## Are All Controls Relevant to the Audit?
Not all of an entity's controls are relevant to the auditor. The auditor exercises judgment to determine which controls matter.
### Key Principle
There is a direct relationship between an entity's objectives and its controls, but not all objectives and controls are relevant to the auditor's risk assessment.
### Factors Determining Relevance — Mnemonic: MS² DANCeS
| Letter | Factor |
|---|---|
| M | Materiality |
| S² | Size of the entity |
| D | Diversity and complexity of operations |
| A | Applicable legal and regulatory requirements |
| N | Nature of the entity's business (organisation & ownership) |
| S | Whether the control prevents, or detects and corrects, material misstatement |
| S¹ | Significance of the related risk |
| C¹ | Circumstances and applicable component of internal control |
| C² | Nature and complexity of IT systems, including use of service organisations |
### Controls over Completeness and Accuracy of Information
Controls over completeness and accuracy of entity-produced information may be relevant if the auditor intends to use that information in further procedures.
> Example: When auditing revenue by applying standard prices to sales volume records, the auditor must consider the accuracy of price information and the completeness and accuracy of sales volume data.
### Controls over Safeguarding of Assets
- Auditor's consideration is generally limited to controls relevant to the reliability of financial reporting
- Relevant: Access controls (passwords) limiting access to cash disbursement programs
- Not relevant: Controls preventing excessive use of materials in production
### Evaluating Design vs. Implementation
| Step | What It Means | Why It Matters |
|---|---|---|
| Design evaluation | Is the control capable of preventing or detecting material misstatements? | Assessed first — no point assessing implementation of a poorly designed control |
| Implementation assessment | Is the control actually in use? | A designed-but-not-implemented control provides no assurance |
> An improperly designed control may represent a significant deficiency in internal control.
### Risk Assessment Procedures for Controls
| Procedure | Purpose |
|---|---|
| Inquiry of entity personnel | Understand how controls operate |
| Observation | Watch application of specific controls |
| Inspection | Review documents and reports |
| Tracing transactions | Follow transactions through the information system |
> Critical rule: Inquiry alone is NOT sufficient. Understanding controls ≠ testing their operating effectiveness.
### Manual Controls vs. Automated Controls
| Control Type | Evidence at a Point in Time | Implication |
|---|---|---|
| Manual | Does NOT provide evidence of effectiveness at other times | Must test operating effectiveness separately across the period |
| Automated | Due to inherent consistency of IT processing, may serve as a test of operating effectiveness | Subject to testing of IT general controls (e.g., program change controls) |