The auditor may identify some risks that cannot be effectively tested by substantive tests alone. For example, when there are paperless transactions (perhaps using EDI - electronic data interchange). To address these risks, the auditor is required to
A) assess the design effectiveness of relevant controls and test them.
B) obtain an understanding of the controls and test them if reliance is intended.
C) obtain an understanding of the controls and assess their design effectiveness.
D) test the controls that address the paperless aspects of the transactions.

Question

Quizplus · Accepted Answer

When substantive tests alone are not sufficient, the auditor is required to obtain an understanding of the controls that address the risks and test them if reliance is intended. This is known as testing control effectiveness. The auditor may not need to test every control if they have identified a control environment that is effective and provides adequate protection against the identified risks. However, they must have a sufficient understanding of the controls to determine whether reliance can be placed on them. Choice A may be considered if the auditor intends to rely on relevant controls. Choice C focuses on assessing the design of controls, and choice D is not a comprehensive enough approach.

The Auditor May Identify Some Risks That Cannot Be Effectively