"How many items do I need to test?" is one of the most common and most fudged questions in audit. Too few and the conclusion is not defensible; too many and you burn hours you did not have. Audit sample size is driven by three things — your confidence level, your tolerable deviation rate, and the deviation rate you expect to find — not primarily by population size.
This guide gives you the actual numbers: a real attribute-sampling reference table and a frequency-based control-testing table you can drop into a workpaper, plus when to use each approach and how selection method affects whether the number holds up in review.
What Drives Audit Sample Size
For tests of controls, three inputs set the sample size:
- Confidence level — how sure you want to be that your conclusion is right. 90% and 95% are the common choices. Higher confidence means a larger sample.
- Tolerable deviation rate — the highest control failure rate you could observe and still conclude the control is reliable. A lower tolerable rate means a larger sample.
- Expected deviation rate — how many failures you actually expect to find. Expecting more failures means a larger sample, because you need more evidence to still conclude effectiveness.
Notice what is not on the list as a primary driver: population size. For large populations it barely moves the number. That surprises people, so it gets its own section below.
The Attribute Sampling Reference Table
This is the free tool. These are standard attribute-sampling sizes assuming zero expected deviations, for large populations. Treat them as a practical reference and confirm against your own methodology.
Sample size at 95% confidence (5% risk of overreliance), 0 expected deviations:
| Tolerable deviation rate | Sample size |
|---|---|
| 2% | 149 |
| 5% | 59 |
| 7% | 42 |
| 10% | 29 |
| 15% | 19 |
| 20% | 14 |
Sample size at 90% confidence (10% risk of overreliance), 0 expected deviations:
| Tolerable deviation rate | Sample size |
|---|---|
| 5% | 45 |
| 7% | 32 |
| 10% | 22 |
| 15% | 15 |
| 20% | 11 |
If you expect even one deviation, the sample size rises — often materially. That is why zero-expected-deviation sizes are the smallest defensible numbers and why finding an exception mid-test usually means expanding or concluding a deficiency.
The Control-Frequency Reference Table
When you are not sampling statistically — which is common for SOX manual control testing — practice uses a frequency-based reference instead. This maps how often a control operates to how many instances you test, assuming no expected exceptions.
| Control frequency | Approx. population | Typical sample size |
|---|---|---|
| Annual | 1 | 1 |
| Quarterly | 4 | 2 |
| Monthly | 12 | 2 to 5 |
| Weekly | 52 | 5 |
| Daily | ~250 | 15 to 25 |
| Multiple times per day | 250+ | 25 to 40 |
| Automated (benchmarked) | n/a | 1 instance + general IT controls |
We use this table in context in the free SOX control testing template, where it slots directly into the test plan.
Why Population Size Barely Matters
Here is the counterintuitive part. For a large population — say, anything over roughly 1,000 to 2,000 items — the attribute sample size is essentially flat regardless of whether the population is 5,000 or 500,000. The statistics depend on the proportion of deviations, not the raw count, so once the population is "large enough" the finite population correction stops mattering.
Population only reduces your sample meaningfully when it is small. If you have a population of 50 items and the table says test 59, you obviously cannot — you test the whole population or apply a finite population adjustment. A rough rule: below about 250 items, consider whether full-population testing (now cheap with data tools) beats sampling entirely.
Choosing Random vs. Haphazard vs. Judgmental Selection
Sample size is half the decision; selection method is the other half.
- Random / systematic: Every item has a known chance of selection. Required for statistical sampling and the most defensible. Document your seed or interval.
- Haphazard: No conscious bias, but not statistical. Acceptable for some non-statistical tests; document that it was haphazard, not statistical.
- Judgmental / targeted: Deliberately picking high-risk items (large dollar amounts, period-end entries, specific users). Powerful for finding problems, but you cannot project the results to the population — it is a directed test, not a representative sample. Often paired with a random sample.
A Quick Decision Guide
| Situation | Approach | Where to look |
|---|---|---|
| Test of a manual SOX control | Frequency-based | Control-frequency table above |
| Statistical control reliance conclusion | Attribute sampling | Attribute table above |
| Small population (under ~250) | Consider full-population testing | This guide, section above |
| Estimating a dollar misstatement | Variables / monetary unit sampling | Beyond scope here; use MUS |
| Hunting for known-risk items | Judgmental / targeted | Selection section above |
How Audvera Supports This
Sampling in a spreadsheet works right up until the sample, the evidence, and the conclusion live in three different files and the reviewer has to reconstruct how you got from population to conclusion. The defensibility gap is almost never the math — it is the traceability.
Audvera keeps the population, the sample, the per-item results, and the conclusion in one linked test step, so the row-level evidence ties back to the sample and the sample ties back to the risk. The reviewer sees the whole chain instead of piecing it together from tabs.
If you want to run real sampling against your own scope, start with a free risk assessment — it drafts the risk-to-procedure skeleton the sampling then plugs into.
