Auditors face a fundamental problem every busy season. Transaction populations run into the thousands, sometimes millions, and the team reviewing them is finite. Deadlines don’t move. Standards don’t bend.For decades, audit sampling has been the profession’s answer: a structured, standards-backed way to form confident conclusions without checking every item. Done well, it works. But the assumption underneath it, that manual review capacity sets the ceiling for what’s testable, is starting to shift. This guide covers how sampling works, where the standards land, and why the underlying conversation is changing.What Is Audit Sampling?Audit sampling is the application of audit procedures to less than 100% of items in a population of audit relevance, giving auditors a reasonable basis to draw conclusions about the full population. That definition holds across both major governing frameworks: PCAOB AS 2315 for public company audits, and AICPA AU-C Section 530 for non-public audits under U.S. GAAS.The core premise is consistent. A well-designed sample lets auditors form defensible conclusions about a full population without exhaustive review.Audit sampling applies whenever an auditor draws conclusions about a whole population from a tested subset. Not every audit procedure involves sampling. Inquiry, observation, analytical procedures, and 100% testing of small populations all fall outside the sampling definition.Why Auditors Use SamplingThe practical constraint is straightforward. Reviewing every transaction in a large population isn’t feasible under the time and resource pressures most audit teams operate under. Sampling is how the profession allocates testing capacity where risk is highest while still obtaining sufficient appropriate evidence.Both PCAOB AS 2315 and AICPA AU-C Section 530 explicitly recognize this tradeoff. The justification for accepting some uncertainty comes from the relationship between the cost of reviewing all data and the consequences of decisions based on a subset. The standards don’t treat sampling as a compromise. They treat it as a governed, professional methodology for reaching reasonable conclusions.Types of Audit SamplingStatistical samplingStatistical sampling uses probability theory to select items and measure sampling risk quantitatively. Every item in the population has a calculable chance of selection. Two primary subtypes apply in practice.Attribute sampling is used in tests of controls. It measures the rate of deviation; how often a control fails to operate as designed. The output is a conclusion about whether the deviation rate falls within the auditor’s tolerable range.Variables sampling is used in substantive tests of details. It estimates dollar amounts or error values in a population, helping auditors assess whether an account balance is materially misstated.Common selection methods include random number selection, systematic selection, and stratified selection. The key advantage: sampling risk is measurable. Auditors can express conclusions at stated confidence levels within defined precision ranges. For example, 95% confidence within a defined tolerance.Non-statistical samplingNon-statistical sampling relies on auditor judgment rather than probability methods. Items are selected based on professional assessment: high-value transactions, unusual entries, or items with specific risk characteristics.Results can’t be projected statistically to the full population. Common approaches include judgmental selection and haphazard selection. Non-statistical sampling fits smaller populations, highly stratified populations, or situations where risk-focused selection provides better coverage than random methods.The tradeoff is that sampling risk can’t be quantified in the same way.Statistical vs. non-statistical: which is better?Neither approach is inherently superior. AICPA AU-C Section 530 confirms that both statistical and non-statistical sampling, when properly applied, can provide sufficient evidential matter. PCAOB standards don’t mandate statistical methods either.Statistical approaches work well when a population is large and relatively homogeneous, and when the auditor needs to demonstrate sampling risk quantitatively. Non-statistical methods fit situations where populations are smaller or more stratified, or where professional judgment should drive item selection.In practice, many firms use a hybrid approach: statistical methods for high-volume controls testing, and non-statistical for complex substantive areas where judgment-based selection provides better risk coverage.Sampling Risk and How to Manage ItSampling risk is the probability that a conclusion drawn from a sample differs from what testing 100% of the population would show. Two types matter for audit conclusions.Risk of incorrect acceptance: Concluding that a control works, or that an account balance is clean, when it actually isn’t. This is the more consequential error in financial statement audits.Risk of incorrect rejection: Concluding there’s a problem when a full-population review would show there isn’t. This is generally a less critical error, but it does affect efficiency.Even a well-designed sample can miss isolated anomalies. As transaction volumes grow, the gap between sample coverage and full-population coverage widens. A sample calibrated for a population of 5,000 transactions covers a meaningfully smaller slice of a population of 500,000.It’s also worth distinguishing sampling risk from non-sampling risk – the possibility of error unrelated to which items were selected. That includes applying the wrong procedure, misinterpreting evidence, or failing to recognize a deviation. Larger samples don’t address non-sampling risk. That’s a matter of procedure design and auditor judgment.What’s Changing: Technology and the Path Toward 100% Population CoverageConsider what a controls test on a lease portfolio of 200,000 transactions typically looks like today. The team pulls a sample, works through it manually, documents findings, and projects conclusions to the full population. The sample is well-designed and the conclusions are defensible. But anomalies that fall outside the selected items go unexamined. That’s the tradeoff sampling was always built around.Technology changes the bottleneck that made that tradeoff necessary. When data extraction and matching can run across an entire population in the time it once took to process a sample, the question becomes less about what’s statistically sufficient and more about what’s now achievable within a reasonable time budget.The PCAOB has taken note. In June 2024, the Board updated its standards to clarify auditor responsibilities when using technology-assisted analysis, including when auditors use it to perform substantive procedures across an entire population. The framework for full-population testing now exists in the standards. It’s no longer a gap.That doesn’t mean sampling is going away or that full-population testing is required today. Most teams working under current PCAOB and AICPA frameworks will continue to use sampling as their primary methodology, and the standards fully support that. But the expectation of what’s achievable is shifting, particularly in high-volume, document-heavy workflows where manual review was the only constraint.The practical implication: audit teams that build their workflows around tools capable of full-population testing now won’t face a steep climb if requirements evolve. The infrastructure is already in place. It becomes a scope decision rather than an operational overhaul.How Trullion Supports Modern Audit TestingTrullion helps audit teams work more efficiently across document-heavy populations today, while building the foundation for broader coverage as the profession moves forward.In a typical audit workflow, that means auditors spend less time manually extracting data from source documents and more time doing what requires professional judgment: evaluating results, identifying anomalies that warrant investigation, and drawing defensible conclusions. Trullion’s data extraction pulls structured data from source documents at scale. Data matching validates that data against GL or other records across full populations. And every output traces back to the source document, so conclusions are as defensible as traditional sampling workpapers – and more comprehensive.Built by practitioners with Big Four backgrounds, Trullion fits into how audit teams actually work rather than asking them to change the professional framework they operate within. Sampling methodology, tolerable deviation rates, auditor judgment – all of that stays where it belongs. What changes is the time and effort required to cover the population those decisions are applied to.Book a demo to see how Trullion supports modern audit workflows.FAQsWhat is audit sampling in auditing?Audit sampling is the application of audit procedures to less than 100% of items in a population, giving auditors a reasonable basis to draw conclusions about the full population. PCAOB AS 2315 and AICPA AU-C Section 530 both govern how sampling must be planned, performed, and evaluated.What is the difference between statistical and non-statistical audit sampling?Statistical sampling uses probability-based selection and allows auditors to measure sampling risk quantitatively. Non-statistical sampling relies on auditor judgment for item selection and doesn’t produce mathematically projectable results. Both are acceptable under PCAOB and AICPA standards when properly applied.What is the difference between attribute sampling and variables sampling?Attribute sampling is used in tests of controls. It measures how often a control deviates from its intended operation. Variables sampling is used in substantive tests of details. It estimates dollar amounts or error values in a population to assess whether a balance is materially misstated.How do auditors determine the right sample size?Sample size depends on several factors: tolerable deviation rate or misstatement, assessed risk levels, expected error in the population, assurance obtained from other procedures, and whether the population is stratified. Higher risk and lower tolerable thresholds generally require larger samples.What is sampling risk, and how is it different from non-sampling risk?Sampling risk is the chance that a sample-based conclusion differs from what 100% testing would show. It takes two forms: risk of incorrect acceptance and risk of incorrect rejection. Non-sampling risk is the possibility of error unrelated to item selection, such as applying the wrong procedure or misreading evidence. Sample size can reduce sampling risk but doesn’t address non-sampling risk.What does PCAOB AS 2315 say about audit sampling?PCAOB AS 2315 establishes requirements for planning, performing, and evaluating audit samples. It recognizes both statistical and non-statistical methods, addresses how to set tolerable deviation rates and misstatement thresholds, and governs how auditors should evaluate results when deviations or misstatements are found in a sample.When should auditors not use sampling?Sampling doesn’t apply to all audit procedures. Inquiry, observation, and analytical procedures don’t involve sampling. Neither does 100% testing of a small population, or examination of a few items simply to understand a transaction class. Auditors may also decide to test certain items 100%. For example, items where a potential misstatement could individually equal or exceed tolerable misstatement.What are the best audit sampling tools for accounting teams?The right tools depend on engagement type and population size. For document-heavy workflows involving large transaction populations, purpose-built platforms like Trullion help audit teams work more efficiently, with traceable, workpaper-ready outputs and coverage that scales with the population.