
Audit Sampling in a Tech-Driven World

 

Sampling has always been a core part of audit work, but in 2026, sampling in IT-heavy environments often cannot look like “classic audit sampling.” Why? Because a growing portion of business operations is executed by IT systems, and many controls are automated or semi-automated, not purely manual.

 

That’s why I appreciate that both ISACA and AICPA continue to publish guidance on sampling.

 




Why sampling in IT audits is different

In technology-enabled processes, the population you are testing is rarely simple. You may be dealing with:

➡️ automated controls,

➡️ semi-automated controls,

➡️ manual controls operating inside digital workflows,

➡️ and control evidence that exists across IT systems.

 

In this context, sampling is not only “pick 25 items and test.” The sampling approach must reflect:

➡️ how the control actually operates,

➡️ whether it is truly repeatable,

➡️ where human judgment enters the process,

➡️ and whether the underlying population is complete and reliable.

 

ITAF sampling guidance

ISACA’s approach is closely aligned with modern IT audit reality: sampling is a means to obtain sufficient and appropriate audit evidence, and the method must be appropriate for the nature of the control, the risk, and the reliability of the population.

 

AICPA approach

AICPA sampling guidance reinforces the fundamentals auditors sometimes forget under schedule pressure:

➡️ sampling is part of the broader evidence strategy,

➡️ conclusions depend on population definition, sampling unit selection, and evaluation of deviations,

➡️ and professional judgment must be documented.

 

This is highly relevant in #SOC engagements (SOC 1 / SOC 2 attestation) too, because the quality of SOC work often depends on whether the auditor:

➡️ selected the right population,

➡️ ensured completeness and accuracy,

➡️ and tested enough instances to support a conclusion about operating effectiveness.

 

The key point: sampling must match the control type

 

If a control is truly automated and configuration-driven, evidence often should focus on:

➡️ design/configuration,

➡️ change management,

➡️ access controls around configuration,

➡️ and monitoring/alerting.

 

If a control is semi-automated or manual, sampling is often necessary, but must reflect:

➡️ frequency,

➡️ variability,

➡️ seasonality,

➡️ multiple performers,

➡️ and exception handling.

 

If evidence is generated by systems, sampling must account for:

➡️ integrity of the source system,

➡️ completeness of records,

➡️ and ability to trace evidence end-to-end.
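As an added example, not from the article and not ISACA or AICPA guidance, the following Python sketch walks through the points above for a semi-automated or manual control with several performers over a year: it first reconciles the population extract (record count against the reported total, gap-free id sequence, no duplicates, every record inside the audit period) before anything is drawn from it, sizes the sample with the zero-expected-deviation binomial rule (1 - rate)^n ≤ 1 - confidence, stratifies by performer and quarter so that one busy reviewer or one quiet season does not dominate the selection, and evaluates any deviations found. The population, the reported total, the performer names and the 95% / 5% parameters are constructed and illustrative, not prescribed values.

```python
"""Added example (not the article's own): completeness checks on a control
population, attribute sample sizing, stratified selection and evaluation."""
import math
import random
from collections import defaultdict
from datetime import date

# Constructed population (not real client data): one record per execution of a
# manual control, e.g. a reviewer approving a privileged-access request. Three
# performers, 120 executions spread over 2025.
POPULATION = [
    {"id": i,
     "date": date(2025, 1 + (i - 1) % 12, 1 + (i * 7) % 28),
     "performer": ("alice", "bob", "carol")[i % 3]}
    for i in range(1, 121)
]
REPORTED_COUNT = 120                     # constructed: total the system owner reports
AUDIT_PERIOD = (date(2025, 1, 1), date(2025, 12, 31))


def check_completeness(population, reported_count, period):
    """Findings about the extract before anything is sampled from it. An empty
    list means: record count reconciles to the reported total, ids form a
    gap-free sequence with no duplicates, and every record falls in the period."""
    if not population:
        return ["empty extract"]
    findings = []
    ids = [r["id"] for r in population]
    if len(population) != reported_count:
        findings.append(f"count {len(population)} != reported {reported_count}")
    if len(set(ids)) != len(ids):
        findings.append("duplicate ids in extract")
    missing = sorted(set(range(min(ids), max(ids) + 1)) - set(ids))
    if missing:
        findings.append(f"sequence gaps at ids {missing}")
    start, end = period
    outside = [r["id"] for r in population if not start <= r["date"] <= end]
    if outside:
        findings.append(f"records outside period: {outside}")
    return findings


def sample_size(confidence, tolerable_rate):
    """Smallest n for a zero-expected-deviation attribute sample: if the true
    deviation rate were tolerable_rate, the chance of seeing no deviation in n
    items is (1 - rate)^n, which must not exceed 1 - confidence."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def performer_quarter(record):
    """Stratum key: who performed the control and in which quarter."""
    return (record["performer"], (record["date"].month - 1) // 3)


def stratified_sample(population, n, stratum_key=performer_quarter, seed=0):
    """Random sample of n records allocated proportionally across strata
    (largest-remainder rounding), so each performer/quarter combination is
    represented rather than one busy reviewer dominating the selection."""
    rng = random.Random(seed)            # fixed seed keeps the selection reproducible
    strata = defaultdict(list)
    for r in population:
        strata[stratum_key(r)].append(r)
    quotas = {k: n * len(v) / len(population) for k, v in strata.items()}
    alloc = {k: int(q) for k, q in quotas.items()}
    leftover = n - sum(alloc.values())
    for k in sorted(quotas, key=lambda k: quotas[k] - alloc[k], reverse=True)[:leftover]:
        alloc[k] += 1
    sample = []
    for k, members in sorted(strata.items()):
        sample.extend(rng.sample(members, min(alloc[k], len(members))))
    return sample


def evaluate(sample, deviation_ids, tolerable_rate, confidence):
    """Compare deviations found in the sample with the planned design. With a
    zero-expected-deviation sample, one deviation already means the sample no
    longer supports the planned confidence; the auditor extends or re-plans."""
    n = len(sample)
    d = sum(1 for r in sample if r["id"] in deviation_ids)
    result = {"n": n, "deviations": d, "observed_rate": d / n,
              "supports_conclusion": d == 0 and n >= sample_size(confidence, tolerable_rate)}
    if d == 0:
        # Exact upper bound on the true deviation rate at the given confidence
        # when no deviations were observed.
        result["upper_rate"] = 1 - (1 - confidence) ** (1 / n)
    return result


if __name__ == "__main__":
    findings = check_completeness(POPULATION, REPORTED_COUNT, AUDIT_PERIOD)
    if findings:
        raise SystemExit(f"population not reliable, do not sample yet: {findings}")
    n = sample_size(0.95, 0.05)          # illustrative parameters, not prescribed values
    sample = stratified_sample(POPULATION, n)
    print(n, evaluate(sample, set(), 0.05, 0.95))
```

The order matters: the completeness checks run first and stop the procedure if the extract does not reconcile, because a sample drawn from an incomplete or duplicated population says nothing about the control regardless of how carefully it was selected. The stratification key is deliberately a separate function so it can be swapped for whatever dimensions actually drive variability in the process (performer, location, system, month).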

 

Auditors must understand the complexity of the IT environment and the differences between automated, semi-automated, and manual controls. Only then can they select sampling methods that represent the population properly and provide assurance that controls are not only suitably designed and in place, but also operate effectively.


 
 
 

BW ADVISORY sp. z o.o. 

ul. Boczańska 25
03-156 Warszawa
NIP: 525-281-83-52
