Sampling Techniques in Fraud Audits

A routine financial statement audit uses sampling to form a reasonable opinion on the accuracy of reported figures. Audit standards, such as ISA 530 (International Standard on Auditing on Audit Sampling) adopted across more than 120 countries, permit the auditor to accept some level of undetected misstatement as long as it is below the materiality threshold and the sampling approach is statistically sound. The implicit assumption is that errors are distributed throughout the population in a broadly representative way.

Fraud breaks that assumption. A payroll fraud affecting a single ghost employee may represent less than 1% of total transactions but nearly 100% of a specific cost centre. A procurement fraud built on a single shell vendor may affect a handful of invoices that are individually below the approval threshold that would trigger management review. In both cases, a representative random sample from the full population is likely to miss the fraud entirely, not because the sample is too small, but because the fraud is concentrated in a subpopulation that the random draw is unlikely to hit.

Fraud auditing standards and practitioner guidance, including the ACFE Fraud Examiners Manual and the UK Fraud Advisory Panel guidance, consistently hold that the sampling plan must incorporate the auditor's assessment of where fraud is likely to be concealed. This does not mean abandoning statistical rigour. It means treating statistical sampling and risk-directed selection as complementary tools: statistical sampling provides a defensible basis for population-level conclusions, while risk-directed selection ensures that the highest-risk items receive scrutiny regardless of whether chance places them in the random draw.

Attribute sampling is the standard method for testing whether internal controls are operating as intended. The auditor defines one attribute (for example, every payment over a specified threshold must bear two authorised signatures), selects a random sample from the population of transactions to which the control applies, and counts the number of exceptions. The result is projected to the population as an estimated deviation rate with a stated confidence interval.

Three parameters drive the sample size calculation. The confidence level (typically 90% or 95% in fraud contexts, versus 80% or 85% in routine audits) reflects the auditor's risk tolerance. The expected deviation rate is the auditor's prior estimate of how often the control fails; a higher expected rate requires a larger sample. The tolerable deviation rate (TDR) is the maximum failure rate the auditor will accept before treating the control as unreliable. The sample size formula, or the equivalent lookup in standard sampling tables, produces the minimum number of items that, if no more than TDR exceptions are found, allows the auditor to conclude at the stated confidence level that the true population deviation rate is at or below TDR.

In fraud audits, attribute sampling is most useful for procurement controls (dual-approval, vendor matching), payroll controls (new-hire authorisation, bank account change verification), and expense reimbursement controls (receipt requirements, manager approval). When the attribute test reveals a deviation rate above TDR, the auditor cannot rely on the control and must expand examination of the transactions that fall outside the control, using risk-directed selection to investigate the exceptions in detail.

Monetary unit sampling (MUS) is a probability-proportional-to-size method: each currency unit in the population is a potential sampling unit, and a transaction is selected if any of its currency units falls in the sample. A transaction worth 50,000 dollars is 50,000 times more likely to be selected than a transaction worth one dollar. This built-in overweighting of large transactions is not a bias; it is a design feature that aligns the sample with the auditor's concern about financial impact.

The MUS sample size is determined by dividing the population value by a sampling interval. The interval is calculated from the tolerable misstatement (the maximum error in currency the auditor can accept) and the confidence factor (a value derived from the Poisson distribution for the stated confidence level). For example, at 95% confidence with zero expected errors, the confidence factor is approximately 3. If the tolerable misstatement is 500,000 dollars, the sampling interval is 500,000 divided by 3, approximately 167,000 dollars. The auditor then selects every transaction whose cumulative monetary value crosses a multiple of the interval.

In fraud audits, MUS is particularly suited to accounts payable and revenue testing, where individual transaction values vary widely. A procurement fraud built on inflated invoices will produce transactions with values systematically higher than legitimate transactions, increasing their probability of selection in a MUS draw. A fraud built on many small transactions below an approval threshold, however, will be systematically underrepresented in a MUS sample, which is precisely why MUS must be supplemented by a separate targeted sample of small-value transactions when that fraud pattern is indicated.

Stratified sampling divides the population into subgroups before sampling. Each stratum is sampled independently, and the results can be combined into a population-level estimate or kept separate if the strata are to be assessed individually. The primary advantage is flexibility: the auditor can apply a high sampling intensity (small interval, large sample fraction) to the stratum carrying the most fraud risk and a lower intensity to lower-risk strata, keeping the total sample size manageable.

Common stratification bases in fraud audits include transaction size (top 5% by value, middle 45%, bottom 50%), vendor or payee category (related-party vendors, sole-source vendors, new vendors registered in the last 12 months), geographic location (regions with known control weaknesses), and approval pathway (items approved by a specific individual, items that bypassed standard workflows). The stratification variables should be chosen based on the fraud risk assessment rather than convenience.

In practice, many fraud auditors apply 100% examination to the highest-risk stratum when it is small enough to be practical. The 2020 ACFE Report to the Nations found that asset misappropriation schemes are the most frequent fraud type globally, and within that category, billing schemes and expense reimbursement schemes account for a large share. Both typically involve identifiable characteristics (unusual payee names, round-number amounts, missing supporting documents) that make stratification on those characteristics a direct detection strategy rather than a statistical exercise.

Judgmental sampling is not the same as arbitrary selection. When fraud auditors use judgmental selection, they are applying structured professional judgment based on explicit risk criteria. Data analytics tools, including Benford's Law analysis, duplicate payment detection, gap analysis in sequence-numbered documents, and velocity analysis of payee relationships, generate specific transaction flags. Each flagged item is a candidate for judgmental inclusion in the sample regardless of whether random selection would have reached it.

Judgmental selection must be documented. The auditor records the risk criteria applied, the number of items flagged, the number examined, and the results. Without documentation, a selection that looks targeted and purposeful in the working papers can appear arbitrary to a court, a regulator, or a peer reviewer. In jurisdictions where the fraud examiner's report may be used in evidence, including under the Bharatiya Sakshya Adhiniyam 2023 in India, the US Federal Rules of Evidence, and the UK Civil Procedure Rules, the methodology of selection is subject to scrutiny and must be defensible.

A combined sampling plan, used in major fraud investigations in both the public and private sectors, typically has three layers. The first layer is a statistical random sample of the general population, producing a population-level projection. The second layer is a stratified oversample of high-risk strata, producing stratum-level assessments. The third layer is a targeted judgmental sample of items flagged by analytics or informant information, producing case-specific evidence. The three layers address different evidentiary needs and should not be conflated in the working papers.

Sample size decisions in fraud audits must be documented with the same rigour as the examination itself. The working paper for each sampling plan should state the population definition and size, the sampling unit, the method of selection, the parameters used (confidence level, TDR or tolerable misstatement, expected rate or error), the resulting sample size, the actual items selected (with enough detail to reconstruct the selection), the examination results, and the conclusion or projection.

Statistical sampling projections require care in communication. An attribute sample result stating that the estimated deviation rate is 4.2% with a 95% confidence interval of 2.8% to 6.1% means different things to a forensic accountant, a corporate audit committee, a regulatory investigator, and a judge. The fraud examiner's report must translate the statistical conclusion into plain language that explains the practical significance without overstating the certainty. Courts in the United States, United Kingdom, and increasingly in India have accepted statistically derived sampling evidence, but expert witnesses have been challenged on the basis of sample size adequacy, selection bias, and projection methodology.

Professional standards across jurisdictions set minimum documentation requirements. In the US, PCAOB AS 2315 (Audit Sampling) and the AICPA's AU-C Section 530 require that the auditor document the basis for the sampling plan and the results. In the EU, the equivalent is ISA 530 as adopted by member-state audit regulators. In India, the ICAI's Standard on Auditing 530 mirrors ISA 530. Forensic engagements that may result in litigation or regulatory proceedings should apply the most stringent of the applicable standards.