# Entity's Risk Assessment Process, Information System, and Control Activities
## Component 2: Entity's Risk Assessment Process
### Auditor's Objective
The auditor shall obtain an understanding of whether the entity has a process for:
| Step | Activity |
|---|---|
| Identify | Business risks relevant to financial reporting objectives |
| Estimate | Significance of those risks |
| Assess | Likelihood of occurrence |
| Decide | Actions to address those risks |

Memory aid: I-E-A-D
### Key Rule
If the entity's risk assessment process is appropriate, it assists the auditor in identifying ROMM — making the auditor's own risk assessment more efficient.
---
## Component 3: Information System Relevant to Financial Reporting
### What the Auditor Must Understand
The auditor must understand the information system covering:
1. Significant classes of transactions in the entity's operations
2. Transaction procedures, i.e. how transactions are:
   - Initiated → Processed → Recorded → Corrected
   - Posted to the General Ledger → Reported in the Financial Statements
3. Related accounting records and supporting information used to initiate, record, process, and report transactions
4. How the information system captures events and conditions (other than transactions) that are significant to the FS
5. The financial reporting process used to prepare the entity's financial statements
6. Controls surrounding journal entries (always a high-risk area)
---
## Component 4: Control Activities
### Definition
Control Activities = Policies + Procedures that ensure management directives are carried out.
### Auditor's Approach
The auditor shall obtain an understanding of control activities relevant to the audit in order to assess ROMM.

**Important:** the auditor only needs to understand control activities for assertions that were found relevant during the Risk Assessment Process (RAP).

Do NOT attempt to understand ALL control activities; focus on those tied to relevant assertions.
### Practical Implication
If during RAP the auditor identifies that inventory existence is a relevant assertion, they focus on control activities around inventory counts, gate passes, and warehouse records — not necessarily payroll controls.
## Worked examples
### Example 1
During the audit of a retail chain, the auditor finds the entity has a formal risk register: (1) identified risk of inventory obsolescence, rated High; (2) assessed as occurring seasonally (high likelihood); (3) action: monthly slow-moving stock review. This entity risk assessment process is appropriate — it assists the auditor in identifying inventory valuation ROMM.
### Example 2
The auditor maps the revenue cycle: customer order → dispatch note → invoice → accounts receivable ledger → trial balance → financial statements. Understanding this information system (Component 3) reveals that invoices are manually entered into the accounting system. The manual entry step becomes an area of focus for control activities testing (Component 4), especially around completeness and accuracy assertions.
## Common exam mistakes
- Auditing ALL control activities across the entity instead of focusing only on those relevant to the specific assertions identified during RAP — this wastes time and misses the audit objective
- Confusing the entity's risk assessment process (Component 2) with the auditor's own risk assessment (SA 315) — these are distinct; the entity does its own risk management, the auditor evaluates whether it exists and is appropriate
- Overlooking controls around journal entries — these are specifically required to be understood and are high-risk because manual journal entries are a common vehicle for fraud or error
- Not tracing how transactions flow end-to-end from initiation to FS reporting — auditors sometimes focus on one step (recording) and miss risks in initiation or correction stages
## Bare-Act text: Paragraph 18 – Information System Relevant to Financial Reporting
Source: SA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ICAI)

> The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
> - The classes of transactions in the entity's operations that are significant to the financial statements;
> - The procedures, within both IT and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;
> - The related accounting records, whether electronic or manual, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions;
> - How the information system captures information about events and conditions, other than transactions, that are significant to the financial statements;
> - The financial reporting process used to prepare the entity's financial statements, including significant accounting estimates and disclosures;
> - Controls surrounding journal entries.