Thanks for helping me to understand.

I see now that if I give a user read only permission and they attempt to update a table, it will log a failure. This is very good.

The confusion was when I was expecting a user who runs a bad query such as a select of a table that does not exist that it would record that as well. But technicly as you say, it is a successful select but of non existant data. These type of things are not logged by SQL Server Audit but would help us to detect anyone who was fishing for data.

Thanks again.