Audit Sampling for SAS 70 Audit Examinations

“Audit sampling is the application of an audit procedure to less than 100 percent of the items … for the purpose of evaluating some characteristic…” (AICPA, Audit Sampling Guide 2.19).
Audit sampling is used in the context of a SAS 70 audit as a basis to form a conclusion on the operating effectiveness of controls for a Type II report.  A walkthrough is generally considered insufficient to conclude that controls are operating effectively.

Service auditors need to consider three primary areas when performing audit sampling: 1) sample method, 2) sample size, and 3) tolerable rate of deviation.

Sample Methods

There are four general methods of sampling that are used in a SAS 70 examination:
•    Simple Random Sampling: Every unit has the same probability of being selected.
•    Systematic Sampling: This method selects samples at fixed intervals, where the interval is the result of dividing the population of units by the sample size.
•    Haphazard Sampling: Like simple random sampling; however, random number generators are not normally used.
•    Block Sampling: The sample consists of contiguous population items.

All Type II SAS 70 audits should follow one or more of these methods to test items in a population (e.g., logical access rights for a sample of system users).
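The three methods that can be automated, applied to a population of system users, as an added example that is not part of the original article. The user IDs, the seed value and the function names are constructed for illustration, and the random start within the first interval for systematic sampling is an assumption (the article only defines the interval). Haphazard sampling is omitted because it does not use a random number generator.

```python
import random

def _check(population, n):
    if not 0 < n <= len(population):
        raise ValueError("sample size must be between 1 and the population size")

def simple_random(population, n, seed):
    """Every unit has the same probability of being selected."""
    _check(population, n)
    # A dedicated, seeded generator lets a reviewer re-perform the exact draw.
    return sorted(random.Random(seed).sample(population, n))

def systematic(population, n, seed):
    """Select every k-th unit, where k = population size // sample size."""
    _check(population, n)
    interval = len(population) // n
    # Assumption: start at a random position inside the first interval.
    start = random.Random(seed).randrange(interval)
    return [population[start + i * interval] for i in range(n)]

def block(population, n, seed):
    """Select n contiguous units beginning at a random position."""
    _check(population, n)
    start = random.Random(seed).randrange(len(population) - n + 1)
    return population[start:start + n]

# Constructed population: 240 user accounts whose access rights are in scope.
POPULATION = [f"user{i:03d}" for i in range(1, 241)]
SEED = 70  # hypothetical value; record it in the workpapers with the selection

if __name__ == "__main__":
    for name, method in (("simple random", simple_random),
                         ("systematic", systematic),
                         ("block", block)):
        picked = method(POPULATION, 24, SEED)
        print(f"{name:14s} {len(picked)} items, first five: {picked[:5]}")
```

Recording the seed, the population listing and the method used allows the selection to be reproduced during review.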

Sample Size

There are two aspects of sampling risk. The first is overreliance on the control; in other words, the auditor relies on a control that is in fact not operating effectively. The second is underreliance on the control. This second risk leads to audit inefficiencies and is a more acceptable risk than the former. The service auditor needs to take both into consideration when deciding on a sample size. The tables in Appendix A of the audit sampling guide should be useful to a service auditor who follows a statistical approach (simple and systematic methods).


Overall, the guidance on audit sampling is extensive. Service auditors should take a careful look at their methods to make sure they are aligned with the guidance. Moreover, service organizations may question the approach of the service auditor if the service auditor is only performing walkthroughs for the Type II examination.

