ISA 315








            • Stipulates that the auditor shall obtain an understanding of
                internal control relevant to the audit. Internal control is designed

                and implemented to deal with identified business risks that
                threaten the achievement of any of the above objectives. When
                the auditor obtains an understanding of internal control, he/she

                has to (ISA 315, par 13) do the following:

                    • Evaluate the design of those controls. Does a control (individually or in
                       combination with others) effectively prevent, or detect and correct
                       material misstatements?
                    • Determine whether these controls have been implemented. It is no
                       use having brilliant controls in theory if they are not implemented and
                       used effectively by the entity. Inquiry from the entity’s personnel alone
                       is not sufficient. Other procedures (e.g. observation, inspection, etc)
                       have to be performed as well.

                    It is a matter of the auditor’s professional judgement whether a control,
                    individually or in combination with others, is relevant to the audit.