Connect operations, entity risk, and controls to financial reporting reliability in Core 1 assurance scenarios.
Entity risk assessment links the business to the reliability of its reporting. Before selecting procedures or recommending controls, identify how the entity earns revenue, buys goods or services, pays people, manages cash, uses technology, and reports to stakeholders. Those operations create risks that may become financial reporting risks.
In Core 1, assurance topics usually support financial reporting. The answer should not be a generic audit paragraph. It should explain how a fact about operations, systems, management, or controls affects the reliability of a statement balance, transaction stream, disclosure, or recommendation.
| Risk source | Reporting implication | Evidence to inspect |
|---|---|---|
| Revenue model | Cut-off, collectability, returns, estimates, and fraud risk may affect revenue and receivables. | Contracts, invoices, shipping records, sales reports, receivable aging. |
| Purchasing and inventory | Completeness of liabilities, inventory existence, valuation, and obsolescence may be affected. | Purchase orders, receiving reports, supplier invoices, inventory counts. |
| Payroll and compensation | Accruals, bonuses, remittances, and related-party compensation may be misstated. | Payroll registers, employment agreements, bonus approvals, remittance records. |
| Financing | Debt classification, covenants, interest, liquidity, and going concern may be affected. | Loan agreements, covenant calculations, bank confirmations, cash forecasts. |
| Technology and data | Source reports may be incomplete, duplicated, overridden, or unsupported. | System access, report logic, change logs, spreadsheet controls. |
| Management incentives | Bias may affect estimates, timing, classification, or disclosure. | Bonus targets, lender covenants, investor communications, board minutes. |
| Regulatory or tax exposure | Filings, provisions, compliance costs, or disclosure may be affected. | Assessments, correspondence, tax schedules, legal advice. |
The risk assessment should connect facts to reporting areas. “There is business risk” is too broad.
Operational risk is the risk that the business does not perform as intended. Financial reporting risk is the risk that statements or notes are wrong or misleading because of the operation.
| Operational fact | Possible reporting risk |
|---|---|
| A new product launch is behind schedule. | Development costs, inventory, revenue forecasts, or impairment assumptions may be wrong. |
| A key customer is slow to pay. | Receivables and allowance for doubtful accounts may be misstated. |
| A warehouse count is informal. | Inventory existence and completeness may be unreliable. |
| One employee controls purchasing, receiving, and payment. | Unauthorized purchases or unrecorded liabilities may occur. |
| A spreadsheet calculates revenue allocations. | Formula errors or unapproved overrides may affect revenue. |
The Core 1 answer should usually move from operational fact to financial reporting consequence.
Management should identify risks that affect operations and reporting, then design responses. In a case, the weakness may be that management has not connected obvious business changes to financial reporting.
Watch for:
If management’s risk assessment misses these facts, recommend a specific improvement: update the risk register, document the process, assign monitoring responsibility, reconcile source reports, or review the affected estimate.
A walkthrough follows a transaction from initiation to recording and reporting. Core 1 cases often provide compact process notes. Use them to understand what actually happens, not what policy says should happen.
| Walkthrough question | Why it matters |
|---|---|
| Who initiates the transaction? | Identifies authorization and segregation risks. |
| What source document is created? | Shows evidence for recognition and measurement. |
| Who approves it? | Shows whether control is preventive or merely informal. |
| How is it entered into the system? | Identifies data-entry and system-access risks. |
| What reconciliation or review occurs? | Shows whether errors are detected before reporting. |
| What report feeds the statements? | Links process reliability to financial reporting. |
If the process described differs from the formal policy, analyse the process actually used.
Use this order for entity-risk questions:
This sequence prevents broad risk commentary and keeps the response useful.
| Pitfall | Better approach |
|---|---|
| Listing generic business risks. | Connect each risk to a statement area, disclosure, or evidence need. |
| Treating operational risk and reporting risk as the same. | Explain how the operation could create a misstatement or misleading note. |
| Ignoring management incentives. | Consider covenant, bonus, financing, or tax pressures when estimates look biased. |
| Describing controls without evaluating them. | State whether the control prevents, detects, or fails to address the risk. |
| Forgetting the actual process. | Use walkthrough facts rather than assuming the policy is followed. |