Understanding Your SOC 1 Report: How Does Sampling Work?

by Joseph Kirkpatrick / January 31st, 2018

Sampling During a SOC 1 Audit

When an auditor performs a test of control during a SOC 1 audit, it may be appropriate to apply sampling. Sampling is applying audit procedures to less than 100% of a population. The types of populations that could need to be tested include new hire training forms, employee acknowledgements of policies and procedures, antivirus reports, or access control logs. The PCAOB states that sampling requires, “that the auditor use professional judgment in planning, performing, and evaluating a sample and in relating the evidential matter produced by the sample to other evidential matter when forming a conclusion about the related account balance or class of transactions.”

If the sample size of a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

More questions about SOC 1 reports? View more of our SOC 1 video resources or contact us today.

When an auditor performs a test of control for an SSAE 16 (SOC 1) report, it may be appropriate to apply sampling. If the sample size of a population is large in number, let’s say a quantity of 100, an auditor might take a random sample of 30 in that situation. If a population size is 10 or less, they may take a minimum of three. By and large, our sample size is 10% of a population, with a maximum of 30 and a minimum of three.

An example of a population that would have to be tested would be new hire training forms, employee acknowledgements of certain policies and procedures, antivirus reports, or access control logs. These kinds of things are determined by what kind of sampling could be applied in those situations where it is appropriate to do so.