Section 319, Consideration of Internal Control in a Financial Statement Audit, states that an auditor should obtain an understanding of each of the five components of the entity's internal control sufficient to plan the audit. This understanding may encompass controls placed in operation by the entity and by service organizations whose services are part of the entity's information system. In planning the audit, such knowledge should be used to—
- Identify types of potential misstatements.
- Consider factors that affect the risk of material misstatement.
- Design tests of controls, when applicable. Paragraphs 65 through 69 of SAS No. 55 discuss factors the auditor considers in determining whether to perform tests of controls
- Design substantive tests.
[As amended, effective for service auditor's reports covering descriptions as of or after January 1, 1997, by Statement on Auditing Standards No. 78. As amended, effective December 1999, by Statement on Auditing Standards No. 88. Revised, May 2001, to reflect conforming changes necessary due to the issuance of Statement on Auditing Standards No. 94.]