Lesson 11 of 25
Sampling Methodology: Statistical vs. Judgmental
One of the most testable skills on the exam. Distinguish statistical from judgmental sampling, choose by the conclusion you need, size by risk, and avoid over-projecting a small judgmental sample.
Why we sample at all
- Populations are too large to test entirely
- A sample lets you infer about the whole
- Goal: enough evidence to support a conclusion
- Sampling risk — the sample may mislead
AML populations are enormous: millions of transactions, tens of thousands of customer files. You rarely test every item, so you sample: examine a subset and draw a conclusion about the whole. The aim is sufficient, reliable, relevant evidence to support the engagement's conclusion, no more and no less.
But sampling carries an unavoidable cost called sampling risk, the chance that the sample doesn't represent the population and leads you to the wrong conclusion. You can't eliminate sampling risk without testing everything, but you can manage it through how you design the sample. The two main approaches are statistical and judgmental, and the exam wants you to choose the right one for the purpose.
Statistical sampling
- Random selection; every item has a known chance
- Lets you quantify confidence and project results
- Defensible and objective; reduces selection bias
- Needs a clean population and statistical method
Statistical sampling uses random selection, so every item in the population has a known, non-zero chance of being picked. Its great strength is that it lets you quantify your confidence and project the results to the whole population with a stated margin of error. If you test a statistical sample and find a two percent error rate, you can make a defensible statement about the likely error rate across the entire population.
It's objective, it reduces selection bias, and it stands up well to challenge. The price is rigor: you need a complete, clean population to sample from and a sound statistical method to size and select the sample and interpret the result.
Judgmental sampling
- Auditor deliberately targets items by risk
- Pick the high-risk, unusual, or material items
- Fast and focused — but can't be projected statistically
- Risk: selection bias and over-generalizing
Judgmental sampling, also called nonstatistical, lets the auditor deliberately choose items based on risk and professional judgment. You target the high-risk customers, the unusual transactions, the largest dollar amounts, the items most likely to reveal a problem. It's fast, focused, and efficient when you want to probe specific concerns.
But it has two limits the exam loves. First, you cannot statistically project a judgmental sample to the whole population, because the selection wasn't random; finding zero issues in your hand-picked sample does not prove the population is clean. Second, it carries selection bias.
So judgmental sampling is excellent for hunting known risks and dangerous when used to claim broad population assurance.
Choosing — and sizing — the sample
- Need to project to the population? Go statistical
- Targeting specific known risks? Judgmental fits
- Sample size grows with risk and desired confidence
- Often combine: judgmental probe plus statistical base
So how do you choose? Ask what conclusion you need. If you must make a defensible statement about the whole population, say, the overall accuracy of beneficial-ownership data, use statistical sampling.
If you're probing specific, known high-risk items, judgmental sampling fits. On size, the higher the risk and the greater the confidence you need, the larger the sample; a tiny sample over a high-risk population gives false comfort. In practice, auditors often combine both: a judgmental probe to chase the obvious risks, plus a statistical base sample to support a population-level conclusion.
The mistake the exam punishes is using a small judgmental sample and then over-claiming, treating it as if it proved the whole population sound.
Interpreting sample results
- An exception is a deviation — investigate, don't ignore
- Distinguish an isolated error from a systemic pattern
- High error rate may mean expanding the sample
- One exception can still point to a control failure
Finding issues in a sample is the point, so know how to interpret them. When a sampled item fails, that's an exception, a deviation from the expected control outcome, and the first move is to investigate why, not to wave it away as a one-off. The key judgment is whether the exception is isolated, a genuine fluke, or symptomatic of a systemic pattern likely repeated across the population.
If your error rate is high, the right response is often to expand the sample to understand the true extent, or to conclude the control is failing. And here's a subtlety the exam tests: in a statistical sample even a single exception can be significant, because projected across a large population it may represent many failures, and in a high-risk control one failure may be one too many. So don't dismiss exceptions by their raw count; evaluate what they imply about the population and the control.
A clean conclusion drawn while ignoring uncomfortable exceptions is not a sound conclusion.
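The sizing and projection points above can be made concrete with a short calculation. This is an added illustration, not part of the original lesson: it assumes a random sample from a population much larger than the sample, uses the exact binomial (Clopper-Pearson) upper limit as one common method, and all function names and figures are constructed for the example.

```python
import math
import random

def binom_cdf(k, n, p):
    """P(X <= k) when X counts exceptions in n items, each failing with rate p."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def upper_bound(exceptions, n, confidence=0.95):
    """One-sided exact upper limit on the population exception rate.
    Only meaningful when the n items were selected at random."""
    if exceptions >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):  # bisection on p: the CDF falls as p rises
        mid = (lo + hi) / 2
        if binom_cdf(exceptions, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi

def zero_exception_sample_size(tolerable_rate, confidence=0.95):
    """Smallest n where finding 0 exceptions supports 'rate is below tolerable_rate'."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))

def draw_random_sample(population_ids, n, seed):
    """Random selection with a recorded seed, so the selection can be re-performed."""
    return random.Random(seed).sample(population_ids, n)

def projected_failures(exceptions, n, population_size, confidence=0.95):
    """Upper-limit count of failing items across the whole population."""
    return math.ceil(upper_bound(exceptions, n, confidence) * population_size)

if __name__ == "__main__":
    population = 50_000                      # constructed: customer files in scope
    n = zero_exception_sample_size(0.05)     # tolerable rate 5%, 95% confidence
    picked = draw_random_sample(list(range(population)), n, seed=2024)
    print(f"sample size: {n}, first items selected: {picked[:5]}")
    for found in (0, 1, 3):
        ub = upper_bound(found, n)
        print(f"{found} exception(s) in {n}: rate could be up to {ub:.1%}, "
              f"about {projected_failures(found, n, population):,} files")
    # Tighter tolerance or higher confidence both push the sample size up.
    print(zero_exception_sample_size(0.02), zero_exception_sample_size(0.02, 0.99))
```

With these constructed figures, a single exception moves the upper limit from just under 5% to nearly 8%, which is why one exception in a statistical sample cannot be dismissed by its raw count. None of this arithmetic applies to a judgmental sample, because its items were not selected at random.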
Recap and next
- Sampling manages, never eliminates, sampling risk
- Statistical — random, projectable, defensible
- Judgmental — risk-targeted, focused, not projectable
- Next — evidence types, documentation, testing strategy
Recapping: we sample because full populations are too large, and sampling always carries sampling risk we manage but can't erase. Statistical sampling uses random selection and lets you project a confident, defensible conclusion to the whole population. Judgmental sampling targets known risks efficiently but can't be projected, so don't over-claim from it.
Choose by the conclusion you need, and size by risk and required confidence. Next, we widen out to evidence itself: what counts as reliable, how to rank it, and how to build a documented testing strategy. Take the sampling practice questions first; this topic shows up often.
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. An auditor re-rates a sample of 30 legal-entity customers using the institution's documented risk-rating methodology and finds that 12 are rated 'medium' by the system but score 'high' under the same methodology when applied correctly. What is the MOST appropriate characterization?
Q2. An audit of the sanctions-screening program finds that the SDN list is loaded into the screening engine, but the list has not been updated for 14 days despite multiple OFAC additions during that period. What is the risk and the finding?
Q3. An auditor samples 40 investigations that resulted in a no-file decision (no SAR filed) and finds 8 where the activity clearly met the regulatory threshold for suspicious activity. What is the finding and its significance?
Q4. The SAR filing rule generally requires filing within how many days of initial detection of suspicious activity, and how many days when no suspect is identified?