AUD Risk Assessment, Internal Control, and Audit Planning

AUD risk-assessment coverage for entity understanding, internal control, risk identification, and audit planning.

This part covers the planning logic of an audit. The goal is to understand the entity, assess internal control, identify where material misstatements could arise, and turn that understanding into a coherent audit response rather than a checklist of procedures.

In This Part

Understanding the Entity, Industry Pressures, and Fraud-Risk Context explains how business, market, governance, and fraud context shape audit risk.
Internal Control Frameworks, IT Controls, and Control Documentation covers control design, control environment, IT controls, walkthroughs, and known control limits.
Identifying Risks of Material Misstatement, Assertions, and Materiality connects entity understanding and controls to formal risk assessment and threshold setting.
Planning Audit Strategy, Procedures, and Use of Others translates assessed risk into the actual structure of the engagement.

Risk assessment is the logic layer that explains why later audit work changes. The auditor gathers an understanding, identifies where misstatement could occur, evaluates control design and implementation, sets materiality, and then designs responses. AUD questions often punish answers that jump directly to testing without explaining the risk basis for the work.

Risk Assessment Workflow Lens

Planning step	What the auditor is deciding	Common AUD trap
Understand the entity	Which business, industry, regulatory, and fraud factors create risk?	Treating background facts as filler instead of risk indicators.
Understand internal control	Are controls designed and implemented to address relevant risks?	Assuming documented controls are operating effectively without testing.
Identify assertions at risk	Which financial statement assertions could be materially misstated?	Naming a generic account risk without connecting it to an assertion.
Set and apply materiality	What threshold guides planning, performance materiality, and evaluation?	Using materiality as a mechanical percentage without considering qualitative factors.
Plan responses	How should nature, timing, extent, staffing, and use of others change?	Choosing standard procedures that do not respond to the assessed risk.

Audit Planning Sequence

Step	What to do	Why it matters on AUD
1. Understand the entity and environment	Identify industry, operations, regulation, strategy, governance, and fraud pressures.	Planning starts with facts that create misstatement risk.
2. Understand internal control design	Evaluate control environment, IT controls, process controls, and implementation evidence.	Controls shape risk assessment before reliance is tested.
3. Identify assertion-level risks	Link accounts and disclosures to existence, completeness, valuation, rights, obligations, cutoff, and presentation risks.	Procedures should respond to specific assertions.
4. Set materiality and performance materiality	Use quantitative and qualitative factors to plan testing and evaluate misstatements.	Materiality guides the nature and extent of work.
5. Design the audit response	Adjust timing, staffing, procedures, use of specialists, and control reliance based on assessed risk.	Planning is complete only when risk changes the audit strategy.

How to Use This Part

Read these chapters in order because planning decisions build on earlier understanding.
Focus on how the facts change the risk assessment, not only on definitions of risk terms.
Revisit this part whenever an AUD question turns on why a procedure or strategy was selected in the first place.

In this section

Understanding the Entity, Industry Pressures, and Fraud-Risk Context
AUD entity-understanding coverage for industry factors, economic conditions, governance, and fraud-risk context.
- Assessing Industry and Regulatory Influences on Audit Risk
  How industry conditions, laws, and regulatory oversight shape inherent risk and audit planning.
- Evaluating Economic and Market Conditions in Audit Planning
  How macroeconomic and market conditions affect audit risk, assertions, estimates, and planning.
- Understanding Corporate Governance and Sarbanes-Oxley Considerations
  How governance structure, audit committees, and SOX requirements influence audit risk and oversight.
- Recognizing Fraud Risk Factors in the Planning Stage
  How incentives, opportunities, rationalization, and red flags shape fraud-risk assessment in audit planning.
Internal Control Frameworks, IT Controls, and Control Documentation
AUD control-framework coverage for COSO, entity-level controls, IT controls, walkthroughs, and control limitations.
- Applying the COSO Internal Control Framework in Audit Planning
  How the COSO framework supports internal-control understanding in AUD.
- Evaluating Entity-Level Controls and the Control Environment
  How entity-level controls and control environment design influence audit planning.
- Understanding IT General Controls and Application Controls
  How IT general controls and application controls affect data reliability and audit strategy.
- Using Walkthroughs, Flowcharts, and Narratives to Document Controls
  How auditors document control understanding through walkthroughs, flowcharts, and narratives.
- Recognizing the Limits of Internal Control and Management Override
  Why internal control has unavoidable limits and how management override affects risk.
Identifying Risks of Material Misstatement, Assertions, and Materiality
AUD risk-identification coverage for assertions, inherent versus control risk, fraud risk, and materiality.
- Linking Significant Accounts, Transactions, and Assertions
  How auditors connect significant balances, transaction classes, and disclosures to assertion-level risks.
- Distinguishing Inherent Risk from Control Risk in Audit Planning
  How auditors separate inherent risk from control risk and use both to assess risk of material misstatement.
- Responding to Fraud Risks Through Detection, Response, and Documentation
  How fraud-risk brainstorming, tailored responses, unpredictability, and documentation affect audit planning.
- Setting Materiality and Performance Materiality in the Audit
  How auditors set, revise, and apply overall materiality, performance materiality, and qualitative materiality.
Planning Audit Strategy, Procedures, and Use of Others
AUD planning coverage for strategy, procedure selection, group audits, use of others, and technology in planning.
- Building the Overall Audit Strategy from Assessed Risk
  How overall audit strategy reflects financial-statement and assertion-level risk.
- Selecting Audit Procedures by Nature, Timing, and Extent
  How risk drives the nature, timing, and extent of audit procedures.
- Planning Group Audits, Component Auditors, and Consolidations
  How the group engagement team plans component work, supervises component auditors, and evaluates consolidation evidence.
- Deciding When to Rely on Internal Audit, Specialists, and Others
  How external auditors evaluate internal audit work, specialists, and service organization evidence without giving up audit responsibility.
- Using Data Analytics and Emerging Technologies in Audit Planning
  How auditors use data analytics, automation, AI, and emerging technology to refine risk assessment and audit planning.

Revised on Monday, June 15, 2026

1. Introduction & Foundations

3. Further Procedures & Evidence

Browse Auditing and Attestation (AUD)