It's all well and good for internal auditors to be trained on and have experience in identifying issues that will add value to the management system, but there also needs to be a baseline for that. Too often I see documented processes with no related metrics.
If the documented procedure is followed but the desired results are not being achieved, that can spark several discussions.
If the results are being achieved but the documented procedure is not being followed, that's a different conversation.
If both are spot on, yay!
If both are not where they could be, well, now there's a big discussion to be held.
Getting back to the original topic of sample size, it's basic stats here. If the first record I pull is perfect, odds are the majority of the records will be good. Yes, I'll check more than one to verify this.
If the first record I pull is not so good, odds are the majority of the records will be not so good. And yes, I'll check more than one to verify this.
For an internal audit - at least to 9001/14001 - there is no prescribed rule for sample size. Although, it is a sample...so 100% review cannot be called a "sample". I'd probably call a 100% check a witch hunt, non-value-added, nitpicking and a few other choice terms that are not positive.
An audit - be it internal or external - is a snap shot in time. It is a picture of a moment within the organization's creation of a product/service. A sample of records is the same.
No organization is perfect 100% of the time. There will be things missed. This is a reality. As an auditor, what I look for is a mechanism to self-identify and self-correct such discrepancies, depending on the level of risk.
To use the signed training records as an example, if I found some that were not signed, yet the procedure said they were to be signed, there would be a discussion on how the oversight occurred AND the value of signing them in the first place AND if there is a mechanism in place to verify the signatures if this is considered a critical activity. The result of those conversations would help me to create a meaningful finding (if appropriate). It also helps the organization start the journey of improving the process's effectiveness beyond "We retrained folks to follow the procedure."
To simply say, "Hey, ya'll aren't following your procedure for signing off on training records" is like sitting in a meeting room and saying "Oh, it's dark in here" if the power goes out.