What is audit sampling?
Open almost any inspection report and the sampling findings read the same way. Sample size picked from a table, no link to assessed risk, no projection of the errors found. In our experience, about half of first-round file reviews on substantive sampling come back with a PIOOMA flag on sample size. The number is defensible. The reasoning behind it is not documented.
Audit sampling is the process of selecting and testing fewer than 100% of items in a population to form a conclusion about the entire population. ISA 530 governs how auditors design, select, and evaluate samples for both tests of controls and substantive procedures. The fundamental principle is that every sampling unit in the population must have a chance of being selected. This does not mean every item has an equal chance (stratification and monetary unit sampling deliberately weight selection toward higher-value or higher-risk items), but no item can be systematically excluded from the possibility of selection.
Sampling exists because testing 100% of transactions is rarely practical. The trade-off is sampling risk: the risk that the auditor's conclusion based on a sample differs from the conclusion they would reach if the same procedure were applied to the entire population. The auditor manages this risk through the sample size and the selection method, then evaluates the results against tolerable misstatement.
Key Points
- Every item must have a chance of selection. Whether using random, systematic, or monetary unit selection, no part of the population can be excluded from the sampling frame.
- Sample size is driven by risk. Lower tolerable misstatement, higher expected misstatement, and lower acceptable sampling risk all increase the required sample size.
- Misstatements must be projected. ISA 530.14 requires the auditor to project sample misstatements to the entire population, not just report the raw amount found.
- Both statistical and non-statistical approaches are permitted. ISA 530 does not require statistical sampling, but whichever method is used must provide sufficient appropriate audit evidence.
Why it matters in practice
Worked example: Van Dijk Logistics
Van Dijk Logistics BV has 4,200 trade receivable balances totalling EUR 18.6 million. The audit team sets performance materiality (PM) at EUR 200,000 and tolerable misstatement for receivables at the same amount. Expected misstatement, based on prior-year results, is EUR 30,000.
Using a statistical formula (confidence factor approach), the team calculates a sample size of 40 items. They use monetary unit sampling to weight selection toward larger balances. External confirmations are sent for all 40 items.
Three confirmations return with differences totalling EUR 8,400. The team investigates and determines all three are genuine misstatements (not timing differences). The projected misstatement is EUR 8,400 x (18,600,000 / 7,440,000 sampled value) = EUR 21,000. This is well below tolerable misstatement of EUR 200,000, so the team concludes the receivables balance is not materially misstated.
What reviewers catch
Sampling is one of the most frequently cited areas in regulatory inspection findings. Nobody enjoys redoing a sample mid-fieldwork when the review note lands, but skipping the documentation up front is how files get flagged. Common issues include:
- Population completeness not tested. The auditor sampled from a report that did not include all items in the population (e.g., sampling from a receivables listing that excluded credit balances or intercompany items).
- No projection of misstatements. The file reported only the raw misstatements found in the sample without projecting them to the full population, as required by ISA 530.14 .
- Haphazard selection mistaken for random selection. The auditor selected items "at random" by scrolling through a listing and picking items, which is haphazard selection and does not qualify as a valid statistical sampling method.
- Sample size not linked to risk assessment. The file contained no documentation showing how the sample size was determined or how it related to the assessed RoMM. This is where teams most often just roll it forward from prior year instead of rebuilding the calculation.
Statistical vs non-statistical sampling
Statistical sampling uses mathematical probability to select items and evaluate results. It gives the auditor a quantifiable confidence level (e.g., 95% confidence that the population misstatement does not exceed tolerable misstatement). It requires random selection and formal projection of results. The main advantage is defensibility. The conclusion is mathematically supported rather than left to the reviewer's faith in the preparer.
Non-statistical sampling relies on the auditor's professional judgement for selection and evaluation. It is more flexible and often faster to execute, but the auditor cannot quantify sampling risk. ISA 530 .A22 notes that when non-statistical sampling is used, the auditor uses professional judgement to determine that the sample is representative and the results provide sufficient appropriate evidence.
Neither approach is inherently superior. The choice depends on the population, the audit objective, the firm's methodology, and the reviewer's comfort with each approach. Many firms use statistical sampling for large, homogeneous populations (e.g., trade receivables confirmations) and non-statistical sampling for smaller or more varied populations (e.g., testing journal entries).
Key standard references
- ISA 530.5 –6: Definitions of audit sampling, sampling risk, non-sampling risk, tolerable misstatement, and anomalous misstatement.
- ISA 530.7 –8: Requirements for designing the sample, including determining sample size sufficient to reduce sampling risk to an acceptably low level.
- ISA 530.12 –13: Performing audit procedures on selected items and investigating the nature and cause of deviations or misstatements identified.
- ISA 530.14 : Projecting misstatements found in the sample to the population.
- ISA 530 .A22: Guidance on the use of non-statistical sampling and the role of professional judgement in evaluating sample results.
Related terms
Related tools
Related tools
Related reading
Jurisdiction notes
ISA 530 is adopted with identical substantive requirements across most jurisdictions, but regulators focus on different deficiencies. In the United Kingdom, ISA (UK) 530 is issued by the FRC; inspection reports have highlighted insufficient sample sizes relative to assessed risk and failure to project misstatements found in samples to the population (ISA (UK) 530.A20). In the Netherlands, NV COS 530 permits both statistical and non-statistical sampling ( NV COS 530 .A11); the AFM has questioned whether non-statistical sample sizes provide equivalent assurance. In Australia, ASA 530 mirrors the base ISA; ASIC expects auditors to document how items were selected to demonstrate sample representativeness.
In the United States, audit sampling follows AU-C 530 for non-public entity audits and PCAOB AS 2315, Audit Sampling, for SEC registrant audits. AS 2315 requires the auditor to determine sample sizes sufficient to reduce sampling risk to an acceptably low level, factoring in tolerable misstatement (as determined under AS 2105), the expected amount and frequency of misstatements, and the assessed level of risk. AS 2315.22–26 require projection of sample misstatements to the population and evaluation of whether projected misstatement plus sampling risk exceeds tolerable misstatement. PCAOB inspection findings have frequently cited sample sizes that are too small, failure to project misstatements, and insufficient documentation of the sampling rationale. AU-C 530 mirrors ISA 530 closely, and the AICPA Audit Guide Audit Sampling provides extensive sample size tables based on confidence levels and expected error rates.
Frequently asked questions
What is the difference between statistical and non-statistical sampling?
Statistical sampling uses random selection and probability theory to evaluate results, allowing the auditor to quantify sampling risk. Non-statistical sampling relies on the auditor's judgement for both selection and evaluation. ISA 530 permits either approach — both can provide sufficient appropriate audit evidence. The key difference is measurability: statistical sampling gives a mathematically defensible confidence level, while non-statistical sampling requires the auditor to use professional judgement to assess whether the sample results support the conclusion.
How does the auditor determine sample size?
Sample size depends on four factors: the acceptable level of sampling risk (typically 5% for substantive tests), the tolerable misstatement (derived from performance materiality), the expected misstatement in the population, and the population characteristics. A higher tolerable misstatement or lower expected misstatement reduces the required sample size. ISA 530.A11 notes that the auditor may use statistical formulas or professional judgement to determine the appropriate size.
What happens when misstatements are found in a sample?
The auditor must project the misstatements found in the sample to the entire population (ISA 530.14). For example, if testing 40 items from a population of 2,000 and finding EUR 5,000 in misstatements, the projected misstatement is EUR 250,000 (EUR 5,000 x 2,000/40). The auditor then compares this projected amount to tolerable misstatement. If the projected misstatement exceeds tolerable misstatement, the auditor concludes the population contains a material misstatement and must perform additional procedures or request management to adjust.