For nonissuers – you are not required to do TOC- only obtain an understanding of them…however, if you were contracted to audit their controls, you must test them in order to form an opinion on them.
For issuers – I will copy and paste from notes and hope it helps lol:
Internal Control
*You MUST have an understanding of I/C relevant to an entity's financial reporting objective!
*Document key elements of the understanding of the entity & its environment, including each of the 5 components of I/C
*Observation/Inspection is the most reliable method
*The ultimate purpose in assessing CR>> to contribute to the auditor's evaluation of the risk that MM exist in the FS!!
*LOGIC: TOC helps the auditor assess CR and determine the RMM
– Use the knowledge provided by the understanding of I/C and the RMM to determine the NET of SUB tests
-1st- Understand I/C, 2nd-Identify types of potential Mistatements, 3rd-TOC!, 4th-Assess CR, 5th-Determine RMM. 6th-determine NET of SUB testing!–>Might decide not to do only SUB
*The operating efficiency of I/C is not important to an auditor; the auditor is only concerned w/ operating effectiveness. You are NOT required to assess operating effectiveness during planning
*I/C is relevant to the entire entity, or to any its operating units or business functions
*Establishing Budgets and forecasts is a good way for mgmt to supervise
*Firm's Control Environment: overall attitude and awareness of BoD about I/C
*The ultimate purpose of assessing CR is to contribute to evaluate of Risk that MM exist in FS (RMM!)
.