Regulators across Europe flag the same ISA 330 finding year after year: audit procedures that do not link back to the assessed risks. A team tests receivables and revenue. The ISA 315 file identified cut-off as the real risk, and nobody designed a procedure to address it. The file should tell a story, and at that point it does not. In our experience reviewing engagement files at the mid-tier, this is the single most common reason a file comes back with significant review notes from monitoring.

ISA 330 exists to close the gap between risk identification and audit response. It requires the auditor to design and implement responses to the risks of material misstatement (RMM) assessed under ISA 315, through overall responses at the financial statement level and further audit procedures (tests of controls and substantive procedures) at the assertion level.

Key takeaways

  • ISA 330 is the bridge between risk assessment (ISA 315) and audit evidence. It requires the auditor to design and implement responses to the assessed risks of material misstatement, both at the financial statement level and at the assertion level.
  • At the financial statement level, the auditor designs overall responses (such as assigning more experienced staff or incorporating unpredictability).
  • At the assertion level, the auditor designs further audit procedures: tests of controls (evaluating whether controls operate effectively) and/or substantive procedures (detecting material misstatements directly).
  • Substantive procedures comprise tests of details and substantive analytical procedures. Irrespective of the assessed risk, the auditor must perform substantive procedures for every material class of transactions, account balance, and disclosure. Audit sampling under ISA 530 governs the extent of these procedures.
  • The auditor chooses between a substantive approach (relying primarily on substantive procedures) or a combined approach (testing controls and performing reduced substantive procedures). The choice depends on the risk assessment and whether it is efficient to rely on controls.
  • The higher the assessed risk, the more persuasive the audit evidence must be. This affects the nature (type of procedure), timing (when it is performed), and extent (sample size) of procedures.
  • Before completing the audit, the auditor must perform a stand-back evaluation, assessing whether the risk assessments remain appropriate and whether sufficient appropriate evidence has been obtained.


What is ISA 330?

ISA 330, titled “The Auditor’s Responses to Assessed Risks,” is where audit planning meets audit execution. ISA 315 identifies and assesses the risks. ISA 330 determines what the auditor actually does about them.

The principle is simple. Audit procedures have to be responsive to the assessed risks, not formulaic. A higher-risk area demands a qualitatively different response than a low-risk area: different types of procedures, different timing, larger sample sizes, more experienced personnel. An audit where every area gets the same attention regardless of risk is not compliant with ISA 330. That is what the AFM, FRC, and PCAOB keep writing up in their inspection reports, year after year.


The objective

ISA 330.3 states the objective:

The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.

“Sufficient” relates to the quantity of evidence. “Appropriate” relates to its quality (relevance and reliability). Both are determined by the nature, timing, and extent of the audit procedures performed.


Overall responses: financial statement level

ISA 330.5 requires the auditor to design and implement overall responses to address assessed risks at the financial statement level. Financial-statement-level risks are pervasive. They affect the financial statements (FS) as a whole rather than specific assertions. A weak control environment or management integrity concerns are the classic examples.

Overall responses may include the following (each response is followed by when it is applied):

  • Emphasising professional skepticism to the team: when fraud risk or management integrity concerns exist.
  • Assigning more experienced staff or those with special skills: for complex or high-risk engagements.
  • Using experts: where specialist knowledge is needed (valuations, actuarial, tax, IT).
  • Increasing supervision: where team members are less experienced or risks are higher.
  • Adding unpredictability: varying the timing, nature, or selection of procedures, particularly to address fraud risk.
  • Modifying the general nature, timing, or extent of procedures: for example, performing substantive procedures at year-end rather than interim, or modifying procedures to obtain more persuasive evidence.

Further audit procedures: assertion level

ISA 330.6–7 requires the auditor to design and perform further audit procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks at the assertion level.

Nature of procedures

The “nature” of a procedure refers to its purpose (test of controls or substantive procedure) and its type (inspection, observation, inquiry, confirmation, recalculation, re-performance, or analytical procedure). In our experience, higher-risk assertions are the ones reviewers check for more persuasive evidence: external confirmations rather than internal inquiries, physical inspection rather than document review.

Timing of procedures

“Timing” refers to when the procedure is performed and the period or date to which the audit evidence applies. For higher-risk assertions, the auditor may need to perform procedures at or near the period end rather than at an interim date. For fraud risks, the auditor may perform procedures at unpredictable times.

Extent of procedures

“Extent” is the quantity: sample sizes, number of observations, depth of the analytical procedure. Higher-risk assertions require larger samples, more locations, or more detailed analysis. ISA 330.A15 notes that increasing extent only helps if the procedure itself is actually relevant. Performing more of an ineffective procedure does not improve audit quality.


Tests of controls

ISA 330.8–14 governs tests of controls (procedures designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatements).

When to test controls

The auditor tests controls when:

  • The risk assessment includes an expectation that controls are operating effectively. If the auditor’s assessment of control risk assumes the controls work, that assumption must be validated.
  • Substantive procedures alone cannot provide sufficient appropriate evidence. In highly automated environments where transactions are initiated, processed, and recorded electronically with no paper trail, testing the controls embedded in the system may be the only feasible approach.

What testing involves

Tests of controls evaluate operating effectiveness, not just design. A control that is well-designed but not consistently operated provides no assurance. Testing involves a combination of inquiry, observation, inspection, and re-performance.

ISA 330.10 is explicit: inquiry alone is not sufficient to test the operating effectiveness of controls. The auditor must use inquiry in combination with inspection of evidence that the control operated, re-performance of the control, or observation of the control in action. Inquiry on its own is a tick-box exercise that reviewers will mark down on sight.

Using prior-year evidence

ISA 330.13–14 addresses the use of audit evidence about operating effectiveness obtained in previous audits. If the auditor plans to rely on controls that were tested in a prior period, they have to obtain evidence about whether significant changes in those controls have occurred since the last test, and test the controls at least once every third audit.

For significant risks, the auditor must test controls in the current period. Prior-year reliance is not permitted.


Substantive procedures

ISA 330.18–22 governs substantive procedures, designed to detect material misstatements directly at the assertion level.

The mandatory substantive testing requirement

ISA 330.18 requires substantive procedures for every material class of transactions, account balance, and disclosure, regardless of the assessed risk. This reflects two realities. The auditor’s risk assessment is inherently judgmental and may not capture all risks, and internal controls have inherent limitations.

Types of substantive procedures

Tests of details. Direct examination of specific items: inspecting documents, confirming balances with third parties, recalculating amounts, physically counting inventory.

Substantive analytical procedures. Evaluating financial information through analysis of plausible relationships among financial and non-financial data. These work best for large volumes of predictable transactions (for example, payroll expense analysed by headcount and average salary, depreciation calculated from the fixed asset register). ISA 520 has the detailed guidance.

Choosing between substantive approaches

The choice between tests of details and substantive analytical procedures depends on the assertion and the nature of the account. Analytical procedures work well where the auditor can develop a precise expectation from independently corroborated data (payroll, rent, depreciation). They work poorly for accounts where the relationship is imprecise or the underlying data cannot be corroborated (provisions, fair values, one-off transactions). At firms like ours, tests of details tend to be the default response on higher-risk assertions. The analytical procedure typically sits alongside as corroborative evidence rather than as the primary source.

Substantive approach vs. combined approach

The auditor’s response to assessed risks typically follows one of two approaches.

Substantive approach. The auditor does not rely on controls and performs substantive procedures sufficient to address the risk. Appropriate where controls are weak or non-existent, the entity is small with limited segregation of duties, it is more efficient to perform substantive procedures than to test controls, or the auditor simply does not wish to rely on controls.

Combined approach. The auditor tests controls and, if the controls are operating effectively, performs reduced substantive procedures. Appropriate where the entity has strong controls, the volume of transactions makes substantive testing alone impractical, or the auditor can gain efficiency by relying on controls for some assertions.


Dual-purpose testing

ISA 330.A23 recognises that the auditor may design a test of controls and a test of details to be performed concurrently on the same transaction (a dual-purpose test). For example, examining a purchase invoice to both verify that it was properly authorised (test of controls, occurrence assertion) and confirm the amount is correctly recorded (test of details, accuracy assertion).

Dual-purpose testing is efficient. The results have to be evaluated separately for each purpose, though. A deviation in the control does not necessarily mean the transaction is misstated, and a correctly stated amount does not necessarily mean the control operated.


Testing at interim dates

ISA 330.22–23 addresses the situation where substantive procedures are performed at an interim date (before the period end).

When substantive procedures are performed at interim, the auditor must cover the remaining period by performing either additional substantive procedures for the remaining period, substantive procedures combined with tests of controls, or (if the auditor considers substantive procedures alone are sufficient) substantive procedures alone for the remaining period.

The key requirement: the auditor must have a reasonable basis for extending audit conclusions from the interim date to the period end. If the auditor identifies unexpected misstatements at the interim date, the auditor should consider whether the risk assessment and planned procedures for the remaining period need revision.

For fraud risks or risks at the higher end of the spectrum, performing procedures only at interim and rolling forward does not work. In our experience, this is where monitoring visits find the most problems: interim work done in October, rolled forward to a 31-December year-end on a single walkthrough of Q4 movements, with no fresh substantive testing.


The stand-back evaluation

ISA 330.25–26 requires two critical evaluations before the audit concludes.

Assess the risk assessment. Based on the procedures performed and evidence obtained, the auditor has to evaluate whether the assessments of RMM at the assertion level remain appropriate. If audit evidence from further procedures contradicts the original risk assessment, the auditor has to revise the assessment and modify the planned procedures.

Conclude on sufficiency. The auditor concludes whether sufficient appropriate audit evidence has been obtained. If the auditor has not obtained it for a material assertion, the auditor must attempt to obtain additional evidence. If none can be obtained, the auditor must express a qualified opinion or a disclaimer.


Documentation requirements

ISA 330.28–30 requires documentation of:

  • The overall responses to the assessed risks at the financial statement level.
  • The nature, timing, and extent of the further audit procedures performed.
  • The linkage between those procedures and the assessed risks at the assertion level.
  • The results of the audit procedures, including the conclusions where these are not otherwise clear.
  • For tests of controls: the conclusions about the operating effectiveness of the controls.

The linkage requirement is the one that trips teams up. An experienced auditor with no prior connection to the engagement should be able to open the file and trace every procedure back to a specific assessed risk. The file should tell a story. Regulators consistently cite the absence of that connection between assessed risks and designed procedures as a fundamental audit quality deficiency. It is also the finding that generates the most review notes on a mid-tier inspection visit.


ISA 330 in your jurisdiction

Netherlands. COS 330 follows ISA 330 closely. The AFM’s inspection findings repeatedly highlight the linkage between risk assessment and audit response as a key quality indicator. Specific findings include: responses that do not change despite changes in risk assessment, insufficient consideration of the nature of procedures (defaulting to standard tests regardless of risk), and inadequate coverage of the period between interim testing and year-end.

Germany. IDW PS 330 adapts ISA 330 for the German context. German practice places strong emphasis on substantive procedures, reflecting the tradition of Prüfungssicherheit (audit assurance) through detailed testing. The WPK’s inspections examine whether audit responses are proportionate to assessed risks and whether the auditor has adequately considered the combined approach where controls are strong.

United Kingdom. ISA (UK) 330 is substantively aligned with ISA 330. The FRC’s inspection findings consistently identify the response to assessed risks as a primary area of concern, particularly insufficient procedures for significant risks, over-reliance on management’s explanations without corroborating evidence, and failure to modify procedures when risks change during the audit.

France. NEP 330 implements ISA 330 within the French statutory framework. French practice integrates the response to assessed risks with the specific programme de travail (work programme) developed for each engagement. The H3C’s inspections focus on whether the work programme is responsive to the specific risks identified in the plan de mission and whether it is updated as the audit progresses.


Frequently asked questions

What is the difference between tests of controls and substantive procedures?

Tests of controls evaluate whether the entity’s internal controls are operating effectively to prevent or detect misstatements. Substantive procedures directly detect material misstatements in the financial statements. The two serve different purposes: tests of controls test the system, substantive procedures test the numbers.

Can the auditor skip substantive testing if controls are strong?

No. ISA 330.18 requires substantive procedures for every material class of transactions, account balance, and disclosure, regardless of the assessed risk. Even if controls are assessed as highly effective and tests of controls confirm this, some level of substantive testing is always required.

How does the auditor decide between a substantive approach and a combined approach?

The decision depends on: the assessed risks, whether the entity has controls that are suitably designed and that the auditor considers testing, the efficiency of each approach (for high-volume transactions, testing controls may be more efficient than extensive substantive testing), and whether substantive procedures alone can provide sufficient evidence (in highly automated environments, they may not).

What does “more persuasive evidence” mean for higher risks?

It means evidence that is more relevant and reliable: evidence obtained from independent external sources rather than internal sources, obtained directly by the auditor rather than indirectly, in documentary rather than oral form, and from original documents rather than copies. It may also mean larger sample sizes and procedures performed at or near the period end rather than at interim.

What happens if the auditor finds more misstatements than expected?

This may indicate that the risk assessment was not appropriate and that the planned procedures are insufficient. The auditor must consider revising the risk assessment, modifying the nature, timing, and extent of remaining procedures, and evaluating the effect of the findings on the audit opinion.


Further reading and source references

  • IAASB Handbook 2024: ISA 330 full text. The authoritative source including all application material.
  • ISA 315 (Revised 2019): Identifying and Assessing the Risks of Material Misstatement. The standard that provides the risk assessments ISA 330 responds to.
  • ISA 500: Audit Evidence. The standard governing the quality and sufficiency of evidence obtained through ISA 330 procedures.
  • ISA 520: Analytical Procedures. Detailed guidance on substantive analytical procedures.
  • ISA 530: Audit Sampling. Guidance on sample sizes and evaluation for ISA 330 procedures.

This guide reflects the ISA 330 text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.
