PSA 330 – The Auditor’s Responses to Assessed Risks

Further Audit Procedures:

1. Substantive procedures
o Designed to detect material misstatements at the assertion level
a. Test of details (of classes of transactions, account balances, and disclosures)
b. Analytical procedures
o Inspection, observation, confirmation, recalculation, analytical procedures, inquiries
2. Test of controls
o Designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material
misstatements at the assertion level.
o Inquiries, inspection, observation, reperformance

Overall Responses to Assessed Risks – example:

 Emphasizing the need to maintain professional skepticism
 Assigning more experienced staff or those with special skills or using experts
 Changes to the N, T, E of direction and supervision of members of the engagement team and the review of the work
performed
 Unpredictability in the selection of further audit procedures
 Changes to the overall audit strategy as required by PSA 300, or planned audit procedures. These may include changes
to:
o Performance materiality
o Plans to test the operating effectiveness of controls and the persuasiveness of audit evidence needed,
particularly when deficiencies in control environment or monitoring activities are identified
o NTE of substantive procedures (e.g. testing at or near year-end when RMM is assessed as higher)

Audit Procedures Responsive to Assessed RMM at the Assertion Level

The auditor shall design and perform audit procedures whose Nature, Timing, Extent are based on and are responsive to
assessed risks of material misstatements at the assertion level.

Audit approaches to specific assertions:

a. Only by performing TOC may the auditor effectively respond to assessed risks
b. Substantive tests only
o The auditor excludes the effect of controls from the assessment of the RMM.
o May be because auditor has not identified a risk for which substantive alone cannot provide sufficient
appropriate audit evidence, therefore, not required to test the operating effectiveness of controls
 Risks for which substantive alone cannot provide sufficient appropriate audit evidence refer to risks
relating to the inaccurate or incomplete recording of routine and significant classes of
transactions/account balances, which permit highly automated processing with little or no manual
intervention.
o Previous PSA 315:
o Auditor has not identified any effective controls relevant to the assertion or
o Testing controls would be inefficient
c. Combination of TOC and Substantive tests

 The auditor need not design and perform further audit procedures where the assessment of RMM is below the acceptably low
level

 However, irrespective of the approach selected and the assessed RMM, the auditor designs and performs substantive
procedures for each material class of transactions, account balance and disclosure.

In designing audit procedures, the auditor shall:

a. Consider the reasons for the assessment given to the RMM at the assertion level for each significant class of
transactions, account balance, and disclosure, including:
i. The likelihood and magnitude of misstatement due to particular characteristics of the significant class of
transaction, account balance and disclosure (inherent risk), and
ii. Whether the risk assessment takes into account controls that address the RMM (control risk) thereby requiring
obtaining evidence about whether they are operating effectively (that is, the auditor plans to test the operating
effectiveness of controls)

Nature of audit procedures

o purpose (i.e. TOC or substantive tests)
o type (i.e. Inspection, observation, inquiry, confirmation, recalculation, reperformance, analytical procedures)

Timing of audit procedures

o when it is performed, or the period or date to which the evidence apply
o Considerations when deciding when to perform audit procedures (e.g. interim or year-end)
 Control environment
 Availability of relevant information
 Nature of risk (e.g. fraud risk)
 The period or date to which the audit evidence relates
 Extent
o quantity to be performed or quantity of evidence to be obtained
o determined after considering materiality, assessed risk and degree of assurance the auditor plans to obtain.
o in general, extent increases as RMM increases o however, increasing the extent is effective only if the audit
procedure itself of relevant to the specific risk.
o use of CAATs may enable more extensive testing.

Consideration specific to smaller entities

o there may not be many controls present, or the extent of their operation or documentation may be limited. In
such case, it may be more efficient to design further procedures that are primarily substantive.
o Consider, however, whether that absence of controls or of components of the system of internal control may
make it impossible to obtain sufficient appropriate evidence.

b. Obtain more persuasive audit evidence the higher the auditor’s assessment of risk

Tests of Controls

 Performed when:
a. Assessment of RMM at the assertion level includes an expectation that controls are operating effectively (i.e. auditor
plans to test the operating effectiveness of controls in determining the NTE of substantive tests); or
b. Substantive procedures alone cannot provide sufficient, appropriate evidence at the assertion level

 The greater the reliance the auditor places on the effectiveness of controls, the more persuasive audit evidence should be
obtained from TOC.

 Nature and extent of TOC – the auditor shall

a. Perform other audit procedures in combination with inquiry (meaning inquiry alone is not sufficient), to obtain
evidence about operating effectiveness of controls, including:

i. How the controls were applied at relevant times during the period under audit
ii. Consistency with which they were applied
iii. By whom or by what means they were applied

 Nature of controls influences the type of procedures, for example:

o Documented controls may be tested by inspection
o Controls without documentation may be tested by inquiry + observation
o Controls are performed by computers may be tested by use of CAATs

 Matters considered in determining the extent of TOC:

o Degree of planned reliance on controls
o Frequency with which the controls are performed during the period
o Length of time during the audit period the auditor is relying on the operating effectiveness of the
controls
o Expected rate of deviation
o Quality (relevance and reliability) of the audit evidence obtained
o The extent to which evidence is obtained from tests of other controls

b. To the extent not already addressed, determine whether the controls to be tested depends on other (indirect)
controls, and if so, whether it is necessary to obtain evidence about the operating effectiveness of those indirect
controls

 Example of direct and indirect controls

o For instance, the auditor wants to test the effectiveness of a user review of exception reports detailing
sales in excess of authorized credit limits.
o The user review and related follow up is control directly relevant to the auditor.
o Controls over the accuracy of the exception reports are indirect controls.

 Timing of TOC
o Depends on the time/period for which the auditor intends to rely on the controls:
 May be for a particular time (such as testing control over physical inventory count at year end)
 May be throughout a period (such as controls over purchasing throughout the year)

o When evidence is obtained for TOC at an interim period, the auditor shall
 Obtain evidence about significant changes subsequent to the interim period tested
 Determine the additional evidence to be obtained for the remaining period, considering:
 Significance of assessed RMM
  Specific controls tested and significant changes since they were tested (including systems and
personnel)
 Degree to which evidence about the operating effectiveness was obtained
 Length of the remaining period
 Extent to which the auditor intends to further reduce substantive tests
 The control environment

 Use of audit evidence (on operating effectiveness of controls) obtained in previous audits
o Auditor shall consider:
 Effectiveness of other components of the entity’s system of internal control, including the control
environment, entity’s process to monitor the system of internal control, and the entity’s risk assessment
process;
 Risks arising from the characteristics of controls – including whether manual or automated
 Effectiveness of general IT controls;
 Effectiveness of the control and its application by the entity, including nature and extent of deviations,
and personnel changes;
 Whether the lack of a change in control poses a risk due to changing circumstances; and
 Risk of material misstatement and the extent of reliance on the control

o If the auditor plans to use evidence from previous audit, the auditor shall establish continuing relevance and
reliability of that evidence by obtaining evidence about whether significant changes have occurred subsequent to
the previous audit, by performing inquiry + observation or inspection

 If there have been significant changes that affect its continuing relevance, the auditor shall test the
controls in the current audit.

 If there have been no significant changes, the auditor shall test the controls at least once every third
audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which
the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit
periods.

 For controls over significant risks which the auditor intends to rely on, the auditor shall test those
controls in the current period.

o In general, the higher the risk of material misstatement, or the greater the reliance on controls, the shorter the
time period elapsed, if any, is likely to be. Factors that may decrease the period for retesting a control, or result
in not relying on audit evidence obtained in previous audits at all, include the following:
 A deficient control environment.
 Deficient monitoring of controls.
 A significant manual element to the relevant controls.
 Personnel changes that significantly affect the application of the control.
 Changing circumstances that indicate the need for changes in the control.
 Deficient general IT-controls.

 Evaluating the operating effectiveness of controls

o When evaluating the operating effectiveness of controls upon which the auditor intends to rely, the auditor shall
evaluate whether misstatements that have been detected by substantive procedures indicate that controls are
not operating effectively.
o The absence of misstatements detected by substantive procedures, however, does not provide audit evidence
that controls related to the assertion being tested are effective.
 A material misstatement detected by the auditor’s procedures is a strong indicator of the existence of a
significant deficiency in internal control.

 If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to
understand these matters and their potential consequences, and shall determine whether:
a. The TOCs that have been performed provide an appropriate basis for reliance on the controls;
b. Additional TOCs are necessary; or
c. The RMM need to be addressed using substantive procedures.

Substantive Procedures
 Irrespective of assessed risk of material misstatement, the auditor shall design and perform substantive procedures
for each material class of transactions, account balance and disclosures.
o This is because (1) risk assessment is judgmental and the auditor may not be able to identify all RMM and (2)
there are inherent limitations to internal control, including management override.

 Substantive analytical procedures

o Depending on the circumstances, may be
 Substantive analytical procedures only
 Tests of details only
 Combination of substantive analytical procedures and tests of details
 Substantive analytics
- generally applicable to large volumes of transactions that tend to be predictable over time.

o Substantive procedures related to the Financial Statement Closing Process

 Shall include:
a. Agreeing or reconciling the financial statements with the underlying accounting records
b. Examining journal entries and other adjustments made during the course of preparing the financial
statements.

o Timing of substantive tests

 Factors that may influence whether to perform substantive tests at an interim date:
a. Control environment and other relevant controls
b. Availability at a later date of information necessary for the auditor’s procedures
c. Purpose of the substantive procedure
d. Assessed risk of material misstatement
e. Nature of the class of transactions or account balance and related assertions
f. Ability of the auditor to perform appropriate substantive tests or substantive tests combined with
TOC to cover the remaining period

 Generally, the higher the risk of material misstatements, the more likely the auditor is to design
substantive procedures closer to year-end.

 When substantive procedures are performed at an interim date, the auditor shall cover the remaining
period by performing:
a. substantive procedures, combined with tests of controls for the intervening period; or
b. if the auditor determines that it is sufficient, further substantive procedures only, that provide a
reasonable basis for extending the audit conclusions from the interim date to the period end.

 Performing substantive tests at an interim date without undertaking additional procedures at a later
date increases the risk that the auditor will not detect misstatements that may exist at the period
end (incremental audit risk). The risk increases as the remaining period is lengthened.

 Misstatements detected at an interim date:

If misstatements that the auditor did not expect when assessing the risks of material
misstatement are detected at an interim date, the auditor shall evaluate whether the related
assessment of risk and the planned nature, timing, or extent of substantive procedures covering the
remaining period need to be modified. This modification may include extending or repeating procedures
performed at the interim date at the period end.

Adequacy of Presentation and Disclosure

 The auditor shall perform audit procedures to evaluate whether the overall presentation of the financial statements,
including the related disclosures, is in accordance with the applicable financial reporting framework.
 This includes proper classification, description of financial information, form, arrangement, content, terminology used, the
amount of detail given, classification of items, bases of amounts.

Evaluating the Sufficiency and Appropriateness of Audit Evidence

 Shall evaluate before the conclusion of the audit whether the assessments of the risks of material misstatement at the
assertion level remain appropriate.
o The extent of misstatements that the auditor detects by performing substantive tests may alter the judgment
about risk assessments and may indicate significant deficiency in internal control.
o Analytical procedures at the overall review state may indicate a previously unrecognized RMM.
o The auditor cannot assume that an instance of fraud or error is an isolated occurrence.

 The auditor shall conclude whether sufficient appropriate audit evidence has been obtained. The auditor shall consider all
relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial
statements.

 If the auditor has not obtained sufficient appropriate audit evidence related to relevant assertion, the auditor shall attempt
to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall
express a qualified opinion or a disclaimer of opinion.

Significant Risks
 Test of controls
o When the auditor plans to rely on controls over a significant risk, the auditor shall test those controls in the
current period.
 Substantive tests
o When the auditor has identified a significant risk, the auditor shall perform substantive procedures that are
responsive to that risk.
o When the auditor’s approach consists only of substantive procedures (no TOC), those procedures shall include
tests of details.