21.1 Audit Sampling Risk and Sample Design
Key Takeaways
- Sampling lives in AUD Area III, Performing Further Procedures and Obtaining Evidence, weighted 30-40% of a section graded 50% MCQ and 50% task-based simulation.
- Sampling risk is the risk that a conclusion from a sample differs from the conclusion testing the entire population would produce; non-sampling risk comes from auditor error, not sample size.
- A valid sample requires a population that matches the assertion: occurrence of sales uses recorded entries, while completeness of liabilities uses unmatched receiving reports and subsequent disbursements.
- Sample size rises as tolerable misstatement falls, expected misstatement rises, or the auditor demands a lower risk of incorrect acceptance.
- Projected misstatement plus known misstatement plus an allowance for sampling risk must be compared to tolerable misstatement before the auditor concludes.
Where Sampling Sits on the 2026 AUD Exam
The 2026 Auditing and Attestation (AUD) section is four hours long, contains 78 multiple-choice questions and 7 task-based simulations, and is scored 50% on each format with a passing scaled score of 75. Audit sampling falls in Area III, Performing Further Procedures and Obtaining Evidence, weighted 30-40%, the heaviest area on the exam. Expect both MCQs that test direction-of-change reasoning and simulations that hand you a population, a tolerable misstatement, and sample results to evaluate.
Audit sampling, governed by AU-C 530, is the application of an audit procedure to less than 100% of a population so that the auditor can draw a conclusion about the whole population. It is used in tests of controls and substantive tests of details. It is not the same as haphazardly inspecting a handful of invoices. A defensible sample has a defined objective, a complete and relevant population, an unbiased selection method, and a conclusion that accounts for sampling risk.
Sampling Risk vs. Non-Sampling Risk
Sampling risk is the risk that the sample supports a conclusion different from the one testing the entire population would support. It comes in two pairs, one for each type of test, and the exam loves both:
- Tests of controls: risk of overreliance (assessing control risk too low, the dangerous one because it impairs audit effectiveness) vs. risk of underreliance (assessing too high, which hurts efficiency).
- Substantive tests: risk of incorrect acceptance (concluding a materially misstated balance is fair, the effectiveness risk) vs. risk of incorrect rejection (the efficiency risk).
Non-sampling risk is unrelated to sample size. It arises from using the wrong procedure, misreading evidence, failing to recognize an exception, or drawing a poor conclusion from correct data. A larger sample lowers sampling risk but never cures a bad population or an irrelevant procedure. The CPA trap: candidates pick "increase the sample" when the real defect is a population that does not address the assertion.
Design Choices and the Population Trap
| Design choice | Test of controls | Substantive detail |
|---|---|---|
| Objective | Is the control operating effectively? | Is the balance or class misstated? |
| Population | Items subject to the control | Recorded or omitted items tied to an assertion |
| "Exception" means | Deviation from the prescribed control | Monetary misstatement or unsupported item |
| Tolerable level | Tolerable deviation rate | Tolerable misstatement |
| Output | Deviation rate, control-risk decision | Projected misstatement, balance conclusion |
Population design is the most common sampling trap. To test occurrence of recorded sales, the population is recorded sales entries (vouch from the ledger to shipping documents). To test completeness of liabilities, the recorded payable ledger is the wrong population, because it cannot reveal what was omitted. Instead, sample unmatched receiving reports, subsequent-period cash disbursements, open purchase orders, and vendor statements, then trace them into the recorded payables. Direction of testing follows the assertion.
What Moves Sample Size
Sample size increases when the auditor wants lower sampling risk, expects more exceptions, or sets a lower tolerable rate or tolerable misstatement. It decreases when acceptable risk is higher, expected exceptions are lower, or the population is stratified so high-value items are isolated.
| Factor | Change | Effect on sample size |
|---|---|---|
| Tolerable misstatement | Decrease | Increase |
| Expected misstatement | Increase | Increase |
| Acceptable risk of incorrect acceptance | Decrease | Increase |
| Population variability (standard deviation) | Increase | Increase |
| Population size (large populations) | Increase | Negligible effect |
Stratification splits a population into groups with similar characteristics. For accounts receivable, the auditor might examine 100% of individually significant balances, separately sample old past-due accounts, and sample small current balances at a lower rate. Monetary-unit sampling (MUS), a probability-proportional-to-size method, automatically gives larger balances a higher chance of selection, making it efficient for testing overstatement in receivables and inventory.
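Added example (not part of the original study text): a systematic monetary-unit selection over a constructed receivables listing, showing why selection probability tracks recorded amount and why any balance at least as large as the sampling interval is always selected. The item IDs, amounts, and function names are assumptions made for illustration.

```python
import random

# Constructed receivable balances (whole dollars); IDs and amounts are illustrative.
POPULATION = [
    ("AR-001", 12000), ("AR-002", 2500), ("AR-003", 500), ("AR-004", 7000),
    ("AR-005", 3000), ("AR-006", 1000), ("AR-007", 4000), ("AR-008", 10000),
]

def mus_select(items, sample_size, start=None, seed=None):
    """Systematic monetary-unit selection.

    Every `interval`-th dollar of the cumulative recorded total is a hit, and
    the item containing that dollar is selected. Zero and negative balances
    contain no dollars to hit, so they need a separate test.
    """
    total = sum(amount for _, amount in items)
    interval = total // sample_size
    if start is None:
        start = random.Random(seed).randint(1, interval)  # random start
    selected, cumulative, next_hit = [], 0, start
    for item_id, amount in items:
        cumulative += amount
        if next_hit <= cumulative:
            selected.append(item_id)
            # One item can absorb several hits; it is still examined once.
            while next_hit <= cumulative:
                next_hit += interval
    return interval, selected

def selection_probability(items, sample_size, item_id):
    """Exact chance of selection, found by trying every possible start."""
    interval = sum(amount for _, amount in items) // sample_size
    chosen = sum(
        item_id in mus_select(items, sample_size, start=s)[1]
        for s in range(1, interval + 1)
    )
    return chosen / interval

if __name__ == "__main__":
    interval, sample = mus_select(POPULATION, sample_size=8, seed=2026)
    print("sampling interval:", interval, "selected:", sample)
    for item_id, amount in POPULATION:
        print(item_id, amount, selection_probability(POPULATION, 8, item_id))
```

With a $5,000 interval, the $12,000 balance is certain to be selected, the $2,500 balance is selected half the time, and the $500 balance one time in ten.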
Evaluation Workflow
- State the objective and assertion.
- Define the population; verify it is complete and relevant for that objective.
- Choose a selection method: random, systematic (with a random start), monetary-unit, or unbiased haphazard.
- Perform the procedure and identify exceptions precisely.
- Project sample results to the population (e.g., a $40,000 misstatement in a $400,000 sample drawn from a $4,000,000 stratum projects to roughly $400,000).
- Compare projected misstatement + known misstatement + an allowance for sampling risk against tolerable misstatement.
- Decide on additional procedures, an adjustment, or a revised risk assessment.
The best AUD answer protects the conclusion. If exceptions exceed expectations, the auditor does not dismiss them because the sample was small. The auditor investigates the nature and cause of each exception, considers whether it signals a control deficiency or a systematic misstatement, revises risk if warranted, and extends procedures when the evidence no longer supports the original plan. A single deviation that reveals a fraudulent override is qualitatively significant even if the quantitative rate looks acceptable.
Attribute Sampling for Tests of Controls
For tests of controls the auditor usually uses attribute sampling and computes a deviation rate. Suppose the tolerable deviation rate is 7%, the expected population deviation rate is 1.5%, and the desired risk of overreliance is 5%. A sample table yields, say, 50 items; finding two deviations gives a sample deviation rate of 4% and, after adding an allowance for sampling risk, an upper deviation rate that the auditor compares to the 7% tolerable rate. If the upper deviation rate is at or below the tolerable rate, the auditor may rely on the control as planned.
If it exceeds the tolerable rate, the auditor lowers reliance, increases substantive testing, and considers whether a control deficiency exists. The exam rewards candidates who keep tolerable deviation rate separate from tolerable misstatement: deviation rates apply to controls, dollar misstatements apply to substantive tests.
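Added example (not part of the original study text): the comparison described above, carried through for the 50-item sample with a 7% tolerable rate and 5% risk of overreliance. It assumes the upper deviation rate is the exact one-sided binomial bound, which the text does not specify; published sample tables may round differently, and the function names are illustrative.

```python
from math import comb

def prob_at_most(k, n, p):
    """Binomial probability of finding k or fewer deviations in n items."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k + 1))

def upper_deviation_rate(n, deviations, risk_of_overreliance):
    """Population deviation rate at which a result this clean (or cleaner)
    would occur only `risk_of_overreliance` of the time. Assumed model:
    exact binomial, solved by bisection because the probability falls
    steadily as the rate rises."""
    lo, hi = deviations / n, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if prob_at_most(deviations, n, mid) > risk_of_overreliance:
            lo = mid
        else:
            hi = mid
    return hi

def evaluate_control(n, deviations, tolerable_rate, risk_of_overreliance):
    """Compare the upper deviation rate with the tolerable deviation rate."""
    sample_rate = deviations / n
    upper = upper_deviation_rate(n, deviations, risk_of_overreliance)
    return {
        "sample_rate": sample_rate,
        "allowance_for_sampling_risk": upper - sample_rate,
        "upper_rate": upper,
        "rely_as_planned": upper <= tolerable_rate,
    }

if __name__ == "__main__":
    # Figures from the text: 50 items, 7% tolerable rate, 5% risk of overreliance.
    for found in (0, 1, 2):
        result = evaluate_control(50, found, 0.07, 0.05)
        print(found, {k: round(v, 4) if isinstance(v, float) else v
                      for k, v in result.items()})
```

Under this model, two deviations in 50 items give an upper deviation rate of about 12%, above the 7% tolerable rate, even though the 4% sample rate alone sits below it; zero deviations give about 5.8%, which supports reliance as planned.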
An auditor wants to test the completeness of accounts payable. Which population is most responsive to that assertion?
In a substantive sample, which change would ordinarily increase the required sample size?