Does a full internal controls audit require testing every control?
No. A full internal controls audit should still be risk-based. The auditor considers materiality, regulatory exposure, operational impact, fraud risk, system dependence, prior findings, change activity, and management concern. High-risk processes receive deeper documentation and testing than low-risk processes.
For example, Harbor Vale Foods might prioritize procure-to-pay, inventory cycle counts, and privileged user access because they connect to cash, inventory accuracy, and system integrity. A low-risk office-supply approval process may be documented at a lighter level or deferred.
The exam trap is equating completeness with testing everything. Due professional care means designing work sufficient for the objective, not exhausting every possible control.