Categories of audits
There are three general types of risk-limiting audits. Depending on the circumstances of the election and the auditing method, different numbers of ballots need to be hand-checked. For example, in a jurisdiction with 64,000 ballots tabulated in batches of 500 ballots each, an 8% margin of victory, and allowing no more than 10% of any mistaken outcomes to go undetected, method 1, ballot comparison, on average, needs 80 ballots, method 2, ballot polling, needs 700 ballots, and method 3, batch comparison, needs 13,000 ballots (in 26 batches). The methods are usually used to check computer counts, but methods 2 and 3 can also be used to check accuracy when the original results were hand-counted. The steps in each type of risk-limiting audit are: #Ballot comparison. Election computers provide their interpretation of each ballot ("cast vote record"); humans check computers' "cast vote records" against stored physical ballots in a random sample of ballots; an independent computer tabulates all "cast vote records" independently of earlier tabulations to get new totals; humans report any differences in interpretations and total tallies. #Ballot polling. Humans count a random sample of ballots; humans report any difference between manual percentage for the sample and computer percentage for the election. #Batch comparison. Election results provide total for each batch of ballots (e.g. precinct); in a random sample of batches humans hand-count all ballots; for 100% of batches humans check by manual addition or independent computer if the election's initial summation of batches was correct; humans report any difference between original tallies and audit tallies. All methods require: *Procedure to re-count all paper ballots more accurately if errors are detected. This is usually planned as a 100% manual count, but could involve fixing or replacing erroneous computers, doing a new computer count, and auditing that, until an audit shows no problem. *Auditing all types of ballots, including military, absentee, provisional, etc. *Clarifying which contests were audited and which were not, or auditing all contests or a large enough random sample of contests so the chance of missing erroneous results is acceptably low. *Auditing a large enough random sample of ballots so the chance of missing mistakes is acceptably low. *Selecting a random sample after initial results are public, because telling hackers in advance which contests and ballots will be in the sample, lets them freely hack other contests and ballots. *Selecting the random sample before results are final, so errors can be fixed. *Doing the manual check immediately when the sample is selected; if insiders have altered computer files, they could use any delay to change sampled ballots to match the erroneous computer files, thus hiding the errors. *Having enough security on the ballots during transportation and storage, so neither insiders nor outsiders can change them. *Having enough independent participants select different digits of the random number seed, so no one can control the seed and hence the random number series which selects the random sample. *Having the public see all steps, including the content of ballots and computer records while officials examine them, to know they are counted accurately. The last three items are hard in one-party states, where all participants may be swayed by the ruling party. Hand-checking ballots (method 1) identifies bugs and hacks in how election computers interpret each ballot, so computer processing can be improved for future elections. Hand-counting ballots (methods 2 and 3) bypasses bugs and hacks in computer counts, so it does not identify exactly what mistakes were made. Independently totaling cast vote records (method 1) or batch totals (method 3) identifies bugs and hacks in how election computers calculate totals. Method 2 does not need this independent totaling step, since it has a large enough sample to identify winners directly. Colorado uses method 1 in most counties, and method 2 in a few counties which use election machines which do not record and store "cast vote records". Colorado uses no audit method in two counties which hand-count ballots in the first place. Risk-limiting audits are a ''results audit'' to determine if votes were tabulated accurately, not a ''process audit'', to determine if good procedures were followed.Implementation
The process starts by selecting a "risk limit", such as 9% in Colorado, meaning that if there are any erroneous winners in the initial results, the audit will catch at least 91% of them and let up to 9% stay undetected and take office. Another initial step is to decide whether to audit: all contests; a random sample of contests, allowing a known risk that erroneous winners will take office; or a non-random sample, so no statistical confidence is available on the non-audited contests. Based on a formula, a sample size is determined for each contest being audited.Formulae are presented and explained in: * * * The size of the sample depends primarily on the margin of victory in the targeted contest. A random starting point (seed) is chosen by combining information from multiple independent people, to create a series of random numbers identifying specific ballots to pull from storage, such as the 23rd, 189th, 338th, 480th ballots in precinct 1, and other random numbers in other precincts. When storage is opened, records are checked to see if each sampled precinct still has the same number of ballots recorded during the election, if correct numbers appear on seals, if machines or containers have been tampered with in any way, and/or other methods to check if ballots have avoided intrusion. If ballots have not been stored successfully, advocates of risk-limiting audits say there should be a re-vote, or no result should be declared, which usually requires a re-vote, or results can be declared if "the number of questionable or missing audit records is small enough that they cannot alter the outcome of the contest." However, if storage or records are flawed, laws may require initial results to be accepted without audit. and North Carolina law: To provide an alternative to a re-vote, seven Florida counties back up the paper ballots by copying them the day after they are voted, with machines independent of election machines. While any copy can have flaws, comparing cast vote records to these independent backup copies would give an alternative to re-voting or skipping the audit when storage is not trustworthy. Florida does not hand-check this backup, which would be required by a risk-limiting audit. Instead Florida machine-audits 100% of votes and contests. They have found discrepancies of 1-2 ballots from official machines. Maryland has a less safe alternate approach. Maryland's election machines create and store ballot images during the election, separate from the cast vote records. Most election machines do so. Maryland compares cast vote records to these ballot images from the same election machines. Unlike Florida, this approach is not an independent backup or check. A hack or bug in the election machine can alter, skip, or double-count both image and cast vote record simultaneously. Maryland's semi-independent checking is better than no checking, since it has found and resolved discrepancies, such as folded ballots leaving fold lines on the images, which computers interpreted as write-in votes; sensor flaws which left lines on the images, interpreted asIssues
Sample size
Sample sizes rise rapidly for narrow margins of victory, with all methods. In a small city or county, with 4,000 ballots, method 1, ballot comparison, would need 300 ballots (300–600 minutes, as discussed inBallot transport and storage
Ballots are at risk when being transported from drop boxes and polling places to central locations, and may be protected byPublic monitoring
All the methods, when done for a state-wide election, involve manual work throughout the state, wherever ballots are stored, so the public and candidates need observers at every location to be sure procedures are followed. However, in Colorado and most states the law does not require any of the audit work to be done in public.Software dependence
All methods are designed to be independent of the election software, to ensure that an undetected error in the election software can be found by the audit. The audit in practice is dependent on its own software, separate from the election system. Election staff examine ballots and enter staff interpretations into an online software tool, which is supposed to handle the comparison to the voting system interpretation, report discrepancies, and tell staff whether to sample further. It is also hard to prepare the list of ballots to sample from (ballot manifest) without using information from the election system.Independent totals
Method 1, ballot comparison, requires a second step, besides checking the sample of ballots: 100% of the computer interpretations of ballots ("cast vote records") need to be re-tabulated by computers independent of the original election computers. This re-tabulation checks whether election computers tallied the cast vote records correctly. Like any computer step this independent tally is subject to hacks and bugs, especially when voting rules are complex, such as variations in the number of candidates from different districts to vote for. The reason for the re-tabulation step is that independently programming a different kind of machine provides an independent check on official election machines. While all methods require physical security on the paper ballots, method 1 also requires enough security on the cast vote records so no one can change them. This can be accomplished by computer-calculating, storing and comparing a hash code for each file of cast vote records: (a) right after the election, (b) when independent tabulation is done, and (c) when ballot comparison is done. Colorado says it has a system to do the independent count of cast vote records, but it is not yet publicly documented, so the chance of bugs or hacks affecting this independent computer at the Secretary of State's office along with one or more of the election machines is unknown. California's process for risk-limiting audits omits the step of independent totals. When it did a pilot, independent totals were calculated by a student on a university computer.Cost
Cost depends on pay levels and staff time needed, recognizing that staff generally work in teams of two or three (one to read and one or two to record votes). Teams of four, with two to read and two to record are more secure and would increase costs. Each minute per vote checked means 25 cents per vote at $15/hour, or $250 per thousand votes. Checking random ballots can take more time: pulling individual ballots from boxes and returning them to the same spot. It is relevant to methods 1 and 2.State variations
As of early 2017, about half the states require some form of results audit. Typically, these states prescribe audits that check only a small flat percentage, such as 1%, of voting machines. As a result, few jurisdictions have samples large or timely enough to detect and correct tabulation errors before election results are declared final. In 2017, Colorado became the first state to implement ballot comparison audits, auditing one contest, not randomly chosen, in each of 50 of its 64 counties, several days after the election. Following the 2018 General Election, Colorado will conduct audits in the 62 of its 64 counties that use automated vote counting equipment (the two remaining counties hand count the ballots). Rhode Island passed legislation requiring that state's Board of Elections to implement risk-limiting audits beginning in 2018. Individual jurisdictions elsewhere may be using the method on the local election clerks' initiative.Endorsements
In 2018 theSee also
* Election audits *References
{{reflist Types of auditing Elections Statistical methods Electoral fraud Elections in the United States