AUDITOR’S RESPONSE TO ASSESSED RISK (ISA 330, ISA 500)

9.2 INTRODUCTION
Evidence-gathering procedures in auditing are directed by the assessment of risk of material
misstatement. ISA 330 states, “The objective of the auditor is to obtain sufficient appropriate
audit evidence regarding the assessed risks of material misstatement, through designing and
implementing appropriate responses to those risks.
 Audit Procedures Responsive to the Assessed Risks of Material Misstatement at the
Assertion Level
To meet this objective of obtaining sufficient appropriate audit evidence, the auditor
must design and perform audit procedures whose nature, timing and extent are based
on, and are responsive to, the assessed risks. The nature of an audit procedure refers to
its purpose (that is, test of controls or substantive procedure) and its type (that is,
inspection, observation, inquiry, confirmation, recalculation, re-performance or
analytical procedure). The nature of the audit procedures is of most importance in
responding to the assessed risks. Timing of an audit procedure refers to when it is
performed, or the period or date to which the audit evidence applies. Extent of an audit
procedure refers to the quantity to be performed, for example a sample size or the
number of observations of a control activity.
Designing and performing further audit procedures whose nature, timing and extent are
based on and are responsive to the assessed risks of material misstatement at the
assertion level provides a clear linkage between the auditor’s further audit procedures
and the risk management.
The auditor’s assessment of the identified risks at the assertion level provides a basis for
considering the appropriate audit approach for designing and performing further audit
procedures. For example, the auditor may determine that only by performing tests of
controls she can achieve an effective response to the assessed risk of misstatement for a
particular assertion. Or the auditor may find that performing only substantive
procedures is appropriate for particular assertions and, therefore, she excludes the
effect of controls from the relevant risk assessment. This may be because the auditor’s
risk assessment procedures have not identified any effective controls relevant to the
assertion, or because testing controls would be inefficient and therefore the auditor
does not intend to rely on the operating effectiveness of controls in determining the
nature, timing and extent of substantive procedures. Of course, the auditor may try a
combined approach using both tests of controls and substantive procedures.
Irrespective of the approach selected, however, the auditor designs and performs
substantive procedures for each material class of transactions, account balance and
disclosure.
Overall responses to address the assessed risks of material misstatement at the financial
statement level may include:
  Emphasizing to the engagement team the need to maintain professional
skepticism.
 Assigning more experienced staff or those with special skills or using experts.
 Providing more supervision.
 Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed.
 Making general changes to the nature, timing or extent of audit procedure, for
example: performing substantive procedures at the period end instead of at an
interim date, or modifying the nature of audit procedures to obtain more
persuasive audit evidence.
 Reasons for Risk Assessment
When she designs these audit procedures to be performed, the auditor should consider
the reasons for the assessment including: the likelihood of material misstatement due
to inherent risk and whether the risk assessment takes account of relevant controls
(that is, the control risk), thereby obtaining audit evidence to determine whether the
controls are operating effectively. Such considerations have a significant bearing on the
auditor’s general approach; for example, an emphasis on substantive procedures
(substantive approach), or an approach that uses tests of controls as well as substantive
procedures (combined approach). By using an approach of gathering evidence by testing
controls, the auditor is lowering the control risk. This allows the auditor to accept a
higher detection risk, which allows the auditor to reduce the evidence needed from
substantive procedures. This also applies the other way around. The auditor can accept
a high control risk by not testing controls. This needs to be compensated by reducing
the detection risk. In order to have a low detection risk, the auditor needs to gather
relatively more evidence from performing substantive procedures.
The assessment of the risks of material misstatement at the financial statement level,
and thereby the auditor’s overall responses, is affected by the auditor’s understanding
of the control environment. An effective control environment may allow the auditor to
have more confidence in internal control and the reliability of audit evidence generated
internally within the entity and thus, for example, allow the auditor to conduct some
audit procedures at an interim date rather than at the period end. Deficiencies in the
control environment, however, have the apposite effect; for example, the auditor may
respond to an ineffective control environment by:
 Conducting more audit procedures as of the period end rather than at an interim
date
 Obtaining more extensive audit evidence from substantive procedures
 Increasing the number of locations to be included in the audit scope
The higher the auditor’s assessment of risk, the more persuasive audit evidence she
needs. When obtaining more persuasive audit evidence because of a higher assessment
of risk, the auditor may increase the quantity of the evidence, or obtain evidence that is
 more relevant or reliable, for example by placing more emphasis on obtaining third-
party evidence or by obtaining corroborating evidence from a number of independent
sources.
The auditor must consider all relevant audit evidence, regardless of whether it appears
to corroborate or to contradict the assertions in the financial statements (completeness
of expense, existence of revenue, etc.). If the auditor is unable to obtain sufficient
appropriate audit evidence, the auditor must express a qualified opinion or disclaim an
opinion on the financial statements.
9.3 THE BASIS OF EVIDENCE
Evidence is anything that can make a person believe that a fact, proposition or assertion is true
or false. Audit evidence is information used by the auditor in arriving at the conclusions on
which the auditor’s opinion is based. Audit evidence includes both information contained in the
accounting records underlying the financial statements and other information. Auditors are not
expected to address all information that may exist. Audit evidence, which is cumulative in
nature, includes audit evidence obtained from audit procedures performed during the course of
the audit and may include audit evidence obtained from other sources such as previous audits
and a firm’s quality control procedures for client acceptance and continuance. Audit evidence is
different from the legal evidence required by forensic accounting.
Evidence for proof of audit assertions is different from evidence in a legal sense. Audit evidence
needs only to prove reasonable assurance, whereas in a legal environment there is a more
rigorous standard of proof and documentation.
 Electronic Evidence
Some of the entity’s accounting data and other information may be available only in
electronic form. For example, entities may use electronic data interchange (EDI) or
image processing systems. In EDI, the entity and its customers or suppliers use
communication links to transact business electronically. Purchase, shipping, billing, cash
receipt and cash disbursement transactions are often consummated entirely by the
exchange of electronic messages between the parties. In image processing systems,
documents are scanned and converted into electronic images to facilitate storage and
reference, and the source documents may not be retained after conversation. Certain
electronic information may exist at a certain point in time, but may not be retrievable
after a specified period of time if files are changed and if back-up files do not exist. The
electronic nature of the accounting documentation usually requires that the auditor use
computer-assisted audit techniques (CAATs).
9.4 FINANCIAL STATEMENT ASSERTION
Management is responsible for the fair presentation of financial statements so that they reflect
the nature and operations of the company based on the applicable financial reporting
framework (IAS, GAAP, etc.). Management prepares the financial statements based upon the
accounting records and other information, such as minutes of meetings, confirmations from
third parties, analysts’ reports, comparable data about competitors (benchmarking), and
controls manuals. The auditor is likely to use the accounting records and that other information
as audit evidence. In representing that the financial statements are in accordance with the
applicable financial reporting framework, management implicitly or explicitly makes assertions
regarding the recognition, measurement, presentation and disclosure of the various elements
of financial statements and related disclosures.
Management makes assertions that can be grouped into three groups: (1) assertions about
classes of transactions and events for the period under audit, (2) assertions about account
balances at the period end, and (3) assertions about presentation and disclosure. Assertions are
representation by management, explicit or otherwise, that are embodied in the financial
statements, as used by the auditor to consider the different types of potential misstatements
that may occur. The standard assertions are occurrence, completeness, accuracy, cut-off,
classification, existence, rights and obligations, valuation and allocation, and understandability.
The auditor assesses risks of potential misstatements based on these assertions and designs
audit procedures to discover sufficient appropriate evidence.
9.5 TEST OF CONTROLS
Test of controls are audit procedures designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting, material misstatements ate the assertion
level. Designing tests of controls to obtain relevant audit evidence includes identifying
conditions (characteristics or attributes) that indicate performance of a control, and deviation
conditions which indicate departures from adequate performance. The presence or absence of
those conditions can then be tested by the auditor. The auditor must design and perform tests
of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of
relevant controls if she assumes that the controls are operating effectively or substantive
procedures alone would be inadequate to get sufficient evidence.
The auditor will perform other audit procedures in combination with inquiry to obtain audit
evidence about the operating effectiveness of the controls including details about how the
controls were applied at relevant times during the period under audit; the consistency with
which they were applied, and by whom or by what means they were applied. The auditor must
also determine whether the controls to be tested depend upon other controls (indirect
controls), and, if so, whether it is necessary to obtain audit evidence supporting the effective
operation of those indirect controls.
The auditor tests controls for the particular time, or throughout the period, for which the
auditor intends to rely on those controls. Audit evidence pertaining only to a point in time may
be sufficient for the auditor’s purpose, for example, when testing controls over the entity’s
physical inventory counting at the period end. If, on the other hand, the auditor intends to rely
on a control over a period, tests of the control at relevant times during that period are
appropriate. Such tests may include tests of the entity’s monitoring of controls.
When evaluating the operating effectiveness of relevant controls, the auditor must evaluate
whether misstatements that have been detected by substantive procedures indicate that
controls are not operating effectively. The absence of misstatements detected by substantive
procedures, however, does not mean that controls related to the assertion being tested are
effective. A material misstatement detected by the auditor’s procedures is a strong indicator of
the existence of a significant deficiency in internal control.
If deviations from controls upon which the auditor intends to rely are detected, the auditor
must make specific inquiries and determine whether the tests of controls that have been
performed provide an appropriate basis for reliance on the controls. He must also determine if
additional tests of controls are necessary or potential risks of misstatement need to be
addressed using substantive procedures.
The concept of effectiveness of the operation of controls recognizes that some deviations in the
way controls are applied may occur. Deviations from prescribed controls may be caused by such
factors as changes in key personnel, significant seasonal fluctuations in volume of transactions
and human error. The detected rate of deviation, in particular in comparison with the expected
rate, may indicate that the control cannot be relied on to reduce risk at the assertion level to
that assessed by the auditor.
 Designing and Performing Tests of Controls
Tests of controls are performed only on those controls that the auditor has determined
are suitably designed to prevent, or detect and correct, a material misstatement in an
assertion. If substantially different controls were used at different times during the
period under audit, each is considered separately. In designing and performing tests of
controls, the auditor shall obtain more persuasive audit evidence the greater the
reliance the auditor places on the effectiveness of a control.
Testing the operating of effectiveness of controls is different from obtaining an
understanding of and evaluating the design and implementation of controls. The same
types of audit procedures are used. The auditor may test the operating effectiveness of
controls at the same time as evaluating their design and implementation. Although
some risk assessment procedures may not have been specifically designed as tests of
controls, they may nevertheless provide audit evidence about the operating
effectiveness of the controls and, consequently, serve as tests of controls.
 Nature and Extent of Tests of Controls
The nature of the particular control influences the type of procedure required to obtain
audit evidence about whether the control was operating effectively. For example, if
operating effectiveness is evidenced by documentation, the auditor may decide to
inspect the documents. For other controls, however, documentation may not be
available or relevant. For example, documentation of operation may not exist for some
 factors such as assignment of authority and responsibility, or for some types of control
activities, such as control activities performed by a computer. In such circumstances,
audit evidence about operating effectiveness may be obtained through inquiry in
combination with other audit procedures such as observation or the use of computer
assisted audit techniques (CAATs).
Inquiry alone is not sufficient to test the operating effectiveness of controls so other
audit procedures are performed in combination with inquiry, for instance inquiry
combined with inspection or re-performance may provide more assurance.
When more persuasive audit evidence is needed regarding the effectiveness of a
control, the auditor increases the extent of testing of the control. As well as the degree
of reliance on controls, matters the auditor may consider in determining the extent of
tests of controls include the frequency of the performance of the control during the
period, the expected rate of deviation from a control, the relevance and reliability of the
audit evidence, and the extent to which audit evidence is obtained from tests of other
controls.
Because of the inherent consistency of IT processing, it may not be necessary to
increase the extent of testing of an automated control. An automated control can be
expected to function consistently unless the program (including the tables, files or other
permanent data used by the program) is changed. Once the auditor determines that an
automated control is functioning as intended (which could be done at the time the
control is initially implemented or at some other date), the auditor may consider
performing tests to determine that the control continues to function effectively. Such
tests might include determining that changes to the program are not made without
being subject to the appropriate program change controls and the authorized version of
the program is used for processing transactions.
 Using Previous Audit Evidence
In certain circumstances, audit evidence obtained from previous audits may provide
audit evidence where the auditor may perform audit procedures to establish its
continuing relevance. For example, in a previous audit, the auditor may have
determined that an automated control was functioning as intended. The auditor may
obtain about evidence to determine whether changes to the automated control have
been made that affect its continued effective functioning through, for example, inquiries
of management and the inspection of logs to indicate what controls have been changed.
Changes may affect the relevance of the audit evidence obtained in previous audits such
that there may no longer be a basis for continued reliance. For example, changes in a
system that enable an entity to receive a new report from the system probably do not
affect the relevance of audit evidence from a previous audit, however, a change that
causes data to be accumulated or calculated differently does affect it.
The auditor depends on professional judgement in deciding on whether to rely on audit
evidence obtained in previous audits for controls that have not changed since they were
last tested and are not controls that mitigate a significant risk. However, ISA 330
 requires controls to be retested at least once in every third year. Factors that may
decrease the period for retesting a control, or result in not relying on audit evidence
obtained in previous audits at all, include the following:
 A deficient control environment
 Deficient monitoring of controls
 A significant manual element to the relevant controls
 Personnel changes that significantly affect the application of the control
 Changing circumstances that indicate the need for changes in the control
 Deficient general IT controls
9.6 SUBSTANTIVE PROCEDURES
The main work an auditor is to find evidence using test procedures. A substantive procedure is
an audit procedure designed to detect material misstatement at the assertion level. Substantive
procedures comprise: (1) tests of details (of classes of transactions, account balances and
disclosures), and (2) substantive analytical procedures.
Audit evidence is the information used by the auditor in arriving at the conclusions on which
the audit opinions is based. Audit evidence consists of source documents and accounting
records underlying the financial statements and corroborating information from other sources
and can be gathered by tests of controls as well as substantive procedures.
Substantive procedures are tests performed to obtain audit evidence to detect material
misstatements or significant misstatements that may in aggregate be material in the financial
statements. Substantive procedures are responses to the auditor’s assessment of the risk of
material misstatement. The higher the assessed risk, the more likely the extent of the
substantive procedures will increase and the timing of procedures will be performed close to
the project.
 Nature of Substantive Procedures
The nature of substantive procedures includes tests of details (of transactions and of
balances) and substantive analytical procedures. The auditor’s substantive procedures
include agreeing the financial statements to the accounting records, examining material
adjustments made during the course of preparing the financial statements, and other
procedures relating to the financial reporting closing process. Substantive analytical
procedures are generally more applicable to large volumes of transactions that tend to
be predictable over time. Tests of details are ordinarily more appropriate to obtain audit
evidence regarding certain financial statement assertions, including existence and
valuation.
A substantive test usually performed on accounts payable is a search for unrecorded
liabilities. This test may be part of the closing procedures or done in concert with the
confirmation of accounts payable. This test provides evidence as to completeness and
some evidence as to valuation. To search for unrecorded liabilities, the auditor reviews
 disbursements made by the client for a period after the balance sheet date, sometimes
to the date of the completion of field work.
9.7 SUFFICIENT APPROPRIATE AUDIT EVIDENCE
According to ISA 500, the objective of the auditor is to design and perform audit procedures in
such a way as to be enable the auditor to obtain sufficient appropriate audit evidence to be
able to draw reasonable conclusions on which to base the auditor’s opinion. As explained in ISA
200, reasonable assurance is obtained when the auditor has obtained sufficient appropriate
audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate
opinion when the financial statements are materially misstated) to an acceptably low level.
The sufficiency and appropriateness of audit evidence are interrelated. Sufficiency is the
measure of the quantity of audit evidence. The quantity of audit evidence needed is affected by
the auditor’s assessment of the risks of misstatement (the higher the assessed risks, the more
audit evidence is likely to be required) and also by the quality of such audit evidence (the higher
the quality, the less may be required). Obtaining more audit evidence, however, may not
compensate for its poor quality. Appropriateness is the measure of the quality of audit
evidence, that is, its relevance and its reliability in providing support for the conclusions on
which the auditor’s opinion is based. The reliability of evidence is influenced by its source and
by its nature, and is dependent on the individual circumstances under which it is obtained.
ISA 330 requires the auditor to conclude whether sufficient appropriate audit evidence has
been obtained. Whether sufficient appropriate audit evidence has been obtained to reduce
audit risk to an acceptably low level, and thereby enable the auditor to draw reasonable
conclusions on which to base the auditor’s opinion, is a matter of professional judgment. The
auditor’s judgement as to what constitutes sufficient appropriate audit evidence is influenced
by such factors as:

 The significance of the potential misstatement in the assertion and the likelihood of its
having a material effect, individually or aggregated with other potential misstatements,
on the financial statements: the more material the item, the greater the required
sufficiency and appropriateness of evidence
 The effectiveness of management’s responses and controls to address the risks: strong
controls reduce evidence requirements
 Results of audit procedures performed, including whether such audit procedures
identified specific instances of fraud or error
 Source and reliability of the available information
 Persuasiveness of the audit evidence
 Understanding of the entity and its environment, including its internal control
Summarises the considerations for determining whether audit evidence is ‘sufficient
appropriate evidence’.
 When designing and performing audit procedures, the auditor must consider the
relevance and reliability of the information to be used as audit evidence. Reliability is the
quality of information when it is free from material error and bias and can be depended upon
by users to represent faithfully that which it either purports to represent or could reasonably be
expected to represent. Relevance of evidence is the appropriateness (pertinence) of the
evidence to the audit objective being tested. The quantity (relevance and reliability) of audit
evidence needed is affected by the risk of misstatement (the greater the risk, the more audit
evidence is required) and also by the quality of the audit evidence (the higher the quality of
evidence, the less is required).
 Relevance
Relevance deals with the logical connection with, or bearing upon, the purpose of the
audit procedure and the assertion under consideration. The relevance of information to
be used as audit evidence may be affected by the direction of testing (overstatement or
understatement of the account). For example, if the purpose of an audit procedure is to
test for overstatement of accounts payable, testing the recorded accounts payable may
be a relevant audit procedure. On the other hand, when testing for understatement of
accounts payable, testing the recorded accounts payable would not be relevant, but
testing such information as subsequent disbursement, unpaid invoices, suppliers’
statements and unmatched receiving reports may be relevant.
Tests of controls are designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
Designing tests of controls to obtain relevant audit evidence includes identifying
conditions (characteristics or attributes) that indicate performance of a control, and
deviation conditions which indicate departures from adequate performance. The
presence or absence of those conditions can then be tested by the auditor.
Substantive procedures are designed to detect material misstatements at the assertion
level. They comprise tests of details and substantive analytical procedures. Designing
substantive procedures includes identifying conditions relevant to the purpose of the
test that constitute a misstatement in the relevant assertion.
 Reliability
The reliability of information to be used as audit evidence, and therefore of the audit
evidence itself, is influenced by its source and its nature, and the circumstances under
which it is obtained, including the controls over its preparation and maintenance where
relevant.
While recognizing that exceptions may exist, the following generalisations about the
reliability of audit evidence may be useful
 The reliability of audit evidence is increased when it is obtained from
independent sources outside the entity
  The reliability of audit evidence that is generated internally is increased when
the related controls, including those over its preparation and maintenance,
imposed by the entity are effective
 Audit evidence obtained directly by the auditor is more reliable than audit
evidence obtained indirectly or by inference.
 Audit evidence in documentary form, whether paper, electronic or other
medium, is more reliable than evidence obtained orally
 Audit evidence provided by original documents is more reliable than audit
evidence provided by photocopies or facsimiles, or documents that have been
filmed, digitized or otherwise transformed into electronic form, the reliability of
which may depend on the controls over their preparation and maintenance.
 Persuasive Evidence
Persuasive evidence has the power or ability to persuade based on logic or reason, often
depending on the use of inductive or deductive reasoning. Evidence may be persuasive
based on the character, credibility or reliability of the source. Unlike legal evidence,
audit evidence does not have to be useful.
Audit evidence is more persuasive when there is consistency between items from
different sources or of a different nature. Evidence is usually more persuasive for
balance sheet accounts when it is obtained close to the balance sheet date. For income
statements, evidence is more persuasive if it is a sample from the entire period. A
random sample from the entire period is more persuasive than a sample from the first
six month.
 Cost/Benefit
The auditor also needs to think about the relationship between the cost of obtaining
audit evidence and the usefulness of the information obtained. The matter of difficulty
and expense involved is not in itself a valid basis for omitting a necessary procedure. If
an auditor is unable to obtain sufficient appropriate audit evidence, he should express a
qualified opinion or a disclaimer of opinion.
If the auditor has not obtained sufficient appropriate audit evidence as to a material
financial statement assertion, he should attempt to obtain further audit evidence. If the
auditor is unable to obtain sufficient appropriate audit evidence, he should express a
qualified opinion or a disclaimer of opinion.