Audit Sampling Methods for Financial Firms

Audit sampling is a core technique in financial auditing that allows examiners to draw conclusions about an entire population of transactions or records by testing a representative subset. For financial firms operating under regulators such as the SEC, PCAOB, and FDIC, the rigor and defensibility of the sampling methodology directly affect the reliability of audit opinions. This page covers the major classification types of audit sampling, how each method operates mechanically, the scenarios in which each is appropriate, and the decision criteria that govern method selection under authoritative auditing standards.


Definition and scope

Audit sampling, as defined by the AICPA in AU-C Section 530, is the application of an audit procedure to less than 100% of items within an account balance or class of transactions, such that all sampling units have a chance of selection, and the auditor expects to use the results to form a conclusion about the entire population. The scope of this definition excludes procedures applied to every item in a population (complete testing) and also excludes procedures where the auditor selects items based solely on judgment without intending to project results to the full population.

Two high-level categories govern all sampling in financial auditing:

  - Statistical sampling — sample size and selection are determined by probability theory, so sampling risk can be measured and the results projected to the population at a stated confidence level.
  - Non-statistical sampling — sample size and selection rest on professional judgment; the same risk factors are weighed, but sampling risk cannot be quantified numerically.

Both categories are permitted under PCAOB Auditing Standard AS 2315 and under the AICPA's generally accepted auditing standards. Neither approach is inherently superior; the choice must be appropriate to the audit objective and population characteristics. For a broader grounding in applicable standards, see GAAS – Generally Accepted Auditing Standards and PCAOB Standards for Financial Audits.


How it works

Regardless of the sampling category chosen, the process follows a defined sequence of phases:

  1. Define the objective — Determine whether the test is a test of controls (attribute sampling) or a substantive test of details (variables sampling). Tests of controls measure the rate at which a control failure occurs; substantive tests estimate a monetary error amount.

  2. Define the population — Specify the complete set of items from which the sample will be drawn: account balance, transaction class, period, and any stratification boundaries.

  3. Determine sample size — For statistical sampling, sample size is calculated using three inputs: desired confidence level (commonly 90% or 95%), tolerable misstatement or tolerable deviation rate, and expected misstatement or expected deviation rate. For non-statistical sampling, professional judgment governs, but the same risk factors must be considered qualitatively.

  4. Select sample items — Selection methods include:

     - Random selection — every item has an equal and known probability of selection; typically implemented via a random number generator.
     - Systematic selection — items are selected at a fixed interval (every nth item) after a random start point.
     - Probability-proportional-to-size (PPS) — also called monetary unit sampling; each dollar in the population is the sampling unit, giving larger-dollar transactions a proportionally higher chance of selection.
     - Haphazard selection — the auditor selects without a structured technique, but without deliberate bias; permissible only under non-statistical sampling and disfavored by most regulatory exam standards.

  5. Apply the procedure and evaluate results — Errors or deviations found in the sample are projected to the population. For variables sampling, the projected misstatement is compared to tolerable misstatement. For attribute sampling, the upper deviation rate is compared to the tolerable deviation rate. If projected error exceeds tolerable thresholds, the auditor must either expand testing or modify the audit opinion.

Risk-based auditing in financial services directly informs step 1 and step 3 — higher assessed risk of material misstatement typically compresses tolerable misstatement and drives larger sample sizes.


Common scenarios

Loan portfolio testing at banks — Examiners and external auditors testing loan credit quality frequently use PPS (monetary unit sampling) because the population is dollar-denominated and auditors are most concerned about overstatement. Under FDIC audit requirements for banks, loan-level documentation must be traceable, which makes PPS selection operationally straightforward.
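As an added example (constructed here, not code from the page or any regulator), the PPS selection mechanics described under "How it works" applied to a small made-up loan population: a random start, then every interval-th dollar, with the loan containing each selected dollar entering the sample. It also shows why every loan with a balance of at least one interval is selected with certainty.

```python
"""Monetary-unit (PPS) selection: a random start, then every interval-th
dollar. Added example with a constructed loan population; not from the page."""
import random

# Constructed population: (loan_id, book balance in whole dollars).
LOANS = [("L-001", 250_000), ("L-002", 40_000), ("L-003", 1_200_000),
         ("L-004", 15_000), ("L-005", 90_000), ("L-006", 610_000),
         ("L-007", 5_000), ("L-008", 330_000)]


def sampling_interval(population, sample_size):
    """Total dollars divided by the planned number of selections."""
    return sum(bal for _, bal in population) // sample_size


def certain_selections(population, sample_size):
    """Loans whose balance is at least one interval: each contains a
    selected dollar whatever the random start, so this 'top stratum'
    is effectively tested 100%."""
    interval = sampling_interval(population, sample_size)
    return [lid for lid, bal in population if bal >= interval]


def pps_select(population, sample_size, seed):
    """Return the loans containing the selected dollars. A loan hit more
    than once counts once; the seed is recorded so a reviewer can
    re-perform the selection."""
    interval = sampling_interval(population, sample_size)
    start = random.Random(seed).randint(1, interval)
    targets = [start + i * interval for i in range(sample_size)]
    selected, cumulative, t = [], 0, 0
    for loan_id, bal in population:
        cumulative += bal          # running dollar total through this loan
        hit = False
        while t < len(targets) and targets[t] <= cumulative:
            hit, t = True, t + 1   # this loan contains the next target dollar
        if hit:
            selected.append(loan_id)
    return selected


if __name__ == "__main__":
    print(sampling_interval(LOANS, 5))      # 508000
    print(certain_selections(LOANS, 5))     # ['L-003', 'L-006']
    print(pps_select(LOANS, 5, seed=7))
```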

Controls testing under SOX Section 404 — For public companies and their auditors complying with Sarbanes-Oxley Section 404, attribute sampling is standard for testing the operating effectiveness of internal controls. PCAOB AS 2315 specifies that the auditor must evaluate both the sample deviation rate and the statistical upper limit when using statistical attribute sampling.

Revenue transaction testing — Auditors testing completeness or accuracy of a large volume of small-dollar revenue transactions (such as fee income at a broker-dealer) often stratify the population — separating high-dollar items for complete testing or separate sampling — and apply systematic random selection within each stratum.

Anti-money-laundering transaction monitoring — Firms subject to Bank Secrecy Act audit obligations often use judgmental sampling focused on flagged alerts, high-risk customers, or specific transaction corridors, rather than probabilistic sampling across the full transaction population. Because this is non-statistical, findings cannot be projected numerically but still support qualitative conclusions.


Decision boundaries

The selection between statistical and non-statistical sampling, and the choice among specific selection techniques, depends on identifiable decision factors:

| Factor | Implication |
|---|---|
| Need to quantify sampling risk | Requires statistical sampling |
| Small population (under ~50 items) | Complete testing often more efficient than sampling |
| High variance in transaction size | Stratification or PPS preferred |
| High assessed risk of material misstatement | Reduces tolerable misstatement; increases required sample size |
| Regulatory exam scrutiny (e.g., PCAOB inspection) | Statistical documentation reduces defensibility risk |
| Limited auditor access to randomization tools | May constrain statistical options in field conditions |

PCAOB inspections have repeatedly cited inadequate sample sizes and undocumented selection rationale as deficiencies (PCAOB Inspections of Financial Services Auditors). The audit materiality threshold set at the engagement level feeds directly into the tolerable misstatement figure used in sample size calculations — those two parameters cannot be set independently.

For tests of controls, a commonly referenced table in auditing literature links desired confidence levels to sample sizes: at 95% confidence with a 5% tolerable deviation rate and 0% expected deviation, the indicated sample size is 59 items (AICPA Audit Guide: Audit Sampling). Increasing the expected deviation rate to 2% raises the required sample to 181 items at the same confidence and tolerable rate — illustrating the sensitivity of sample size to population quality assumptions.
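As an added worked example (written for this page, not the AICPA's own table or code), the binomial arithmetic that reproduces the 59 and 181 figures above, together with the evaluation step from "How it works": computing the upper deviation rate for a completed sample and comparing it to the tolerable rate. It assumes the standard binomial model with expected deviations rounded up, which is what makes the table conservative.

```python
"""Attribute-sampling arithmetic: the sample-size rule behind the 59 / 181
figures and the upper-deviation-rate comparison used in the evaluation step.
Added example, not the AICPA's own table code; binomial model assumed."""
import math


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p): chance of seeing at most k
    deviations in n items when the true deviation rate is p."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable: float, expected: float,
                          risk: float = 0.05) -> tuple[int, int]:
    """Smallest n such that, if the sample turns up the expected number of
    deviations k = ceil(n * expected), a population deviating at the
    tolerable rate would yield that few deviations with probability
    <= risk (risk = 1 - confidence). Returns (n, k)."""
    n = 1
    while True:
        k = math.ceil(n * expected - 1e-9)  # tiny epsilon guards float noise
        if binom_cdf(k, n, tolerable) <= risk:
            return n, k
        n += 1


def upper_deviation_rate(n: int, found: int, risk: float = 0.05) -> float:
    """Upper limit on the population deviation rate at (1 - risk) confidence
    given `found` deviations in n items: the smallest rate p at which
    observing <= found deviations is no more likely than `risk` (bisection)."""
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(found, n, mid) <= risk:
            hi = mid
        else:
            lo = mid
    return hi


def control_can_be_relied_on(n: int, found: int, tolerable: float,
                             risk: float = 0.05) -> bool:
    """Evaluation step: the upper deviation rate must not exceed the tolerable rate."""
    return upper_deviation_rate(n, found, risk) <= tolerable


if __name__ == "__main__":
    print(attribute_sample_size(0.05, 0.00))    # (59, 0)
    print(attribute_sample_size(0.05, 0.02))    # (181, 4)
    print(control_can_be_relied_on(59, 1, 0.05))  # False: one deviation in 59 breaks reliance
```

One deviation in a sample of 59 pushes the upper deviation rate well above 5%, which is why the table's 0%-expected sample size only supports reliance when no deviations are found.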

Audit evidence standards in financial services govern how sample results must be documented and retained, including the basis for population definition, the selection method, and the auditor's evaluation logic. Documentation of sampling decisions is not discretionary under either PCAOB or AICPA standards.
