Audit Sample Size: Free Guide + Reference Table hero illustration
Audit Operations

Audit Sample Size: Free Guide + Reference Table

How many items should you test? A free internal audit sampling guide with a real sample-size reference table by population, confidence, and expected deviation rate.

·13 min read
By Audvera Team

"How many items do I need to test?" is one of the most common and most fudged questions in audit. Too few and the conclusion is not defensible; too many and you burn hours you did not have. Audit sample size is driven by three things — your confidence level, your tolerable deviation rate, and the deviation rate you expect to find — not primarily by population size.

This guide gives you the actual numbers: a real attribute-sampling reference table and a frequency-based control-testing table you can drop into a workpaper, plus when to use each approach and how selection method affects whether the number holds up in review.

What Drives Audit Sample Size

For tests of controls, three inputs set the sample size:

  1. Confidence level — how sure you want to be that your conclusion is right. 90% and 95% are the common choices. Higher confidence means a larger sample.
  2. Tolerable deviation rate — the highest control failure rate you could observe and still conclude the control is reliable. A lower tolerable rate means a larger sample.
  3. Expected deviation rate — how many failures you actually expect to find. Expecting more failures means a larger sample, because you need more evidence to still conclude effectiveness.

Notice what is not on the list as a primary driver: population size. For large populations it barely moves the number. That surprises people, so it gets its own section below.

The Attribute Sampling Reference Table

This is the free tool. These are standard attribute-sampling sizes assuming zero expected deviations, for large populations. Treat them as a practical reference and confirm against your own methodology.

Sample size at 95% confidence (5% risk of overreliance), 0 expected deviations:

Tolerable deviation rateSample size
2%149
5%59
7%42
10%29
15%19
20%14

Sample size at 90% confidence (10% risk of overreliance), 0 expected deviations:

Tolerable deviation rateSample size
5%45
7%32
10%22
15%15
20%11

If you expect even one deviation, the sample size rises — often materially. That is why zero-expected-deviation sizes are the smallest defensible numbers and why finding an exception mid-test usually means expanding or concluding a deficiency.

The Control-Frequency Reference Table

When you are not sampling statistically — which is common for SOX manual control testing — practice uses a frequency-based reference instead. This maps how often a control operates to how many instances you test, assuming no expected exceptions.

Control frequencyApprox. populationTypical sample size
Annual11
Quarterly42
Monthly122 to 5
Weekly525
Daily~25015 to 25
Multiple times per day250+25 to 40
Automated (benchmarked)n/a1 instance + general IT controls

We use this table in context in the free SOX control testing template, where it slots directly into the test plan.

Why Population Size Barely Matters

Here is the counterintuitive part. For a large population — say, anything over roughly 1,000 to 2,000 items — the attribute sample size is essentially flat regardless of whether the population is 5,000 or 500,000. The statistics depend on the proportion of deviations, not the raw count, so once the population is "large enough" the finite population correction stops mattering.

Population only reduces your sample meaningfully when it is small. If you have a population of 50 items and the table says test 59, you obviously cannot — you test the whole population or apply a finite population adjustment. A rough rule: below about 250 items, consider whether full-population testing (now cheap with data tools) beats sampling entirely.

Choosing Random vs. Haphazard vs. Judgmental Selection

Sample size is half the decision; selection method is the other half.

  • Random / systematic: Every item has a known chance of selection. Required for statistical sampling and the most defensible. Document your seed or interval.
  • Haphazard: No conscious bias, but not statistical. Acceptable for some non-statistical tests; document that it was haphazard, not statistical.
  • Judgmental / targeted: Deliberately picking high-risk items (large dollar amounts, period-end entries, specific users). Powerful for finding problems, but you cannot project the results to the population — it is a directed test, not a representative sample. Often paired with a random sample.

A Quick Decision Guide

SituationApproachWhere to look
Test of a manual SOX controlFrequency-basedControl-frequency table above
Statistical control reliance conclusionAttribute samplingAttribute table above
Small population (under ~250)Consider full-population testingThis guide, section above
Estimating a dollar misstatementVariables / monetary unit samplingBeyond scope here; use MUS
Hunting for known-risk itemsJudgmental / targetedSelection section above

How Audvera Supports This

Sampling in a spreadsheet works right up until the sample, the evidence, and the conclusion live in three different files and the reviewer has to reconstruct how you got from population to conclusion. The defensibility gap is almost never the math — it is the traceability.

Audvera keeps the population, the sample, the per-item results, and the conclusion in one linked test step, so the row-level evidence ties back to the sample and the sample ties back to the risk. The reviewer sees the whole chain instead of piecing it together from tabs.

If you want to run real sampling against your own scope, start with a free risk assessment — it drafts the risk-to-procedure skeleton the sampling then plugs into.

Frequently Asked Questions

How do I determine audit sample size?

Sample size is driven by three inputs: the confidence level you need (how sure you want to be), the tolerable deviation rate (the highest error rate you would accept and still rely on the control), and the deviation rate you expect to find. Higher confidence, a lower tolerable rate, or a higher expected error rate all increase the sample. The reference tables in this guide give you the numbers for common combinations.

How many items should I test in an audit?

It depends on whether you are sampling statistically or using a frequency-based approach for controls. For statistical attribute sampling at 95% confidence with zero expected deviations, common sizes are about 59 items for a 5% tolerable rate and 29 for a 10% tolerable rate. For control testing by frequency, a common reference is 25 items for a daily control. The tables in this article cover both.

Does population size affect sample size?

Less than most people expect. For large populations (over roughly 1,000 to 2,000 items), attribute sample size is driven almost entirely by confidence, tolerable rate, and expected deviations — not by population size. Population only meaningfully reduces the sample for small populations, where a finite population correction applies. This is why testing 60 items can be appropriate whether the population is 5,000 or 500,000.

What is attribute sampling?

Attribute sampling is a statistical method used in tests of controls to estimate the rate at which a control fails (deviates). Each sampled item either passes or fails the control attribute, and the results let you conclude, at a stated confidence level, whether the true deviation rate is below your tolerable rate. It answers 'is this control operating effectively enough to rely on?'

What is the difference between attribute sampling and variables sampling?

Attribute sampling tests a yes/no characteristic — did the control operate or not — and is used for tests of controls. Variables sampling estimates a numeric amount, such as the total dollar misstatement in a balance, and is used in substantive testing. Monetary unit sampling (MUS) is a common variables approach that gives larger dollar items a higher chance of selection.

What happens if I find a deviation in my sample?

One or more deviations increase the required sample size and reduce your ability to conclude the control is effective at your target confidence. You either expand the sample per your methodology or conclude the control is deficient and evaluate severity. This is why sample sizes assuming zero expected deviations are the smallest; expecting even one deviation raises the count significantly.

Encrypted data in transit and at restPCAOB · IIA · SOX · GAAS · COSO workflow alignmentAI outputs include disclosure and reviewer controls

Ready to modernize your audit process?

See how Audvera supports planning through reporting in one platform.