Artículo 7. Obtaining an Understanding of Internal Control Over Financial Reporting

.18 The auditor should obtain a sufficient understanding of each component 8 of internal control over financial reporting ("understanding of internal control") to (a) identify the types of potential misstatements, (b) assess the factors that affect the risks of material misstatement, and (c) design further audit procedures. .19 The nature, timing, and extent of procedures that are necessary to obtain an understanding of internal control depend on the size and complexity of the company; 9 the auditor's existing knowledge of the company's internal control over financial reporting; the nature of the company's controls, including the company's use of IT; the nature and extent of changes in systems and operations; and the nature of the company's documentation of its internal control over financial reporting. Note: The auditor also might obtain an understanding of certain controls that are not part of internal control over financial reporting, e.g. , controls over the completeness and accuracy of operating or other nonfinancial information used as audit evidence. 10 .20 Obtaining an understanding of internal control includes evaluating the design of controls that are relevant to the audit and determining whether the controls have been implemented. Note: Procedures the auditor performs to obtain evidence about design effectiveness include inquiry of appropriate personnel, observation of the company's operations, and inspection of relevant documentation. Walkthroughs, as described in paragraphs .37-.38, that include these procedures ordinarily are sufficient to evaluate design effectiveness. Note: Determining whether a control has been implemented means determining whether the control exists and whether the company is using it. The procedures to determine whether a control has been implemented may be performed in connection with the evaluation of its design. Procedures performed to determine whether a control has been implemented include inquiry of appropriate personnel, in combination with observation of the application of controls or inspection of documentation. Walkthroughs, as described in paragraphs .37-.38, that include these procedures ordinarily are sufficient to determine whether a control has been implemented. .21 Internal control over financial reporting can be described as consisting of the following components: 11 The control environment, The company's risk assessment process, Information and communication, Control activities, and Monitoring of controls. .22 Management might use an internal control framework with components that differ from the components identified in the preceding paragraph when establishing and maintaining the company's internal control over financial reporting. In evaluating the design of controls and determining whether they have been implemented in an audit of financial statements only, the auditor may use the framework used by management or another suitable, recognized framework. 12 For integrated audits, AS 2201, states, "The auditor should use the same suitable, recognized control framework to perform his or her audit of internal control over financial reporting as management uses for its annual evaluation of the effectiveness of the company's internal control over financial reporting." 13 If the auditor uses a suitable, recognized internal control framework with components that differ from those listed in the preceding paragraph, the auditor should adapt the requirements in paragraphs .23-.36 of this standard to conform to the components in the framework used.