An audit is an assessment against specified criteria. Proper planning is a crucial factor for effective outcomes. While planning, we need to consider certain aspects, such as availability of resources, audit location, travel time, complexity, and risks of the areas to be audited. These factors guide the audit planners in developing a sampling strategy. The sampling strategy typically comes with its complications. There are some routine questions frequently asked by business owners and NDIS service providers:
How many sites should be selected for each audit?
How many files should be reviewed by the auditors?
In what period of time, the whole elements of the standard must be audited?
How many staff or managers should be interviewed?
This article will outline some basic rules about sampling as per the guidelines of auditing management systems ISO 19011:2018. This article is only a guide, and the businesses should develop a planning and sampling method that works best for them and meet their specific needs and requirements.
Audit sampling takes place when it is not practical or cost-effective to examine all available information during an audit. For instance, on the occasion where the number of records is too high or too dispersed geographically to justify the examination of every item in the population. Audit sampling of a large data set (population) is the process of selecting less than 100 % of the items within the total available population to obtain and evaluate evidence about some characteristic of that population, in order to form a conclusion concerning the population.
The audit sampling goal is to provide enough information for the auditor to have confidence that the audit objectives can or will be achieved.
The risk associated with sampling is that the samples may not be fully representative of the population from which they are selected. Thus, the auditor's conclusion may be biased or be different from that which would be reached if the whole population was examined. There may be other risks depending on the variability of the population to be sampled and the sampling method selected.
Audit sampling typically involves the following steps:
Now that we understand the steps involved in sampling, we can look at each step in more detail!
1.Establishing the objectives of sampling
Usually, the objective of the sampling ties with the audit objectives. As an auditor, you must ensure that the samples you picked to review during the audit are in line with the audit's scope and criteria. For instance, when you plan to conduct an audit on the organization's leadership, you need to ensure that the organization's leaders are part of the audit plan.
2.Selecting the extent and composition of the population to be sampled
Identifying the population to be sampled is the next step. You cannot audit every single process or interview every single manager within an organization. Although this might be possible for small companies, this is mainly applicable for mid-size to large-size organizations. Consider the risks of the scope and criteria of the area to be audited when you work on the extent of sampling.
3.Selecting a sampling method
The auditor can use either judgment-based sampling or statistical sampling methods for a given dataset.
Judgment-based sampling relies on the competence and experience of the audit team.
For judgment-based sampling, the following should be considered:
If the decision is made to use statistical sampling, the sampling plan should be based on the audit objectives and what is known about the characteristics of the overall population from which the samples are to be taken.
Statistical sampling design uses a sample selection process based on probability theory. Attribute-based sampling is used when there are only two possible sample outcomes for each sample such as correct/incorrect or pass/fail.
4.Determining the sample size to be taken
Sampling size is determined by the time you have as an auditor. Your time is always limited, and it is not professional to ask for extra time for every single session. Evaluate your time and come up with a realistic sample size. You cannot audit the ten top managers of an organization if you have only hours to audit the organization's leadership.
5.Conducting the sampling activity
Conducting the sampling audit is the last step. Bear in mind that the audit plan is not set in stone, and you as an auditor must ensure the audit integrity is kept at all times using the strategies you select during the audit. You can change the plan and sampling if you think your strategy is not working, or it’s not the best method to conduct the audit. Consult with the auditees before making any changes to ensure they are on the same page with you.
To establish a proper sampling approach, you need to consider all the relevant factors, such as any risks in the area that you are going to audit, the standard you are complying with, and legislative or other relevant requirements. To set bulletproof planning that meets the intent of the requirements and works for your organization, you must have good knowledge about the audit process, the systems you are auditing, and how they work. The more you build up your knowledge of audit, the more effective planning you will be. Eventually, this will avoid any unnecessary administration errors or delays that may impact the effectiveness of your organization's management systems.
LMS TRG is an Exemplar Global Recognised Training Provider for courses in Management Systems Auditing. We come together from various specialist backgrounds to produce unique online learning experiences. Our team is composed of auditors, management systems consultants and providers, with over fifteen years of experience in delivering high-level quality training. We were founded with the policy of being pioneers in fully online and smart training solutions. To learn more click here.
Our email content is full of value, void of hype, tailored to your interests whenever possible, never pushy, and always free.