What would be the proper sequence of steps for an internal auditor to take in order to draw a conclusion on internal control effectiveness and adequacy after ascertaining the key controls?
A.
Evaluate the adequacy of the controls and then test the controls for effectiveness.
B.
Test the controls for effectiveness and then evaluate the adequacy of the controls.
C.
Identify risks and then evaluate the controls for effectiveness.
D.
Evaluate the controls for effectiveness and then assess the risks in the area.
The proper sequence is to first evaluate the adequacy of the controls to ensure they are appropriately designed to mitigate risks. After confirming their design, the next step is to test the controls to verify they are operating effectively in practice. References:
IIA Standard 2120: Risk Management.
COSO Internal Control-Integrated Framework.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit