What is detection risk?

On about half the engagements we review, the risk assessment flags elevated risk of material misstatement (RoMM) at the assertion level, but the audit response looks identical to last year. The sample sizes are the same, the procedures are the same, the timing is the same. That gap between assessed risk and actual work is detection risk in its most common form. It is the single most frequent inspection finding, and it persists because the link between risk assessment and procedure design often becomes a tick-box exercise rather than a genuine planning decision.

Detection risk is the risk that the procedures performed by the auditor will not detect a misstatement that exists and that could be material, either individually or in aggregate. It is the only component of the audit risk model that the auditor directly controls. Inherent risk and control risk exist independently of the audit. Only detection risk responds to what the auditor actually does on the engagement.

Under ISA 200.A42, the auditor manages detection risk by designing and performing procedures under ISA 330. The auditor adjusts four variables: the nature of procedures (tests of detail versus analytical procedures), the timing (year-end versus interim), the extent (sample sizes), and the combination of procedures applied to each assertion.

Detection risk can never reach zero. ISA 200.A44 acknowledges inherent limitations in every audit, including sampling risk and the possibility that evidence is incomplete or misleading. This is why auditors provide reasonable assurance rather than absolute assurance.

Key Points

  • Detection risk is the only controllable component. Inherent risk and control risk exist independently of the audit. Only detection risk is within the auditor's power to reduce through procedure design.
  • It has an inverse relationship with RoMM. When assessed RoMM is high, acceptable detection risk must be low, requiring more persuasive and more extensive procedures.
  • Four levers reduce it: nature (tests of detail vs. analytics), timing (year-end vs. interim), extent (larger samples), and the combination of procedures applied to each assertion.
  • It can never be eliminated entirely. ISA 200.A44 acknowledges inherent limitations including sampling risk, which is why audit opinions express reasonable (not absolute) assurance.

Why it matters in practice

If assessed RoMM is high but the auditor does not adjust the planned procedures accordingly, there is a detection risk problem. We have seen this on about half the engagements that come through review: the risk assessment flags elevated risk, but the audit response is SALY (same as last year) from a low-risk year. Nobody revisited the sample sizes or the procedure mix.

ISA 330.21 provides a specific example: for significant risks, substantive analytical procedures alone are not sufficient. The auditor must perform tests of detail (or a combination of tests of detail and substantive analytical procedures) to achieve a sufficiently low level of detection risk.

Detection risk also depends on execution quality. A well-designed procedure performed poorly (with vague selection criteria, incomplete populations, no follow-up on exceptions, or samples drawn from the wrong period) provides less assurance than intended. The actual detection risk ends up higher than the planned detection risk. That gap is invisible on paper, and it is the kind of thing that only surfaces during an inspection or, worse, after a restatement.

Key standard references

  • ISA 200.13(e) defines detection risk as the risk that procedures performed by the auditor will not detect a misstatement that exists and that could be material.
  • ISA 200.A42 through A44 explain detection risk within the audit risk model, including inherent limitations that prevent detection risk from reaching zero.
  • ISA 330.7 requires the auditor to design and perform further audit procedures whose nature, timing, and extent are responsive to assessed RoMM at the assertion level.
  • ISA 330.21 specifies that substantive analytical procedures alone are not sufficient for significant risks. Tests of detail are required.
  • ISA 330.25 requires the auditor to evaluate whether the overall audit response adequately addresses assessed risks, including detection risk considerations.

Frequently asked questions

How does the auditor reduce detection risk?

By changing four variables in the audit response: the nature of procedures (tests of detail are more persuasive than analytical procedures), the timing (year-end testing carries lower detection risk than interim), the extent (larger samples reduce the chance of missing a misstatement), and the combination of these. ISA 330.7(a) requires all four to be considered as an integrated response.

Can detection risk ever reach zero?

No. ISA 200.A44 acknowledges inherent limitations in every audit, including sampling risk and the possibility that evidence is incomplete or misleading. Detection risk can be reduced to a very low level but never eliminated. This is the fundamental reason audit opinions provide reasonable assurance rather than absolute assurance.

What is the relationship between detection risk and risk of material misstatement?

They have an inverse relationship. When the risk of material misstatement is high (the financial statements are more likely to contain errors), acceptable detection risk must be low (the auditor must do more work to find them). When RoMM is low, the auditor can accept higher detection risk and perform less extensive procedures.
