Goal: limit the risk of declaring the wrong winner
Much more efficient at meeting that goal than traditional percentage-based audits (e.g. California 1% manual tally)
An audit is risk-limiting if it has a pre-specified minimum chance of requiring a full hand count whenever the apparent outcome of the contest is wrong.
"Wrong" means that a hand count of the audit trail would show a different outcome. The "risk" is the chance that an outcome that is wrong will be certified anyway.
Risk-limiting audits can determine with precision how much hand counting is necessary to confirm election results with a high confidence
If the evidence from the hand counts does not limit the risk to the given risk level, a risk-limiting audit will lead to a full hand count
E.g. the California pilot program audits provide 90% confidence that the audit will require a full hand count if the voting system tally was so wrong that the incorrect winner was called.
The size of the initial sample of ballots depends on the margin of victory in the contest: the narrower the margin, the larger the initial sample.
For our reporting work, e.g. EML 510 and 520, even for election-night reporting, we should emphasize the need to report undervote and overvote counts, both overall and for each reporting unit. This is important not only for auditing, but as the most basic measure of election quality, the "residual vote".
The most efficient audits require cast vote records, or small batches with vote count data with subtotals for each
Most important: still just getting auditable data out of systems
If batches are very small, need to take care to preserve anonymity of the ballots, e.g. by combining batches, or not tying the data directly to a set of voters
Secrecy-preserving Observable Ballot-level Audit (SOBA), and related techniques, can be used to publish anonymous data that is still auditable
See EML 510 example at http://bcn.boulder.co.us/~neal/electionaudits/eml510-example-nostyle.xml
Cast Vote Records which can be linked back to the original paper ballot
Some systems that currently produce auditable Cast Vote Records:
Note volume of data e.g. Los Angeles County:
We need some real examples of EML 440 and 460, but I'd guess many gigabytes per Votes message (EML 460), even compressed
Consider various "binary XML" formats like EXI (Efficient XML Interchange), Fast Infoset.
Or a customized binary format which encodes ballot id, ballot style, and one bit per choice, along with a way to transform it to and from EML 460.
P1622 Audit use case: http://www.nist.gov/itl/vote/upload/audit_use_case-02.pdf
Principles and Best Practices for Post-Election Audits: http://electionaudits.org/principles
California's EAC-funded Post Election Risk-Limiting Audit Pilot Program: http://www.sos.ca.gov/voting-systems/oversight/risk-limiting-pilot.htm