11-21 (Assessing control risk)
An auditor is required to obtain a sufficient understanding of each of the components of an entity's system of internal control to plan the audit of the entity's financial statements and to assess control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements.
Required
a.Explain the reasons an auditor may assess control risk at the maximum level for one or more assertions embodied in an account balance.

• Controls are unlikely to pertain to an assertion.
• Controls are unlikely to be effective.
• It would be inefficient for the auditor to evaluate the effectiveness of the entity’s controls.
b. What must an auditor do to support assessing control risk at less than the maximum level when the auditor has determined that controls have been placed in operation?

• The auditor should identify those specific controls that affect specific financial statement assertions.
• The auditor should perform tests of controls to evaluate the effectiveness of the design and operation of those controls in
preventing or detecting material misstatements in the financial statement assertions.
• The auditor should conclude on the assessed level of control risk.

c. What should an auditor consider when seeking a further reduction in the planned assessed level of control risk?

• Whether additional tests of controls would provide additional evidence.
• Whether it would be efficient to perform these additional tests of controls.
If, after considering the two factors above, the auditor performs additional tests of controls for specific assertions, he determines the assessed level of control risk that the results of the tests support.Then, the auditor uses this assessed level of control risk in determining the nature, timing, and extent of substantive tests for those assertions.

d. What are an auditor's documentation requirements concerning an entity's system of internal control and the assessed level of control risk?
AICPA (adapted)

An auditor should document the obtained basic understanding of the risk assessment, control environment, monitoring, information and communication, and important control activities.
The auditor is required to document his assessment of the level of control risk for each significant financial statement assertion, as follows:
• Control risk is assessed at the maximum level—For those assertions for which control risk is assessed at the maximum level, the auditor is required to document that conclusion, but need not document the basis for the conclusion.Therefore, no evidence is required to be gathered to justify the auditor’s judgment.
• Control risk is assessed at below the maximum level—For those assertions for which the assessed level of control risk is below the maximum level, the auditor is required to document that control risk is assessed below the maximum and the basis for that conclusion.However, the auditor is not required to document a specific assessed level of control risk below maximum, such as moderate or low.The specific nature and extent of this documentation is not prescribed.However, documentation in the workpapers should include, at a minimum,
(1) a description of the tests of controls that the auditor has performed;
(2) the results obtained including findings regarding any deficiencies noted;
(3) the auditor’s evaluation of the effectiveness of controls; and
(4) the effect on the nature, timing, and extent of substantive audit procedures.
It should be noted that regardless of the assessed level of control risk , the auditor should perform substantive tests for significant account balances and transaction classes.