General phases of control evaluation are:
Phase 1: Understand and document
• Understand the client's internal control
• Document the understanding of internal control
o Internal control questionnaire
o Narrative
o Accounting and control system flowcharts
Phase 2: Assess control risk (Preliminary)
Phase 3: Testing and reassessment
• Perform test of control audit procedures
• Re-assess control risk
(b) Following lines briefly describes each of the three phases identified above:
Phase 1: Understand and document:
The auditor must fully understand the control environment and procedures and properly documentation must be maintained for future reference. As the audit is programmed on the level of internal control maintained by the auditee, the more strict the internal control system the less efforts the auditors have to make. The auditor can use various methods according to the assignment like internal questionnaire, flowcharts and narratives.
Phase 2: Assess control risk:
The auditor will substantiate his work according the control risk inherent in the audit assignment. If according to auditor's judgement more risk is involved, then detailed audit procedures will be undertaken to fulfill the assignment.
Phase 3: Testing and reassessment:
A final testing and reassessment will help the auditor to control his work and carry on the assignment smoothly. Advances in technology and data analysis have led to the development of numerous tools which can automatically evaluate the effectiveness of internal controls. Used in conjunction with continuous auditing, continuous controls monitoring provides assurance on financial information flowing through the business processes.