Whenever a sampling approach is used (as opposed to testing an entire population) sampling risk is introduced. Sampling risk arises from the possibility that the conclusions that the auditor draws from testing the audit sample may be different from the conclusions that they would draw if the entire population had been tested.
In an audit context we are usually testing a population to determine whether an account balance is materially misstated. Sampling risk can be split into two areas, the risk of incorrect acceptance and the risk of incorrect rejection.
The risk of incorrect acceptance is the risk that the conclusion drawn from the audit sample is that the account balance is not materially misstated, when the population is actually materially misstated. The risk of incorrect rejection is the risk that the conclusion drawn from the audit sample is that the account balance is materially misstates, when in reality the population is not materially misstated.
Sampling risk can also be thought of in terms of detection risk - the possibility that the audit sample will not detect a misstatement that exceeds the maximum tolerable error (materiality). Detection risk is a planning concept and the auditor specifies it before selecting and testing the audit sample. It is one of the factors that must be considered in determining the sample size. It is easiest to explain this with the help of an example:
If you have a population of 10 items, and are selecting a sample of 2 from this population there are 45 possible combinations that you could select. If there is one "bad item" in the population, there are 9 possible combinations that you could select that contain the bad item, or 36 possible combinations that do not contain the bad item.
In this very simple situation the risk of selecting a sample that does not contain the bad item is 36/45 or 80% - far higher than the 10% you might assume given that there is only 1 bad item out of the population of 10.
This example also highlights the impact of the audit sample size on the detection risk. If we sample 3 items, there are 120 possible combinations and 84 possible combinations that do not contain the bad item. In this case the sampling risk is 84/120 or 70%.
In practice the auditor will specify the level of detection risk that they are comfortable with, and use this to determine the audit sample size.