An auditor is assessing control risk for a nonissuer's revenue cycle. The auditor identifies that the entity uses a complex IT system where sales orders are automatically processed, credit limits are checked via an algorithm, and invoices are generated without manual intervention. In this environment, which of the following strategies is MOST appropriate?

Perform only substantive procedures because testing automated controls is too costly for a nonissuer.

Test the design and operating effectiveness of the automated controls and/or IT general controls, as substantive procedures alone may not provide sufficient appropriate audit evidence.

Rely on the service organization's SOC 1 Type 1 report to reduce control risk.

Increase the sample size for confirmation of accounts receivable to compensate for the lack of control testing.