SA 330 - The Auditor's Responses to Assessed Risks

# SA 330 — The Auditor's Responses to Assessed Risks

## Auditor's Responsibility

The auditor must design and implement responses to the ROMM identified and assessed under SA 315.

In designing Further Audit Procedures (FAP), the auditor shall:

• Consider reasons for the risk assessment at the assertion level for each CAD — including both inherent risk and control risk
• Obtain more persuasive audit evidence when the auditor's assessment of risk is higher

## When Must the Auditor Perform Tests of Controls (TOC)?

TOC must be performed to obtain SAAE about operating effectiveness of controls when:

1. The auditor's assessment of ROMM at assertion level includes an expectation that controls are operating effectively (i.e. the auditor intends to rely on controls), OR

2. Substantive procedures alone cannot provide SAAE at the assertion level (e.g. highly automated processing with no paper trail).

> When the audit approach consists mainly of TOC (because substantive procedures alone are insufficient), a higher level of assurance about IC operating effectiveness is required.

> When more persuasive evidence is needed about IC effectiveness → increase the extent of TOC and the degree of reliance on controls.

## Matters Determining Extent of TOC

• Relevance and reliability of audit evidence on operating effectiveness
• Extent to which evidence is obtained from tests of other controls
• Length of time the auditor is relying on operating effectiveness
• Frequency of performance of the control during the period
• Expected rate of deviation from the control

## Using Audit Evidence Obtained in Previous Audits

To decide whether evidence from prior periods can be used, consider:

• ROMM and the extent of reliance on the control
• Risks from nature of control — manual vs automated
• Effectiveness of the control and its application — including nature of deviations
• Effectiveness of general IT-controls
• Effectiveness of other IC elements — control environment, monitoring, RAP
• Whether lack of change in the control poses risk due to changing circumstances

## Deviations Detected During TOC

When deviations are detected, the auditor shall make specific inquiries and determine whether:

• TOC performed provide an appropriate basis for relying on controls
• Additional TOCs are necessary, OR
• The potential ROMM needs to be addressed using substantive procedures

## Substantive Procedures

Substantive procedure = an audit procedure designed to detect material misstatement (MM) at the assertion level. It comprises:

### A. Tests of Details (TOD)

• Tests of transactions — i.e. vouching
• Tests of balances — i.e. verification

### B. Substantive Analytical Procedures (SAP)

• Governed by SA 520

## Mandatory Substantive Procedures — Even at Low Assessed Risk

The auditor must perform substantive procedures even when assessed ROMM is LOW, because:

• The auditor's assessment of risk is judgmental and may not identify all ROMM.
• IC has inherent limitations (collusion, management override, human error).

## Mix of Substantive Procedures — Auditor's Judgment

Depending on circumstances, the auditor may decide:

• Only SAP is sufficient to reduce audit risk to an acceptably low level
• Only TOD are appropriate
• A combination of SAP and TOD is most responsive

> Extent of substantive procedures is INCREASED when results of TOC are UNSATISFACTORY (because controls cannot be relied upon).

## Relationship: ROMM ↔ Audit Evidence

## Quick Summary Map

```

SA 315 (identify & assess ROMM)

↓

SA 330 (respond to ROMM)

↓

┌────┴────┐

TOC Substantive Procedures (mandatory)

┌──────┴──────┐

TOD SAP (SA 520)

(Vouching +

Verification)

```