
Documenting the Risk Assessment

## Documenting the Risks — SA 315 Requirement

### Overview

Documentation of risk assessment is a mandatory requirement under SA 315. It provides evidence that the auditor properly understood the entity and its environment before designing further audit procedures.

---

### Four Elements the Auditor Must Document

| Element | What to Document |
| --- | --- |
| (a) Engagement team discussion | The discussion among the engagement team and the significant decisions reached |
| (b) Understanding obtained | Key elements of understanding regarding each aspect of the entity and its environment, including each internal control component; sources of information; risk assessment procedures performed |
| (c) Identified and assessed risks | Risks of material misstatement identified and assessed — both at the financial statement level and at the assertion level |
| (d) Controls identified | The risks identified and related controls about which the auditor obtained an understanding |

---

### Why This Matters

  • Documentation supports quality review and regulatory inspection.
  • It links the risk identification process to the design of further audit procedures.
  • It demonstrates that professional skepticism was applied.
  • Assertion-level documentation directly maps to which substantive procedures are selected.

Worked example

### Example 1

Example — Documenting revenue recognition risk:

During the engagement team discussion, the team identifies that the company uses the percentage-of-completion method for long-term contracts — a complex estimate susceptible to management bias.

Documentation should include: (a) the team discussion minutes noting this as a significant risk; (b) the understanding of the revenue recognition policy, how estimates are prepared, and controls over the estimation process; (c) the assessed risk of material misstatement at the assertion level — specifically 'accuracy' and 'cut-off' for revenue; (d) the controls identified over project cost estimation and management review.

⚠️ Common exam mistakes

  • Documenting only the identified risks without documenting the understanding that led to the risk identification — all four elements must be present.
  • Treating financial-statement-level and assertion-level risks as the same — they are distinct: FS-level risks are pervasive (e.g., management override), while assertion-level risks are specific to a balance or class of transactions.
  • Failing to document 'significant decisions reached' from team discussions — the discussion itself is not enough; the conclusions and how they shaped the audit approach must be recorded.