Microlesson · 5-min read

Components of Internal Control — Risk Assessment Process and Information System

## Component 2: Entity's Risk Assessment Process

This is the entity's own internal process for identifying and managing business risks — distinct from the auditor's risk assessment.

### What the Auditor Understands

The auditor obtains an understanding of whether the entity has a process for:

| Step | Action |
|---|---|
| 1. Identify | Identifying business risks relevant to financial reporting objectives |
| 2. Estimate | Estimating the significance of each risk |
| 3. Assess | Assessing the likelihood (probability) of occurrence |
| 4. Decide | Deciding on actions to address those risks |

> Mnemonic: I-E-A-D: Identify → Estimate → Assess → Decide

---

## Component 3: Information System, Business Processes & Communication

### What the Auditor Understands — Six Areas

| Area | Detail |
|---|---|
| Significant transaction classes | Which transactions are material to the financial statements |
| Transaction flow | How transactions are initiated, recorded, processed, corrected, transferred to the GL, and reported |
| Backup records | Data retention and recovery mechanisms |
| Capturing events/conditions | How the system captures significant events affecting the FS |
| Financial reporting process | How financial statements are prepared |
| Journal entry controls | Controls surrounding journal entries (key fraud risk area) |

### Communication — Financial Roles and Responsibilities

The auditor understands how the entity communicates:

| Type | Examples |
|---|---|
| Internal | Between management and TCWG |
| External | With regulatory authorities |

Additional considerations:

  • Policy manuals and financial reporting manuals
  • Open communication channels
  • Small entities: less structured but communication tends to be easier due to smaller size

## Worked examples

### Example 1

Risk assessment process (Component 2): Galaxy Pharmaceuticals identified currency fluctuation as a risk to raw material costs (Identify). They estimated it could cause a 15% cost variance (Estimate). They assessed 70% probability given current market volatility (Assess). They decided to hedge 50% of foreign currency purchases (Decide). The auditor documents this I-E-A-D process to understand how well the entity manages financial reporting risks.

### Example 2

Information system (Component 3): The auditor at a retail chain traces a sale: POS records transaction → inventory balance auto-reduces → nightly batch feeds into GL revenue account → month-end process maps GL to P&L line items in FS. Examining this flow, the auditor also checks journal entry controls (are manual entries reviewed and approved?) because management can manipulate results through unsupported journals.
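The journal entry control in Example 2 can be expressed as a screening rule over a general-ledger extract: every manual entry must carry an independent approval. The script below is an added illustration written for this lesson, not part of the original page or any audit software; the field layout, the user names, the amounts and the extra rule that a preparer may not approve their own entry are all assumptions constructed for the example.

```python
"""Screen a general-ledger extract for manual journal entries that fail the
review-and-approval control described in Example 2 (added example, constructed data)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class JournalEntry:
    entry_id: str
    source: str      # "SYSTEM" (e.g. the nightly POS batch) or "MANUAL" (assumed field values)
    preparer: str
    approver: str    # empty string when no approval was recorded
    amount: float
    description: str


# Constructed sample extract; names, ids and amounts are invented for illustration.
SAMPLE_ENTRIES: List[JournalEntry] = [
    JournalEntry("JE-001", "SYSTEM", "pos-batch", "", 48250.00, "Nightly POS sales batch"),
    JournalEntry("JE-002", "MANUAL", "a.kumar", "r.mehta", 12000.00, "Accrue utilities"),
    JournalEntry("JE-003", "MANUAL", "a.kumar", "", 95000.00, "Revenue adjustment"),
    JournalEntry("JE-004", "MANUAL", "r.mehta", "r.mehta", 7000.00, "Reclass expenses"),
]


def review_exceptions(entries: List[JournalEntry]) -> List[Tuple[str, str]]:
    """Return (entry_id, reason) for every manual entry that was not independently approved.

    System-generated postings are skipped because they are covered by automated
    controls elsewhere in the transaction flow (POS -> inventory -> GL).
    The self-approval check is an assumed segregation-of-duties rule, not from the lesson.
    """
    exceptions = []
    for e in entries:
        if e.source != "MANUAL":
            continue
        if not e.approver:
            exceptions.append((e.entry_id, "no approval recorded"))
        elif e.approver == e.preparer:
            exceptions.append((e.entry_id, "self-approved (preparer is approver)"))
    return exceptions


def unsupported_amount(entries: List[JournalEntry]) -> float:
    """Total value of manual entries flagged by review_exceptions, for materiality judgement."""
    flagged = {entry_id for entry_id, _ in review_exceptions(entries)}
    return round(sum(e.amount for e in entries if e.entry_id in flagged), 2)


if __name__ == "__main__":
    for entry_id, reason in review_exceptions(SAMPLE_ENTRIES):
        print(f"{entry_id}: {reason}")
    print(f"Unsupported manual postings: {unsupported_amount(SAMPLE_ENTRIES):,.2f}")
```

Run against the constructed extract, the screen flags JE-003 (no approver) and JE-004 (approved by its own preparer) and sums their value so the auditor can judge whether the unsupported postings are material; the routine approvals (JE-002) and the automated batch (JE-001) pass.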

## ⚠️ Common exam mistakes

  • Confusing the entity's risk assessment process (an IC component the auditor understands) with the auditor's own risk assessment under SA 315 — they are related but separate; the entity's process is what the auditor examines
  • Omitting journal entry controls when listing areas covered under the information system — ICAI specifically highlights this because it is a key fraud risk area targeted in SA 240
  • Ignoring backup records as part of the information system component — students routinely miss this point in exam answers