ISA 400 provided a description of internal control and the types of internal controls, as well as the factors and procedures included in each type.
One of management's responsibilities is to ensure that there are adequate internal controls implemented in an entity. What is required of the auditor is to have a "sufficient understanding of the internal control" as such an understanding will mean a more efficient and effective audit planning and audit approach". According to Ricchiute (2003), in actual application, to obtain such an understanding, the auditor will need to perform the following: (1) perform a preliminary review of the internal control system through the "review of prior-year audit working papers", inquiries of management and personnel and observations; (2) document the internal controls found in the system and identify transaction cycles, either through a flowchart or a "narrative memorandum"; (3) perform a walk-through of a sample transaction; and, (4) identify controls that will reduce to an acceptable or low level the risk of material misstatements (Ricchiute, 2003, p. 214 - 220). In number 4, the auditor may opt to perform only a walkthrough of a transaction or a walkthrough of the transactions and the related controls and test of controls. The choice depends on the auditor's assessment of control risk. If the assessment is high, the auditor will just do a walkthrough of a sample transaction and go directly to substantive testing. If the assessment is low, the auditor will have to perform a more detailed walkthrough, not only of the transaction but also of the related controls, and test the controls the auditor thinks will support the lower risk assessment. The understanding of the internal control system and the subsequent walkthrough or testing is critical to the external auditor since this will dictate the substantive audit procedures that will be done subsequently. This is because a lower level of control risk assessment will decrease the level of detection risk of an auditor. This generally means less extensive and persuasive substantive audit procedures that could be done during the interim rather than during the year-end, resulting to earlier completion of the audit work (Ricchiute, 2003, p. 232).
What about fraud concerns, as these is one of the purposes for setting up the internal control system, in the first place' An external auditor's procedures "cannot be expected to detect immaterial frauds". If a fraudulent transaction or event results to a material misstatement in the financial statements, the external auditor's audit procedures may discover the fraud incident. However, "there is certainly no guarantee of detection" as the "perpetrator(s) may go to extensive lengths to deceive the auditor and hide the defalcation" (Tedd).
Lastly, one of the concerns regarding ISA 400 (and the other auditing standards) is that this may