What is attribute sampling?

Most controls testing files we review share the same weakness: a clean sample of 25 items, zero deviations recorded, and a conclusion that the control is operating effectively. Nobody ever asks what 25 clean items at 95% confidence actually implies about a population of 20,000. The answer is a true deviation rate of up to 11.3%, which for most controls is not effective operation.

Attribute sampling is the standard method for tests of controls under ISA 530. Each item in the sample is classified in binary terms: the prescribed control procedure was either followed (no deviation) or not followed (deviation). The output is a deviation rate (the proportion of items where the control did not operate as designed).

The auditor sets a tolerable deviation rate before testing (ISA 530.5(e)), representing the maximum rate the auditor is willing to accept while still concluding the control operates effectively. ISA 330.10 requires that when reliance is planned on controls, the tests cover a representative period. Testing only the first quarter and extrapolating to the full year is insufficient unless the control demonstrably operated the same way through the rest of the year.

Attribute sampling is different from MUS and variables sampling. Those methods estimate monetary amounts. Attribute sampling estimates a rate. It answers "how often does this control fail?" not "how much money is misstated?" The evaluation methodology, the statistical tables, and the conclusions drawn are all structured around rates, not values.

Key Points

  • Answers how often the control fails. The output is a deviation rate (e.g., 2 deviations in 40 items = 5% sample deviation rate), not a monetary misstatement.
  • Result is a deviation rate, not money. Attribute sampling is used for tests of controls. For substantive testing of monetary amounts, use MUS or variables sampling.
  • Must set tolerable deviation rate before testing. ISA 530.5(e) requires the auditor to determine the tolerable rate in advance. This drives the sample size and the evaluation threshold.
  • Zero deviations does not prove perfection. A clean sample of 25 items at 95% confidence with a 10% tolerable rate means there is still up to a 5% probability the true deviation rate exceeds the tolerance.

Why it matters in practice

A recurring PCAOB and FRC finding is the confusion between a deviation and a deficiency. A deviation is a factual observation: in this specific instance, the control did not operate as prescribed. A deficiency is a conclusion: the control's design or operation is insufficient to prevent or detect misstatement. One deviation is not automatically a deficiency. The attribute sampling evaluation gives the rate. The auditor's judgement under ISA 265 determines whether that rate constitutes a deficiency worth reporting.

The second common issue is testing only part of the period. ISA 330.10 requires the auditor to obtain evidence that the control operated effectively throughout the period of intended reliance. If the control was tested only for January through June but the team plans to rely on it for the full year, the gap from July to December is untested reliance. That gap is a documentation and logic failure regulators consistently flag.

In our experience, the failure mode on sample size is almost always PIOOMA dressed up as methodology. The team picks 25 items because the audit program says 25, not because anyone has worked through what 25 items at a given tolerable rate actually buys in statistical confidence. Nobody enjoys recalculating sample sizes engagement by engagement, but "just roll it forward" is how the FRC's 2024 thematic on controls reliance produced its most pointed findings.

Key standard references

  • ISA 530.5(e): Definition of tolerable rate of deviation from a prescribed control procedure.
  • ISA 530.5–15: Core requirements for audit sampling including design, selection, and evaluation.
  • ISA 330.10: Requirement to test controls throughout the period of intended reliance.
  • ISA 265: Communicating deficiencies in internal control to those charged with governance and management.

Frequently asked questions

What question does attribute sampling answer?

One question: how often does the control fail? The result is a deviation rate, not a monetary amount. It tells the auditor whether to rely on the control for the planned reduction in substantive testing.

What is the difference between a deviation and a deficiency?

A deviation is a departure from the prescribed procedure in a specific instance. A deficiency is a conclusion about the design or operation of the control. One deviation is not automatically a deficiency. The attribute sampling evaluation provides the rate; the auditor's judgment determines whether that rate constitutes a deficiency under ISA 265.

What inputs determine the sample size?

Four inputs: the expected deviation rate in the population, the tolerable deviation rate (ISA 530.5(e)), the desired confidence level, and the population size (though population size has minimal impact once it exceeds a few hundred items).
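The evaluation and sample-size arithmetic discussed on this page can be worked through directly. The following is an added example, not part of the original article or of any ISA text: it assumes a plain binomial model (a population large enough that its size does not matter), and the function names and sample figures are constructed for illustration.

```python
from math import comb

def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing k or fewer deviations."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_deviation_limit(n, deviations, confidence=0.95):
    """Exact one-sided upper bound on the true deviation rate.

    Finds the rate p at which observing `deviations` or fewer in a sample
    of n would happen with probability (1 - confidence).
    """
    if deviations >= n:
        return 1.0
    risk = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection; the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > risk:
            lo = mid
        else:
            hi = mid
    return hi

def min_sample_size(tolerable_rate, confidence=0.95, allowed_deviations=0, max_n=5000):
    """Smallest n for which `allowed_deviations` or fewer still supports
    a conclusion that the true rate is at or below the tolerable rate."""
    risk = 1 - confidence
    for n in range(allowed_deviations + 1, max_n + 1):
        if binom_cdf(allowed_deviations, n, tolerable_rate) <= risk:
            return n
    raise ValueError("no sample size up to max_n meets the target")

if __name__ == "__main__":
    # Constructed inputs matching the figures quoted in the article.
    clean_25 = upper_deviation_limit(25, 0)   # 25 items, zero deviations
    two_in_40 = upper_deviation_limit(40, 2)  # 2 deviations in 40 items
    print(f"25 items, 0 deviations: upper limit {clean_25:.1%}")
    print(f"40 items, 2 deviations: sample rate {2/40:.0%}, upper limit {two_in_40:.1%}")
    # Illustrative planning case: 5% tolerable rate at 95% confidence.
    print("n for 5% tolerable, 0 expected:", min_sample_size(0.05))
    print("n for 5% tolerable, 1 expected:", min_sample_size(0.05, allowed_deviations=1))
```

The conclusion on the control comes from comparing the upper limit, not the sample deviation rate, with the tolerable rate set before testing.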
