What is detection risk?
Detection risk is the only component of the audit risk model that the auditor directly controls. It represents the risk that the audit procedures performed will fail to detect a misstatement that exists in the financial statements and that could be material, either individually or in aggregate.
Under ISA 200.A42, the auditor manages detection risk by designing and performing procedures under ISA 330. The auditor adjusts four variables: the nature of procedures (e.g., tests of detail versus analytical procedures), the timing (year-end versus interim), the extent (sample sizes), and the combination of procedures applied to each assertion.
Detection risk can never reach zero. ISA 200.A44 acknowledges inherent limitations in every audit — including sampling risk, the possibility that evidence is incomplete or misleading, and the nature of audit evidence itself. This is why auditors provide reasonable assurance rather than absolute assurance.
Key Points
- Detection risk is the only controllable component. Inherent risk and control risk exist independently of the audit — only detection risk is within the auditor's power to reduce through procedure design.
- It has an inverse relationship with RoMM. When the assessed risk of material misstatement is high, acceptable detection risk must be low, requiring more persuasive and extensive procedures.
- Four levers reduce it. Nature (tests of detail vs. analytics), timing (year-end vs. interim), extent (larger samples), and the combination of procedures applied to each assertion.
- It can never be eliminated entirely. ISA 200.A44 acknowledges inherent limitations including sampling risk, which is why audit opinions express reasonable — not absolute — assurance.
Why it matters in practice
If the assessed risk of material misstatement is high but the auditor does not adjust the planned procedures accordingly, there is a detection risk problem. This is one of the most common inspection findings: the risk assessment indicates elevated risk, but the audit response remains unchanged from a low-risk scenario.
ISA 330.21 provides a specific example: for significant risks, substantive analytical procedures alone are not sufficient. The auditor must perform tests of detail (or a combination of tests of detail and substantive analytical procedures) to achieve a sufficiently low level of detection risk.
In practice, detection risk also depends on the quality of execution. A well-designed procedure performed poorly (e.g., with vague selection criteria, incomplete populations, or inadequate follow-up on exceptions) provides less assurance than intended — the actual detection risk is higher than the planned detection risk.
Key standard references
- ISA 200.13(e): Definition of detection risk as the risk that procedures performed by the auditor will not detect a misstatement that exists and that could be material.
- ISA 200.A42–A44: Explanation of detection risk within the audit risk model, including inherent limitations that prevent detection risk from reaching zero.
- ISA 330.7: Requirement to design and perform further audit procedures whose nature, timing, and extent are responsive to the assessed risks of material misstatement at the assertion level.
- ISA 330.21: Substantive analytical procedures alone are not sufficient for significant risks — tests of detail are required.
- ISA 330.25: Requirement to evaluate whether the overall audit response adequately addresses the assessed risks, including detection risk considerations.
Related terms
Related reading
Frequently asked questions
How does the auditor reduce detection risk?
By changing four variables in the audit response: the nature of procedures (tests of detail are more persuasive than analytical procedures), the timing (year-end testing carries lower detection risk than interim), the extent (larger samples reduce the chance of missing a misstatement), and the combination of these. ISA 330.7(a) requires all four to be considered as an integrated response.
Can detection risk ever reach zero?
No. ISA 200.A44 acknowledges inherent limitations in every audit, including sampling risk and the possibility that evidence is incomplete or misleading. Detection risk can be reduced to a very low level but never eliminated. This is the fundamental reason audit opinions provide reasonable assurance rather than absolute assurance.
What is the relationship between detection risk and risk of material misstatement?
They have an inverse relationship. When the risk of material misstatement is high (the financial statements are more likely to contain errors), acceptable detection risk must be low (the auditor must do more work to find them). When RoMM is low, the auditor can accept higher detection risk and perform less extensive procedures.