Page 189 - Auditing Standards
P. 189

As of December 15, 2017
                controls are effective);  16


                The complexity of the control and the significance of the judgments that must be made in connection
                with its operation;

                The planned degree of reliance on the control;


                The nature, timing, and extent of procedures performed in past audits;

                The results of the previous years' testing of the control;


                Whether there have been changes in the control or the process in which it operates since the
                previous audit; and


                For integrated audits, the evidence regarding the effectiveness of the controls obtained during the
                audit of internal control.


       Assessing Control Risk


       .32        The auditor should assess control risk for relevant assertions by evaluating the evidence obtained
       from all sources, including the auditor's testing of controls for the audit of internal control and the audit of

       financial statements, misstatements detected during the financial statement audit, and any identified control
       deficiencies.


       .33        Control risk should be assessed at the maximum level for relevant assertions (1) for which controls

       necessary to sufficiently address the assessed risk of material misstatement in those assertions are missing
       or ineffective or (2) when the auditor has not obtained sufficient appropriate evidence to support a control risk
       assessment below the maximum level.



       .34        When deficiencies affecting the controls on which the auditor intends to rely are detected, the auditor
       should evaluate the severity of the deficiencies and the effect on the auditor's control risk assessments. If the
       auditor plans to rely on controls relating to an assertion but the controls that the auditor tests are ineffective

       because of control deficiencies, the auditor should:


           a.   Perform tests of other controls related to the same assertion as the ineffective controls, or


           b.   Revise the control risk assessment and modify the planned substantive procedures as necessary in
                light of the increased assessment of risk.



                     Note: AS 2201 establishes requirements for evaluating the severity of a control deficiency and
                     communicating identified control deficiencies to management and the audit committee in an
                     integrated audit. AS 1305, Communications About Control Deficiencies in an Audit of Financial

                     Statements, establishes requirements for communicating significant deficiencies and material



                                                            186
   184   185   186   187   188   189   190   191   192   193   194