Determine whether evidence obtained from previous audits on the effectiveness of controls can be relied upon.
First, focus on whether the control is a control designed to mitigate particular risks (e.g., whether it is an anti-fraud control);If so, evidence from previous audits, i.e., "special risk assessments", should not be relied upon, regardless of whether there has been a change in the current period (provided that the control is to be relied upon).
Second, if it is not a control designed to mitigate particular risk, further focus on whether that control has changed since the last test;In the event of a significant change, evidence obtained from previous audits should not be relied upon. If there is no change or no significant change, evidence obtained from previous audits can be relied upon, provided that "controls are tested at least once every three years". Examples of controls that have not undergone a significant change are those in which the auditee has upgraded its systems, but this change only allows the auditee to obtain reports in the new format, which usually does not affect the relevance of evidence obtained from previous audits, and CPAs can still use previously obtained audit evidence.
Finally, the presence of certain factors (e.g., a weak control environment in the audited entity) may lead the CPA to shorten the interval between tests, but not necessarily lead to an inability to rely on evidence obtained from previous audits.