## Auditor's Responses to Assessed Risks — SA 330

### Objective

The auditor's objective is to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement (ROMMS) by designing and implementing appropriate responses to those risks.

---

### Two Levels of Response

#### Level 1 — Financial Statement Level (Overall Responses)

The auditor designs and implements overall responses to address ROMMS at the financial statement level.

Examples of overall responses:

  • Assigning more experienced staff to high-risk engagements
  • Increasing overall unpredictability in audit procedures
  • Making more extensive use of professional skepticism

#### Level 2 — Assertion Level (Further Audit Procedures)

The auditor designs further audit procedures whose nature, timing and extent are based on and responsive to the assessed ROMMS at the assertion level:

  • Nature — type of procedure (test of control or substantive; inspection, inquiry, confirmation, recalculation, re-performance, analytical)
  • Timing — when the procedure is performed (interim vs. year-end)
  • Extent — quantity (sample sizes, number of locations)

---

### Designing Further Audit Procedures — Two Key Considerations

#### Consideration 1 — Reasons Behind the Risk Assessment

For each class of transactions, account balance, and disclosure, the auditor considers:

| Risk Component | Question to Ask | Implication |
|---|---|---|
| Inherent Risk | Could material misstatement occur due to the characteristics of this item? | Drives the nature of substantive procedures |
| Control Risk | Does the risk assessment rely on controls operating effectively? | If yes, auditor must test those controls |

#### Consideration 2 — Persuasiveness of Evidence

> The higher the assessed risk, the more persuasive the audit evidence required.

  • High risk → External confirmations, auditor's own recalculations, year-end testing
  • Lower risk → Internal documents, analytical procedures, interim testing acceptable

---

### The Risk-Response Linkage

```
Risk Assessment (RAP) → Assessed ROMMS → Designed Responses

Financial Statement Level: Overall Responses
        +
Assertion Level: Further Audit Procedures (Nature + Timing + Extent)
```

The audit plan must demonstrate a clear, documented linkage between each identified risk and the procedure designed to address it.

Worked example

### Example 1

Example — Overall Response at FS Level:

The auditor assesses a pervasive risk of management override at a family-owned company. As an overall response, the auditor:

  • Assigns the engagement manager to personally perform journal entry testing (rather than delegating)
  • Introduces unannounced procedures not disclosed in the audit plan
  • Applies heightened professional skepticism across all areas

### Example 2

Example — Assertion Level Response Linked to Inherent Risk:

For a construction company using the percentage-of-completion method, inherent risk for revenue is HIGH (complex estimates, management judgment). The auditor's response:

  • Nature: Independent recalculation of completion percentages using engineering reports; external confirmation of contract terms
  • Timing: Year-end (not interim — results could shift significantly)
  • Extent: Test all contracts above ₹1 crore; stratified sampling for smaller contracts

### Example 3

Example — Assertion Level Response Linked to Control Risk:

The auditor assesses control risk for payroll as LOW based on automated system controls. To rely on this assessment, the auditor MUST test those controls (e.g., test IT general controls over access to the payroll system). If the tests of controls confirm that they operate effectively, substantive procedures on payroll can be reduced in extent.

⚠️ Common exam mistakes

  • Designing a single standard audit program for all clients instead of tailoring responses to the specific assessed risks — SA 330 requires responses to be responsive to assessed risks
  • Confusing the two levels: overall responses (FS level) address pervasive risks; further audit procedures (assertion level) address specific identified risks — both are required
  • Relying on controls without testing them — if the risk assessment 'takes into account relevant controls,' the auditor MUST test those controls to obtain evidence they operate effectively
  • Treating higher assessed risk as only requiring more of the same procedures — higher risk may require a change in the NATURE of procedures (more persuasive), not just a larger sample size

Bare-Act text: SA 330, Para 5-6 (The Auditor's Responses to Assessed Risks)

> The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. The auditor shall design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.