There are several resources that CPA firms can use to develop their sampling methodology for SOC 1 and SOC 2 audits. These include:
- The AICPA’s SOC 1 and 2 Audit Guides
- The AICPA’s Audit Sampling Guide
- AU-C Section 530: Audit Sampling
It is important to note that the AICPA does not require specific sample sizes to be used by SOC auditors, nor do any other governing bodies. The AICPA defines sampling as follows: “The selection and evaluation of less than 100 percent of the population of audit relevance such that the auditor expects the items selected (the sample) to be representative of the population and, thus, likely to provide a reasonable basis for conclusions about the population. In this context, representative means that evaluation of the sample will result in conclusions that, subject to the limitations of sampling risk, are similar to those that would be drawn if the same procedures were applied to the entire population.”
Following is a summary of the guidance that can be used to develop an effective SOC sampling methodology.
The AICPA’s SOC 1 and 2 Audit Guides
The AICPA’s SOC Audit Guides provide the following guidance related to sampling:
“The service auditor may consider whether to use audit sampling to select items for testing the operating effectiveness of controls. When determining the extent of tests of controls and whether sampling is appropriate, consideration is given to (a) the characteristics of the population of the controls to be tested, including the nature of the controls; (b) whether the population is made up of homogenous items; (c) the frequency of the controls’ application; and (d) the expected deviation rate. AICPA Audit Guide Audit Sampling may be useful to the service auditor when performing sampling.
For tests of controls using sampling, the service auditor determines the tolerable rate of deviation and uses that rate to determine the number of items to be selected for a particular sample. In accordance with paragraph .32 of AT-C section 205, the service auditor’s selection of sample items should be reasonably expected to be representative of the population covering the reporting period. Random selection of items represents one means of obtaining such samples.”
The AICPA’s Audit Sampling Guide
The AICPA’s Audit Sampling Guide provides useful recommendations for sample sizes for small populations and infrequently operating controls:
Testing Operating Effectiveness of Small Populations
| Control Frequency and Population Size | Items to Test |
|---|---|
| Quarterly (4) | 2 |
| Monthly (12) | 2-4 |
| Semimonthly (24) | 3-8 |
| Weekly (52) | 5-9 |
Firms can easily incorporate these recommendations for small populations into their sampling methodology for SOC 1 and SOC 2 audits. They can also use the AICPA’s guidance for larger sample sizes, but that guidance is much less specific and requires a great deal more judgment.
AU-C Section 530: Audit Sampling
AU-C 530 provides the following requirements for sample design, size and selection of items for testing:
When designing an audit sample, the auditor should consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn. The auditor should determine a sample size sufficient to reduce sampling risk to an acceptably low level. The auditor should select items for the sample in such a way that the auditor can reasonably expect the sample to be representative of the relevant population and likely to provide the auditor with a reasonable basis for conclusions about the population.
There are also requirements related to the completeness and accuracy of the populations from which samples are selected, which are not covered in this paper.
Conclusion
Sampling methodologies used by SOC auditors require judgment to ensure that the samples selected are representative of their populations. More judgment is required for samples drawn from larger populations. Once a sampling methodology is developed, reviewed by independent third parties (i.e., peer reviewers) and approved, it should be applied consistently unless the risk profile of a specific engagement requires a modification. Such modifications should be rare and should be approved by the firm’s leadership.