What is sampling risk?
You test 80 revenue items, find nothing wrong, and sign off. Six months later the regulator re-performs the test on the full population and finds a material overstatement sitting in the 2,260 items you didn't look at. That gap between your sample conclusion and the full-population truth is sampling risk. Every engagement that uses sampling carries it.
ISA 530.5(c) defines sampling risk as the risk that a sample-based conclusion diverges from what a 100% test would show. ISA 530.A1 splits this into two directions that carry very different consequences.
The risk of incorrect acceptance (for tests of details, or the risk of assessing control risk too low for tests of controls) is the one that matters for audit quality. If the auditor concludes that a balance is not materially misstated when it actually is, the opinion is wrong. This is the direction that inspection bodies focus on.
The risk of incorrect rejection works the other way. The auditor concludes there is a problem when there is not. This wastes time (more testing and unnecessary conversations with the client) but doesn't produce a wrong opinion. It affects efficiency, not effectiveness.
ISA 530.7 requires the auditor to design the sample so that sampling risk is reduced to an acceptably low level. "Acceptably low" is not defined numerically in the standard. At firms we've worked with, teams set this through the confidence level: 95% confidence means 5% acceptable sampling risk, 90% means 10%. The choice flows from the risk assessment under ISA 315 (Revised), not from a default.
Key Points
- Sampling risk exists on every engagement that uses sampling. The auditor controls it but cannot eliminate it.
- ISA 530.A1 identifies two directions: the risk of incorrect acceptance and the risk of incorrect rejection.
- Incorrect acceptance is the dangerous direction because it leads to an unmodified opinion on materially misstated financial statements.
- Increasing sample size is the primary mechanism for reducing sampling risk.
Why it matters in practice
The FRC's 2022 audit quality inspection report noted that several firms failed to evaluate sampling results against both tolerable misstatement and the expected misstatement used at planning. ISA 530.A22 requires this dual evaluation. If projected errors exceed the expected misstatement used to size the sample, the sampling risk may be higher than what the auditor planned for, even if projected errors are below tolerable misstatement.
Teams often document sampling risk as a single number (e.g., "sampling risk: 5%") without specifying which direction they're controlling. ISA 530.A1 distinguishes the risk of incorrect acceptance from the risk of incorrect rejection. The file should state which direction is relevant for the test and why. We've seen seniors pull the sample size out of thin air (internally known as a "PIOOMA" number) and then back-fill the confidence level to make the maths work. Nobody learns anything from that exercise, and it's the kind of thing that falls apart the moment a reviewer asks how the R-factor was derived.
Worked example: Rheintal Maschinenbau GmbH
Client: German precision engineering subsidiary, FY2024, revenue EUR 112M, HGB reporter (parent reports IFRS).
The population is 2,340 revenue transactions totalling EUR 112M, tested for occurrence.
Step 1: identify the sampling risk direction
The engagement team is testing whether recorded revenue transactions occurred. The relevant direction is the risk of incorrect acceptance (concluding that revenue is not materially overstated when it actually is).
Step 2: set the acceptable level
The risk of material misstatement for revenue occurrence is assessed as elevated (fraud risk under ISA 240.26). The team sets acceptable sampling risk at 5% (confidence level 95%, R-factor 3.0).
Step 3: calculate the sample and test
Using monetary unit sampling (MUS) with performance materiality of EUR 3.4M as tolerable misstatement and expected misstatement of EUR 150K, the sample size is (112,000,000 x 3.0) / 3,400,000 = 99 items. The team selects 100 items. Testing identifies two misstatements totalling EUR 47K.
Step 4: evaluate the result
The team projects the known errors across the population using the MUS tainting method. Projected misstatement is EUR 198K. That falls below tolerable misstatement of EUR 3.4M. The sample result supports the conclusion that revenue is not materially misstated, at the 95% confidence level.
Sampling risk here is controlled at 5% because the sample was sized for that level and the results fell within tolerance. If the team had accepted 10% sampling risk without linking that choice to the risk assessment, the smaller sample (67 items instead of 100) might have missed the two errors entirely.
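The sizing and evaluation steps above, written out as an added Python example that is not part of the original page. It assumes the R-factor is the zero-expected-error Poisson confidence factor, -ln(sampling risk), rounded to one decimal (which reproduces the 3.0 used above); the function names are hypothetical.

```python
import math

def r_factor(sampling_risk):
    # Assumption: zero-expected-error Poisson confidence factor, -ln(risk),
    # rounded to one decimal. 5% risk gives 3.0, the factor used in Step 2.
    return round(-math.log(sampling_risk), 1)

def mus_sample_size(population_value, tolerable, sampling_risk):
    # Step 3 formula: (population value x R-factor) / tolerable misstatement,
    # rounded up to a whole item.
    return math.ceil(population_value * r_factor(sampling_risk) / tolerable)

def evaluate(projected, tolerable, expected):
    # Dual evaluation: compare projected misstatement with BOTH the tolerable
    # misstatement and the expected misstatement used to size the sample.
    within_tolerable = projected < tolerable
    within_expected = projected <= expected
    if not within_tolerable:
        conclusion = "projected misstatement exceeds tolerable misstatement"
    elif not within_expected:
        conclusion = ("below tolerable but above expected misstatement: "
                      "sampling risk may be higher than planned")
    else:
        conclusion = "below tolerable and within expected misstatement"
    return within_tolerable, within_expected, conclusion

if __name__ == "__main__":
    # Figures from the Rheintal Maschinenbau worked example (EUR).
    population = 112_000_000
    tolerable = 3_400_000
    expected = 150_000
    projected = 198_000

    print("R-factor at 5% risk:", r_factor(0.05))
    print("Sample size:", mus_sample_size(population, tolerable, 0.05))
    print("Evaluation:", evaluate(projected, tolerable, expected)[2])
```

Run on the worked example's figures, the second comparison is the one that fires: EUR 198K is far below tolerable misstatement but above the EUR 150K expected misstatement used at planning.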
Key standard references
- ISA 530.5(c) defines sampling risk as the risk that the auditor's conclusion based on a sample may differ from the conclusion reached if the entire population were tested.
- ISA 530.A1 identifies the two types: risk of incorrect acceptance and risk of incorrect rejection (for tests of details), or risk of assessing control risk too low and risk of assessing it too high (for tests of controls).
- ISA 530.7 requires the auditor to determine a sample size sufficient to reduce sampling risk to an acceptably low level.
- ISA 530.A22 requires the evaluation of results to compare projected misstatement against both tolerable and expected misstatement.
Frequently asked questions
What are the two types of sampling risk?
ISA 530.A1 identifies risk of incorrect acceptance (dangerous, leads to wrong opinion) and risk of incorrect rejection (wastes time but doesn't produce wrong opinion).
How is sampling risk controlled?
Primarily by increasing sample size. The acceptable level is set through the confidence level, which flows from the risk assessment.