In meeting the second generally accepted auditing standard of fieldwork, the auditor is required to obtain sufficient understanding of each component of the entity's internal controls to plan the audit of the entity's financial statements.
The auditor requires the knowledge of what the management's philosophy and operating style should be, he should also know what the organizational and authorization polices should be, knowledge of what is acceptable technology and human resource policies and the standard polices of the audit committee.
The auditor should assess the management's risk aversion, the manner in which payments are authorized, the security system of the information system and the integrity of the human resource polices and if there is a large number of independent non-executive members on the audit committee. Usually, the control risks observed at this stage need to be documented. For instance if the auditor finds that payments are not ...
Internal control is discussed very comprehensively in this explanation.