FYI ICFR - Risk Assessment, in General—The auditor should use the same risk assessment process to focus attention on the areas of highest risk in the audit of ICFR and the audit of the entity's financial statements. Materiality— The auditor should use the same materiality for the audit of ICFR and for the audit of the entity's financial statements.

Use a “Top-Down Approach”— The auditor should (1) begin at the financial statement level; (2) use the auditor's understanding of the overall risks to internal control; (3) focus on “entity-level controls” (e.g., the control environment, the entity's risk assessment process, monitoring controls, etc.); (4) focus on significant classes of transactions, accounts, disclosures, and relevant assertions that have a reasonable possibility of material misstatement to the financial statements; (5) verify the auditor's understanding of the risks in the entity's processes (includes performing walkthroughs); and (6) select controls for testing based on the assessed risk of material misstatement to each relevant assertion.