Importance of sampling in audit process

 In a compliance audit process, forming an audit opinion or conclusion does not necessarily come from examining all the available data in scope. It may be impractical to conduct an audit on a high volume dataset or the entire dataset in scope to draw valid conclusions. This is when sampling comes into the picture of an audit process.

Audit Sampling is a technique widely adopted in different types of financial and non-financial audit processes. It is a technique that makes it possible for the auditor to obtain sufficient audit evidence to form valid conclusions and provide an opinion on the controls audited in the Compliance process.

The practice of audit sampling ensures efficient review and audit outcomes. In compliance audits for testing of controls, attribute sampling is typically used, where a sampling approach is an event or transaction. Elaborating more on this, we have covered in this article the purpose and importance of sampling in the audit process.

But before that let us first understand what is sampling in the audit process. 

What is Audit Sampling?

A sample is a subset of a larger population. So, basically in an audit sampling, a dataset of less than 100% of the larger population is used for examining in the audit process.  The auditor studies a small sample of the population to obtain reasonable assurance/understanding of the working effectiveness of the much larger population.

Further, it helps the auditor achieve their audit objectives without having to examine every single item which may otherwise require an impractical lot of time and resource investment. So, when the auditor decides to adopt audit sampling for their Compliance audit procedure, they either use statistical sampling audit process or non-statistical sampling to test the performance of controls and evaluate the results from the sample.

However, the auditor must ensure the sample selected for the compliance audit process is the exact representation of the population in the scope of compliance. Moreover, it also important to understand that at times the auditor may not adopt the audit sampling method for a specific audit.

This could be so because the auditor may deem 100% testing appropriate for a small number that makes up a population, or when there is a significant risk of misrepresentation of samples or considers that the sampling audit technique may not provide sufficient and appropriate audit evidence. Sometimes such as seen in standards such as PCI DSS, audit sampling technique is allowed only for those specific controls and is not really even a choice of the auditor.

Points to be considered when designing an Audit Sample

Sampling is a technique based on the assumption that every sample, by and large, has almost the same characteristics of the complete data that it represents. But, with this technique, there is always an uncertainty in the level of accuracy and deviation in its overall outcome for the entire class of data. For these reasons, auditors should be considering a few points for sample design, size, and selection of items for testing. So, when designing an audit sample, the auditor must consider- 

  • The purpose of the audit procedures and the characteristics of the population from which the sample is selected.
  • The auditor must determine a sample size sufficient to limit or reduce the sampling risk of deviation to an acceptable low level.
  • The auditor must select the sample in a way that each sampling unit in the population has a chance of selection. 

The auditor typically adopts the following methods for selecting samples from the entire class or population of data. This includes- 

  • Simple Random Sampling

     Simple random sampling is a method in which the auditor/assessors selects a certain representative sample at a regular interval from across the list of population. This is then accordingly used to draw conclusions about the population. For instance, if samples are selected from a list of individuals ordered by age, simple random sampling will result in a sample drawn from the entire age spectrum. This gives an equal opportunity to all populations from which samples are selected.

  • Systemic sampling

    Systematic sampling is a sampling method in which random samples are selected in a fixed period of interval. For instance, if samples are selected from a list of individuals ordered by age, systematic sampling will result in samples drawn from a specific age spectrum. This will probably result in selecting samples of only younger or older individuals. Having said that, the systematic sampling method should not be used for a population that is sequenced or ordered cyclically or periodically, as the samples may not guarantee to be representative of the population. 

  • Block Sampling

    Block sampling is a sampling technique wherein the auditor/assessor uses a sequential series of samples in the audit. For instance, an auditor using block sampling to examine transactions of a customer picks 50 transactions either from the recent past few months or randomly from over the period of last one year. With this random selection method, sampling from across the entire population can reduce the sampling risk. This is especially by selecting a large number of blocks of samples in the sampling process. This approach is very efficient since a large cluster of samples is representative of the entire population.

  • Stratified Random Sampling

    Stratified Random Sampling which is also known as random quota sampling is a type of probability sampling method wherein the auditor/assessor segregates the entire population into multiple homogenous groups and randomly selects samples from the various groups for the audit. This gives every sample an equal opportunity to be selected from the population across different groups. For instance, if samples are selected from a population that is listed in different groups with a mix of random age group individuals, it gives equal opportunity to all young aged, mid-aged and older aged individuals to be selected in audit sampling. This type of sampling process reduces cost and improves the efficiency of the audit.

  • Haphazard sampling

Haphazard sampling is a sampling method in which there is no systematic way of selecting samples. For instance, samples are randomly selected from an entire population of data across a system that has no specific sequence, or order cyclically or periodically. They will be a random set of numbers or data that may not necessarily be a representative of the entire population of data. So, this method gives you a very limited guarantee of the samples selected may be representative of the entire population of data.

Potential Risk of Sampling Technique in Compliance Audit 

In the sampling technique, there is always a degree of uncertainty that is implicit. This means when a test of controls or a substantive test is restricted to just the selected sample, there is always a possibility of deviation in the outcome. The auditor’s conclusion may be different from the conclusions he would reach if the test was applied to the entire class or population of data. For a sample of a specific design, and size, the sampling risk varies inversely. So, for instance, with a smaller sample size, there is a greater possibility of sampling risk. 

Adopting the technique of sampling in an audit depends on the acceptance of such uncertainties. The justification of accepting a certain level of deviation depends on the cost and time required to examine all of the data and the adverse consequences of possible incorrect decisions based on the outcome of examining only a sample of the entire class of data. If this does not justify the acceptance of uncertainty, it is best to examine the entire population or class of data. However, since this is seldom and the basic concept of sampling is well established in auditing practices, it is a technique most commonly adopted in the audit process. 

Why does an auditor use a sampling technique in the audit process?

Compliance audits are often conducted to verify an organization’s current security posture as per the given industry standards. It is important to ensure that entities are not misrepresenting their compliance stand and that relevant stakeholders do not make decisions based on faulty statements. It is important to establish trust and efficiency within the industry.

The information generated from the audit process is useful for relevant decision-makers. However, the information provided needs to be accurate and fairly presented. So, often sampling audit techniques are adopted to speed up the process of audit while ensuring the accuracy and fairness of the results. 

No matter what kind of audit is performed, when the data sets are large audit sampling technique must be adopted so that auditors can complete their audits without wasting resources on checking every single item in scope. The main purpose of the sampling audit can be as identified below- 

  • Gather evidence for a conclusive opinion
  • Optimize resource utilization 
  • Provide a basis for auditors to provide recommendation 
  • Detect any errors or fraud that can possibly occur
  • Complete the audit in time and in accordance with auditing standards

Specifically, when it comes to SOC Attestation, there are four types of audit sampling techniques used (Simple Random Sampling, Systemic Sampling, Haphazard Sampling, and Block Sampling). Depending on the type of population, the way it is generated, and the size of the population, it impacts the decision of selecting a specific type of audit sampling method. Ideally, the SOC auditors must review their sampling methods to ensure they are aligned with the AICPA guidelines when performing their SOC Audit process.

Conclusion 

The purpose of audit sampling is to appropriately test the right samples and determine the operating effectiveness of controls in the organization. But, before proceeding with this technique, the auditor should review and consider the sampling method, sample size, acceptable rate of deviation.

The auditor should consider the level of tolerable misstatement that the technique can lead to and the impact of misstatement. The auditor must investigate the possible effect on the purpose of the audit procedure and the other audit areas.

The auditor should also perform additional audit procedures to obtain substantial audit evidence that the misstatement or deviation does not affect the remainder of the population. The auditors should use their professional judgment to assess audit risk and establish appropriate procedures and methods for testing.

 

Narendra Sahoo
Narendra Sahoo

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.