Key Takeaways

  • ISA 330 is the bridge between risk assessment (ISA 315) and audit evidence — it requires the auditor to design and implement responses to the assessed risks of material misstatement, both at the financial statement level and at the assertion level.
  • At the financial statement level, the auditor designs overall responses — such as assigning more experienced staff, incorporating unpredictability, or emphasising professional skepticism.
  • At the assertion level, the auditor designs further audit procedures: tests of controls (evaluating whether controls operate effectively) and/or substantive procedures (detecting material misstatements directly).
  • Substantive procedures comprise tests of details and substantive analytical procedures. Irrespective of the assessed risk, the auditor must perform substantive procedures for every material class of transactions, account balance, and disclosure.
  • The auditor chooses between a substantive approach (relying primarily on substantive procedures) or a combined approach (testing controls and performing reduced substantive procedures). The choice depends on the risk assessment and whether it is efficient to rely on controls.
  • The higher the assessed risk, the more persuasive the audit evidence must be — this affects the nature (type of procedure), timing (when it is performed), and extent (sample size) of procedures.
  • Before completing the audit, the auditor must perform a stand-back evaluation — assessing whether the risk assessments remain appropriate and whether sufficient appropriate evidence has been obtained.

What is ISA 330?

ISA 330, titled "The Auditor's Responses to Assessed Risks," is where audit planning meets audit execution. ISA 315 identifies and assesses the risks. ISA 330 determines what the auditor actually does about them.

The standard's fundamental principle is that audit procedures must be responsive to assessed risks — not formulaic. A high-risk area requires a qualitatively different response than a low-risk area: different types of procedures, different timing, larger sample sizes, more experienced personnel, and more rigorous evaluation of evidence. An audit where every area receives the same level of attention regardless of risk is, by definition, not compliant with ISA 330.

The Objective

ISA 330.3 states the objective:

The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.

"Sufficient" relates to the quantity of evidence. "Appropriate" relates to its quality — relevance and reliability. Both are determined by the nature, timing, and extent of the audit procedures performed.

Overall Responses: Financial Statement Level

ISA 330.5 requires the auditor to design and implement overall responses to address assessed risks at the financial statement level. Financial statement-level risks are pervasive — they affect the financial statements as a whole rather than specific assertions. Examples include a weak control environment, management integrity concerns, or significant going concern doubt.

Overall responses may include:

| Response | When Applied |
|---|---|
| Emphasising professional skepticism to the team | When fraud risk or management integrity concerns exist |
| Assigning more experienced staff or those with special skills | For complex or high-risk engagements |
| Using experts | Where specialist knowledge is needed (valuations, actuarial, tax, IT) |
| Increasing supervision | Where team members are less experienced or risks are higher |
| Adding unpredictability | Varying the timing, nature, or selection of procedures — particularly to address fraud risk |
| Modifying the general nature, timing, or extent of procedures | For example, performing substantive procedures at year-end rather than interim, or modifying procedures to obtain more persuasive evidence |

Further Audit Procedures: Assertion Level

ISA 330.6–7 requires the auditor to design and perform further audit procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks at the assertion level.

Nature

The "nature" of a procedure refers to its purpose (test of controls or substantive procedure) and its type (inspection, observation, inquiry, confirmation, recalculation, re-performance, or analytical procedure). Higher-risk assertions generally require procedures that provide more persuasive evidence — external confirmations rather than internal inquiries, physical inspection rather than document review, re-performance rather than inquiry alone.

Timing

"Timing" refers to when the procedure is performed and the period or date to which the audit evidence applies. For higher-risk assertions, the auditor may need to perform procedures at or near the period end rather than at an interim date. For fraud risks, the auditor may perform procedures at unpredictable times.

Extent

"Extent" refers to the quantity — sample sizes, the number of observations, the detail of analytical procedures. Higher-risk assertions require larger samples, more locations, or more detailed analysis. However, ISA 330.A15 notes that increasing extent is only effective if the procedure itself is relevant — performing more of an ineffective procedure does not improve audit quality.

Tests of Controls

ISA 330.8–14 governs tests of controls — procedures designed to evaluate the operating effectiveness of controls in preventing or detecting and correcting material misstatements.

When to test controls

The auditor tests controls when:

  • The risk assessment includes an expectation that controls are operating effectively — if the auditor's assessment of control risk assumes the controls work, that assumption must be validated.
  • Substantive procedures alone cannot provide sufficient appropriate evidence — in highly automated environments where transactions are initiated, processed, and recorded electronically with no paper trail, testing the controls embedded in the system may be the only feasible approach.

What testing involves

Tests of controls evaluate operating effectiveness — not just design. A control that is well-designed but not consistently operated provides no assurance. Testing involves a combination of inquiry, observation, inspection, and re-performance.

ISA 330.10 is explicit: inquiry alone is not sufficient to test the operating effectiveness of controls. The auditor must use inquiry in combination with other procedures such as inspection of evidence that the control operated, re-performance of the control, or observation of the control in action.

Using prior-year evidence

ISA 330.13–14 addresses the use of audit evidence about operating effectiveness obtained in previous audits. If the auditor plans to rely on controls that were tested in a prior period, they must: obtain evidence about whether significant changes in those controls have occurred since the last test, and test the controls at least once every third audit.

For significant risks, the auditor must test controls in the current period — prior-year reliance is not permitted.

Substantive Procedures

ISA 330.18–22 governs substantive procedures — designed to detect material misstatements directly at the assertion level.

The mandatory substantive testing requirement

ISA 330.18 requires substantive procedures for every material class of transactions, account balance, and disclosure — regardless of the assessed risk. This reflects two realities: the auditor's risk assessment is inherently judgmental and may not capture all risks, and internal controls have inherent limitations.

This means the auditor cannot adopt a purely controls-based approach that eliminates substantive testing. Even where controls are assessed as highly effective, some substantive procedures are always required for material items.

Types of substantive procedures

Tests of details — direct examination of specific items: inspecting documents, confirming balances with third parties, recalculating amounts, physically counting inventory, tracing transactions through the system.

Substantive analytical procedures — evaluating financial information through analysis of plausible relationships among both financial and non-financial data. These are most effective for large volumes of predictable transactions (e.g., payroll expense analysed by headcount and average salary, depreciation calculated from the fixed asset register). ISA 520 provides detailed guidance.

Choosing between substantive approaches

The choice between tests of details and substantive analytical procedures depends on the assertion and the nature of the account. Analytical procedures work well for accounts where the auditor can develop a precise expectation from independently corroborated data — payroll, rent, utilities, depreciation. They work poorly for accounts where the relationship is imprecise or the underlying data cannot be corroborated — provisions, fair values, one-off transactions. For high-risk assertions, tests of details are generally more persuasive than analytical procedures and may be the only appropriate approach.

Substantive approach vs. combined approach

The auditor's response to assessed risks typically follows one of two approaches:

Substantive approach — the auditor does not rely on controls and performs substantive procedures sufficient to address the risk. This is appropriate where: controls are weak or non-existent, the entity is small with limited segregation of duties, it is more efficient to perform substantive procedures than to test controls, or the auditor does not wish to rely on controls.

Combined approach — the auditor tests controls and, if controls are operating effectively, performs reduced substantive procedures. This is appropriate where: the entity has strong controls, the volume of transactions makes substantive testing alone impractical, or the auditor can gain efficiency by relying on controls for some assertions.

Dual-Purpose Testing

ISA 330.A23 recognises that the auditor may design a test of controls and a test of details to be performed concurrently on the same transaction — a dual-purpose test. For example, examining a purchase invoice to both verify that it was properly authorised (test of controls — occurrence) and confirm the amount is correctly recorded (test of details — accuracy).

Dual-purpose testing is efficient, but the results must be evaluated separately for each purpose. A deviation in the control does not necessarily mean the transaction is misstated, and a correctly stated amount does not necessarily mean the control operated.

Testing at Interim Dates

ISA 330.22–23 addresses the situation where substantive procedures are performed at an interim date — before the period end.

When substantive procedures are performed at interim, the auditor must cover the remaining period by performing either: additional substantive procedures for the remaining period, substantive procedures combined with tests of controls for the remaining period, or (if the auditor considers substantive procedures alone are sufficient) substantive procedures alone for the remaining period.

The key requirement: the auditor must have a reasonable basis for extending audit conclusions from the interim date to the period end. If the auditor identifies unexpected misstatements at the interim date, the auditor should consider whether the risk assessment and planned procedures for the remaining period need revision.

For fraud risks or risks at the higher end of the spectrum, performing procedures only at interim and rolling forward is generally not appropriate — the auditor should perform procedures at or near the period end.

The Stand-Back Evaluation

ISA 330.25–26 requires two critical evaluations before the audit concludes:

Assess the risk assessment. Based on the audit procedures performed and evidence obtained, the auditor must evaluate whether the assessments of the risks of material misstatement at the assertion level remain appropriate. If audit evidence from further procedures contradicts the original risk assessment, the auditor must revise the assessment and modify the planned procedures.

Conclude on sufficiency. The auditor must conclude whether sufficient appropriate audit evidence has been obtained. If the auditor has not obtained sufficient appropriate evidence for a material assertion, the auditor must attempt to obtain additional evidence. If additional evidence cannot be obtained, the auditor must express a qualified opinion or a disclaimer of opinion.

Documentation

ISA 330.28–30 requires documentation of:

  • The overall responses to the assessed risks at the financial statement level.
  • The nature, timing, and extent of the further audit procedures performed.
  • The linkage between those procedures and the assessed risks at the assertion level.
  • The results of the audit procedures, including the conclusions where these are not otherwise clear.
  • For tests of controls: the conclusions about the operating effectiveness of the controls.

The linkage requirement is critical — regulators consistently cite the absence of a clear connection between assessed risks and designed procedures as a fundamental audit quality deficiency.

ISA 330 in Your Jurisdiction

Netherlands. COS 330 follows ISA 330 closely. The AFM's inspection findings repeatedly highlight the linkage between risk assessment and audit response as a key quality indicator. Specific findings include: responses that do not change despite changes in risk assessment, insufficient consideration of the nature of procedures (defaulting to standard tests regardless of risk), and inadequate coverage of the period between interim testing and year-end.

Germany. IDW PS 330 adapts ISA 330 for the German context. German practice places strong emphasis on substantive procedures, reflecting the tradition of Prüfungssicherheit (audit assurance) through detailed testing. The WPK's inspections examine whether audit responses are proportionate to assessed risks and whether the auditor has adequately considered the combined approach where controls are strong.

United Kingdom. ISA (UK) 330 is substantively aligned with ISA 330. The FRC's inspection findings consistently identify the response to assessed risks as a primary area of concern — particularly insufficient procedures for significant risks, over-reliance on management's explanations without corroborating evidence, and failure to modify procedures when risks change during the audit.

France. NEP 330 implements ISA 330 within the French statutory framework. French practice integrates the response to assessed risks with the specific programme de travail (work programme) developed for each engagement. The H3C's inspections focus on whether the work programme is responsive to the specific risks identified in the plan de mission and whether it is updated as the audit progresses.

Frequently Asked Questions

What is the difference between tests of controls and substantive procedures?

Tests of controls evaluate whether the entity's internal controls are operating effectively to prevent or detect misstatements. Substantive procedures directly detect material misstatements in the financial statements. The two serve different purposes: tests of controls test the system, substantive procedures test the numbers.

Can the auditor skip substantive testing if controls are strong?

No. ISA 330.18 requires substantive procedures for every material class of transactions, account balance, and disclosure — regardless of the assessed risk. Even if controls are assessed as highly effective and tests of controls confirm this, some level of substantive testing is always required.

How does the auditor decide between a substantive approach and a combined approach?

The decision depends on: the assessed risks, whether the entity has controls that are suitably designed and that the auditor considers testing, the efficiency of each approach (for high-volume transactions, testing controls may be more efficient than extensive substantive testing), and whether substantive procedures alone can provide sufficient evidence (in highly automated environments, they may not).

What does "more persuasive evidence" mean for higher risks?

It means evidence that is more relevant and reliable — obtained from independent external sources rather than internal sources, obtained directly by the auditor rather than indirectly, in documentary rather than oral form, and from original documents rather than copies. It may also mean larger sample sizes and procedures performed at or near the period end rather than at interim.

What happens if the auditor finds more misstatements than expected?

This may indicate that the risk assessment was not appropriate and that the planned procedures are insufficient. The auditor must consider revising the risk assessment, modifying the nature, timing, and extent of remaining procedures, and evaluating the effect of the findings on the audit opinion.

Further Reading and Source References

  • IAASB Handbook 2024 — The authoritative source for the complete ISA 330 text, including all application material.
  • ISA 315 (Revised 2019) — Identifying and Assessing the Risks of Material Misstatement — the standard that provides the risk assessments ISA 330 responds to.
  • ISA 500 — Audit Evidence — the standard governing the quality and sufficiency of evidence obtained through ISA 330 procedures.
  • ISA 520 — Analytical Procedures — detailed guidance on substantive analytical procedures.
  • ISA 530 — Audit Sampling — guidance on sample sizes and evaluation for ISA 330 procedures.