Next Steps Possible Risks Proposed Internal Control $/$ Description Type of Control Frequency? How to test the control? What occurs if the control is working properly and what audit standard applies? What happens if the control is not working? What audit standard$($s$)$ apply? How does the control improve operating effectiveness? Preventive$/$

Detective Manual$/$

Automated Next Steps Identify the next steps and related financial statement risks $($Existence or Occurrence, Completeness, Valuation, Rights and Obligations, Presentation and Disclosure, Accuracy, Classification, Cutoff$)$ that are applicable. Identify the control objective and description of procedures in place that is relevant to mitigate the identified risk of material misstatement and achieve the objective. Include a detailed description of the control procedures noting the following:

$1)$ Who performs the control procedures?

$2)$ How is$/$are the procedure$($s$)$ performed?

$3)$ How is the performance of the control activity documented $($i$.$e$.,$ what forms are used$)?$

$4)$ How is performance of the control activity evidenced $($i$.$e$.,$ signature and date on form$)?$ Note whether control is preventive $($i$.$e$.,$ acts before error, omission, or misstatement may occur$)$ or detective $($acts after error$/$misstatement has occurred$).$ Identify whether the control activity is performed manually $($e$.$g$.,$ manual authorization or review of a reconciliation$),$ is automated $($i$.$e$.,$ system edit checks, system access restrictions and authorizations, automated review and approvals, etc.$),$ or performed manually using system generated information $($i$.$e$.,$ physically verifying existence of inventory using system generated inventory report$).$ Indicate the frequency in which the control takes place $($e$.$g$.,$ annual, quarterly, monthly, daily, every time a transaction is processed$).$ Indicate whether the control is designed effectively $($i$.$e$.,$ is the control, individually or in combination with other controls, capable of effectively$$ mitigating the key risk$($s$)$ of material misstatement and achieving the control objective?$).$ What outcomes occur if the control works effectively?$$ What outcomes occur if the control is not working properly or is deficient?

Note: Design deficiency occurs when the control is not effectively designed to meet its objective $($e$.$g$.,$ the control, individually or in combination with other controls, is not capable of effectively preventing or detecting and correcting material misstatements$).$ What applicable Statement of Standards for Attestation Engagements apply? Indicate how the control improves operating effectiveness.

$1.$ Reviewing the draft audit report $2.$ Asking questions about auditor's findings $3.$ Evaluating any recommendations before they are presented to the board in the final report $$