Choose assurance procedures that respond to risk, materiality, and available evidence.
Assurance risk questions ask what could make the assurance conclusion wrong and what work should be done in response. In a CFE Day 3 short case, the answer should not become a full audit plan. It should identify the risk, explain why the supplied facts matter, choose a procedure or evidence response, and state the implication for the engagement or reader.
The key distinction is between a general business concern and an assurance risk. A business concern matters in assurance when it affects misstatement risk, evidence reliability, control reliance, reporting, scope, independence, or communication. If the case says sales are declining, the assurance issue may be inventory valuation, receivable collectability, going-concern disclosure, covenant pressure, or management bias depending on the facts.
| Assurance cue | What to identify | What to recommend |
|---|---|---|
| Unusual transaction | Assertion, account, disclosure, or estimate affected. | Procedure tied to the specific risk. |
| Weak or missing evidence | Whether evidence is sufficient and appropriate. | Additional document, confirmation, recalculation, inquiry, or inspection. |
| Materiality or significance | Whether the issue could affect user decisions. | More persuasive evidence or escalation where needed. |
| Management pressure | Bias, fraud risk, scope limitation, or reporting concern. | Stronger evidence and partner-level communication. |
| Incomplete facts | Assumption that controls the conclusion. | Follow-up fact or document needed before finalizing. |
flowchart TD
A["Case fact or request"] --> B["Account, disclosure, or engagement area affected"]
B --> C["Assertion or assurance concern"]
C --> D["Current evidence available"]
D --> E{"Evidence persuasive enough?"}
E -->|Yes| F["State implication for conclusion or communication"]
E -->|No| G["Choose targeted procedure"]
G --> H["Explain how result resolves the risk"]
This sequence keeps the answer from becoming a list of procedures.
A procedure is useful only if it answers a risk. “Review invoices” is weak unless the response explains what risk the invoices address. A stronger answer states that revenue cut-off is risky because shipments occurred near year-end, then recommends tracing a sample of sales around year-end to shipping documents and subsequent returns.
Risk statements should be specific. Instead of “inventory is risky,” identify whether the risk is existence, valuation, obsolescence, rights, completeness, or cut-off. Instead of “cash is risky,” identify whether the concern is unauthorized payments, bank reconciliation, restricted cash, or missing support.
Most assurance risk analysis becomes clearer when the risk is tied to an assertion or conclusion area. Assertions are not labels to memorize; they are ways to describe how a financial statement or subject matter could be wrong. A receivable may exist but not be collectible. Inventory may exist but be obsolete. Revenue may be complete but recorded in the wrong period. A disclosure may be present but not understandable enough for users.
| Risk area | Common case cue | Better assurance focus |
|---|---|---|
| Existence or occurrence | Balance or transaction may not be real. | Confirm with an external party, inspect support, or trace to underlying events. |
| Completeness | Items may be omitted. | Search for unrecorded items, inspect subsequent activity, or reconcile to independent records. |
| Accuracy or valuation | Amount may be wrong. | Recalculate, compare to supporting schedules, or evaluate assumptions. |
| Cut-off | Transaction may belong in a different period. | Test items around period end against shipment, receipt, service, or payment evidence. |
| Rights and obligations | Entity may not own asset or owe liability as recorded. | Inspect contracts, title documents, financing terms, or legal correspondence. |
| Presentation and disclosure | Users may not receive enough context. | Compare disclosure to facts, standards, covenants, related-party terms, or uncertainty. |
This level of detail improves the procedure. If the risk is cut-off, a confirmation alone may not be enough. If the risk is valuation, proof that the asset exists does not resolve the measurement issue.
Materiality in a short case is usually a judgment cue, not a long calculation. A dollar amount may be important because it affects profit, covenants, bonuses, compliance, or a sensitive disclosure. A small amount may still matter qualitatively if it involves fraud, related parties, illegal acts, independence, or governance.
When materiality or significance changes the work needed, say so. A minor unsupported expense may need only inquiry and documentation follow-up. A large unsupported revenue balance may require stronger external evidence, expanded testing, or reporting consideration. The response should match evidence effort to significance.
Materiality also affects communication. A small classification error may be corrected through management follow-up. A significant unresolved misstatement may require adjustment, governance communication, or report consideration. If a related-party transaction is small, explain why it still matters: disclosure, management bias, or user trust may be affected.
Evidence should be sufficient and appropriate. Sufficiency concerns quantity. Appropriateness concerns relevance and reliability. External evidence is often stronger than internal evidence, written evidence is often stronger than oral explanation, and evidence from a controlled system is stronger when controls are reliable. These are practical judgments, not mechanical rules.
Management representation can support a conclusion, but it should rarely be the only evidence for a significant issue. If a manager says a receivable is collectible, the response should consider subsequent cash receipts, customer correspondence, credit history, aging, or collection activity. If management says a lawsuit is unlikely, legal correspondence may be needed.
The strength of evidence depends on the question being answered. A bank confirmation is persuasive for a cash balance but not for whether restricted cash was properly disclosed. A purchase invoice may support the amount paid but not whether the asset is impaired. A signed contract may support legal terms but not whether performance obligations were satisfied in the period.
Choose the procedure that directly addresses the evidence gap. Inspection may address existence or terms. Confirmation may address balances or rights with third parties. Recalculation may address mathematical accuracy. Observation may address a process at a point in time. Analytical procedures may identify unexpected relationships. Inquiry may explain facts but often needs corroboration.
A good Day 3 procedure names the source and purpose. “Confirm selected receivable balances with customers to support existence and collectability” is stronger than “perform testing.” The procedure should be short but complete enough to show why it works.
Procedure wording should contain three elements: the population, the evidence source, and the purpose. “Select sales recorded just before and after year-end and trace them to shipping documents to assess revenue cut-off” is compact but complete.
Avoid procedures that are technically possible but not responsive. Observing a year-end inventory count may support existence, but it does not resolve obsolete inventory valuation. Asking management whether a control operated is not enough when the issue is evidence reliability.
In a short case, the best assurance response usually has one focused paragraph per issue:
| Sentence role | What it should do | Example structure |
|---|---|---|
| Risk | Name what could be wrong. | “Revenue cut-off is a risk because shipments occurred near year-end.” |
| Evidence gap | Explain why support is not enough. | “The sales report alone does not prove when control passed.” |
| Procedure | Choose a targeted action. | “Trace selected sales before and after year-end to shipping records and subsequent returns.” |
| Implication | Say what the result affects. | “If goods shipped after year-end, revenue should be deferred or corrected.” |
This structure avoids over-writing. The reader can see the professional logic without needing a full audit program. If the issue is significant, add one more sentence explaining escalation, expanded testing, or reporting effect.
| Pitfall | Better approach |
|---|---|
| Recommending procedures without naming the risk. | State risk first, then procedure. |
| Using generic procedure language. | Name the document, population, assertion, and purpose where possible. |
| Treating materiality as only a number. | Consider qualitative significance and user effect. |
| Accepting management explanations alone. | Corroborate significant issues with documents or external evidence. |
| Turning a short issue into a full audit program. | Select the one or two procedures that answer the case request. |
| Testing the wrong assertion. | Match the procedure to existence, completeness, valuation, cut-off, rights, or disclosure. |
| Ignoring what the engagement is trying to conclude. | Connect the risk to the report, conclusion, or user decision. |
Use a risk-evidence-procedure-implication pattern. Identify the risk, evaluate the current evidence, recommend the procedure, and state what the result would mean for the conclusion or communication. This pattern is short enough for Day 3 and specific enough to show professional judgment.
Assurance risk answers are strongest when the procedure feels inevitable from the risk. If the reader can see why that procedure was chosen, the response is doing its job.