Attribute Sampling Plans

A simple statistical application may dramatically improve the reliability of internal control testing.


A reliability assessment of the organization's internal control system involves deciding how much evidence to gather. Because an examination of all underlying control data is not always feasible, auditors must often draw samples, audit the items selected, and extrapolate the results to the larger population.

Either a statistical or nonstatistical approach to sampling is acceptable under The IIA's International Standards for the Professional Practice of Internal Auditing and The American Institute of Certified Public Accountants' (AICPA's) Professional Auditing Standards. The use of statistics, however, will help auditors develop sample plans more efficiently and assess sample results more objectively than nonstatistical methods alone. Even a well-designed nonstatistical sample cannot measure the risk that the sample is not representative of the population - a distinct advantage of statistically based sampling plans. Moreover, increased regulatory requirements to provide greater assurance over internal accounting controls and company demands for greater productivity from their audit shops make statistical sampling a necessary part of the internal auditor's tool kit. Fortunately, auditors can use statistical sampling techniques without any detailed knowledge of classical statistical theory and still accomplish their audit objectives.


Attribute sampling plans represent the most common statistical application used by internal auditors to test the effectiveness of controls and determine the rate of compliance with established criteria. The results of these plans provide a statistical basis for the auditor to conclude whether the controls are functioning as intended, reflecting either control compliance or noncompliance - a binary (yes/no) proposition.

In developing an attribute sampling plan, the auditor must first define the audit test objective, population involved, sampling unit, and control items to be tested. For example, if the auditor's objective is to determine the percentage of sales orders lacking credit approval, the population will consist of all sales orders within a given period. Each sales order becomes the sampling unit, and sales order credit approval represents the control attribute to be tested.


The auditor must consider four statistical parameters to determine an appropriate sample size to select for the planned control test: confidence level, expected deviation rate, tolerable rate, and population. Although guided by assessed risk, inquiries of the audit client, and prior audit experience, each parameter is ultimately based on professional auditor judgment.

Confidence Level

The sample's confidence level refers to the reliability the auditor places on the sample results. Confidence levels of 90 percent to 99 percent are common. A 95 percent confidence level means the auditor assumes the risk that five out of 100 samples will not reflect the true values in the population.

The auditor's assessment of the control environment contributes to the level of risk the auditor is willing to assume. At a 95 percent confidence level, 5 percent — the complement of the confidence level — reflects the auditor's risk of "assessing control risk too low."

Expected Deviation Rate

The expected deviation rate represents the auditor's best estimate of the actual failure rate of a control in a population. The rate usually is based on client inquiries, changes in personnel, process observations, prior year test results, or even the results of a preliminary sample.

Tolerable Rate

The tolerable rate defines the maximum rate of noncompliance the internal auditor will "tolerate" and still rely on the prescribed control. Many auditors will coordinate with their audit client before establishing a tolerable level. Client control objectives help determine the nature and frequency of deviations that can occur and still allow reliance on the control.


Population

The population contains all items to be considered for testing. Each must have an unbiased chance of selection to ensure the final sample is representative of the population. For large populations containing thousands of items, population size will cause little impact on total sample size and is often irrelevant for audit sample planning.


In a test of sales orders for appropriate credit approval, suppose the auditor estimates a 1.5 percent expected deviation rate of missing credit approvals relative to total sales orders, establishes a tolerable rate of 6 percent, and accepts a 95 percent confidence level that the sample results will reflect missing credit approvals fairly in the population. To calculate sample size, the auditor could use a variety of tools and techniques, including manual computations, statistical tables, and commercial software packages. For the statistical parameters provided, a sample size of 103 sales orders would be needed based on the "Statistical Sample Sizes for Tests of Controls" chart below.

Each of the sales orders selected for audit must be randomly drawn to prevent bias in the sample results. Simple random sampling, such as choosing sales orders based on a random-number table, is the most common selection technique. Systematic selection - picking every nth sales order - is also acceptable if the first item sampled is randomly selected, though the results may be skewed if missing credit approvals occur in a systematic pattern. Because the random nature of the selection process will protect the validity of the statistical inferences, simple random sampling is normally the preferred method.

After selecting a sample of sales orders, the auditor would compare the documented credit approvals against the operating procedures in place, noting exceptions and performing other audit steps as necessary in light of sales order protocols unique to the business. Special consideration should be given to data anomalies resulting from the selection process. For example, missing sales order documentation should be treated as an audit exception because the condition implies that control over credit approvals has not been applied as prescribed. Alternatively, voided sales orders should be replaced by orders that have not been voided. Mere voiding of a sales order does not alone suggest a weakness in control over credit approval. 

Based on these procedures, suppose four sales orders lacked appropriate credit approval in the sample test. The auditor would project these results to the sales order population by calculating the upper deviation rate, a statistical estimate of the maximum deviation rate in the population. This rate can be determined using a simple statistical table or a manual or computer-generated computation. Based on the sample size and number of deviations found, the upper deviation rate in the sales example would be approximately 9 percent based on the "Statistical Sampling Results Evaluation Table for Tests of Controls" chart below.


To form a statistical conclusion about the control tested, the auditor must compare the upper deviation rate to the tolerable rate in the sampling plan. If the upper deviation rate is less than the auditor's tolerable rate, the auditor would consider the control effective. Alternatively, if the upper deviation rate exceeds the auditor's tolerable rate, the auditor would consider the control ineffective. In the sales order example, the upper deviation rate (9 percent) exceeds the auditor's tolerable rate (6 percent). Therefore, the auditor would advise management not to rely on the control, concluding with 95 percent certainty that the rate of missed credit approvals exceeds the tolerable rate.

All audit sampling plans use the upper deviation rate as the basis for an audit conclusion because it includes an allowance for sampling risk, which provides protection against undetected deviations. For nonstatistical sampling plans, only the sample deviation rate can form the basis for an audit conclusion - a limitation of the nonstatistical approach.  


As with all audit procedures, the auditor must appropriately document the work performed. For a statistical sampling plan, the auditor's workpapers should include the essential elements, including the nature of the control tested (in the earlier example, sales order credit compliance with organizational procedure); details of the population and sampling unit (prior-year sales orders and related credit approvals); the control deviation (missing credit approvals); the statistical parameters used (including the deviation and tolerable rates); the sample size; and the evaluation of results. The auditor's documentation should also describe how the audit test steps were performed, and should provide a list of the actual deviations found (namely, in our example, the missing credit approvals).


Regardless of the sampling approach used, professional auditor judgment must always govern the quality of the audit evidence. Even with statistical sampling, auditors must exercise judgment in determining the appropriate statistical parameters to use for a valid audit conclusion. Nonetheless, a statistical approach to evidence gathering, such as attribute-based sampling, will normally provide a more objective basis for evaluating sample results than nonstatistical techniques and enhance the quality of auditors' reporting to management.

Statistical Sample Sizes for Tests of Controls

Statistical Sampling Results Evaluation Table for Tests of Controls


interval confidence
How to find a 95% confidence interval with a population of 540 loans?
Posted By: Kathy Russell
2013-08-07 3:30 PM
statistical theory
It seems the tables are based on normal distribution (z statistics). In my opinion, it is more precise to use the Clopper-Pearson method. Here is a page that will give you a very good and comprehensible background: And here are Excel formulas to calculate:
i) the upper limit for number of errors > 1
=1-BETAINV((1-B1)/2,B2-B3+1,B3)
where B1 = confidence level (e.g. 95%), B2 = sample size, B3 = number of errors in the sample
ii) the upper limit for number of errors = 0
=1-BETAINV((1-B1)/2,B2+1,1)
where B1 = confidence interval, B2 = sample size
Jamie Carrillo: Jamie, my guess is that it stands for the "margin of error" (length of confidence interval).
Rick D: Rick, once you test your sample and know the sample error rate you need to use the correct statistical formula (not the tables) to estimate the population error rate. Then, it does not matter what your initial guess about the population was.
Posted By: Petr V.
2012-11-28 9:25 AM
If I overestimate the expected deviation rate (i.e., 50% vs. 30% observed during testing) when calculating a sample size, does that make my test results less reliable? A co-worker contends that the observed deviation rate must fall within the 5% +/- of the expected deviation for the results to be valid. Thanks.
Posted By: Rick D
2012-07-31 4:37 PM
Tolerable Deviation Rate
Hello, what does the tolerable deviation rate equate to statistically? Is it a standard deviation?
Posted By: Jamie Carrillo
2012-06-10 3:32 PM
audit planning
I want a clear planning procedure. Can you help me?
Posted By: nasser abdo
2012-03-19 7:30 AM
sample size adjustment formula
For known populations you can use this formula to adjust the table result for a finite population. This adjustment can lead to more efficiency when 5% or more of the population is being sampled, based on the tables. Written in Excel formula: new ss = ss / (1 + ((ss - 1) / population)) where ss = the computed sample size.
Posted By: Howard Brady
2011-10-23 12:18 PM
sample size
The larger the sample size, the better the estimate will be. For the population of 100, the sample size should be around 55 to 60 for random selection.
Posted By: aman
2011-07-08 2:16 PM
Very high confidence level regarding a low tolerable rate
In a very special attribute sampling application, I needed an extremely high confidence level (99.9% or preferably 99.99%) that a particular attribute existed in at least a low percentage (say 50%) of the population. I had an extremely hard time finding any guidance as to sample sizes regarding this application before the Internet, and I'm not having much more luck now. Do you have any suggestions as to where to look?
Posted By: Jack
2011-05-09 9:41 AM
Hi Dennis, since your table is based on large populations, does this mean that if I have a population of 100, I should not use a sample size of 25 if I will be doing random selection? If my population size is 100, what should my sample size be if I want 95% confidence? Thanks!
Posted By: Natalie Flick
2011-03-30 3:57 PM

