Risk-limiting audit

[2][3] Advantages of an RLA include: samples can be small and inexpensive if the margin of victory is large;[2] there are options for the public to watch and verify each step;[1] and errors found in any step lead to corrective actions, including larger samples, up to a 100% hand count if needed.

The approach does not assume that all ballots, contests or machines were handled the same way, in which case spot checks could suffice.

The sample sizes are designed to have a high chance of catching even a brief period when a scratch or fleck of paper blocks one sensor of one scanner, or a bug or hack switches votes in one precinct or one contest, if these problems affect enough ballots to change the result.

[1] The steps in each type of risk-limiting audit are: All methods require: The last three items are hard in one-party states, where all participants may be swayed by the ruling party.

Hand-counting ballots (methods 2 and 3) bypasses bugs and hacks in computer counts, so it does not identify exactly what mistakes were made.

Method 2 does not need this independent totaling step, since it has a large enough sample to identify winners directly.

[11] The process starts by selecting a "risk limit", such as 9% in Colorado,[12] meaning that if there are any erroneous winners in the initial results, the audit will catch at least 91% of them and let up to 9% stay undetected and take office.

In most jurisdictions, risk-limiting audits use an incremental system to recount as many randomly selected ballots as are needed to verify the counted votes.

A hack or bug in the election machine can alter, skip, or double-count both image and cast vote record simultaneously.

[23] Maryland's semi-independent checking is better than no checking, since it has found and resolved discrepancies, such as folded ballots leaving fold lines on the images, which computers interpreted as write-in votes; sensor flaws which left lines on the images, interpreted as overvotes; and double-feeds where two ballots overlap in the scanner, and one is uncounted.

Large numbers of contests on a ballot raise the chances that these small margins and large samples will occur in a jurisdiction, which is why no place does risk-limiting audits on all contests, leaving most local government races unaudited, though millions of dollars are at stake in local spending[25] and land use decisions.

The power of the sample also depends on staff expanding the audit after any discrepancy, rather than dismissing it as a clerical error,[28] or re-scanning problematic ballots to fix just them.

[8] Ballots are at risk when being transported from drop boxes and polling places to central locations, and may be protected by GPS tracking,[30] guards, security systems,[31] and/or a convoy of the public.

Insider threats and the difficulty of following all security procedures are usually under-appreciated, and most organizations do not want to learn their vulnerabilities.

[22] All the methods, when done for a state-wide election, involve manual work throughout the state, wherever ballots are stored, so the public and candidates need observers at every location to be sure procedures are followed.

This can be accomplished by computer-calculating, storing and comparing a hash code for each file of cast vote records:[43] (a) right after the election, (b) when independent tabulation is done, and (c) when ballot comparison is done.

[needs update] As of early 2017, about half the states[broken anchor] require some form of results audit.

[40] Typically, these states prescribe audits that check only a small flat percentage, such as 1%, of voting machines.

Rhode Island passed legislation[52] requiring that state's Board of Elections to implement risk-limiting audits beginning in 2018.

In 2018 the American Statistical Association, Brennan Center for Justice, Common Cause, Public Citizen and several election integrity groups endorsed all three methods of risk-limited audits.

Their first five criteria are:[1] In 2014, the Presidential Commission on Election Administration recommended the methods in broad terms: By selecting samples of varying sizes dictated by statistical risk, risk-limiting audits eliminate the need to count all the ballots to obtain a rapid test of the outcome (that, is, who won?

Sample sizes depend on: winning margin, number of ballots voted, confidence level, and type of audit.
Colorado elections in 2017, sample sizes needed for risk-limiting audits
When sample sizes are limited by budget, they still have some likelihood of catching errors.