Auditing and Corporate Governance

ISA 330: The Auditor’s Responses to Assessed Risks

Understand how ISA 330 guides auditors from risk assessment to action, detailing the design of a responsive audit strategy to address specific threats.

International Standard on Auditing (ISA) 330 provides a framework for how an auditor responds to risks identified during an audit’s planning phase. After assessing a company’s potential for material misstatements in its financial statements, as guided by ISA 315, ISA 330 dictates the subsequent actions. The standard is about moving from assessment to action, ensuring the auditor designs and performs procedures to gather sufficient, appropriate evidence.

Overall Responses to Assessed Risks

Overall responses are broad adjustments to the audit strategy, designed to address risks that could affect the financial statements as a whole. These are high-level changes to the audit’s conduct rather than specific tests on individual transactions. These responses set the tone and intensity for the engagement.

One common overall response is to modify the audit’s staffing. An engagement with higher assessed risks may warrant assigning more experienced auditors or those with specialized skills. For instance, if complex financial instruments are a source of risk, a specialist in that area might be added to the team.

Another response involves a heightened emphasis on professional skepticism, meaning the audit team approaches the engagement with a questioning mind and does not simply accept management’s explanations. The audit plan might also incorporate unpredictability by varying the timing of certain tests or selecting items for testing using unanticipated methods. Increased supervision of the audit team is another tactic, ensuring that work is reviewed more thoroughly.

Designing and Performing Further Audit Procedures

Further audit procedures are the specific actions an auditor takes to address risks at the assertion level, relating to individual account balances, classes of transactions, and disclosures. These procedures are divided into two main categories: tests of controls and substantive procedures. The selection of these procedures is tailored to the specific risks identified.

Tests of controls are audit procedures performed to evaluate the operating effectiveness of a company’s internal controls, which are the policies the company has in place to prevent or correct misstatements. An auditor performs these tests when intending to rely on the controls to reduce other testing. For example, if a control requires a manager’s signature on purchase orders over $5,000, the auditor might examine a sample of orders to verify the signature is present.

Substantive procedures are designed to detect material misstatements directly in the financial data, and performing them for all relevant assertions is mandatory. These procedures include tests of details, which involve examining individual transactions and balances. An example is vouching a sample of sales transactions to shipping documents and invoices to confirm they occurred.

Substantive analytical procedures involve evaluations of financial information by studying plausible relationships among financial and non-financial data. For instance, an auditor might analyze the relationship between a hotel’s occupancy rates and its revenue. If revenue increased significantly while occupancy rates remained flat, it could indicate a risk of misstatement requiring further investigation. Such procedures can be effective in identifying inconsistent fluctuations or relationships.

Determining the Nature, Timing, and Extent of Procedures

An auditor must determine the specific characteristics of their audit procedures by deciding on their nature, timing, and extent. These decisions are directly influenced by the assessed level of risk, as higher risk demands more persuasive audit evidence.

The nature of an audit procedure refers to its purpose (to test a control or substantiate a balance) and its type. The type of procedure can include:

  • Inspection of records
  • Observation of a process
  • Inquiry of personnel
  • External confirmation with third parties
  • Recalculation
  • Reperformance of a company’s procedure

For a high-risk area, an auditor will choose procedures that provide more reliable evidence, such as obtaining a confirmation from a bank rather than inquiring with company management about a cash balance.

Timing refers to when the audit procedures are performed, either at an interim date or at the period end. Performing tests at an interim date may be efficient, but it introduces risk that misstatements could arise in the remaining period. If an auditor tests controls at an interim date and plans to rely on them, they must perform additional procedures to cover the intervening period.

The extent of a procedure refers to the quantity of items tested, often determined by a sample size. The extent of testing is directly linked to the risk of material misstatement and the desired level of assurance. For example, in response to a high risk of inventory obsolescence, an auditor would increase the number of inventory items they physically inspect. A higher perceived risk requires a larger sample size to gather sufficient evidence.

Documentation Requirements

ISA 330 specifies what must be documented regarding the responses to assessed risks. This documentation creates a clear trail of the auditor’s work, linking the identified risks to the procedures performed and the conclusions reached, which serves as evidence that the audit was performed in accordance with professional standards.

The auditor must document the overall responses implemented to address risks at the financial statement level. This includes recording strategic decisions, such as assigning more experienced staff or increasing professional skepticism. The documentation should explain the rationale for these high-level responses and how they address the identified risks.

The auditor must also document the nature, timing, and extent of the further audit procedures for each assertion. This includes documenting the linkage between these procedures and the specific risks they were designed to address. For example, the audit file should show that specific substantive procedures were performed to mitigate the assessed risk of revenue overstatement.

Finally, the results of all audit procedures, including both tests of controls and substantive procedures, must be documented. If procedures were performed at an interim date, the auditor must also document the additional work performed to cover the remaining period and the conclusions reached. This record provides the basis for the auditor’s final opinion on the financial statements.

Previous

AS 2101: Requirements for Planning an Audit

Back to Auditing and Corporate Governance
Next

What Is a Single Audit Under Uniform Guidance?