CA
Tax Tutor
A

SA 330 — The Auditor's Responses to Assessed Risks

Once you've assessed the risks of material misstatement (that's SA 315's job), you can't just stop there — you have to do something about them. SA 330 is that 'doing something' standard. Think of it this way: SA 315 is the doctor's diagnosis, SA 330 is writing the prescription.

SA 330 requires the auditor to design and perform audit procedures whose nature, timing, and extent are directly linked to the assessed risk level. This works at two levels. First, overall responses — these are broad changes to how the audit is conducted regardless of any specific area. For example, if you assess the entity's control environment as weak (say, Mr. Kapoor's family-run firm where the owner signs everything himself), you might assign more experienced staff, increase unpredictability in your procedures, or apply more professional skepticism across the board. Second, specific responses — these are targeted at individual risk assessments for particular assertions.

For specific responses, the auditor chooses between two types of procedures. Tests of controls check whether the client's internal controls are actually working. You use these when you plan to rely on those controls to reduce your substantive work. But — and this is exam gold — SA 330 says you must always perform substantive procedures for each material class of transactions, account balance, and disclosure. You cannot skip substantive procedures even if controls look perfect. Substantive procedures themselves split into two: substantive analytical procedures (comparing numbers, ratios, trends) and tests of details (vouching individual transactions, confirming balances). For higher-risk areas, you lean harder on tests of details.

The standard also stresses timing — doing procedures closer to year-end gives more relevant evidence for higher-risk areas. If you test inventory in October for a December year-end entity, you'll need to cover the gap period too. Finally, after all procedures are done, SA 330 requires the auditor to evaluate whether sufficient appropriate evidence has been obtained. If a gap remains, you must perform additional procedures or modify your opinion. This evaluation links directly to SA 700 (forming the audit opinion).

📊 Worked example

Example 1 — Deciding between tests of controls vs. substantive procedures

Rajesh & Co. Pvt. Ltd. has a well-documented purchase approval system: every purchase above ₹50,000 requires dual authorization. During risk assessment, you identify the risk of unauthorized purchases as low because controls appear strong.

Question: What audit response does SA 330 require?

Working:

  • Step 1: Since risk is assessed as low (due to strong controls), you plan to rely on controls → perform Tests of Controls.
  • Step 2: Test a sample of, say, 25–30 purchase transactions above ₹50,000. Verify dual authorization signatures exist on each.
  • Step 3: Even though controls tested fine, SA 330 mandates you still perform substantive procedures. So you also reconcile the purchase ledger to creditor statements and vouch 10 large invoices to GRNs.
  • Final answer: Both tests of controls AND substantive procedures are required. Skipping substantive procedures entirely is never permissible under SA 330.

---

Example 2 — Adjusting extent of procedures for higher risk

Ms. Iyer is auditing a standalone trader with revenue of ₹8 crore. Risk assessment flags revenue recognition as a high-risk area (year-end sales of ₹1.2 crore look inflated).

Working:

  • Step 1: High inherent risk → cannot rely on controls alone; increase tests of details.
  • Step 2: Sample size increases. Instead of vouching ₹50 lakh worth of sales, you vouch ₹90 lakh (75% of flagged amount).
  • Step 3: Perform external confirmations for debtors totalling ₹75 lakh (top 15 customers).
  • Step 4: Perform cutoff testing — check 20 transactions either side of 31 March.
  • Final answer: Audit evidence gathered = confirmations + vouching + cutoff tests. The higher the risk, the greater the nature, timing, and extent of procedures required.

⚠️ Common exam mistakes

  • Students confuse SA 315 and SA 330 — SA 315 is about identifying and assessing risks; SA 330 is about responding to them. In the exam, if the question asks 'what procedures would you design?', that's SA 330, not SA 315.
  • Thinking you can skip substantive procedures if controls are strong — Wrong. SA 330 explicitly says substantive procedures are mandatory for every material item. Don't write 'since controls are effective, no substantive testing needed' — you will lose marks.
  • Mixing up 'nature, timing, and extent' — Many students list these but can't explain them. Nature = type of procedure (inspection, confirmation, etc.). Timing = when (interim vs. year-end). Extent = how much (sample size). Memorise these three with examples.
  • Forgetting the evaluation step — SA 330 doesn't end at performing procedures. You must conclude whether sufficient appropriate evidence was obtained. Exam answers that stop at 'procedures performed' without this final evaluation are incomplete.
  • Treating overall responses and specific responses as the same thing — Overall responses affect the whole audit (e.g., changing staff or adding unpredictability). Specific responses target individual risk areas. Questions sometimes ask you to 'distinguish' — make sure you can write two clear separate points for each.
📖 Reference: SA 330 — Institute of Chartered Accountants of India
Test yourself
Practice questions on this section, AI-graded with citations.
⚡ Practice now →