Why Sampling Is the Core Skill Every Auditor Needs
You cannot look at everything. That is the reality of auditing. Whether you are conducting a one-day internal audit of a single process or a multi-day certification audit across a large site, you will always be working with a subset of the available evidence. How you choose that subset determines whether your audit conclusions are trustworthy.
Audit sampling is the structured approach auditors use to select records, activities, interviews, and observations from a larger population. Done well, it gives you a reasonable basis for drawing conclusions about the whole system. Done poorly, it creates blind spots that let real problems go undetected, or worse, leads to findings that do not fairly represent what is actually happening.
This article explains the main audit sampling techniques, when to use each one, how to decide on sample size, and the practical judgements experienced auditors make on the floor. If you are new to auditing or preparing for lead auditor training, understanding sampling will sharpen every other skill you have.
What Audit Sampling Actually Means
ISO 19011 defines audit sampling as the selection of a subset of a population with the intent of providing information about that population and allowing a conclusion to be drawn. That definition sounds straightforward, but the application requires genuine judgement.
The population might be all corrective action reports raised in the last 12 months, all purchase orders issued to critical suppliers, all training records for operators in a particular work area, or all inspection records for a production line. You cannot review every one. You select a sample and use what you find to form a view about the whole.
The key word is reasonable. Your sample needs to be large enough and varied enough to give you a reasonable basis for your conclusion. It does not need to be statistically perfect. Most ISO audits use what the standard calls non-statistical sampling, which relies on auditor judgement rather than formal probability calculations. Statistical sampling exists, but it is used far more commonly in financial auditing and quality control than in management system auditing.
The Main Audit Sampling Techniques
Judgement-Based Sampling
This is the most common approach in ISO auditing. The auditor selects records or activities based on their professional judgement about where risk is highest, where problems have occurred before, or where the evidence is most likely to reveal whether the system is working.
For example, if you are auditing a supplier evaluation process and you know from the opening meeting that the organisation recently onboarded three new critical suppliers, you would almost certainly pull those records rather than randomly selecting from a list of 40 established suppliers. That is judgement-based sampling. You are directing your attention to where it is most likely to matter.
The strength of judgement-based sampling is that it is efficient and responsive to context. The weakness is that it can introduce bias. If you always gravitate toward the same areas, you will miss emerging problems in areas you consider low risk. Good auditors are conscious of this and deliberately broaden their sample over time.
Random Sampling
Random sampling means every item in the population has an equal chance of being selected. In practice, this might mean asking for a numbered list of records and selecting every fifth one, or using a random number generator to pick items from a database.
Random sampling is useful when you want to test whether a process is consistently applied across a large, uniform population. If a company processes 2,000 customer orders per month and you want to know whether contract review is being completed for all of them, a random sample gives you a defensible basis for your conclusion.
The limitation is that random sampling can miss concentrated problems. If there is a specific product line or shift where the process breaks down, a random sample might not land on those records at all. This is why experienced auditors often combine random sampling with targeted sampling rather than relying on one approach alone.
Systematic Sampling
Systematic sampling means selecting every nth item from a population. If you have 100 calibration records and want to review 10, you select every 10th one. It is simple to apply and removes the manual effort of making individual judgements about each item.
This technique works well for large populations of similar records where you are testing consistency rather than hunting for specific problems. It is also easy to document and explain, which matters when you need to justify your sample selection in the audit report.
Watch out for patterns in the population that align with your sampling interval. If records are filed weekly and you select every seventh, you might always land on the same day of the week, which could skew your findings if that day has different characteristics to the rest.
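The interval problem described above can be checked before the sample is drawn. This is an added example, not part of the original article; the population (one record per calendar day for 20 weeks) is constructed, and the function names are illustrative.

```python
import random
from datetime import date, timedelta
from math import gcd

# Constructed population: one record per calendar day for 20 weeks.
RECORDS = [{"id": n, "date": date(2024, 1, 1) + timedelta(days=n)}
           for n in range(140)]

def systematic_sample(records, interval, seed):
    """Every nth record, starting at a random offset inside the first interval."""
    start = random.Random(seed).randrange(interval)
    return records[start::interval]

def weekdays_covered(sample):
    """Distinct weekdays (0 = Monday) that the sample actually lands on."""
    return sorted({rec["date"].weekday() for rec in sample})

def phases_reachable(interval, cycle):
    """How many positions of a repeating cycle a fixed interval can ever hit.

    With a 7-day cycle, an interval of 7 reaches 1 weekday; an interval
    that shares no factor with 7 reaches all of them.
    """
    return cycle // gcd(interval, cycle)

if __name__ == "__main__":
    for interval in (7, 10):
        sample = systematic_sample(RECORDS, interval, seed=42)
        print(f"interval {interval}: {len(sample)} records, "
              f"weekdays hit {weekdays_covered(sample)}, "
              f"reachable {phases_reachable(interval, 7)} of 7")
```

If the reachable count is lower than the cycle length, change the interval or draw the start point separately for each cycle.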
Stratified Sampling
Stratified sampling means dividing the population into subgroups and sampling from each one. This is particularly useful when the population is not uniform and you want to make sure your sample represents the full range of variation.
Imagine you are auditing training records for an organisation with three distinct business units: operations, administration, and technical services. Each unit has different roles, different training requirements, and different levels of compliance risk. If you randomly sampled from the combined population of 200 employees, you might end up with mostly administrative records by chance. Stratified sampling ensures you pull records from each group in proportion to its size, or in proportion to its risk if you are weighting by risk.
This approach is more structured than pure judgement sampling and gives you better coverage. It takes a little more planning, but for complex organisations it is worth the effort.
Opportunity or Convenience Sampling
This is the technique auditors should be most cautious about. Opportunity sampling means selecting whatever is easiest to access: the records that are already on the desk, the people who happen to be in the room, the processes that are running when you walk through the facility.
It is not inherently wrong to audit what is in front of you. Sometimes the most revealing evidence comes from what you observe spontaneously rather than what you planned to look at. But if convenience becomes your primary selection method, your sample will be biased toward the parts of the system that are most visible and most prepared, which is exactly where problems are least likely to be hiding.
Use opportunity sampling as a supplement, not a strategy.
How to Decide on Sample Size
This is the question auditors ask most often, and the honest answer is that there is no universal rule. ISO 19011 does not prescribe specific sample sizes. The guidance is that the sample should be sufficient to provide confidence in the audit conclusion, taking into account the size and complexity of the organisation, the risk associated with the area being audited, and the time available.
In practice, experienced auditors use a combination of factors.
Population Size
The larger the population, the larger the sample you generally need, but the relationship is not linear. Reviewing 10 records from a population of 50 gives you 20 percent coverage. Reviewing 10 records from a population of 5,000 gives you 0.2 percent coverage, but may still be sufficient if the process is uniform and low risk. For small populations, try to review a higher proportion. For large populations, focus more on the quality and diversity of your sample than on the raw number.
Risk
Higher-risk areas warrant larger samples. If you are auditing emergency response procedures at a site that handles hazardous chemicals, you want more evidence than if you are checking meeting minutes for a routine management review. Risk-based sampling is explicitly endorsed by ISO 19011 and is the approach most certification bodies expect to see applied.
You can read more about how risk shapes audit planning in our article on risk-based audit scheduling.
Prior Audit History
If an area has generated nonconformities in previous audits, increase your sample. If the same finding has been raised repeatedly and the corrective action has not been effective, you need more evidence to determine whether the root cause has genuinely been addressed. Conversely, if an area has a strong track record of conformity over multiple audit cycles, a smaller sample may be justified.
Complexity and Variability
Processes with high variability, many exceptions, or multiple responsible parties need larger samples. A simple, highly automated process with one operator and one output is more predictable. A complex process with multiple handoffs, seasonal variation, and different requirements for different customers needs broader coverage.
Practical Sampling in Action: A Real Audit Scenario
Consider an internal audit of the purchasing process at a mid-sized manufacturing company. The process covers around 300 purchase orders per month, spread across 40 suppliers ranging from critical raw material suppliers to low-value consumable providers.
A poor sampling approach would be to pull the five most recent purchase orders from the top of the pile and call it done. That gives you a convenience sample from one week, probably from the same supplier, with no coverage of the supplier evaluation process, the approval authority requirements, or the handling of nonconforming deliveries.
A better approach would look something like this. First, stratify the supplier list by criticality. Select two or three purchase orders from critical suppliers, one or two from medium-risk suppliers, and one from a low-risk supplier. Then cross-reference those orders against the supplier evaluation records to verify the suppliers were approved before the orders were placed. Check the approval signatures against the documented authority matrix. Pull one or two goods receipt records to see whether incoming inspection was completed. Ask the purchasing officer to walk you through a recent order that had a problem.
That sample is still small, perhaps eight to ten records, but it covers multiple dimensions of the process, tests the linkages between sub-processes, and is weighted toward higher risk. It gives you a far more defensible basis for your conclusion than a convenience sample of five.
Documenting Your Sampling Approach
Auditors often focus so much on what they find that they forget to record how they chose their sample. This matters more than most people realise. If a finding is challenged, the first question will be about how the sample was selected. If you cannot explain your rationale, the finding becomes harder to defend.
Your audit working papers should record the population size, the sampling technique used, the number of items selected, and the basis for that selection. This does not need to be lengthy. A brief note such as "Selected 8 corrective action reports from a population of 34 raised in the last 12 months. Sample weighted toward the 6 reports raised against the production process following the May nonconformity, plus 2 randomly selected from other areas." is sufficient and completely defensible.
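The purchase-order selection from the purchasing scenario and the working-paper note described here can be produced together, so the record of how the sample was chosen is generated with the sample itself. This is an added example, not part of the original article; the purchase-order data, the split of the 40 suppliers into tiers, the seed and all names are constructed assumptions.

```python
import random
from collections import defaultdict

# Quotas per stratum follow the scenario: weighted toward critical suppliers.
QUOTAS = {"critical": 3, "medium": 2, "low": 1}

def build_population(seed=1):
    """Constructed data: 300 purchase orders spread across 40 suppliers."""
    rng = random.Random(seed)
    tiers = ["critical"] * 8 + ["medium"] * 12 + ["low"] * 20  # assumed split
    suppliers = [(f"SUP-{i:02d}", tier) for i, tier in enumerate(tiers, 1)]
    orders = []
    for n in range(1, 301):
        supplier, tier = rng.choice(suppliers)
        orders.append({"po": f"PO-{n:04d}", "supplier": supplier, "tier": tier})
    return orders

def stratified_sample(orders, quotas, seed):
    """Draw each stratum's quota at random; the seed makes the draw repeatable."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for order in orders:
        strata[order["tier"]].append(order)
    sample = []
    for tier, quota in quotas.items():
        pool = strata.get(tier, [])
        # A stratum smaller than its quota is reviewed in full.
        sample.extend(rng.sample(pool, min(quota, len(pool))))
    return sample

def working_paper_note(orders, sample, quotas, seed):
    """Record population size, technique, number selected and basis."""
    counts = defaultdict(int)
    for order in sample:
        counts[order["tier"]] += 1
    breakdown = ", ".join(f"{counts[t]} {t}" for t in quotas)
    return (f"Selected {len(sample)} purchase orders from a population of "
            f"{len(orders)}. Stratified by supplier criticality ({breakdown}), "
            f"random within each stratum, seed {seed}.")

if __name__ == "__main__":
    population = build_population()
    chosen = stratified_sample(population, QUOTAS, seed=2024)
    for order in chosen:
        print(order["po"], order["supplier"], order["tier"])
    print(working_paper_note(population, chosen, QUOTAS, seed=2024))
```

Recording the seed alongside the note lets a reviewer re-run the draw against the same list and arrive at the same records.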
For guidance on how evidence gathering and documentation work together, see our article on gathering audit evidence: sampling, interviews and document review done well.
Common Sampling Mistakes and How to Avoid Them
Only Sampling What Is Offered
Auditees will often present the records they are most comfortable with. If you simply accept what is placed in front of you, your sample is being controlled by the auditee, not by you. Always ask for specific records by reference number, date range, or category. Request records from periods that were not specifically prepared for the audit.
Ignoring the Tails
Problems often concentrate at the edges of a population: the oldest records, the newest records, the smallest orders, the most complex jobs, the busiest periods. Sampling only from the comfortable middle of the distribution means you miss the places where the system is most likely to break down.
Treating a Sample as a Census
Finding three conforming records does not mean the entire process is conforming. Your conclusions should be proportionate to your sample. Use language like "the sample reviewed indicated" or "based on the records examined" rather than making absolute statements about the whole population. This is both more accurate and more defensible.
Not Adjusting the Sample When Something Goes Wrong
If your first few records reveal a problem, expand your sample. A single nonconforming record might be an isolated exception. Five nonconforming records from a sample of eight suggests a systemic issue. The sample size you planned at the start of the audit is a starting point, not a constraint. Experienced auditors follow the evidence.
This connects directly to how you write up what you find. Our article on how to write nonconformities that hold up explains how to frame findings so they are grounded in evidence rather than impression.
Sampling Across Different Audit Types
The sampling approach you use will vary depending on the type of audit you are conducting.
For internal audits, you have the advantage of ongoing access to the system. You can build your sample across multiple audit cycles, covering different areas each time. The annual audit programme should be designed so that, taken together, the samples across all audits give reasonable coverage of the whole system.
For certification and surveillance audits, the pressure is higher and the time is shorter. Certification body auditors are expected to apply risk-based sampling that focuses on the areas most likely to affect conformity and the achievement of intended outcomes. They will typically sample more heavily in high-risk areas and use prior audit history to guide their selection.
For supplier audits, sampling is often constrained by what the supplier will make available. Focus your sample on the records most directly relevant to the products or services you receive, and be explicit about what you were and were not able to review. This protects you if problems emerge later.
You can find more on how supplier audits work in practice in our guide on how to conduct a supplier audit: a step-by-step guide.
Building Sampling Confidence Through Training
Sampling is one of those skills that sounds simple in theory but takes real practice to apply well. Knowing which technique to use, how large a sample to take, when to expand your sample, and how to document your rationale are all judgements that develop through experience and through exposure to how experienced auditors work.
If you are working toward your internal auditor or lead auditor credentials, look for training that includes practical exercises where you actually apply sampling techniques to realistic scenarios, not just read about them. The difference between an auditor who can recite the definition of stratified sampling and one who can apply it confidently on the floor is practice.
At Audit Workshop, our internal auditor and lead auditor courses for ISO 9001, ISO 14001, and ISO 45001 include practical audit exercises that cover sampling decisions, evidence gathering, and finding formulation. Whether you are just starting out or building on existing experience, the courses are designed to develop the kind of judgement that makes audits genuinely useful.








