Hot topic #2. In conducting a risk-based audit, auditors are required to understand the components of internal controls as specified in Extant CAS 315. The standard also requires the auditor to understand the design and implementation of control activities, whether or not controls are being relied upon.