Question: How does the understanding of internal control differ for assertions where the auditor plans a lower assessed level of control risk approach versus a primary substantive approach? How would you as the auditor, document this understanding of an entity's internal controls? Is there such a thing as a "good" control or a "bad" control other than being effective?