I agree with the 5 common missteps. Assuming the system of internal controls equals compliance itself is dangerous. Instead of critically evaluating the controls and having reasonable assurance that the financials were accurate, the auditors checked the controls, everything worked, they got sign off and went on their way. Its very easy to skip over fundamentals internally if internal audit, compliance managers, or finance assume compliance mitigates fraud risk and dont credibly evaluate the risk of fraud. The auditor uses the understanding of the entities internal control to identify the types of potential misstatements, ascertain factors that affect the risk of material misstatement, and design tests of controls and substantive procedures. Auditors have the foremost responsibility of obtaining audit evidence about the clients relevant controls by observing the client implementing these controls, inspecting documents and reports, and tracing relevant transactions through the clients financial reporting system. The risk of assessing control risk too high is the risk that the assessed level of control risk based on the sample is greater than the true operating effectiveness of the control. After the auditor has determined the risks of material misstatement due to deficient controls, they must design and perform further audit procedures to respond to the clients specific control-related risks