Final answer:
To set control risk at a lower level, an auditor identifies relevant general IT and specific controls and performs tests of controls. However, concluding on the achieved level of control risk is a result of these steps, not a prerequisite. Option D.
Step-by-step explanation:
To set the control risk at a lower level, an auditor must have a deep understanding of the company's internal controls, including both general IT controls and specific controls relevant to financial reporting.
However, one of the options provided in the question is not something that the auditor needs to do in the process of setting control risk. The correct answer is:
D) Conclude on the achieved level of control risk.
This is because concluding on the achieved level of control risk is actually a result of evaluating the effectiveness of the company's internal controls, rather than a prerequisite for setting the control risk level.
The auditor must first identify all general IT controls (A), which are the policies and procedures that help ensure the continued proper operation of an IT system. Next, the auditor needs to identify specific controls (B) that are relevant to the audit objectives and that they intend to rely upon.
This includes things like authorization of transactions, completeness and accuracy checks, and segregation of duties. Then, the auditor must perform tests of controls (C), which involve procedures to test the effectiveness of controls in preventing, detecting, and correcting material misstatements at the assertion level.
Option D.