What is sampling risk?

ISA 530.5(c) defines sampling risk as the risk that a sample-based conclusion diverges from what a 100% test would show. ISA 530.A1 splits this into two directions that carry very different consequences.

The risk of incorrect acceptance (for tests of details) or the risk of assessing control risk too low (for tests of controls) is the one that matters for audit quality. If the auditor concludes that a balance is not materially misstated when it actually is, the opinion is wrong. This is the direction that inspection bodies focus on.

The risk of incorrect rejection works the other way. The auditor concludes there is a problem when there is not. This wastes time (more testing, more investigation) but does not produce a wrong opinion. It affects efficiency, not effectiveness.

ISA 530.7 requires the auditor to design the sample so that sampling risk is reduced to an acceptably low level. "Acceptably low" is not defined numerically in the standard. In practice, firms set this through the confidence level: 95% confidence means 5% acceptable sampling risk, 90% means 10%. The choice flows from the risk assessment under ISA 315 (Revised), not from a default.

Key Points

  • Sampling risk exists on every engagement that uses sampling. The auditor controls it, not eliminates it.
  • ISA 530.A1 identifies two directions: the risk of incorrect acceptance and the risk of incorrect rejection.
  • Incorrect acceptance is the dangerous one because it leads to an unmodified opinion on materially misstated financial statements.
  • Increasing sample size is the primary mechanism for reducing sampling risk.

Why it matters in practice

The FRC's 2022 audit quality inspection report noted that several firms failed to evaluate sampling results against both tolerable misstatement and the expected misstatement used at planning. ISA 530.A22 requires this dual evaluation. If projected errors exceed the expected misstatement used to size the sample, the sampling risk may be higher than what the auditor planned for, even if projected errors are below tolerable misstatement.

Teams often document sampling risk as a single number (e.g., "sampling risk: 5%") without specifying which direction they are controlling. ISA 530.A1 distinguishes the risk of incorrect acceptance from the risk of incorrect rejection. The file should state which direction is relevant for the test and why.

Worked example: Rheintal Maschinenbau GmbH

Client: German precision engineering subsidiary, FY2024, revenue EUR 112M, HGB reporter (parent reports IFRS).

Population: 2,340 revenue transactions totalling EUR 112M, tested for occurrence.

Step 1 — Identify the sampling risk direction: The engagement team is testing whether recorded revenue transactions occurred. The relevant direction is the risk of incorrect acceptance: concluding that revenue is not materially overstated when it actually is.

Step 2 — Set the acceptable level: The risk of material misstatement for revenue occurrence is assessed as elevated (fraud risk under ISA 240.26). The team sets acceptable sampling risk at 5% (confidence level 95%, R-factor 3.0).

Step 3 — Calculate the sample and test: Using MUS with performance materiality of EUR 3.4M as tolerable misstatement and expected misstatement of EUR 150K: sample size = (112,000,000 x 3.0) / 3,400,000 = 99 items. The team selects 100 items. Testing identifies two misstatements totalling EUR 47K.

Step 4 — Evaluate the result: The team projects the known errors across the population using the MUS tainting method. Projected misstatement is EUR 198K. This is below tolerable misstatement of EUR 3.4M. The sample result supports the conclusion that revenue is not materially misstated, at the 95% confidence level.

Conclusion: The sampling risk is controlled at 5% because the sample was sized for that level and the results fell within tolerance. If the team had accepted 10% sampling risk without linking that choice to the risk assessment, the smaller sample (67 items instead of 100) might have missed the two errors entirely.

Key standard references

  • ISA 530.5(c): Definition of sampling risk — the risk that the auditor's conclusion based on a sample may differ from the conclusion reached if the entire population were tested.
  • ISA 530.A1: The two types of sampling risk — risk of incorrect acceptance and risk of incorrect rejection (tests of details) or risk of assessing control risk too low/too high (tests of controls).
  • ISA 530.7: The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low level.
  • ISA 530.A22: Evaluation of results requires comparing projected misstatement to both tolerable and expected misstatement.

Related terms

Non-Sampling RiskConfidence Level in Audit SamplingSample Size DeterminationTolerable MisstatementStratification in Audit Sampling

Related tools

ISA 530 Sampling Calculator
ISA 530

Related reading

ISA 530: Audit Sampling — A Complete Guide
Blog guide
How to Design an Audit Sampling Plan
Blog guide

Frequently asked questions

What are the two types of sampling risk?

ISA 530.A1 identifies risk of incorrect acceptance (dangerous, leads to wrong opinion) and risk of incorrect rejection (wastes time but doesn't produce wrong opinion).

How is sampling risk controlled?

Primarily by increasing sample size. The acceptable level is set through the confidence level, which flows from the risk assessment.

This glossary entry is for educational purposes and does not constitute legal or professional advice. Always consult the applicable standard text for authoritative guidance.

Last reviewed: March 2026 · Standards version: IAASB 2024 Handbook