SSA 330 – The Auditor’s Responses to Assessed Risks

SSA 330 Summary

The SSA concerns the auditor’s responsibility to design and implement responses to ROMM at the financial statement (FS) level.

There are two types of testing: substantive procedures (test of details and substantive analytical procedures) and test of controls.

In deciding whether to perform further audit procedures, the auditor should look at the likelihood of MM and whether the risk assessment takes account of relevant controls.

The auditor should test controls if the auditor’s assessment of ROMM at the assertion level includes an expectation that controls are operating effectively. They should also look at the consistency of the controls and who applied the controls.

Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. Inquiry alone is not sufficient to test the operating effectiveness of controls and must be combined with inspection/re-performance of the control.

Audit evidence obtained during an interim period can be used, but the auditor needs to understand any significant changes to these controls during the finals. If the auditor wishes to rely on audit evidence from previous audits, the same issue applies. Controls must be retested at least every third year.

Controls over significant risks like revenue must be tested yearly. If there are deviations in controls, there may be a need to test additional controls, or potential ROMM may need to be addressed using substantive procedures (including tests of details). There may be a need to perform more tests of details if tests of controls are unsatisfactory, as the auditor cannot rely on such controls.

Substantive procedures need to be designed for every material class of transactions, and the auditor should consider the need for external confirmation procedures. Substantive procedures should be extended to the year-end period if they were performed only during the interim period.

Material FS assertions must be obtained, or if not, a qualified opinion might be issued.

In order to respond to ROMM, the auditor may provide more supervision, assign more staff, change the nature, extent and timing of audit procedures etc.

If the control environment is strong, more controls can be tested during interims as compared to finals.

For IT processing, it may not be necessary to increase the extent of testing of an automated control, due to the inherent consistency of IT processing. However, there is a need to ensure that there are no unauthorised changes to program change controls etc. SSA 530 concerns audit sampling.


SSA 320 – Materiality

Materiality in Planning and Performing an Audit Conforming Amendments to Other SSAs

This SSA concerns the auditor’s responsibility to apply the concept of materiality in planning and performing an audit on FS. Materiality (M) can help evaluate the effect of misstatements and uncorrected misstatements.

Misstatements are material if they can be expected to influence the economic decisions of users (as a group) taken on the basis of FS. Both the size and nature of misstatements matter.

Materiality is a matter of the auditor’s judgment. It is assumed that users will know how to understand and interpret the financial statements and are able to make economic decisions based on the information contained.

Materiality is usually determined at the planning stage and it does not automatically mean that the aggregation of misstatements below materiality are uncorrected misstatements. It depends on the nature as well.

Performance materiality (PM) is set lower than materiality, so that the probability that the aggregate of uncorrected misstatements and undetected misstatements exceeds materiality is sufficiently low.

Materiality is usually set at the FS level, although it can be set at the class of transactions level etc. It can be adjusted during the progress of the audit as well, for instance when the actual financial results are very different from the interim financial results (when used to plan for the PM or M).

Both M and PM must be documented in the audit planning documents.

Usually, the M is based on a percentage of a benchmark (example: revenue, profit before tax, gross profit, total equity etc). The benchmark should not be too volatile. Determining a % depends on auditor’s professional judgment.

In an audit of a public sector entity, total cost or net cost (expenses less revenues or expenditures less receipts) may be used. Alternatively, if the entity has custody of public assets, assets may be appropriate.


SSA 315 – Identifying and Assessing ROMM through Understanding Entity and the Environment

Auditor needs to perform risk assessment procedures (includes inquiries of management (those charged with governance, employees etc), analytical procedures, observation and inspection of documents and reports) for the identification and assessment of ROMM at the FS and assertion levels.

Audit partner needs to discuss the susceptibility of the entity’s FS to MM and communicate with the team members not involved in the discussion.

Understanding the entity includes operations, governance structures, type of investments and how the entity is structured. For relevant controls relating to financial reporting, the auditor needs to evaluate the design and effectiveness of these controls. For the control environment, determine whether management has a culture of honest and ethical behaviour. If possible, auditor should obtain management assessment of business risks etc.

Basically, matters relating to financial reporting must be examined. In addition, it is important to understand risks relating to IT.

The auditor needs to understand the nature of IA function’s responsibilities, organisational status and the activities performed. If necessary, audit reports relating to findings on financial reporting should be read and understood. However, some IA do not focus on controls over financial reporting and hence, their reports may not be directly relevant. If IA looks at financial reporting areas, the auditor may want to modify the nature and timing and extent of their testing. If so, please apply SSA 610.

The auditor needs to identify risks and evaluate whether they concern the FS level or affect many assertions. The auditor needs to assess which are significant risks as well. There is a need to include planning matters as audit documentation.

The auditor might want to perform substantive procedures or test of controls to assess ROMM.

Analytical procedures can also be performed to examine trends between financial and non-financial information. However, such broad evidence may be inconclusive and the auditor might need to corroborate it with other information.

Auditor needs to understand the information from prior audit periods and see whether it’s still applicable in the current period. By performing walkthroughs, one can get a better sense of whether there are any changes.

It is necessary to understand industry factors like the competitive environment, supplier and customer relationships etc. The auditor can understand regulatory factors as well.

Understanding the entity includes understanding the business operations, investment activities, financing activities, financial reporting practices, and the entity’s selection and application of accounting policies etc.

Not all business risks give rise to material misstatements, but business risks might have financial consequences and increase the likelihood of identifying ROMM. This FRS covers issues and events that may indicate ROMM. Understanding the financial performance indicators can help the auditor understand the pressure management faces. Industry related information might also serve as useful trends.

There are limitations to internal control, which the auditor needs to understand. Controls can be overridden by management as well. The SSA divides internal control into 5 components: control environment (influences the effectiveness of internal controls and the auditor’s assessment of ROMM); risk assessment process; information system and related business process; control activities; and monitoring of controls.

There are both manual and automated controls. However, the use of IT automated controls presents risks such as inaccurate processing of data, unauthorised access to data, changes to master files, and failure to make changes. Manual controls are more suitable when judgment is involved. They are less suitable for voluminous transactions etc.

Some information required in the FS may not be stored in IT systems. Non-standard journal entries must be examined by the auditor. The auditor should understand how transactions are originated.

It is possible for the auditor to test the operating effectiveness of the control in determining the extent of substantive testing required. The auditor could focus activities on areas with higher ROMM. Main transaction cycles could include things like revenue, purchases and employment expenses.

Auditors need to understand both general and application controls in relation to financial systems for financial reporting. They also need to question the source of information from control monitoring activities and whether they are accurate.

SSA 705 talks about the issuance of a qualified opinion.

Some assertions for transactions could be occurrence, completeness, accuracy, cut-off, classification, presentation etc.

Some assertions for balances are existence, rights and obligations, completeness, accuracy, valuation and allocation, classification, and presentation.



SSA 300 – Planning an Audit of Financial Statements

Good planning can really help to focus the audit and make it more efficient and effective.

The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

Engagement partner and key members of the engagement shall plan and discuss the planning with the team.

The auditor needs to perform procedures on client relationship and engagement, evaluate compliance with ethical requirements and understand the terms of the engagement.

The audit plan shall include the nature, extent, timing of planned audit procedures and also the resources required to complete the audit. The audit strategy can be modified as the audit progresses. The extent of supervision also needs to be planned.

The audit plan and strategy must be part of audit documentation (can be memorandum form, checklists etc). Significant changes to the audit plan need to be explained. Planning needs to consider things like analytical procedures, understanding of legal framework, materiality, involvement of experts etc.


SSA 265 – Communicating Deficiencies in Internal Control to those Charged with Governance and Management

SSA 265 Summary

The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. The auditor can consider internal control when developing audit procedures, but there is no need to express an opinion on internal control effectiveness.

The auditor needs to communicate appropriately with those charged with governance (CWG) on any deficiencies (must explain potential effects) in internal control identified during the audit. This must be done in writing. However, it is okay if there is earlier communication orally. The level of detail in the communication depends on auditor’s professional judgment.

The auditor should clarify with the appropriate level of management (one that has authority to evaluate deficiencies and take necessary remedial action) if one or more deficiencies in internal control are identified. If the finding calls into question management’s integrity/competence, it may not be appropriate to discuss it directly with management.

This SSA also indicates examples and indications of significant deficiencies in internal control.

If the significant deficiency is not rectified in prior years, the auditor can communicate the same deficiency in the current year.

Other deficiencies (not significant) may be communicated to management orally only. Communication of these to those CWG is also optional and dependent on the auditor’s professional judgment.



SSA 260 – Communication with Those Charged with Governance

SSA 260 concerns the auditor’s responsibility to communicate with those charged with governance (CWG) in an audit of Financial Statements.

SSA 265 talks about the requirements to communicate (in writing), in a timely manner, significant deficiencies to those CWG.

There is a need for two-way communication between the auditor and those CWG.

Management also needs to communicate important matters to those CWG.

Some of the things to be communicated by the auditor are the auditor’s responsibilities (express opinion on the FS, significant risks etc), and the scope and timing of the audit. In addition, matters like accounting policies, accounting estimates and financial statement disclosures should be communicated. Other things include whether the firm has complied with relevant ethical requirements regarding independence, and safeguards to eliminate threats to independence. Significant difficulties faced in the audit should also be highlighted.

A subgroup of those CWG could be the audit committee. Auditor must assess whether this must also be highlighted to the Board.

Good governance principles highlight that (i) Auditor will be invited to attend meetings of the AC; (ii) Chair of the AC and other members will liaise with the auditor periodically; (iii) AC will meet the auditor without management’s presence.

Often, critical accounting estimates and critical accounting policies or practices are required to be disclosed in the FS.


SSA 250 – Consideration of Laws and Regulations in an Audit of FS

This SSA is for periods after 15 Dec 2009.

This SSA concerns auditor’s responsibility to consider laws and regulations in an audit of FS.

There are many sorts of possible laws and regulations: regulated industries, OSH, equal employment opportunity. However, not all will affect the FS.

It is management’s responsibility, with the oversight of those charged with governance, to ensure entity’s operations are conducted in accordance with the provisions of laws and regulations.

This SSA will help the auditor to identify material misstatements of the FS due to non-compliance with laws and regulations. There is an inherent risk that the auditor may not uncover all of them due to (i) many laws and regulations that affect operations and do not affect the FS; (ii) collusion or management override of controls; (iii) the fact that whether an act is non-compliance should be determined by a court of law.

Generally, the auditor should be concerned with those laws/regulations that have a direct determination of material amounts and disclosures in the FS, like tax laws etc. For other laws/regulations, the auditor only needs to consider non-compliance that has a material effect on the FS.

Auditor is expected to maintain professional skepticism throughout the audit.

Auditor needs to obtain audit evidence regarding laws/regulations that have an impact on the FS.

Auditor needs to understand the entity and the environment, the legal and regulatory framework for the entity/industry, and how the entity is complying.

Written representations from management on compliance/non-compliance should be obtained.

If auditor suspects non-compliance, investigation into the effect on the FS must be performed. If insufficient evidence is obtained or management cannot demonstrate compliance, the auditor shall consider modifying the audit opinion.

There must be audit documentation on identified or suspected non-compliance and relevant correspondences.

Management can institute controls like monitoring of legal requirements, internal controls for systems, develop a code of conduct, ensuring employees are trained, monitor compliance with the code of conduct, engage legal advisors etc, in order to ensure compliance with laws and regulations.

