• The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them.
  • In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT.

Monitoring of controls

  • The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls.
  • If the entity has an internal audit function, the auditor shall obtain an understanding of the following in order to determine whether the internal audit function is likely to be relevant to the audit:
  1. The nature of the internal audit function’s responsibilities and how the internal audit function fits in the entity’s organizational structure; and
  2. The activities performed, or to be performed, by the internal audit function.

The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose.


ISA 315 – Definitions

ISA 315 – Requirements

ISA 315 – The information system,

You may like to read:

ISA 260

ISA 265