SSA 330 Summary
The SSA concerns the auditor’s responsibility to design and implement responses to risks of material misstatement (ROMM) at the financial statement (FS) level.
There are two types of testing: substantive procedures (tests of details and substantive analytical procedures) and tests of controls.
In deciding whether to perform further audit procedures, the auditor should look at the likelihood of material misstatement (MM) and whether the risk assessment takes account of relevant controls.
The auditor should test controls if the auditor’s assessment of ROMM at the assertion level includes an expectation that controls are operating effectively. The auditor should also look at the consistency of the controls and who applied them.
Tests of controls are performed only on those controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. Inquiry alone is not sufficient to test the operating effectiveness of controls and must be combined with inspection/re-performance of the control.
Audit evidence obtained during an interim period can be used, but the auditor needs to understand what significant changes were made to these controls during the finals. The same issue applies if the auditor wishes to rely on audit evidence from previous audits. Controls must be retested at least every third year.
Controls over significant risks like revenue must be tested yearly. If there are deviations in controls, there may be a need to test additional controls, or the potential ROMM may need to be addressed using substantive procedures (including tests of details). There may be a need to perform more tests of details if tests of controls are unsatisfactory, as the auditor cannot rely on such controls.
Substantive procedures need to be designed for every material class of transactions, and the auditor should consider the need for external confirmation procedures. Substantive procedures should be extended to the year-end period if they were only performed during the interim period.
Material FS assertions must be obtained, or if not, a qualified opinion might be issued.
In order to respond to ROMM, the auditor may provide more supervision, assign more staff, change the nature, extent and timing of audit procedures etc.
If the control environment is strong, more controls can be tested during interims as compared to finals.
For IT processing, it may not be necessary to increase the extent of testing of an automated control, due to the inherent consistency of IT processing. However, there is a need to ensure that there are no unauthorised changes to program change controls etc. SSA 530 concerns audit sampling.