Microlesson · 5-min read

Entity's Risk Assessment Process

## Component 2: Entity's Risk Assessment Process

The auditor must obtain an understanding of whether the entity has a formal process for managing business risks relevant to financial reporting.

### Four Steps the Entity Should Have

1. Identifying business risks relevant to financial reporting objectives

2. Estimating the significance of those risks

3. Assessing the likelihood of their occurrence

4. Deciding about actions to address those risks

### Auditor's Perspective

  • If the entity has a robust risk assessment process, the auditor can use it as input when identifying risks of material misstatement.
  • If no such process exists or it is poorly designed, this is itself a control deficiency that the auditor must consider.
  • The absence of a risk assessment process in situations where one would ordinarily be expected is a significant deficiency.

### Worked examples

### Example 1

Entity with strong risk assessment: A bank has a Risk Management Committee that quarterly identifies credit, market, and operational risks, scores them by likelihood and impact, and assigns mitigation owners. The auditor reviews the risk register and finds it comprehensive — this reduces the auditor's work in identifying areas of risk independently.

### Example 2

Entity without risk assessment process: A mid-size manufacturing company has no documented risk assessment. The auditor identifies this as a control deficiency, since the entity cannot demonstrate it proactively manages financial reporting risks (e.g., obsolete inventory, warranty provisions). The auditor increases substantive testing for these areas.

### ⚠️ Common exam mistakes

  • Confusing the entity's risk assessment process (an internal control component) with the auditor's own risk assessment procedures — these are related but distinct concepts.
  • Assuming a risk assessment process must be formal and documented — for smaller entities, even an informal process counts, but the auditor must still evaluate its effectiveness.
  • Forgetting all four steps: students often cite only 'identifying' and 'assessing' risks, omitting 'estimating significance' and 'deciding actions'.