While risk assessment procedures (procedures to gain an understanding of the entity and its environment, including internal control) help the financial statement auditor obtain information to make an initial assessment of controlrisk, tests of controls must be performed to support an assessment of controlrisk that is below maximum. The purpose of tests of controls is to obtain evidence regarding the effectiveness of controls in support of an assessment ofcontrol risk below maximum. If controls are found to be effective and functioning, the substantive evidence may be reduced. Substantive evidence is obtained to reduce detection risk. Substantive evidence includes evidence from substantive tests of transactions, analytical procedures, and tests of details of balances.
For audits of internal control over financial reporting, the auditor onlyperforms the first two types of audit tests:procedures to obtain an understandingof internal control and tests of controls. Because a public company auditor must issue a report on internal control over financial reporting, the extent of the auditor’s tests of controls must be sufficient to issue an opinion about the operating effectiveness of those controls. That generally requires a significant amount of testing of controls over financial reporting