What is attribute sampling?
Attribute sampling is the standard method for tests of controls under ISA 530. Each item in the sample is classified in binary terms: the prescribed control procedure was either followed (no deviation) or not followed (deviation). The result is a deviation rate — the proportion of items where the control did not operate as designed.
The auditor sets a tolerable deviation rate before testing (ISA 530.5(e)), representing the maximum rate of deviation the auditor is willing to accept while still concluding the control is operating effectively. ISA 330.10 requires that when reliance is planned on controls, the tests cover a representative period — testing only the first quarter and extrapolating to the full year is insufficient unless the control operated consistently throughout the period.
Attribute sampling differs fundamentally from MUS and variables sampling. Those methods estimate monetary amounts. Attribute sampling estimates a rate. It answers "how often does this control fail?" not "how much money is misstated?" This distinction matters because the evaluation methodology, the statistical tables, and the conclusions drawn are all structured around rates, not values.
Key Points
- Answers how often the control fails. The output is a deviation rate (e.g., 2 deviations in 40 items = 5% sample deviation rate), not a monetary misstatement.
- Result is a deviation rate, not money. Attribute sampling is used for tests of controls. For substantive testing of monetary amounts, use MUS or variables sampling.
- Must set tolerable deviation rate before testing. ISA 530.5(e) requires the auditor to determine the tolerable rate in advance — this drives the sample size and the evaluation threshold.
- Zero deviations does not prove perfection. A clean sample of 25 items at 95% confidence with a 10% tolerable rate means there is still up to a 5% probability the true deviation rate exceeds the tolerance.
Why it matters in practice
A recurring PCAOB and FRC finding is the confusion between a deviation and a deficiency. A deviation is a factual observation: in this specific instance, the control did not operate as prescribed. A deficiency is a conclusion: the control's design or operation is insufficient to prevent or detect misstatement. One deviation is not automatically a deficiency. The attribute sampling evaluation provides the rate; the auditor's professional judgement under ISA 265 determines whether that rate constitutes a deficiency worth reporting.
The second common issue is testing only part of the period. ISA 330.10 requires the auditor to obtain evidence that the control operated effectively throughout the period of intended reliance. If the control was tested only for January through June but the auditor plans to rely on it for the full year, the gap from July to December represents untested reliance — a documentation and logic failure that regulators consistently flag.
Key standard references
- ISA 530.5(e): Definition of tolerable rate of deviation from a prescribed control procedure.
- ISA 530.5–15: Core requirements for audit sampling including design, selection, and evaluation.
- ISA 330.10: Requirement to test controls throughout the period of intended reliance.
- ISA 265: Communicating deficiencies in internal control to those charged with governance and management.
Related terms
Related tools
Related reading
Frequently asked questions
What question does attribute sampling answer?
One question: how often does the control fail? The result is a deviation rate, not a monetary amount. It tells the auditor whether to rely on the control for the planned reduction in substantive testing.
What is the difference between a deviation and a deficiency?
A deviation is a departure from the prescribed procedure in a specific instance. A deficiency is a conclusion about the design or operation of the control. One deviation is not automatically a deficiency. The attribute sampling evaluation provides the rate; the auditor's judgment determines whether that rate constitutes a deficiency under ISA 265.
What inputs determine the sample size?
Four inputs: the expected deviation rate in the population, the tolerable deviation rate (ISA 530.5(e)), the desired confidence level, and the population size (though population size has minimal impact once it exceeds a few hundred items).