Before we look at the definition of non-sampling risk, let’s understand the background why we are even discussing this question i.e. why we even have something with the name “non-sampling risk”
In order to express an opinion, auditor needs sufficient appropriate audit evidence. To obtain audit evidence, auditor applies range of audit procedures.
But due to limited time and resources and also to conduct audit efficiently, auditor does not apply audit procedures to the whole population in consideration. Instead, he carefully selects reasonably small proportion, which is called sample, from such population and apply audit procedures on the selected sample and the conclusions drawn from such sample are later used to assess the risk in the whole population. In simple words, in order to understand the whole population, small part (which is representative of whole population) is selected and assessed. And on the basis of assessment of this small part, whole population is judged. This technique i.e. applying audit procedures to less 100% items inside a relevant population is called sampling.
As auditor will NOT assess every item inside population, it is possible that auditor might understand population incorrectly and his decision might have been different if the whole population was assessed instead of just a sample from population. This is sampling risk.
But while applying sampling approach any wrong conclusion reached by auditor is NOT always because of sampling. Auditors might draw wrong inferences because of such reasons which are not connected with sampling technique itself.
For example, auditor applied sampling technique, got the audit evidence and the audit evidence was reported correctly but auditor’s interpretation about the evidence was wrong. Now, wrong interpretation is auditor’s own fault and is not a fault of sampling and such mistake cannot be termed as sampling risk.
Therefore, the risk that auditor will reach conclusion for any reasons not because of the sampling technique and sampling risk is called Non-sampling risk.
Examples of non-sampling risk include:
- application of inappropriate audit procedures – even if the sample is good, thus reaching wrong conclusion
- misinterpretation of audit evidence – even if the audit procedures gave correct evidence but auditor is unable to understand audit evidence and thus reach wrong conclusion.
- failure to recognize misstatements – as misstatement was present, but auditor (due to any reason) fail to recognize the existence of misstatement(s).
By looking at the examples of non-sampling risk we can understand that auditor might end up expressing wrong opinion, therefore, non-sampling risk is definitely a part of audit risk. Now audit risk is a function of risk of material misstatement and detection risk. We should know to which component sampling and non-sampling risk belong.
To be very precise about non-sampling risk and its relationship with audit risk, we can safely say that sampling and non-sampling risks are part of (or components of) detection risk.
I concluded this on the basis of last sentence of para A5 of ISA 450 – Evaluation of Misstatements Identified During Audit which states:
“Undetected misstatements could exist because of the presence of sampling risk and non-sampling risk “
So, it is understood that these risks cause detection risk and for the same reason these are components of detection risk.
Special thanks to Asfar Khan for assisting in answering this question.
what is the risk,
if among the pre-numbered invoices
we found one invoice kept as blank