Launch offer — 25% off with code LAUNCH-25 See plans →
Try now → N
📚 Learn/ Paper 5 — Auditing & Ethics/ Core Audit Concepts
Microlesson · 5-min read

Control Activities Relevant to the Audit

## Control Activities Relevant to the Audit

Not all control activities need to be understood by the auditor — only those relevant to the audit matter.

### Which Control Activities Are Relevant?

The auditor focuses on control activities that fall into any of the following three categories:

CategoryDescription
Significant Risk ControlsControls that relate to significant risks, OR controls where substantive procedures alone do not provide sufficient appropriate audit evidence
Auditor's JudgmentControls considered relevant in the auditor's professional judgment
Significant Risk IdentificationAs part of risk assessment, the auditor determines whether any identified risk is, in the auditor's judgment, a significant risk

### Key Principle

The auditor is not required to evaluate all control activities — only those relevant given the audit context. This is driven by risk assessment results.

Worked example

### Example 1

Example: A company processes thousands of sales invoices daily through an automated billing system. Manual approval of each invoice is not feasible, so automated controls (e.g., system checks that invoice amounts match purchase orders) are the primary control. The auditor identifies this as a significant risk area. Since substantive procedures alone cannot efficiently cover all transactions, the automated approval control is relevant to the audit and must be understood and tested.

### Example 2

Example: A small manufacturing firm has a manual bank reconciliation done by the owner monthly. The auditor judges this to be relevant because misstatements in cash could be material. Even though it is not a 'significant risk' per se, the auditor's judgment makes it a relevant control activity.

⚠️ Common exam mistakes

  • Thinking ALL control activities must be evaluated — only relevant ones need to be understood.
  • Confusing 'significant risk' (a specific audit concept) with 'important control' — significant risk is determined during risk assessment, not simply based on materiality alone.
  • Forgetting that controls where 'substantive procedures alone are insufficient' are automatically relevant, even without a significant risk classification.
Reference:
← Previous
Conducting a Bank Audit — 18 K
Next →
Controls Relevant to the Audit
Now that you've read this — what's next?
Move from understanding → mastery in 3 clicks. Each option below picks up from this lesson's topic.
🔥 Drill 5 Qs on this → ✍️ Adaptive practice →
Start 15-min diagnostic