Scope and objectives
The Auditing standards provides guidance to auditors on their responsibilities in designing and implementing responses to the risks of material misstatement identified in a financial statement audit. The effective date of this SA 330 is for audits of financial statements for periods beginning on or after April 1, 2008. The objective of the auditor is to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement by designing and implementing appropriate responses to those risks.
The SA 330 provides definitions of two types of audit procedures: substantive procedures and tests of controls. Substantive procedures are designed to detect material misstatements at the assertion level, which can be achieved by performing tests of details or substantive analytical procedures. On the other hand, tests of controls are designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
The auditor is required to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. These responses may include emphasizing the need for professional scepticism, assigning more experienced staff or those with special skills, providing more supervision, incorporating additional elements of unpredictability in the selection of further audit procedures, and making general changes to the nature, timing, or extent of audit procedures. For instance, performing substantive procedures at the period end instead of at an interim date or modifying the nature of audit procedures to obtain more persuasive audit evidence.
The auditor’s assessment of the risks of material misstatement at the financial statement level is affected by the control environment. An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity. Therefore, the auditor may conduct some audit procedures at an interim date rather than at the period end. Conversely, deficiencies in the control environment require the auditor to conduct more audit procedures, obtain more extensive audit evidence, or increase the number of locations to be included in the audit scope.
The auditor’s approach depends on such considerations and may emphasize substantive procedures or use tests of controls as well as substantive procedures. In summary, the SA 330 provides guidance to auditors to design and implement appropriate responses to the risks of material misstatement identified in a financial statement audit by considering the control environment and implementing overall responses to address the assessed risks of material misstatement at the financial statement level.
Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the Assertion Level
The audit procedures that are responsive to the risks of material misstatement at the assertion level. Assertion-level risks refer to the risks that financial statement assertions contain misstatements that could be material to the overall accuracy of the financial statements. The auditor is required to design and perform further audit procedures that are based on and responsive to the assessed risks of material misstatement at the assertion level.
The auditor’s assessment of identified risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. The auditor may decide to perform tests of controls, substantive procedures, or a combination of both, depending on the specific risks identified. The nature, timing, and extent of audit procedures should be responsive to the assessed risks of material misstatement.
The nature of an audit procedure refers to its purpose and type, such as inspection, observation, inquiry, confirmation, recalculation, reperformance, or analytical procedure. The timing of an audit procedure refers to when it is performed, or the period or date to which the audit evidence applies. The extent of an audit procedure refers to the quantity to be performed, such as a sample size or the number of observations of a control activity.
The auditor must consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure. This includes the likelihood of material misstatement due to the inherent characteristics of the relevant class of transactions, account balance, or disclosure, and whether the risk assessment takes into account the relevant controls, requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively.
The auditor’s assessed risks may affect both the types of audit procedures to be performed and their combination. For example, when an assessed risk is high, the auditor may decide to confirm the completeness of the terms of a contract with the counterparty, in addition to inspecting the document. Certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of misstatement of the occurrence assertion.
The timing of audit procedures is also important. The auditor may perform tests of controls or substantive procedures at an interim date or at the period end. The higher the risk of material misstatement, the more likely it is that the auditor may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date. On the other hand, performing audit procedures before the period end may assist the auditor in identifying significant matters at an early stage of the audit, and consequently resolving them with the assistance of management or developing an effective audit approach to address such matters.
The auditor must design and perform further audit procedures that are responsive to the assessed risks of material misstatement at the assertion level, taking into account the nature, timing, and extent of the audit procedures. The auditor’s assessment of identified risks at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures.
Tests of Controls
The requirements and guidelines for designing and performing tests of controls during an audit. Tests of controls are performed to obtain sufficient appropriate audit evidence about the operating effectiveness of relevant controls when the auditor intends to rely on the controls in determining the nature, timing, and extent of substantive procedures or when substantive procedures alone cannot provide sufficient appropriate audit evidence.
The auditor must design and perform tests of controls only on those controls that they have determined are suitably designed to prevent, detect, and correct material misstatements in an assertion. If substantially different controls were used at different times during the period under audit, each control is considered separately.
The auditor may decide to test the operating effectiveness of controls at the same time as evaluating their design and implementation to increase efficiency. Additionally, risk assessment procedures may also provide audit evidence about the operating effectiveness of controls and can serve as tests of controls.
The auditor may also design a dual-purpose test of controls to be performed concurrently with a test of details on the same transaction. In some cases, the auditor may find it impossible to design effective substantive procedures that provide sufficient appropriate audit evidence, and in such cases, tests of relevant controls must be performed.
In designing and performing tests of controls, the auditor must obtain more persuasive audit evidence the greater the reliance they place on the effectiveness of a control. A higher level of assurance may be sought about the operating effectiveness of controls when the approach adopted consists primarily of tests of controls, in particular where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures.
The nature of the control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. Inquiry alone is not sufficient to test the operating effectiveness of controls, and other audit procedures must be performed in combination with inquiry. The extent of tests of controls may also need to be increased depending on the degree of reliance on controls and other factors, such as the frequency of control performance, length of time of reliance, expected rate of deviation from a control, and relevance and reliability of the audit evidence obtained. SA 530, “Audit Sampling,” provides further guidance on the extent of testing.
SA 330 also mentions that the inherent consistency of IT processing may not require an increase in the extent of testing of an automated control, and that the auditor may consider the degree of reliance placed on the IT control in determining the extent of testing.
Timing of Tests of Controls
The timing of tests of controls and how an auditor should use audit evidence obtained during an interim period or in previous audits.
The auditor is required to test controls for the particular time or throughout the period for which the auditor intends to rely on those controls to provide an appropriate basis for the intended reliance. If the auditor intends to rely on a control over a period, tests that are capable of providing audit evidence that the control operated effectively at relevant times during that period are appropriate. Such tests may include tests of the entity’s monitoring of controls.
When the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor is required to obtain audit evidence about significant changes to those controls subsequent to the interim period and determine the additional audit evidence to be obtained for the remaining period. The relevant factors in determining what additional audit evidence to obtain about controls that were operating during the period remaining after an interim period include the significance of the assessed risks of material misstatement at the assertion level, the specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel, the degree to which audit evidence about the operating effectiveness of those controls was obtained, the length of the remaining period, the extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls, and the control environment.
It also discusses using audit evidence obtained in previous audits. In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider factors such as the effectiveness of other elements of internal control, the risks arising from the characteristics of the control, the effectiveness of general IT-controls, the effectiveness of the control and its application by the entity, whether the lack of a change in a particular control poses a risk due to changing circumstances, and the risks of material misstatement and the extent of reliance on the control.
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods.
Overall, It provides guidance to auditors on when and how to test controls, and when it is appropriate to use audit evidence obtained during an interim period or in previous audits.
Substantive Procedures
The requirements and guidelines for auditors to design and perform substantive procedures during an audit. Substantive procedures refer to audit procedures that are designed to obtain audit evidence to detect material misstatements in the financial statements, regardless of the assessed risks of material misstatement. The purpose of substantive procedures is to ensure that the financial statements are free from material misstatement.
The auditor is required to perform substantive procedures for each material class of transactions, account balance, and disclosure. The auditor is also required to consider the nature and extent of substantive procedures based on the circumstances of the audit. The auditor may choose to perform only substantive analytical procedures or only tests of details, or a combination of both, depending on the assessed risks of material misstatement.
Substantive analytical procedures are generally more applicable to large volumes of transactions that tend to be predictable over time. The nature of the risk and assertion is relevant to the design of tests of details. The extent of substantive procedures may need to be increased when the results from tests of controls are unsatisfactory. In designing tests of details, the extent of testing is ordinarily thought of in terms of the sample size, but other matters are also relevant.
The auditor is required to consider whether external confirmation procedures are to be performed as substantive audit procedures. External confirmation procedures may provide relevant audit evidence relating to certain assertions, but there are some assertions for which external confirmations provide less relevant audit evidence. The auditor may determine that external confirmation procedures performed for one purpose provide an opportunity to obtain audit evidence about other matters.
It also discusses the auditor’s substantive procedures related to the financial statement closing process, which include agreeing or reconciling the financial statements with the underlying accounting records and examining material journal entries and other adjustments made during the course of preparing the financial statements. The nature and extent of the auditor’s examination of journal entries and other adjustments depend on the nature and complexity of the entity’s financial reporting.
Timing of Substantive Procedures
The timing of substantive procedures in auditing. It explains that in most cases, audit evidence from a previous audit’s substantive procedures is not relevant for the current period. However, in some exceptional cases where the subject matter has not fundamentally changed, previous audit evidence may be appropriate to use.
When substantive procedures are performed at an interim date, the auditor must cover the remaining period by performing further substantive procedures combined with tests of controls or by performing further substantive procedures alone. Performing substantive procedures only at an interim date without undertaking additional procedures at a later date increases the risk of not detecting misstatements that may exist at the period end.
Factors such as the control environment, availability of information, assessed risk of material misstatement, and the nature of transactions may influence the decision to perform substantive procedures at an interim date. If unexpected misstatements are detected at an interim date, the auditor should evaluate whether the planned nature, timing, or extent of substantive procedures covering the remaining period needs modification, which may include extending or repeating the procedures performed at the interim date at the period end.
Adequacy of Presentation and Disclosure
The auditor’s responsibilities with regards to evaluating the overall presentation of the financial statements, including the related disclosures, to ensure that they are in accordance with the applicable financial reporting framework.
The auditor is required to perform audit procedures to assess whether the individual financial statements are presented in a manner that accurately reflects the appropriate classification and description of financial information, and whether the form, arrangement, and content of the financial statements and their appended notes are appropriate. This includes an evaluation of the terminology used, the amount of detail given, the classification of items in the statements, and the bases of amounts set forth.
The auditor is responsible for ensuring that the financial statements are presented in a clear, accurate, and informative manner, in compliance with the applicable financial reporting framework.
Evaluating the Sufficiency and Appropriateness of Audit Evidence
An auditor must take to evaluate the sufficiency and appropriateness of the audit evidence obtained during an audit.
Firstly, the auditor must evaluate whether the initial assessment of the risks of material misstatement at the assertion level remain appropriate based on the audit procedures performed and the evidence obtained. The audit is a cumulative and iterative process, and as new information comes to light during the audit, the auditor may need to revise the planned audit procedures and reassess the risks of material misstatement.
If the auditor identifies discrepancies or errors during the audit, they must consider how these affect the assessed risks of material misstatement. The auditor must also consider all relevant audit evidence in forming their opinion, even if it appears to contradict the financial statement assertions.
The auditor’s judgment as to what constitutes sufficient appropriate audit evidence is influenced by various factors such as the significance and likelihood of potential misstatements, management’s responses and controls, previous audit experiences, audit procedures performed, source and reliability of available information, persuasiveness of audit evidence, and understanding of the entity and its environment.
If the auditor has not obtained sufficient appropriate audit evidence for a material financial statement assertion, they must attempt to obtain further evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, they must express a qualified opinion or a disclaimer of opinion.
Documentation
The auditor is required to document the overall responses taken to address the assessed risks of material misstatement at the financial statement level, including the nature, timing, and extent of the further audit procedures performed. This documentation must also include the linkage of the audit procedures performed with the assessed risks at the assertion level, and the results of the audit procedures performed, including any conclusions reached.
The form and extent of the audit documentation are matters of professional judgment and should be influenced by the nature, size, and complexity of the entity being audited, as well as the availability of information from the entity and the audit methodology and technology used in the audit.
If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor must document the conclusions reached about relying on such controls that were tested in a previous audit.
Finally, the auditor’s documentation must demonstrate that the financial statements agree or reconcile with the underlying accounting records. This is important to ensure that the financial statements are reliable and accurate.
The Auditor’s Responses to Assessed Risks
The Application Section of ISA 330 used to deal with the application of the requirements of ISA 330 to the audits of public sector entities. However, this specific reference to the applicability of the standard to public sector entities has been deleted. The reason for this is that the standards issued by the Auditing and Assurance Standards Board apply equally to all entities, regardless of their form, nature, and size.
SA 330 also highlights that even in the case of non-public sector entities, there may be special considerations that affect the auditor’s consideration of the nature, timing, and extent of further audit procedures. For example, the auditor may be required to give special considerations due to the terms of their appointment or any other special reporting requirements under the statute or regulation under which the entity operates. Therefore, the text explains that the fact that the auditor’s consideration of the nature, timing, and extent of further audit procedures may be affected by the audit mandate or any other special auditing requirements has been retained.
Quiz: The Auditor’s Responses to Assessed Risks
1. What is the objective of the auditor in relation to the assessed risks of material misstatement?
a) To prevent material misstatements in financial statements.
b) To obtain sufficient appropriate audit evidence.
c) To detect all risks of material misstatement.
d) To design and implement overall responses to risks.
Answer: b)
2. What are the two types of audit procedures defined in SA 330?
a) Inherent procedures and control procedures.
b) Substantive procedures and tests of controls.
c) Risk assessment procedures and analytical procedures.
d) Compliance procedures and substantive analytical procedures.
Answer: b)
3. What is the purpose of substantive procedures in an audit?
a) To evaluate the operating effectiveness of controls.
b) To assess the overall control environment.
c) To obtain audit evidence to detect material misstatements.
d) To design and implement responses to assessed risks.
Answer: c)
4. When may an auditor decide to perform tests of controls?
a) When substantive procedures alone are not sufficient.
b) When the control environment is effective.
c) When the risks of material misstatement are low.
d) When the financial statements are complex.
Answer: a)
5. How does the auditor’s assessment of risks affect the timing of audit procedures?
a) High-risk assessments require performing procedures at an interim date.
b) Low-risk assessments require performing procedures at the period end.
c) Risk assessments have no impact on the timing of procedures.
d) The timing of procedures is determined solely by the control environment.
Answer: a)
6. What is the purpose of tests of controls in an audit?
a) To detect material misstatements at the assertion level.
b) To evaluate the overall presentation of the financial statements.
c) To assess the effectiveness of internal controls.
d) To provide persuasive audit evidence about assertions.
Answer: c)
7. When may an auditor use audit evidence obtained in previous audits?
a) When the control environment has changed significantly.
b) When substantive procedures are not applicable.
c) When the auditor intends to rely on controls.
d) When the risks of material misstatement are low.
Answer: c)
8. What are the auditor’s responsibilities regarding the presentation and disclosure of financial statements?
a) To prepare the financial statements in accordance with the applicable framework.
b) To ensure the financial statements are accurate and error-free.
c) To evaluate the overall presentation and compliance with the reporting framework.
d) To classify and describe financial information accurately.
Answer: c)
9. What factors influence the auditor’s judgment regarding the sufficiency and appropriateness of audit evidence?
a) Significance and likelihood of potential misstatements.
b) Management’s responses and controls.
c) Previous audit experiences.
d) All of the above.
Answer: d)
10. What should the auditor do if they have not obtained sufficient appropriate audit evidence for a material financial statement assertion?
a) Modify the assessed risks of material misstatement.
b) Issue a qualified opinion or a disclaimer of opinion.
c) Reassess the initial assessment of risks.
d) Revise the planned audit procedures.
Answer: b)
Additional question:
11. What are some examples of overall responses an auditor may implement to address assessed risks of material misstatement at the financial statement level?
a) Conducting additional substantive procedures at an interim date.
b) Assigning more experienced staff or those with special skills.
c) Incorporating unpredictability in the selection of further audit procedures.
d) All of the above.
Answer: d)
12. How does the control environment influence the auditor’s assessment of risks of material misstatement?
a) An effective control environment reduces the need for audit procedures.
b) Deficiencies in the control environment require additional audit procedures.
c) The control environment has no impact on risk assessment.
d) The control environment only affects the timing of audit procedures.
Answer: b)
13. What factors should the auditor consider in determining the appropriate audit approach for designing and performing further audit procedures?
a) The nature of the risks identified.
b) The extent of controls in place.
c) The assessed risks of material misstatement.
d) All of the above.
Answer: d)
14. Which type of audit procedure is most responsive to the assessed risk of misstatement of the completeness assertion for revenue?
a) Tests of controls.
b) Substantive procedures.
c) Analytical procedures.
d) Inquiry procedures.
Answer: a)
15. When is it more effective to perform substantive procedures at the period end rather than at an earlier date?
a) When the risk of material misstatement is low.
b) When unexpected misstatements are detected at an interim date.
c) When the control environment is highly effective.
d) When the financial statements are simple and straightforward.
Answer: b)
16. What should the auditor consider when determining the timing of tests of controls?
a) The availability of information.
b) The control environment.
c) The assessed risks of material misstatement.
d) All of the above.
Answer: d)
17. How does the extent of tests of controls relate to the auditor’s reliance on controls?
b) The extent of testing is not influenced by reliance on controls.
c) The extent of testing is solely determined by the assessed risks.
a) The greater the reliance on controls, the higher the extent of testing.
d) Reliance on controls is not relevant to the extent of testing.
Answer: a)
18. What should the auditor do if they plan to use audit evidence from a previous audit about the operating effectiveness of specific controls?
a) Retest all controls in the current audit.
b) Test the controls at least once in every third audit.
c) Establish the continuing relevance of the audit evidence.
d) Rely solely on the previous audit evidence without further testing.
Answer: c)
19. Why is it important for the auditor to consider all relevant audit evidence, even if it appears to contradict the financial statement assertions?
a) To ensure consistency with management’s responses and controls.
b) To provide a comprehensive assessment of the risks of material misstatement.
c) To support the reliability and accuracy of the financial statements.
d) To avoid revising the planned audit procedures.
Answer: b)
20. What should the auditor’s documentation include regarding the assessed risks of material misstatement?
a) The nature, timing, and extent of further audit procedures performed.
b) The auditor’s judgment on the sufficiency of audit evidence.
c) The qualifications and disclaimers of opinion issued.
d) The linkage between the audit procedures and the financial statement assertions.
Answer: d)
Statement on Auditing Standards – SA 210
Statement on Auditing Standards – SA 220
Statement on Auditing Standards – SA 230
Statement on Auditing Standards – SA 240
Statement on Auditing Standards – SA 250
Statement on Auditing Standards – SA 260
Statement on Auditing Standards – SA 265
Statement on Auditing Standards – SA 299
Statement on Auditing Standards – SA 300
Statement on Auditing Standards – SA 315
Statement on Auditing Standards – SA 320
Statement on Auditing Standards – SA 330
Statement on Auditing Standards – SA 402
Statement on Auditing Standards – SA 450
Statement On Auditing Standards – SA 500
Statement on Auditing Standards – SA 501
Statement on Auditing Standards – SA 505
Statement on Auditing Standards – SA 510
Statement on Auditing Standards – SA 520
Statement on Auditing Standards – SA 530
Statement on Auditing Standards – SA 540
Statement on Auditing Standards – SA 560
Statement on Auditing Standards – SA 570
Statement on Auditing Standards – SA 580
Statement on Auditing Standards – SA 600
Statement on Auditing Standards – SA 610
Statement on Auditing Standards – SA 620
Statement on Auditing Standards – SA 700
Statement on Auditing Standards – SA 701
Statement on Auditing Standards – SA 705
Statement on Auditing Standards – SA 706
Statement on Auditing Standards – SA 710
Statement on Auditing Standards – SA 720
Statement on Auditing Standards – SA 800
Statement on Auditing Standards – SA 805
Statement on Auditing Standards – SA 810
Statement on Auditing Standards – SAE 3400
Statement on Auditing Standards – SAE 3402
Statement on Auditing Standards – SRE 2400
Statement on Auditing Standards – SRE 2410
Statement on Auditing Standards – SRS 4400
Statement on Auditing Standards – SRS 4410
