ISO 19011:2018 - Guidelines for auditing management systems

Annex A

(informative)

Additional guidance for auditors planning and conducting audits

A.6 Sampling

A.6.1 General

Audit sampling takes place when it is not practical or cost effective to examine all available information during an audit, e.g. records are too numerous or too dispersed geographically to justify the examination of every item in the population. Audit sampling of a large population is the process of selecting less than 100 % of the items within the total available data set (population) to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population.

The objective of audit sampling is to provide information for the auditor to have confidence that the audit objectives can or will be achieved.

The risk associated with sampling is that the samples may not be representative of the population from which they are selected. Thus, the auditor's conclusion may be biased and be different from that which would be reached if the whole population was examined. There may be other risks depending on the variability within the population to be sampled and the method chosen.

Audit sampling typically involves the following steps:

a) establishing the objectives of sampling;

b) selecting the extent and composition of the population to be sampled;

c) selecting a sampling method;

d) determining the sample size to be taken;

e) conducting the sampling activity;

f) compiling, evaluating, reporting and documenting results.

When sampling, consideration should be given to the quality of the available data, as sampling insufficient and inaccurate data will not provide a useful result. The selection of an appropriate sample should be based on both the sampling method and the type of data required, e.g. to infer a particular behaviour pattern or draw inferences across a population.

Reporting on the sample selected could take into account the sample size, selection method and estimates made based on the sample and the confidence level.

Audits can use either judgement-based sampling (see A.6.2) or statistical sampling (see A.6.3).

A.6.2 Judgement-based sampling

Judgement-based sampling relies on the competence and experience of the audit team (see Clause 7).

For judgement-based sampling, the following can be considered:

a) previous audit experience within the audit scope;

b) complexity of requirements (including statutory and regulatory requirements) to achieve the audit objectives;

c) complexity and interaction of the organization’s processes and management system elements;

d) degree of change in technology, human factor or management system;

e) previously identified significant risks and opportunities for improvement;

f) output from monitoring of management systems.

A drawback to judgement-based sampling is that there can be no statistical estimate of the effect of uncertainty in the findings of the audit and the conclusions reached.

A.6.3 Statistical sampling

If the decision is made to use statistical sampling, the sampling plan should be based on the audit objectives and what is known about the characteristics of the overall population from which the samples are to be taken.

Statistical sampling design uses a sample selection process based on probability theory. Attribute-based sampling is used when there are only two possible sample outcomes for each sample (e.g. correct/incorrect or pass/fail). Variable-based sampling is used when the sample outcomes occur in a continuous range.

The sampling plan should take into account whether the outcomes being examined are likely to be attribute-based or variable-based. For example, when evaluating conformity of completed forms to the requirements set out in a procedure, an attribute-based approach could be used. When examining the occurrence of food safety incidents or the number of security breaches, a variable-based approach would likely be more appropriate.

Elements that can affect the audit sampling plan are:

a) the context, size, nature and complexity of the organization;

b) the number of competent auditors;

c) the frequency of audits;

d) the time of individual audit;

e) any externally required confidence level;

f) the occurrence of undesirable and/or unexpected events.

When a statistical sampling plan is developed, the level of sampling risk that the auditor is willing to accept is an important consideration. This is often referred to as the acceptable confidence level. For example, a sampling risk of 5 % corresponds to an acceptable confidence level of 95 %. A sampling risk of 5 % means the auditor is willing to accept the risk that 5 out of 100 (or 1 in 20) of the samples examined will not reflect the actual values that would be seen if the entire population was examined.

When statistical sampling is used, auditors should appropriately document the work performed. This should include a description of the population that was intended to be sampled, the sampling criteria used for the evaluation (e.g. what is an acceptable sample), the statistical parameters and methods that were utilized, the number of samples evaluated and the results obtained.
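An attribute-based sampling plan with the documentation record described above can be sketched as follows. This is an added example, not part of ISO 19011. It assumes a zero-failure acceptance plan, a tolerable nonconformity rate of 5 %, simple random selection with a recorded seed, and a constructed population of forms; all function and field names are hypothetical.

```python
import math
import random

def miss_probability(population, nonconforming, n):
    """P(random sample of n without replacement contains no nonconforming item)."""
    p = 1.0
    for i in range(n):
        p *= max(population - nonconforming - i, 0) / (population - i)
    return p

def sample_size(population, tolerable_rate, confidence):
    """Smallest n for which a population at the tolerable rate would show at
    least one nonconforming item with probability >= confidence."""
    nonconforming = math.ceil(tolerable_rate * population)
    for n in range(1, population + 1):
        if miss_probability(population, nonconforming, n) <= 1.0 - confidence:
            return n
    return population

def run_plan(records, is_conforming, tolerable_rate, confidence, seed):
    """Draw the sample, evaluate each item pass/fail, return the audit record."""
    n = sample_size(len(records), tolerable_rate, confidence)
    picked = random.Random(seed).sample(sorted(records), n)  # seed makes selection repeatable
    failures = [r for r in picked if not is_conforming(records[r])]
    return {
        "population": f"{len(records)} records",
        "criterion": is_conforming.__doc__,
        "method": "attribute sampling, simple random, zero-failure acceptance",
        "confidence_level": confidence,
        "tolerable_rate": tolerable_rate,  # assumption, not a value from the standard
        "seed": seed,
        "samples_evaluated": n,
        "nonconforming_found": failures,
        "supports_conclusion": not failures,
    }

# Constructed sample data: 400 completed forms, a few missing the approval signature.
FORMS = {f"F-{i:04d}": {"approved_by": None if i % 97 == 0 else "reviewer"} for i in range(1, 401)}

def has_approval(form):
    """Form carries an approver as required by the procedure."""
    return form["approved_by"] is not None

if __name__ == "__main__":
    for key, value in run_plan(FORMS, has_approval, 0.05, 0.95, seed=2018).items():
        print(f"{key}: {value}")
```

Because the population is finite, the hypergeometric calculation never requires more items than the infinite-population approximation (59 at these parameters).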

Copyright © 2021 OSH ISIS