Audit Sampling

This page provides a detailed overview of ISO 19011:2011 Annex B.3.

B.3.1. Introduction to Audit Sampling

Management system auditors must be able to reach valid conclusions
about large systems. However, it's often impractical or too costly to study
every single item in a large system. There may be just too many items to
examine or they may be spread over a large geographical area. As a
result, auditors must work with smaller samples.

A sample is a subset of a larger population. An audit sample is a data set
that is less than 100% of the items in a population. Auditors study small
samples in order to obtain evidence about some characteristic of much
larger populations. When done properly, this allows them to draw valid
conclusions about the entire population. It also allows them to achieve
their audit objectives without having to examine every single item.

Of course, when you're working with samples, there's always the risk
that the sample may not accurately represent the population as a whole.
When this happens, conclusions that are based on such samples could
be biased, and bias is something you definitely want to avoid.

In addition, there's also the risk that your sample may contain inaccurate
or insufficient information. Needless to say, conclusions that are based
on defective samples will themselves be defective.

In order to help ensure that you draw valid audit conclusions,
your sampling process should include the following steps:

1. Develop a sampling plan.

1.1. Establish your sampling objectives.

1.2. Identify the population to be sampled.

1.2.1. Define the extent of the population.

1.2.2. Define the composition of the population.

1.3. Select a sampling method.

1.3.1. Select judgment-based sampling, or

1.3.2. Select statistical sampling.

1.4. Determine the sample size.

2. Carry out your sampling activities.

2.1. Select your audit samples.

2.2. Examine your audit samples.

3. Formulate your results and conclusions.

3.1. Compile and evaluate your results.

3.2. Document and report your results.

There are at least two ways of selecting a sample: you can
use judgment or you can use statistical sampling. These two
approaches are discussed below.

B.3.2. Introduction to Judgment-based Sampling

Judgment-based sampling depends on the knowledge, skill, and
experience of audit team members. When using this approach, auditors
use their personal judgment to select audit samples. When deciding
whether or not to use judgment-based sampling:

  1. Consider whether or not you have previous auditing experience
    within the same or similar audit scope. If you have, judgment-based
    sampling might be appropriate.

  2. Consider whether or not audit objectives and requirements
    are so complex that only a judgment-based sampling approach
    is reasonable.

  3. Consider whether or not management system processes
    and process interactions are so complex that special judgment
    must be used to select the most appropriate items for examination.

  4. Consider whether or not key risk areas or improvement
    opportunities were previously identified. If they have been,
    judgment-based sampling might be appropriate.

  5. Consider whether or not technologies, human factors,
    or management systems are changing very rapidly. If things
    are changing rapidly, judgment-based sampling might be
    your only option.

  6. Consider whether or not management system monitoring
    outputs make it clear what areas need to be examined. If you
    know exactly where to look, then judgment-based sampling might
    be your best approach. Of course, whenever judgment is used to
    select audit samples, no statistical estimate of uncertainty can be
    used to quantify how much confidence you have in your audit
    findings and conclusions.

B.3.3. Introduction to Statistical Sampling

Statistical sampling starts with a plan. Your statistical sampling plan
should help you to achieve your audit objectives and should be based
on what is known about the characteristics that define the population
you intend to study.

Your sampling plan will be influenced by:

1. How big the auditee organization is

2. How much time you have to do the audit

3. How many audits will be done during the year

4. How many competent auditors you have on your team

5. How much confidence you need to have in your results

How much confidence you need to have is related to how much
risk you're willing to accept. For example, a confidence level of 95%
corresponds to a sampling risk of 5%. A sampling risk of 5% means that
you're willing to accept the risk that 5 out of 100 of your samples will not
accurately represent the entire population. An acceptable sampling risk
of 5% means you have an acceptable confidence level of 95%.

Your sampling plan should also describe the sampling techniques
you plan to use. ISO 19011 mentions two statistical sampling techniques:
attribute-based sampling and variable-based sampling. Attribute-based
sampling is used when there are two possible outcomes (attributes) for
each sample: yes/no, pass/fail, correct/incorrect, presence/absence,
compliance/noncompliance, etc. Variable-based sampling is used
when outcomes occur along a range of values.

For example, if your audit objective is to determine whether or not a
procedure is being followed, attribute-based sampling could be used
because two outcomes are possible: follows procedure or does not
follow procedure. On the other hand, if your audit objective is to see
how many safety incidents or security breaches have occurred, a
variable-based approach would probably be more appropriate.
It all depends on your audit objectives.

If you decide to use statistical sampling, you should document the
work that was actually performed. This means that you should:

1. Describe the population that was sampled.

2. Describe the criteria used to define an acceptable sample.

3. Describe the samples and specify the number examined.

4. Describe the statistical methods and parameters used.

5. Describe the results that you obtained.
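The attribute-based approach and the 95% confidence level discussed above can be worked through in code. This is an added example, not part of ISO 19011 or of the original page. It assumes a zero-deviation sizing rule, a tolerable deviation rate of 5%, and a constructed population of change tickets; the ticket IDs and the seed are made up.

```python
import math
import random

def zero_deviation_sample_size(confidence, tolerable_rate):
    # Smallest n with (1 - tolerable_rate)**n <= 1 - confidence: if the true
    # deviation rate were at the tolerable rate, a clean sample of n items
    # would occur with probability at most the accepted sampling risk.
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))

def upper_deviation_bound(n, deviations, confidence):
    # One-sided exact binomial (Clopper-Pearson) upper bound, by bisection.
    if deviations >= n:
        return 1.0
    def cdf(p):
        return sum(math.comb(n, i) * p**i * (1 - p)**(n - i)
                   for i in range(deviations + 1))
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if cdf(mid) > 1 - confidence else (lo, mid)
    return hi

def run_attribute_sample(population, passes, confidence, tolerable_rate, seed):
    ids = sorted(population)   # fixed order so the seed reproduces the draw
    # If the population is smaller than n, every item is examined and the
    # binomial bound below is conservative.
    n = min(zero_deviation_sample_size(confidence, tolerable_rate), len(ids))
    sample = random.Random(seed).sample(ids, n)
    failed = [item for item in sample if not passes(item)]
    bound = upper_deviation_bound(n, len(failed), confidence)
    return {   # mirrors the five documentation items listed above
        "population": f"{len(ids)} items, {ids[0]}..{ids[-1]}",
        "acceptance_criterion": f"upper bound < {tolerable_rate:.0%}",
        "sample": sample, "sample_size": n,
        "method": f"attribute, simple random, seed={seed}, confidence={confidence:.0%}",
        "deviations": failed, "upper_bound": bound,
        "conclusion_supported": bound < tolerable_rate,
    }

if __name__ == "__main__":
    # Constructed data: 400 change tickets, three of which skipped approval.
    tickets = [f"CHG-{i:04d}" for i in range(1, 401)]
    skipped = {"CHG-0017", "CHG-0203", "CHG-0388"}
    report = run_attribute_sample(tickets, lambda t: t not in skipped,
                                  confidence=0.95, tolerable_rate=0.05, seed=20140712)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Recording the seed and the sorted population lets a reviewer redraw exactly the same sample. A single deviation in the sample pushes the upper bound above the 5% tolerable rate, so the sample size would have to grow before the conclusion could be supported.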

 Updated on July 12, 2014. First published on May 24, 2012.

