Risk and materiality
The Risk Assessment
Understand the entity and its controls first, and identify what rises to a significant risk.
How the exam words it
- -The stem is about understanding the entity, its environment, or its information system.
- -It asks which COSO component a control or gap belongs to.
- -It asks whether risk assessment procedures are required, or what counts as one.
- -A factor, such as a large anomaly or related parties, may be a significant risk.
The playbook
- 1Understanding internal control is required in every audit, testing controls is not.
- 2Risk assessment procedures (inquiry, analytics, observation and inspection) are all required, and alone they do not support the opinion.
- 3Map the item to its COSO component (control environment is the foundation, monitoring watches the others), and flag inherent risks near the top of the range as significant.
The trap
Thinking testing controls is required in every audit. Only understanding controls is required, testing is a choice.
How the exam varies it
The same pattern, re-skinned along these axes:
Understanding the entity, a COSO component, or a significant riskManagement's own risk assessment versus the auditor's proceduresWhich risk assessment procedure is at issue
Drill this pattern
8 questions of The Risk Assessment from across the AUD topics. Clear it by getting 5 right with a streak of 3.