstatement, combined with the likely total of misstatements in the population, is below tolerable misstatement.

Under MUS, misstatement projection follows a specific procedure. For each error found:

• If the sampled item is smaller than the sampling interval: the projected misstatement equals the error percentage times the sampling interval.

• If the sampled item is larger than the sampling interval: the projected misstatement equals the actual error amount in that item.

The most common exception-handling error in small firm substantive workpapers is treating a found misstatement as isolated and immaterial without projecting it. "One invoice for $1,200 was overstated by $120 (10%); immaterial" is not a projection. The projection requires you to apply that 10% error rate to the sampling interval, which might be $20,000 in a typical MUS application, producing a projected misstatement of $2,000 for that error alone. If there are multiple errors, each is projected separately, then combined. Only after projection can your team conclude whether the account is or is not likely to contain a material misstatement.

The same projection logic applies to attribute sampling. If your team tests 77 controls and finds three deviations, the best estimate of the population deviation rate is 3/77 or approximately 3.9%. Before concluding the control is effective, your team must evaluate whether 3.9% falls within your tolerable deviation rate, and what the upper deviation limit is at your chosen confidence level given three deviations in 77 items. Has your team projected control test deviations to the population deviation rate on every engagement where exceptions were found?

Rule 5: Document the Sufficiency Conclusion, Not Just the Procedure

The question the peer reviewer or regulator will ask is not "how many items did you select?" It is "why was that number sufficient to support your conclusion?" Your sampling workpapers must answer the second question, not just the first. A complete sampling documentation package for any engagement test includes:

• Population definition and completeness: What is the full population being sampled? How was completeness of the population confirmed? A sample drawn from an incomplete population can yield a clean result on a subset while the excluded items contain the misstatement.

• Sampling method and random number source: How were sample items selected? Random number table, computer-generated random numbers, systematic selection? The selection method must be documented because it determines whether the sample is representative.

• Sample size basis: What tolerable rate, expected rate, confidence level, or tolerable misstatement drove the sample size? If the approach is non-statistical, what professional judgment basis supports the conclusion that the chosen size provides sufficient evidence?

• Results and projection: Number of exceptions found, dollar amount of exceptions (for substantive tests), projected misstatement or deviation rate, and comparison to tolerable threshold.

• Sufficiency conclusion: An explicit statement that the results, after projection, support (or do not support) the planned reduction in substantive procedures or the conclusion that the balance is not materially misstated. This sentence is what the peer reviewer is looking for and what is most commonly missing from small firm workpapers.

You can see how we integrate sampling documentation support into the broader offshore audit workflow on the how it works page. Our offshore accounting service covers sampling workpaper preparation including population definition, MUS calculation, deviation rate analysis, and projection documentation. Our quality control framework includes a sampling documentation review step on every engagement we support. For firms building or updating their audit sampling methodology templates, our advisory service can run a gap analysis of your current workpapers against AU-C 530 requirements.

For the full AU-C 530 standard and the AICPA Audit Sampling Guide with sample size tables, see the AICPA AU-C 530 standard document, which is the authoritative source for audit sampling requirements under US GAAS.

When "Enough" Is Actually Enough

"Enough" in sampling techniques in auditing means your sample was sized for your stated parameters, the results were projected to the population, the projected result is below your tolerable threshold, and your workpapers say so explicitly. It does not mean you tested until you ran out of time, selected a round number based on habit, or found no exceptions and called it done. The sample documentation that satisfies a peer review is the same documentation that would survive the question: "if this engagement is ever challenged, can you demonstrate that your sample size was defensible and your conclusion was supported?"

If you'd like to discuss how we support sampling methodology documentation for CPA partners' private-company audit engagements, book a scoping call with BusAcTa Advisors, and we'll walk your team through the workpaper framework before you commit to anything.