Assess key operations, risks, controls, monitoring activities, and entity risk processes.
Entity risk assessment is the starting point for effective assurance work. Before designing procedures, evaluating evidence, or communicating findings, the practitioner needs to understand how the entity operates and where the subject matter can become unreliable.
The practical task is to connect four layers: the entity’s operations, the risks arising from those operations, the controls that should respond to those risks, and the monitoring activities that show whether the controls continue to work.
This lesson focuses on how to:
Start with the entity’s real process, not with a memorized list of audit risks. Risk assessment is more persuasive when it follows the transaction or activity from initiation to reporting.
| Operation | Possible risk | Related control or response |
|---|---|---|
| Revenue ordering and billing | Revenue may be recorded before performance, or collection may be doubtful. | Approval, shipping or service evidence, billing reconciliation, and credit review. |
| Purchasing and payables | Purchases may be unauthorized, liabilities may be incomplete, or vendor records may be manipulated. | Purchase approvals, three-way match, vendor master controls, and accrual review. |
| Payroll | Fictitious employees, wrong rates, unauthorized overtime, or late terminations may affect payroll. | HR approval, payroll master-file access controls, supervisor approval, and payroll variance review. |
| Inventory or service delivery | Existence, valuation, theft, obsolescence, or service-quality failures may affect reported results. | Counts, access controls, costing review, ageing analysis, and exception reporting. |
| Financial close | Cut-off errors, unsupported estimates, late adjustments, or incomplete reconciliations may affect the statements. | Close checklist, account reconciliations, management review, and audit trail retention. |
A strong response does not stop at “revenue risk exists.” It identifies the operation creating the risk, the assertion or criterion affected, the control that should address it, and the evidence needed to assess the control or underlying balance.
An entity’s risk assessment process should be active and documented. It should identify risks before they produce errors, assign responsibility, and monitor whether controls still respond to changing operations.
| Process feature | Strong evidence | Weak evidence |
|---|---|---|
| Risk identification | Management maintains a risk register, documented process maps, or periodic risk assessment materials. | Risks are discussed informally only after failures occur. |
| Risk response | Controls are mapped to risks and owners are assigned. | Controls exist but no one can explain which risk they address. |
| Change monitoring | New systems, products, funding rules, regulations, or staff changes trigger reassessment. | Controls are not updated when operations change. |
| Reporting | Exceptions and trends are reported to management or the board. | Only successful control performance is reported. |
| Remediation | Deficiencies have owners, deadlines, and retesting. | Weaknesses are noted repeatedly with no follow-up. |
The quality of the process affects assurance planning. A mature process may support more focused risk assessment and control testing. A weak process may require more practitioner-driven understanding, broader procedures, and stronger communication of deficiencies.
When a case provides a walkthrough, the answer should show what was learned and why it matters. A walkthrough is not just a narrative of the client’s policy. It is evidence about whether the stated process is actually followed.
| Documentation item | Why it matters |
|---|---|
| Source of understanding | Identifies whether evidence came from inquiry, observation, inspection, or reperformance. |
| Process steps | Shows how transactions or subject matter move from initiation to reporting. |
| Control points | Identifies where errors or irregularities should be prevented or detected. |
| Evidence retained | Shows whether approvals, logs, reconciliations, or review notes support control performance. |
| Exceptions | Shows where the actual process differs from the stated process. |
| Assurance implication | Connects the walkthrough to risk assessment, procedure design, or communication. |
For example, a walkthrough may show that purchase orders are formally approved, but emergency purchases bypass approval and are later entered manually. That exception affects risk assessment because the control does not cover all relevant transactions. The response should identify the affected population and the additional work needed.
Monitoring is not the same as performing a control. A control operates when an employee reviews a reconciliation, approves a transaction, restricts system access, or investigates an exception. Monitoring asks whether controls continue to work over time and whether problems are corrected.
| Monitoring activity | Assurance implication |
|---|---|
| Management reviews exception reports. | The practitioner can assess whether issues are identified, investigated, and resolved. |
| Internal audit tests controls. | The practitioner should assess internal audit's objectivity, competence, and the quality of the work performed before relying on it. |
| Board or audit committee receives control reports. | Significant deficiencies may require governance communication. |
| Corrective actions are tracked and retested. | Remediation may lower assessed risk or support reliance only after evidence shows the corrected control operated effectively. |
Remediation should be treated carefully. A new control, revised approval threshold, or system fix does not eliminate risk immediately. The practitioner should determine whether the change was implemented, whether staff were trained, whether the control operated for a sufficient period, and whether retesting supports reliance.
| Step | Question | Output |
|---|---|---|
| 1. Operation | Which process or activity creates the issue? | Key operation. |
| 2. Risk | What could go wrong in reporting or subject matter? | Risk and assertion or criterion. |
| 3. Control | What control exists or is missing? | Control assessment. |
| 4. Monitoring | How does management know the control works? | Monitoring or remediation assessment. |
| 5. Assurance effect | What should the practitioner do next? | Planning, procedure, documentation, or communication consequence. |
Use this sequence when a case gives an excerpt from a process memo, risk register, management report, internal audit file, or control walkthrough. The response should move from observed facts to engagement impact.
| Pitfall | Correction |
|---|---|
| Listing risks without operations. | Tie each risk to a process, transaction flow, or activity. |
| Naming controls without explaining the risk addressed. | State whether the control prevents, detects, or corrects the problem. |
| Treating monitoring as control operation. | Distinguish daily performance from management review and follow-up. |
| Assuming remediation eliminates risk immediately. | Require evidence of implementation and retesting. |
| Omitting the assurance implication. | Explain how risk affects planning, procedures, evidence, documentation, or communication. |