Understanding internal control and assessing control risk are steps which may be performed concurrently in an audit. The evidence collected to achieve one objective may also be used for the other objective. For example, inquiries and information gathered about management's use of budgets in order to understand the control environment may also be used as a test of control over the effectiveness and operation of the budgeting control.
Evidence about the operation of controls in prior audits is a factor impacting an auditor's current year assessment of control risk.
The basis for an auditor's conclusions about the assessed level of control risk must be documented regardless of the level of control risk assessed.
The lower the assessed level of control risk, the MORE assurance the evidence must provide that the controls are operating effectively. An assessment of control risk below maximum must be supported by the collection of evidence indicating the controls are operating effectively. An assessment of control risk at maximum does not require the collection of evidence about the operation of the controls; however, it does require documentation of the basis for the assessment at maximum.