Assess risk at financial statement, project, assertion, transaction, balance, and disclosure levels.
Risk assessment translates entity facts into assurance work. The practitioner must decide which risks affect the engagement overall, which risks affect specific assertions or subject-matter criteria, and how those risks change procedures.
The practical task is to identify the risk fact, classify its level, connect it to an assertion or criterion, and explain the response in nature, timing, and extent.
This lesson focuses on how to:
Classify the level before selecting procedures. The same case fact can affect the whole engagement, a specific balance, a control process, or a non-financial criterion.
| Risk level | Meaning | Example response |
|---|---|---|
| Engagement-wide or financial-statement-level risk | Risk affects the overall reliability of reporting or the engagement environment. | Increase professional skepticism, senior involvement, unpredictability, and overall evidence quality. |
| Assertion-level risk | Risk affects a specific transaction, balance, disclosure, or subject-matter criterion. | Design targeted procedures for the affected assertion or criterion. |
| Control risk | Controls may not prevent, detect, or correct errors or exceptions. | Test controls if relying on them or increase substantive work if not. |
| Fraud risk | Incentive, opportunity, rationalization, or suspicious facts suggest intentional misstatement or exception. | Add unpredictable, persuasive, and targeted procedures; consider communication. |
| Compliance or project risk | Subject matter may not comply with criteria or project objectives. | Map procedures to criteria and evidence sources. |

For example, management integrity concerns may affect the reliability of evidence across the engagement. Obsolete inventory risk is narrower and usually affects valuation of inventory. A new government funding requirement may affect compliance criteria rather than a financial statement assertion.
Use case facts, not generic risk lists. A risk indicator is useful only when the answer explains what could go wrong and where it matters.
| Case fact | Possible risk implication |
|---|---|
| Debt covenant pressure | Management may bias estimates, classification, or cut-off to avoid breach. |
| Rapid growth | Systems, controls, staffing, and working capital may not keep up. |
| New system implementation | Processing, access, conversion, and report reliability risks may increase. |
| Complex estimates | Valuation uncertainty, management bias, and disclosure risk may increase. |
| Prior errors or deficiencies | Recurring issues may affect current planning. |
| High staff turnover | Controls, competence, and documentation may weaken. |
| Unstable supply or demand | Inventory valuation, revenue forecasts, impairment, and going concern may be affected. |
| Related-party transactions | Completeness, disclosure, valuation, and authorization risks may increase. |

The risk statement should usually include the cause, the affected area, and the possible error or exception. “Revenue is risky” is weak. “Pressure to meet a lender covenant increases cut-off and occurrence risk for year-end revenue” is useful because it points to specific procedures.
The distinction between broad and assertion-level risks changes the response. Broad risks affect the overall approach. Assertion-level risks require targeted procedures.
| If the risk is | It usually affects | Stronger response |
|---|---|---|
| Management integrity concern | Overall engagement and many areas. | Reassess acceptance, increase skepticism, and consider whether evidence can be reliable. |
| Weak financial close process | Multiple balances and disclosures. | Increase supervision, review reconciliations, and expand year-end procedures. |
| Obsolete inventory | Valuation of inventory. | Inspect ageing, sales after year end, write-downs, and management estimates. |
| Unrecorded liabilities | Completeness of payables and expenses. | Search for unrecorded liabilities, inspect subsequent payments, and review accruals. |
| Revenue cut-off pressure | Occurrence and cut-off of revenue. | Test shipments or service evidence around period end. |
| Missing disclosure | Presentation and disclosure. | Compare disclosure requirements to draft statements and supporting evidence. |

When a risk affects more than one area, say so. A new system may create an overall risk over report reliability and a specific risk over converted receivables, inventory, or payroll records.
Fraud risk requires explicit reasoning. The practitioner should consider incentives or pressures, opportunities, and rationalization, then connect the risk to procedures and communication.
| Fraud or bias signal | Assurance response |
|---|---|
| Bonus, covenant, financing, or sale pressure | Increase skepticism over estimates, cut-off, classification, and unusual transactions. |
| Weak segregation of duties or access controls | Test privileged activity, manual adjustments, and management override indicators. |
| Unusual journal entries | Test entries near period end, unusual accounts, round amounts, or entries posted by senior staff. |
| Unsupported management explanations | Corroborate with independent evidence and escalate unresolved contradictions. |
| Prior misstatements or repeated exceptions | Reassess risk, expand testing, and consider control or governance communication. |

Fraud indicators do not always prove fraud, but they do change the work. The response should identify the additional evidence, supervision, or communication needed.
Risk assessment should change the work. If the planned procedures stay the same after risk increases, the risk assessment has not been applied.
| If risk increases | Procedure design response |
|---|---|
| Evidence reliability concern | Use more independent external evidence or corroborating sources. |
| Period-end manipulation risk | Perform more work near or after period end. |
| Control weakness | Reduce reliance on controls and expand substantive work. |
| Complex estimate risk | Use specialist input, retrospective review, sensitivity analysis, and source testing. |
| Fraud risk | Add unpredictability, journal-entry testing, management override procedures, and focused communication. |
| Broad engagement risk | Increase senior review, supervision, and skepticism across the engagement. |

Risk may also lower materiality or significance, change sample size, increase documentation expectations, or require consultation when the matter is complex or sensitive.
| Step | Question | Output |
|---|---|---|
| 1. Fact | What case fact creates risk? | Risk trigger. |
| 2. Risk conclusion | Why does it matter? | Risk of misstatement, exception, fraud, control failure, or evidence limitation. |
| 3. Level | Is it broad or specific? | Engagement-wide or assertion-level classification. |
| 4. Affected area | Which assertion, balance, disclosure, control, or criterion is affected? | Target area. |
| 5. Response | How should nature, timing, or extent change? | Procedure response. |

Use this framework when a case provides an engagement-planning memo, prior-year issue, new client fact, fraud indicator, control weakness, business change, or user concern.
| Pitfall | Correction |
|---|---|
| Listing risks without affected areas. | Link each risk to an assertion, disclosure, control, or criterion. |
| Treating all risks as assertion-level. | Identify broad engagement risks separately. |
| Ignoring fraud indicators. | Address incentive, opportunity, rationalization, and management override where relevant. |
| Using prior-year results mechanically. | Consider whether prior issues are resolved or circumstances changed. |
| Failing to change procedures. | Explain nature, timing, and extent effects. |