Obtaining an understanding of internal control allows auditor's to identify the types of material misstatements that could occur in the financial statements, consider the factors that affect the risk of material misstatements, and design substantive tests. An auditor obtains the understanding from researching the clients business. An auditor will take inquires from management and personnel, observe client activities and operations, walk-through the business, and inspect client documents and records. Gathering that information and understanding it will help the auditor plan the audit. The purpose of obtaining an understanding of internal controls allows the auditor to both assess control risk and then detection risk, and determine the nature, extent and timing of substantive tests.
When assessing the control risk below the maximum level the auditor will need to identify the controls (polices and procedures) that affects a financial statement assertion. There can be a pervasive effect on many assertions, or a specific effect on an individual assertion. Next, the auditor will evaluate how effectively the controls prevent or detect material misstatements in that assertion. He or she needs to test the controls to determine how the procedure is designed and how it operates. When an auditor determines a control risk at below the maximum level documentation is required. They need tests of control, results of the tests, and the auditor's evaluation of the effectiveness of the controls. They also need the evidential matter that is sufficient to support a specific assessed level of control risk. Evidential matter varies substantially in the assurance it provides to the auditor as he or she develops an ass ...