This article considers the requirements of ISA 330, The Auditor’s Responses to Assessed Risks. The main objective of ISA 330 is to give guidance on how auditors should obtain sufficient appropriate evidence regarding the assessed risks of material misstatement by designing and implementing appropriate responses to those risks. UK and Irish students should note that there are no significant differences between ISA 330 and the UK and Ireland version of this standard.
Of central importance to both ISA 315 (Revised 2019) and ISA 330 is the recognition that assessing risk is at the core of the audit process, and these two ISAs specify that the auditor is required to obtain an understanding of the risk relevant to the financial statements. Paragraph 6 of ISA 330 requires that:
‘The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.’
ISA 330 requires that auditors should carry out tests of control and substantive procedures, and paragraph 4 of the ISA gives the definitions shown in Table 1.
Students often find it quite difficult to comprehend what tests of control and substantive procedures are, to explain the difference between them, and also to give examples of both. One important difference between them is that tests of control are usually short, quick tests which generate either a ‘yes’ or a ‘no’ answer, where ‘yes’ is favourable (confirming the operation of an internal control), and ‘no’ is unfavourable (indicating that an internal control is not operating satisfactorily). Substantive procedures, however, as the name suggests, are more substantive and time consuming, requiring more detailed audit work to be carried out. The following examples, in the context of a purchases system, should help.
Consider when the auditor reviews a company’s purchases system and internal controls, and the assertion of occurrence (that recorded purchases represent goods and services received and which pertain to the entity). An appropriate internal control would be that purchase orders are raised for each purchase and are authorised by appropriate senior personnel.
Table 1: ISA 330 tests of control and substantive procedures definitions
Test of control
|An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.||An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise tests of details (of classes of transactions, account balances and disclosures) and substantive analytical procedures.|
A test of control would be to examine a sample of purchase orders to ensure that they have been appropriately authorised. A ‘yes’ answer would confirm that the internal control requiring authorisation of purchase orders is working, whereas a ‘no’ answer would indicate that the internal control does not appear to be working, hence requiring further audit investigation.
Another example of a test of control for a purchases system would be to inspect a sample of goods received notes to confirm that stores inwards staff sign for goods received. Once again, a ‘yes’ answer is positive, confirming that staff have signed the goods received note and a ‘no’ answer would be negative, requiring further audit work to be carried out to determine why the goods received note had not been signed. This test of control would also help to confirm the occurrence assertion.
ISA 330 requires that the auditor shall always carry out substantive procedures on material items irrespective of the assessed risks of material misstatement, and that the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure. According to the IAASB Glossary of Terms 1, substantive procedures fall into two categories, ‘tests of details’ and ‘substantive analytical procedures’ (or simply ‘analytical procedures’, as they are usually described). ISA 330 says that auditors must decide when it is most appropriate to use which type of substantive procedure. Analytical procedures are outside the scope of this current article and the examples given below are examples of tests of details.
Substantive procedures will invariably tend to involve more work than tests of control. Consider once again the example of the purchases system for a manufacturing company and the assertion of existence for account balances in the statement of financial position. Typical tests of detail would involve some physical verification of year-end balances outstanding, which would require obtaining and reviewing the closing purchase ledger account balances for a sample of purchase ledger accounts with selected suppliers. Typically, this could include agreeing the closing balance figure to the supplier’s statement, or even possibly requesting third party confirmation by the supplier of the amount outstanding.
Cut-off testing would also be typically carried out on year-end purchase ledger balances, which would involve obtaining a sample of pre- and post - year-end goods received notes and agreeing these to the matching pre- or post-year-end purchase invoices, to ensure that only goods received before the end of the accounting period were included. This test would also help to confirm the assertion of existence.
ISA 330 indicates that the auditor may perform tests of control or substantive procedures at an interim date or at the period end. If substantive testing is performed at an interim date then additional substantive procedures alone or combined with tests of control are required for the intervening period. This will provide a reasonable basis for extending the audit conclusions from interim date to the period end.
The standard also indicates that, in general, the extent of audit procedures increases as the risk of material misstatement increases.
ISA 330 lists the following overall responses that may be used by auditors in order to address the assessed risks of material misstatement at the financial statement level:
Assessing risk lies at the core of the audit process and this article has introduced and explained some of the terminology used by ISA 330, giving guidance to auditors on how to respond to assessed risks.
In general, tests of control are short, quick audit tests, whereas substantive procedures will require more detailed audit work. ISA 330 requires that, irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each class of transactions, account balance and disclosure.
Finally, students should try to identify tests of control and substantive procedures for the main accounting systems.
(1) IAASB Auditing Handbook 2010, Glossary of Terms.