This Auditing Standard deals with the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with ASA 315
Compilation Details
Auditing Standard ASA 330 The Auditor's Responses to Assessed Risks (as Amended)
This compilation takes into account amendments made up to and including 5 November 2021 and was prepared on 10 November 2021 by the Auditing and Assurance Standards Board (AUASB).
This compilation is not a separate Auditing Standard made by the AUASB. Instead, it is a representation of ASA 330 (October 2009) as amended by other Auditing Standards which are listed in the Table below.
Table of Standards
Standard |
Date made |
Operative Date |
ASA 330 [A] |
Financial reporting periods commencing on or after 1 January 2010 |
|
1 December 2015 |
Financial reporting periods ending on or after 15 December 2016 |
|
ASA 2020-1 [C] | 3 March 2020 | Financial reporting periods commencing on or after 15 December 2021* |
ASA 2021-5 [D] | 5 November 2021 | Financial reporting periods commencing on or after 15 December 2021 |
[A] Federal Register of Legislation– registration number F2009L04081, 12 November 2009
[B] Federal Register of Legislation – registration number F2015L02032, 16 December 2015
[C] Federal Register of Legislation – registration number F2020L00252, 13 March 2020
[D] Federal Register of Legislation – registration number F2021L01525, 8 November 2021
Table of Amendments
Paragraph affected |
How affected |
By … [paragraph] |
20 |
Amended |
ASA 2015-1 [110] |
Heading above paragraph 24 |
Amended |
ASA 2015-1 [111] |
Aus 21.1 |
Deleted |
ASA 2015-1 [112] |
24 |
Amended |
ASA 2015-1 [113] |
30 |
Amended |
ASA 2015-1 [114] |
A13 |
Amended |
ASA 2015-1 [115] |
A14 |
Amended |
ASA 2015-1 [116] |
A52 |
Amended |
ASA 2015-1 [117] |
Heading above paragraph A59 |
Amended |
ASA 2015-1 [118] |
A59 |
Amended |
ASA 2015-1 [119] |
1 Footnote 1 |
Amended |
ASA 2020-1 [69] |
6 |
Amended |
ASA 2020-1 [70] |
7 |
Amended |
ASA 2020-1 [71] |
8 |
Amended |
ASA 2020-1 [72] |
10 |
Amended |
ASA 2020-1 [73] |
13 |
Amended |
ASA 2020-1 [74] |
14 |
Amended |
ASA 2020-1 [75] |
15 |
Amended |
ASA 2020-1 [76] |
16 |
Amended |
ASA 2020-1 [77] |
17 |
Amended |
ASA 2020-1 [78] |
27 |
Amended |
ASA 2020-1 [79] |
A1 |
Amended |
ASA 2020-1 [80] |
A4 |
Amended |
ASA 2020-1 [81] |
A7 |
Amended |
ASA 2020-1 [82] |
A9 |
Amended |
ASA 2020-1 [83] |
A9 Footnote 3 |
Addition |
ASA 2020-1 [83] |
A10 |
Amended |
ASA 2020-1 [85] |
A18 |
Amended |
ASA 2020-1 [86] |
A20 |
Amended |
ASA 2020-1 [87] |
A24 and Footnote 4 |
Amended |
ASA 2020-1 [88] |
A27 |
Amended |
ASA 2020-1 [89] |
A29 |
Amended |
ASA 2020-1 [90] |
A30 |
Addition |
ASA 2020-1 [91] |
A31 and Footnote 6 |
Addition |
ASA 2020-1 [92] |
A32 |
Amended |
ASA 2020-1 [93] |
A31 of December 2015 version |
Deleted |
ASA 2020-1 [94] |
A33 |
Amended |
ASA 2020-1 [95] |
A36 |
Amended |
ASA 2020-1 [96] |
A37 |
Amended |
ASA 2020-1 [97] |
A39 |
Amended |
ASA 2020-1 [98] |
Sub-heading above A43 and A43 |
Amended |
ASA 2020-1 [99] |
A43 Footnote 7 |
Addition |
ASA 2020-1 [99] |
A44 |
Addition |
ASA 2020-1 [100] |
A47 |
Amended |
ASA 2020-1 [101] |
A48 |
Amended |
ASA 2020-1 [102] |
A58 |
Amended |
ASA 2020-1 [103] |
A59 |
Amended |
ASA 2020-1 [104] |
A62 and Footnote 10 |
Amended |
ASA 2020-1 [105] |
A64 |
Amended |
ASA 2020-1 [106] |
A65 |
Amended |
ASA 2020-1 [107] |
Renumbering of paragraphs and footnotes |
Amended |
ASA 2020-1 [108] |
Renumbering of paragraphs and references to these paragraphs |
Amended |
ASA 2021-5 [19] |
* Early adoption, in conjunction with ASA 315 Identifying and Assessing the Risks of Material Misstatement, permitted.
Preamble
Authority Statement
Auditing Standard ASA 330 The Auditor's Responses to Assessed Risks (as amended to 5 November 2021) is set out in paragraphs Aus 0.1 to A65.
This Auditing Standard is to be read in conjunction with ASA 101 Preamble to AUASB Standards, which sets out how AUASB Standards are to be understood, interpreted and applied. This Auditing Standard is to be read also in conjunction with ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards.
Conformity with International Standards on Auditing
This Auditing Standard conforms with International Standard on Auditing ISA 330 The Auditor's Responses to Assessed Risks issued by the International Auditing and Assurance Standards Board (IAASB), an independent standard‑setting board of the International Federation of Accountants (IFAC).
Paragraphs that have been added to this Auditing Standard (and do not appear in the text of the equivalent ISA) are identified with the prefix “Aus”.
Compliance with this Auditing Standard enables compliance with ISA 330.
AUDITING STANDARD ASA 330
The Auditing and Assurance Standards Board (AUASB) made Auditing Standard ASA 330 The Auditor's Responses to Assessed Risks pursuant to section 227B of the Australian Securities and Investments Commission Act 2001 and section 336 of the Corporations Act 2001, on 27 October 2009.
This compiled version of ASA 330 incorporates subsequent amendments contained in another Auditing Standard made by the AUASB up to and including 5 November 2021 (see Compilation Details).
Application
Aus 0.1
This Auditing Standard applies to:
- an audit of a financial report for a financial year, or an audit of a financial report for a half-year, in accordance with the Corporations Act 2001; and
- an audit of a financial report, or a complete set of financial statements, for any other purpose.
Aus 0.2
This Auditing Standard also applies, as appropriate, to an audit of other historical financial information.
Operative Date
Aus 0.3
This Auditing Standard is operative for financial reporting periods commencing on or after 1 January 2010. [Note: For operative dates of paragraphs changed or added by an Amending Standard, see Compilation Details.]
Introduction
Scope of this Auditing Standard
1
This Auditing Standard deals with the auditor’s responsibility to design and implement responses to the risks of material misstatement identified and assessed by the auditor in accordance with ASA 315[1] in an audit of a financial report.
Effective Date
2
[Deleted by the AUASB. Refer Aus 0.3]
See ASA 315 Identifying and Assessing the Risks of Material Misstatement.
Definitions
4
For the purposes of this Auditing Standard, the following terms have the meanings attributed below:
4(a)
Substantive procedure means an audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:
- Tests of details (of classes of transactions, account balances, and disclosures); and
- Substantive analytical procedures.
4(b)
Test of controls means an audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.
Requirements
Overall Responses
5
The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial report level. (Ref: Para. A1-A3)
Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the Assertion Level
6
The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4-A8, A43-A54)
7
In designing the further audit procedures to be performed, the auditor shall:
- Consider the reasons for the assessment given to the risk of material misstatement at the assertion level for each significant class of transactions, account balance, and disclosure, including:
- The likelihood and magnitude of misstatement due to the particular characteristics of the significant class of transactions, account balance, or disclosure (that is, the inherent risk); and
- Whether the risk assessment takes account of controls that address the risk of material misstatement (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is, the auditor plans to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9-A18)
- Obtain more persuasive audit evidence the higher the auditor’s assessment of risk. (Ref: Para. A19)
Tests of Controls
8
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of controls if:
- The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor plans to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
- Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level. (Ref: Para. A20-A24)
9
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25)
Nature and Extent of Tests of Controls
10
In designing and performing tests of controls, the auditor shall:
- Perform other audit procedures in combination with enquiry to obtain audit evidence about the operating effectiveness of the controls, including:
- How the controls were applied at relevant times during the period under audit;
- The consistency with which they were applied; and
- By whom or by what means they were applied. (Ref: Para. A26-A30)
- To the extent not already addressed, determine whether the controls to be tested depend upon other controls (indirect controls), and if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls. (Ref: Para. A32-A33)
Timing of Tests of Controls
11
The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 of this Auditing Standard, in order to provide an appropriate basis for the auditor’s intended reliance. (Ref: Para. A33)
Using audit evidence obtained during an interim period
12
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:
- Obtain audit evidence about significant changes to those controls subsequent to the interim period; and
- Determine the additional audit evidence to be obtained for the remaining period. (Ref: Para. A34-A35)
Using audit evidence obtained in previous audits
13
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following:
- The effectiveness of other components of the entity's system of internal control, including the control environment, the entity’s process to monitor the system of internal control, and the entity’s risk assessment process;
- The risks arising from the characteristics of the control, including whether it is manual or automated;
- The effectiveness of general IT-controls;
- The effectiveness of the control and its application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that significantly affect the application of the control;
- Whether the lack of a change in a particular control poses a risk due to changing circumstances; and
- The risks of material misstatement and the extent of reliance on the control. (Ref: Para. A36)
14
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance and reliability of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing enquiry combined with observation or inspection, to confirm the understanding of those specific controls, and:
- If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. (Ref: Para. A37)
- If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods. (Ref: Para. A38-A40)
Controls over significant risks
15
If the auditor intends to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period.
Evaluating the Operating Effectiveness of Controls
16
When evaluating the operating effectiveness of controls upon which the auditor intends to rely, the auditor shall evaluate whether misstatements that have been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested are effective. (Ref: Para. A41)
17
If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific enquiries to understand these matters and their potential consequences, and shall determine whether: (Ref: Para. A42)
- The tests of controls that have been performed provide an appropriate basis for reliance on the controls;
- Additional tests of controls are necessary; or
- The risks of material misstatement need to be addressed using substantive procedures.
Substantive Procedures
18
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure. (Ref: Para. A43-A49)
19
The auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures. (Ref: Para. A50-A53)
Substantive Procedures Related to the Financial Report Closing Process
20
The auditor’s substantive procedures shall include the following audit procedures related to the financial report closing process:
- Agreeing or reconciling information in the financial report with the underlying accounting records, including agreeing or reconciling information in disclosures, whether such information is obtained from within or outside of the general and subsidiary ledgers; and
- Examining material journal entries and other adjustments made during the course of preparing the financial report. (Ref: Para. A54)
Substantive Procedures Responsive to Significant Risks
21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A55)
22
If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:
- substantive procedures, combined with tests of controls for the intervening period; or
- if the auditor determines that it is sufficient, further substantive procedures only,
that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref: Para. A56-A59)
23
If misstatements that the auditor did not expect when assessing the risks of material misstatement are detected at an interim date, the auditor shall evaluate whether the related assessment of risk and the planned nature, timing, or extent of substantive procedures covering the remaining period need to be modified. (Ref: Para. A60)
Adequacy of Presentation Disclosure of the Financial Report
24
The auditor shall perform audit procedures to evaluate whether the overall presentation of the financial report, is in accordance with the applicable financial reporting framework. In making this evaluation, the auditor shall consider whether the financial report is presented in a manner that reflects the appropriate:
- Classification and description of financial information and the underlying transactions, events and conditions; and
- Presentation, structure and content of the financial report. (Ref: Para. A61)
Evaluating the Sufficiency and Appropriateness of Audit Evidence
25
Based on the audit procedures performed and the audit evidence obtained, the auditor shall evaluate before the conclusion of the audit whether the assessments of the risks of material misstatement at the assertion level remain appropriate. (Ref: Para. A62-A63)
26
The auditor shall conclude whether sufficient appropriate audit evidence has been obtained. In forming an opinion, the auditor shall consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the financial report. (Ref: Para. A64)
27
If the auditor has not obtained sufficient appropriate audit evidence related to a relevant assertion about a class of transactions, account balance or disclosure, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion on the financial report.
Documentation
28
The auditor shall include in the audit documentation:[2]
- The overall responses to address the assessed risks of material misstatement at the financial report level, and the nature, timing, and extent of the further audit procedures performed;
- The linkage of those procedures with the assessed risks at the assertion level; and
- The results of the audit procedures, including the conclusions where these are not otherwise clear. (Ref: Para. A65)
29
If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous audit.
30
The auditor’s documentation shall demonstrate that information in the financial report agrees or reconciles with the underlying accounting records, including agreeing or reconciling disclosures, whether such information is obtained from within or outside of the general and subsidiary ledgers.
ASA 230 Audit Documentation, paragraphs 8-11 and paragraph A6.
Application and Other Explanatory Material
Overall Responses
A1
Overall responses to address the assessed risks of material misstatement at the financial report level may include:
- Emphasising to the audit team the need to maintain professional scepticism.
- Assigning more experienced staff or those with special skills or using experts.
- Changes to the nature, timing and extent of direction and supervision of members of the engagement team and the review of the work performed.
- Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed.
- Changes to the overall audit strategy as required by ASA 300, or planned audit procedures, and may include changes to:
- The auditor’s determination of performance materiality in accordance with ASA 320.
- The auditor’s plans to tests the operating effectiveness of controls, and the persuasiveness of audit evidence needed to support the planned reliance on the operating effectiveness of the controls, particularly when deficiencies in the control environment or the entity’s monitoring activities are identified.
- The nature, timing and extent of substantive procedures. For example, it may be appropriate to perform substantive procedures at or near the date of the financial report when the risk of material misstatement is assessed as higher.
A2
The assessment of the risks of material misstatement at the financial report level, and thereby the auditor’s overall responses, is affected by the auditor’s understanding of the control environment. An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period end. Deficiencies in the control environment, however, have the opposite effect; for example, the auditor may respond to an ineffective control environment by:
- Conducting more audit procedures as of the period end rather than at an interim date.
- Obtaining more extensive audit evidence from substantive procedures.
- Increasing the number of locations to be included in the audit scope.
A3
Such considerations, therefore, have a significant bearing on the auditor’s general approach, for example, an emphasis on substantive procedures (substantive approach), or an approach that uses tests of controls as well as substantive procedures (combined approach).
Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the Assertion Level
The Nature, Timing, and Extent of Further Audit Procedures (Ref: Para. 6)
A4
The auditor’s assessment of the identified risks of material misstatement at the assertion level provides a basis for considering the appropriate audit approach for designing and performing further audit procedures. For example, the auditor may determine that:
- Only by performing tests of controls may the auditor achieve an effective response to the assessed risk of material misstatement for a particular assertion;
- Performing only substantive procedures is appropriate for particular assertions and, therefore, the auditor excludes the effect of controls from the assessment of the risk of material misstatement. This may be because the auditor has not identified a risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence and therefore is not required to test the operating effectiveness of controls. Therefore the auditor may not plan to test the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures; or
- A combined approach using both tests of controls and substantive procedures is an effective approach.
The auditor need not design and perform further audit procedures where the assessment of the risk of material misstatement is below the acceptably low level. However, as required by paragraph 18, irrespective of the approach selected and the assessed risk of material misstatement, the auditor designs and performs substantive procedures for each material class of transactions, account balance, and disclosure.
A5
The nature of an audit procedure refers to its purpose (that is, test of controls or substantive procedure) and its type (that is, inspection, observation, enquiry, confirmation, recalculation, re-performance, or analytical procedure). The nature of the audit procedures is of most importance in responding to the assessed risks.
A6
Timing of an audit procedure refers to when it is performed, or the period or date to which the audit evidence applies.
A7
Extent of an audit procedure refers to the quantity to be performed, for example, a sample size or the number of observations of a control.
A8
Designing and performing further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level provides a clear linkage between the auditor’s further audit procedures and the risk assessment.
Responding to the Assessed Risks at the Assertion Level (Ref: Para. 7(a))
Nature
A9
ASA 315 requires that the auditor’s assessment of the risks of material misstatement at the assertion level is performed by assessing inherent risk and control risk. The auditor assesses inherent risk by assessing the likelihood and magnitude of a misstatement taking into account how, and the degree to which the inherent risk factors affect the susceptibility to misstatement of relevant assertions.[3] The auditor’s assessed risks, including the reasons for those assessed risks, may affect both the types of audit procedures to be performed and their combination. For example, when an assessed risk is high, the auditor may confirm the completeness of the terms of a contract with the counterparty, in addition to inspecting the document. Further, certain audit procedures may be more appropriate for some assertions than others. For example, in relation to revenue, tests of controls may be most responsive to the assessed risk of material misstatement of the completeness assertion, whereas substantive procedures may be most responsive to the assessed risk of material misstatement of the occurrence assertion.
A10
The reasons for the assessment given to a risk are relevant in determining the nature of audit procedures. For example, if an assessed risk is lower because of the particular characteristics of a class of transactions without consideration of the related controls, then the auditor may determine that substantive analytical procedures alone provide sufficient appropriate audit evidence. On the other hand, if the assessed risk is lower because of the auditor plans to test the operating effectiveness of controls, and the auditor intends to base the substantive procedures on that low assessment, then the auditor performs tests of those controls, as required by paragraph 8(a). This may be the case, for example, for a class of transactions of reasonably uniform, non-complex characteristics that are routinely processed and controlled by the entity’s information system.
Timing
A11
The auditor may perform tests of controls or substantive procedures at an interim date or at the period end. The higher the risk of material misstatement, the more likely it is that the auditor may decide it is more effective to perform substantive procedures nearer to, or at, the period end rather than at an earlier date, or to perform audit procedures unannounced or at unpredictable times (for example, performing audit procedures at selected locations on an unannounced basis). This is particularly relevant when considering the response to the risks of fraud. For example, the auditor may conclude that, when the risks of intentional misstatement or manipulation have been identified, audit procedures to extend audit conclusions from interim date to the period end would not be effective.
A12
On the other hand, performing audit procedures before the period end may assist the auditor in identifying significant matters at an early stage of the audit, and consequently resolving them with the assistance of management or developing an effective audit approach to address such matters.
A13
In addition, certain audit procedures can be performed only at or after the period end, for example:
- Agreeing or reconciling information in the financial report with the underlying accounting records, including whether such information is obtained from within or outside of the general and subsidiary ledgers;
- Examining adjustments made during the course of preparing the financial report; and
- Procedures to respond to a risk that, at the period end, the entity may have entered into improper sales contracts, or transactions may not have been finalised.
A14
Further relevant factors that influence the auditor’s consideration of when to perform audit procedures include the following:
- The control environment.
- When relevant information is available (for example, electronic files may subsequently be overwritten, or procedures to be observed may occur only at certain times).
- The nature of the risk (for example, if there is a risk of inflated revenues to meet earnings expectations by subsequent creation of false sales agreements, the auditor may wish to examine contracts available on the date of the period end).
- The period or date to which the audit evidence relates.
- The timing of the preparation of the financial report, particularly for those disclosures that provide further explanation about amounts recorded in the statement of financial position, the statement of comprehensive income, the statement of changes in equity or the statement of cash flows.
Extent
A15
The extent of an audit procedure judged necessary is determined after considering the materiality, the assessed risk, and the degree of assurance the auditor plans to obtain. When a single purpose is met by a combination of procedures, the extent of each procedure is considered separately. In general, the extent of audit procedures increases as the risk of material misstatement increases. For example, in response to the assessed risk of material misstatement due to fraud, increasing sample sizes or performing substantive analytical procedures at a more detailed level may be appropriate. However, increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the specific risk.
A16
The use of computer-assisted audit techniques (CAATs) may enable more extensive testing of electronic transactions and account files, which may be useful when the auditor decides to modify the extent of testing, for example, in responding to the risks of material misstatement due to fraud. Such techniques can be used to select sample transactions from key electronic files, to sort transactions with specific characteristics, or to test an entire population instead of a sample.
Considerations specific to public sector entities
A17
For the audits of public sector entities, the audit mandate and any other special auditing requirements may affect the auditor’s consideration of the nature, timing and extent of further audit procedures.
Considerations specific to smaller entities
A18
In the case of smaller entities, there may not be many control activities that could be identified by the auditor, or the extent to which their existence or operation have been documented by the entity may be limited. In such cases, it may be more efficient for the auditor to perform further audit procedures that are primarily substantive procedures. In some rare cases, however, the absence of controls or of components of the system of internal control may make it impossible to obtain sufficient appropriate audit evidence.
Higher Assessments of Risk (Ref: Para 7(b))
A19
When obtaining more persuasive audit evidence because of a higher assessment of risk, the auditor may increase the quantity of the evidence, or obtain evidence that is more relevant or reliable, for example, by placing more emphasis on obtaining third party evidence or by obtaining corroborating evidence from a number of independent sources.
Tests of Controls
Designing and Performing Tests of Controls (Ref: Para. 8)
A20
Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in a relevant assertion, and the auditor plans to test those controls. If substantially different controls were used at different times during the period under audit, each is considered separately.
A21
Testing the operating effectiveness of controls is different from obtaining an understanding of and evaluating the design and implementation of controls. However, the same types of audit procedures are used. The auditor may, therefore, decide it is efficient to test the operating effectiveness of controls at the same time as evaluating their design and determining that they have been implemented.
A22
Further, although some risk assessment procedures may not have been specifically designed as tests of controls, they may nevertheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls. For example, the auditor’s risk assessment procedures may have included:
- Enquiring about management’s use of budgets.
- Observing management’s comparison of monthly budgeted and actual expenses.
- Inspecting reports pertaining to the investigation of variances between budgeted and actual amounts.
These audit procedures provide knowledge about the design of the entity’s budgeting policies and whether they have been implemented, but may also provide audit evidence about the effectiveness of the operation of budgeting policies in preventing or detecting material misstatements in the classification of expenses.
A23
In addition, the auditor may design a test of controls to be performed concurrently with a test of details on the same transaction. Although the purpose of a test of controls is different from the purpose of a test of details, both may be accomplished concurrently by performing a test of controls and a test of details on the same transaction, also known as a dual-purpose test. For example, the auditor may design, and evaluate the results of, a test to examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. A dual-purpose test is designed and evaluated by considering each purpose of the test separately.
A24
In some cases, as discussed in ASA 315, the auditor may find it impossible to design effective substantive procedures that by themselves provide sufficient appropriate audit evidence at the assertion level.[4] This may occur when an entity conducts its business using IT and no documentation of transactions is produced or maintained, other than through the IT system. In such cases, paragraph 8(b) requires the auditor to perform tests of controls that address the risk for which substantive procedures alone cannot provide sufficient appropriate audit evidence.
Audit Evidence and Intended Reliance (Ref: Para. 9)
A25
A higher level of assurance may be sought about the operating effectiveness of controls when the approach adopted consists primarily of tests of controls, in particular where it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures.
Nature and Extent of Tests of Controls
Other audit procedures in combination with enquiry (Ref: Para. 10(a))
A26
Enquiry alone is not sufficient to test the operating effectiveness of controls. Accordingly, other audit procedures are performed in combination with enquiry. In this regard, enquiry combined with inspection or re-performance may provide more assurance than enquiry and observation, since an observation is pertinent only at the point in time at which it is made.
A27
The nature of the particular control influences the type of procedure required to obtain audit evidence about whether the control was operating effectively. For example, if operating effectiveness is evidenced by documentation, the auditor may decide to inspect it to obtain audit evidence about operating effectiveness. For other controls, however, documentation may not be available or relevant. For example, documentation of operation may not exist for some factors in the control environment, such as assignment of authority and responsibility, or for some types of controls, such as automated controls. In such circumstances, audit evidence about operating effectiveness may be obtained through enquiry in combination with other audit procedures such as observation or the use of CAATs.
Extent of tests of controls
A28
When more persuasive audit evidence is needed regarding the effectiveness of a control, it may be appropriate to increase the extent of testing of the control. As well as the degree of reliance on controls, matters the auditor may consider in determining the extent of tests of controls include the following:
- The frequency of the performance of the control by the entity during the period.
- The length of time during the audit period that the auditor is relying on the operating effectiveness of the control.
- The expected rate of deviation from a control.
- The relevance and reliability of the audit evidence to be obtained regarding the operating effectiveness of the control at the assertion level.
- The extent to which audit evidence is obtained from tests of other controls related to the assertion.
ASA 530[5] contains further guidance on the extent of testing.
A29
Because of the inherent consistency of IT processing, it may not be necessary to increase the extent of testing of an automated control. An automated control can be expected to function consistently unless the IT application (including the tables, files, or other permanent data used by the IT application) is changed. Once the auditor determines that an automated control is functioning as intended (which could be done at the time the control is initially implemented or at some other date), the auditor may consider performing tests to determine that the control continues to function effectively. Such tests may include testing the general IT controls related to the IT application.
A30
Similarly, the auditor may perform tests of controls that address risks of material misstatement related to the integrity of the entity’s data, or the completeness and accuracy of the entity’s system-generated reports, or to address risks of material misstatement for which substantive procedures alone cannot provide sufficient appropriate audit evidence. These tests of controls may include tests of general IT controls that address the matters in paragraph 10(a). When this is the case, the auditor may not need to perform any further testing to obtain audit evidence about the matters in paragraph 10(a).
A31
When the auditor determines that a general IT control is deficient, the auditor may consider the nature of the related risk(s) arising from the use of IT that were identified in accordance with ASA 315 [6] to provide the basis for the design of the auditor’s additional procedures to address the assessed risk of material misstatement. Such procedures may address determining whether:
- The related risk(s) arising from IT has occurred. For example, if users have unauthorised access to an IT application (but cannot access or modify the system logs that track access), the auditor may inspect the system logs to obtain audit evidence that those users did not access the IT application during the period.
- There are any alternate or redundant general IT controls, or any other controls, that address the related risk(s) arising from the use of IT. If so, the auditor may identify such controls (if not already identified) and therefore evaluate their design, determine that they have been implemented and perform tests of their operating effectiveness. For example, if a general IT control related to user access is deficient, the entity may have an alternate control whereby IT management reviews end user access reports on a timely basis. Circumstances when an application control may address a risk arising from the use of IT may include when the information that may be affected by the general IT control deficiency can be reconciled to external sources (e.g., a bank statement) or internal sources not affected by the general IT control deficiency (e.g., a separate IT application or data source).
Testing of indirect controls (Ref: Para. 10(b))
A32
In some circumstances, it may be necessary to obtain audit evidence supporting the effective operation of indirect controls (e.g., general IT controls). As explained in paragraphs A29 to A31, general IT controls may have been identified in accordance with ASA 315 because of their support of the operating effectiveness of automated controls or due to their support in maintaining the integrity of information used in the entity’s financial reporting, including system-generated reports. The requirement in paragraph 10(b) acknowledges that the auditor may have already tested certain indirect controls to address the matters in paragraph 10(a).
Timing of Tests of Controls
Intended period of reliance (Ref: Para. 11)
A33
Audit evidence pertaining only to a point in time may be sufficient for the auditor’s purpose, for example, when testing controls over the entity’s physical inventory counting at the period end. If, on the other hand, the auditor intends to rely on a control over a period, tests that are capable of providing audit evidence that the control operated effectively at relevant times during that period are appropriate. Such tests may include tests of controls in the entity’s process to monitor the system of internal controls.
Using audit evidence obtained during an interim period (Ref: Para. 12(b))
A34
Relevant factors in determining what additional audit evidence to obtain about controls that were operating during the period remaining after an interim period, include:
- The significance of the assessed risks of material misstatement at the assertion level.
- The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel.
- The degree to which audit evidence about the operating effectiveness of those controls was obtained.
- The length of the remaining period.
- The extent to which the auditor intends to reduce further substantive procedures based on the reliance of controls.
- The control environment.
A35
Additional audit evidence may be obtained, for example, by extending tests of controls over the remaining period or testing the entity’s monitoring of controls.
Using audit evidence obtained in previous audits (Ref: Para. 13)
A36
In certain circumstances, audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance and reliability. For example, in performing a previous audit, the auditor may have determined that an automated control was functioning as intended. The auditor may obtain audit evidence to determine whether changes to the automated control have been made that affect its continued effective functioning through, for example, enquiries of management and the inspection of logs to indicate what controls have been changed. Consideration of audit evidence about these changes may support either increasing or decreasing the expected audit evidence to be obtained in the current period about the operating effectiveness of the controls.
Controls that have changed from previous audits (Ref: Para. 14(a))
A37
Changes may affect the relevance and reliability of the audit evidence obtained in previous audits such that there may no longer be a basis for continued reliance. For example, changes in a system that enable an entity to receive a new report from the system probably do not affect the relevance of audit evidence from a previous audit, however, a change that causes data to be accumulated or calculated differently does affect it.
Controls that have not changed from previous audits (Ref: Para. 14(b))
A38
The auditor’s decision on whether to rely on audit evidence obtained in previous audits for controls that:
- have not changed since they were last tested; and
- are not controls that mitigate a significant risk,
is a matter of professional judgement. In addition, the length of time between retesting such controls is also a matter of professional judgement, but is required by paragraph 14(b) to be at least once in every third year.
A39
In general, the higher the risk of material misstatement, or the greater the reliance on controls, the shorter the time period elapsed, if any, is likely to be. Factors that may decrease the period for retesting a control, or result in not relying on audit evidence obtained in previous audits at all, include the following:
- A deficient control environment.
- A deficiency in the entity's process to monitor the system of internal controls.
- A significant manual element to controls.
- Personnel changes that significantly affect the application of the control.
- Changing circumstances that indicate the need for changes in the control.
- Deficient general IT-controls.
A40
When there are a number of controls for which the auditor intends to rely on audit evidence obtained in previous audits, testing some of those controls in each audit provides corroborating information about the continuing effectiveness of the control environment. This contributes to the auditor’s decision about whether it is appropriate to rely on audit evidence obtained in previous audits.
Evaluating the Operating Effectiveness of Controls (Ref: Para. 16-17)
A41
A material misstatement detected by the auditor’s procedures is a strong indicator of the existence of a significant deficiency in internal control.
A42
The concept of effectiveness of the operation of controls recognises that some deviations in the way controls are applied by the entity may occur. Deviations from prescribed controls may be caused by such factors as changes in key personnel, significant seasonal fluctuations in volume of transactions and human error. The detected rate of deviation, in particular in comparison with the expected rate, may indicate that the control cannot be relied on to reduce risk at the assertion level to that assessed by the auditor.
A43
Paragraph 18 requires the auditor to design and perform substantive procedures for each material class of transactions, account balance, and disclosure. For significant classes of transactions, account balances and disclosures, substantive procedures may have already been performed because paragraph 6 requires the auditor to design and perform further audit procedures that are responsive to the assessed risks of material misstatement at the assertion level. Accordingly, substantive procedures are required to be designed and performed in accordance with paragraph 18:
- When the further audit procedures for significant classes of transactions, account balances or disclosures, designed and performed in accordance with paragraph 6, did not include substantive procedures; or
- For each class of transactions, account balance or disclosure that is not a significant class of transactions, account balance or disclosure, but that has been identified as material in accordance with ASA 315[7].
- This requirement reflects the facts that: (a) the auditor’s assessment of risk is judgemental and so may not identify all risks of material misstatement; and (b) there are inherent limitations to controls, including management override.
A44
Not all assertions within a material class of transactions, account balance or disclosure are required to be tested. Rather, in designing the substantive procedures to be performed, the auditor’s consideration of the assertion(s) in which, if a misstatement were to occur, there is a reasonable possibility of the misstatement being material, may assist in identifying the appropriate nature, timing and extent of the procedures to be performed.
Nature and Extent of Substantive Procedures
A45
Depending on the circumstances, the auditor may determine that:
- Performing only substantive analytical procedures will be sufficient to reduce audit risk to an acceptably low level. For example, where the auditor’s assessment of risk is supported by audit evidence from tests of controls.
- Only tests of details are appropriate.
- A combination of substantive analytical procedures and tests of details are most responsive to the assessed risks.
A46
Substantive analytical procedures are generally more applicable to large volumes of transactions that tend to be predictable over time. ASA 520[8] establishes requirements and provides guidance on the application of analytical procedures during an audit.
A47
The assessment of the risk or the nature of the assertion is relevant to the design of tests of details. For example, tests of details related to the existence or occurrence assertion may involve selecting from items contained in a financial report amount and obtaining the relevant audit evidence. On the other hand, tests of details related to the completeness assertion may involve selecting from items that are expected to be included in the relevant financial statement amount and investigating whether they are included.
A48
Because the assessment of the risk of material misstatement takes account of controls that the auditor plans to test, the extent of substantive procedures may need to be increased when the results from tests of controls are unsatisfactory. However, increasing the extent of an audit procedure is appropriate only if the audit procedure itself is relevant to the specific risk.
A49
In designing tests of details, the extent of testing is ordinarily thought of in terms of the sample size. However, other matters are also relevant, including whether it is more effective to use other selective means of testing. See ASA 500.[9]
Considering Whether External Confirmation Procedures Are to Be Performed (Ref: Para. 19)
A50
External confirmation procedures frequently are relevant when addressing assertions associated with account balances and their elements, but need not be restricted to these items. For example, the auditor may request external confirmation of the terms of agreements, contracts, or transactions between an entity and other parties. External confirmation procedures also may be performed to obtain audit evidence about the absence of certain conditions. For example, a request may specifically seek confirmation that no “side agreement” exists that may be relevant to an entity’s revenue cut-off assertion. Other situations where external confirmation procedures may provide relevant audit evidence in responding to assessed risks of material misstatement include:
- Bank balances and other information relevant to banking relationships.
- Accounts receivable balances and terms.
- Inventories held by third parties at bonded warehouses for processing or on consignment.
- Property title deeds held by lawyers or financiers for safe custody or as security.
- Investments held for safekeeping by third parties, or purchased from stockbrokers but not delivered at the balance sheet date.
- Amounts due to lenders, including relevant terms of repayment and restrictive covenants.
- Accounts payable balances and terms.
A51
Although external confirmations may provide relevant audit evidence relating to certain assertions, there are some assertions for which external confirmations provide less relevant audit evidence. For example, external confirmations provide less relevant audit evidence relating to the recoverability of accounts receivable balances, than they do of their existence.
A52
The auditor may determine that external confirmation procedures performed for one purpose provide an opportunity to obtain audit evidence about other matters. For example, confirmation requests for bank balances often include requests for information relevant to other financial report assertions. Such considerations may influence the auditor’s decision about whether to perform external confirmation procedures.
A53
Factors that may assist the auditor in determining whether external confirmation procedures are to be performed as substantive audit procedures include:
- The confirming party’s knowledge of the subject matter – responses may be more reliable if provided by a person at the confirming party who has the requisite knowledge about the information being confirmed.
- The ability or willingness of the intended confirming party to respond – for example, the confirming party:
- May not accept responsibility for responding to a confirmation request;
- May consider responding too costly or time consuming;
- May have concerns about the potential legal liability resulting from responding;
- May account for transactions in different currencies; or
- May operate in an environment where responding to confirmation requests is not a significant aspect of day-to-day operations.
In such situations, confirming parties may not respond, may respond in a casual manner or may attempt to restrict the reliance placed on the response.
- The objectivity of the intended confirming party – if the confirming party is a related party of the entity, responses to confirmation requests may be less reliable.
Substantive Procedures Related to the Financial Report Closing Process (Ref: Para. 20(b))
A54
The nature, and also the extent, of the auditor’s substantive procedures related to the financial statement closing process depends on the nature and complexity of the entity’s financial reporting process and the related risks of material misstatement.
Substantive Procedures Responsive to Significant Risks (Ref: Para. 21)
A55
Paragraph 21 of this Auditing Standard requires the auditor to perform substantive procedures that are specifically responsive to risks the auditor has determined to be significant risks. Audit evidence in the form of external confirmations received directly by the auditor from appropriate confirming parties may assist the auditor in obtaining audit evidence with the high level of reliability that the auditor requires to respond to significant risks of material misstatement, whether due to fraud or error. For example, if the auditor identifies that management is under pressure to meet earnings expectations, there may be a risk that management is inflating sales by improperly recognising revenue related to sales agreements with terms that preclude revenue recognition or by invoicing sales before shipment. In these circumstances, the auditor may, for example, design external confirmation procedures not only to confirm outstanding amounts, but also to confirm the details of the sales agreements, including date, any rights of return and delivery terms. In addition, the auditor may find it effective to supplement such external confirmation procedures with enquiries of non-financial personnel in the entity regarding any changes in sales agreements and delivery terms.
Timing of Substantive Procedures (Ref: Para. 23)
A56
In most cases, audit evidence from a previous audit’s substantive procedures provides little or no audit evidence for the current period. There are, however, exceptions, for example, a legal opinion obtained in a previous audit related to the structure of a securitisation to which no changes have occurred, may be relevant in the current period. In such cases, it may be appropriate to use audit evidence from a previous audit’s substantive procedures if that evidence and the related subject matter have not fundamentally changed, and audit procedures have been performed during the current period to establish its continuing relevance.
Using audit evidence obtained during an interim period (Ref: Para. 22)
A57
In some circumstances, the auditor may determine that it is effective to perform substantive procedures at an interim date, and to compare and reconcile information concerning the balance at the period end with the comparable information at the interim date to:
- Identify amounts that appear unusual,
- Investigate any such amounts, and
- Perform substantive analytical procedures or tests of details to test the intervening period.
A58
Performing substantive procedures at an interim date without undertaking additional procedures at a later date increases the risk that the auditor will not detect misstatements that may exist at the period end. This risk increases as the remaining period is lengthened. Factors such as the following may influence whether to perform substantive procedures at an interim date:
- The control environment and other controls.
- The availability at a later date of information necessary for the auditor’s procedures.
- The purpose of the substantive procedure.
- The assessed risk of material misstatement.
- The nature of the class of transactions or account balance and related assertions.
- The ability of the auditor to perform appropriate substantive procedures or substantive procedures combined with tests of controls to cover the remaining period in order to reduce the risk that misstatements that may exist at the period end will not be detected.
A59
Factors such as the following may influence whether to perform substantive analytical procedures with respect to the period between the interim date and the period end:
- Whether the period end balances of the particular classes of transactions or account balances are reasonably predictable with respect to amount, relative significance, and composition.
- Whether the entity’s procedures for analysing and adjusting such classes of transactions or account balances at interim dates and for establishing proper accounting cut-offs are appropriate.
- Whether the information system will provide information concerning the balances at the period end and the transactions in the remaining period that is sufficient to permit investigation of:
- Significant unusual transactions or entries (including those at or near the period end);
- Other causes of significant fluctuations, or expected fluctuations that did not occur; and
- Changes in the composition of the classes of transactions or account balances.
Misstatements detected at an interim date (Ref: Para. 23)
A60
When the auditor concludes that the planned nature, timing, or extent of substantive procedures covering the remaining period need to be modified as a result of unexpected misstatements detected at an interim date, such modification may include extending or repeating the procedures performed at the interim date at the period end.
Adequacy of Presentation of the Financial Report
A61
Evaluating the appropriate presentation, arrangement and content of the financial report, includes, for example, consideration of the terminology used as required by the applicable financial reporting framework, the level of detail provided, and the basis of amounts set forth.
Evaluating the Sufficiency and Appropriateness of Audit Evidence
A62
An audit of a financial report is a cumulative and iterative process. As the auditor performs planned audit procedures, the audit evidence obtained may cause the auditor to modify the nature, timing or extent of other planned audit procedures. Information may come to the auditor’s attention that differs significantly from the information on which the risk assessment was based. For example:
- The extent of misstatements that the auditor detects by performing substantive procedures may alter the auditor’s judgement about the risk assessments and may indicate a significant deficiency in internal control.
- The auditor may become aware of discrepancies in accounting records, or conflicting or missing evidence.
- Analytical procedures performed at the overall review stage of the audit may indicate a previously unrecognised risk of material misstatement.
In such circumstances, the auditor may need to re-evaluate the planned audit procedures, based on the revised consideration of assessed risks of material misstatement and the effect on the significant classes of transactions, account balances, or disclosures and their relevant assertions. ASA 315 contains further guidance on revising the auditor’s risk assessment.[10]
A63
The auditor cannot assume that an instance of fraud or error is an isolated occurrence. Therefore, the consideration of how the detection of a misstatement affects the assessed risks of material misstatement is important in determining whether the assessment remains appropriate.
A64
The auditor’s judgement as to what constitutes sufficient appropriate audit evidence is influenced by such factors as the following:
- Significance of the potential misstatement in the assertion and the likelihood of its having a material effect, individually or aggregated with other potential misstatements, on the financial report.
- Effectiveness of management’s responses and controls to address the risks.
- Experience gained during previous audits with respect to similar potential misstatements.
- Results of audit procedures performed, including whether such audit procedures identified specific instances of fraud or error.
- Source and reliability of the available information.
- Persuasiveness of the audit evidence.
- Understanding of the entity and its environment, the applicable financial reporting framework and entity’s system of internal control.
Documentation
A65
The form and extent of audit documentation is a matter of professional judgement, and is influenced by the nature, size and complexity of the entity and its system of internal control, availability of information from the entity and the audit methodology and technology used in the audit.
See ASA 315, paragraphs 31 and 34.
See ASA 315, paragraph 33.
See ASA 530 Audit Sampling.
See ASA 315, paragraph 26(c)(i).
See ASA 315, paragraph 36.
See ASA 520 Analytical Procedures.
See ASA 500 Audit Evidence, paragraph 10.
See ASA 315, paragraph 53.