What is essential for auditors when testing the effectiveness of a company's internal controls?

Auditors must evaluate both the design and operating effectiveness of a company's internal controls to gain a comprehensive understanding of how well those controls mitigate risks and prevent fraud. Assessing design effectiveness involves examining whether the controls are appropriately designed to address the risks identified within the company’s processes. However, this alone is not enough; auditors must also test operating effectiveness to confirm that these controls are functioning as intended in real-world scenarios.

This dual focus is crucial because a control can be perfectly designed (theoretically sound) but may fail to operate effectively due to various factors, such as inadequate training, lack of compliance, or changes in the business environment. By considering both aspects, auditors can provide a more thorough evaluation of controls and ensure they are not only present but also effective in safeguarding the organization's assets and ensuring compliance with regulations.

The other options do not encompass the complete approach auditors need. Simply assessing written policies neglects the practical application of those policies. Focusing solely on financial transactions ignores the broader scope of controls that may be in place, such as operational and compliance controls. Gathering employee feedback can provide valuable insights, yet it cannot substitute for the methodical testing necessary to verify both design and operational effectiveness.