Microlesson · 5-min read

Documenting Risks and Reporting Audit Findings

### Documenting Risks (SA 315 Principle)

The auditor must document:

1. Team discussion – the discussion among the engagement team and significant decisions reached

2. Understanding of the entity – key elements of understanding of the entity and its environment, each internal control component, sources of information, and risk assessment procedures performed

3. Assessed risks – identified and assessed risks of material misstatement at:

  • Financial statement level
  • Assertion level

4. Risks and related controls – identified risks and the related controls about which the auditor obtained an understanding

---

### Assessing and Reporting Audit Findings (IT Environment)

At the conclusion of the audit, findings and exceptions in the IT environment and IT controls must be assessed and reported to:

  • Management (Internal Controls Memo / Management Letter)
  • Those Charged with Governance (Board of Directors, Audit Committee) – significant deficiencies must be communicated in writing

Key questions when assessing findings:

1. Are there any weaknesses in IT controls?

2. What is the impact of these weaknesses on the overall audit?

3. Are these deficiencies, significant deficiencies, or material weaknesses?

---

### Hierarchy of Control Deficiencies

| Classification | Description |
|---|---|
| Control Deficiency | A control is missing or not operating effectively |
| Significant Deficiency | Important enough to merit the attention of those charged with governance |
| Material Weakness | Reasonable possibility that a material misstatement will not be prevented or detected |

---

### Communication Requirements

| Finding Type | To Whom | How |
|---|---|---|
| All deficiencies | Management | ICM / Management Letter |
| Significant deficiencies | Those Charged with Governance (Audit Committee, Board) | In writing |
| Material weaknesses | Auditor's Report | Public disclosure (listed entities) |

Worked example

### Example 1

Documentation example: During audit of a manufacturing company, the engagement team discusses that the company's ERP does not have automated controls over inventory write-offs – any user can post a write-off without approval. This risk discussion, the team's conclusion (significant risk of misstatement in inventory), and the decision to perform extended substantive testing on inventory write-offs are all documented in the working papers under 'Identified Risks and Related Controls'.

### Example 2

Reporting example: The auditor identifies that the company has no password complexity policy (users can set single-character passwords). This is reported as a 'significant deficiency' in the Management Letter to management, and the auditor also communicates it in writing to the Audit Committee, noting that it increases the risk of unauthorized access to financial data.

⚠️ Common exam mistakes

  • Stating that significant deficiencies are communicated only verbally – the standard requires written communication to those charged with governance.
  • Confusing the audience: Management Letter/ICM goes to management; written communication of significant deficiencies goes to those charged with governance (Audit Committee, Board) – these are different communications to different parties.
  • Omitting 'assertion level' when listing what must be documented for assessed risks – risks must be documented at both the financial statement level AND the assertion level.
  • Forgetting that documentation must include 'sources of information' from which understanding was obtained – not just the understanding itself.