An Enity's Risk Assessment Process and Its Control Activities
Risks at the entity level may come from external factors such as changes in technology, customer’s needs, competition, regulations or laws and the economy. At the entity level, risks also arise from internal factors such as information systems failures, personnel practices affecting the quality of employees, access to assets and the susceptibility of an entity’s operations to fraud.
At the activity level, risk assessment involves business operations and financial reporting. Analyzing operational reports, financial and non-financial data and observations of employees’ activities may bring risks to management’s attention.
Control activities that are established in response to perceived risks relate to management’s representations (assertions) in the entity’s financial statements. The assertions from SAS No. 106 can be organized in this way:
• Occurrence and cut-off
• Valuation and accuracy
• Disclosure and Presentation
Control activities are the heart of the risk assessment process. As we discussed above, not only is the evaluation of internal control required by auditing standards, it results in the determination of control deficiencies and potential risks of material misstatements.
by Larry Perry, CPA, CPA Firm Support Services, LLC - Larry has over 40 years experience as a CPA practitioner, author of accounting and auditing manuals, author and presenter of live staff training seminars and author of webcast and self-study CPE programs. He is co-founder of CPA Firm Support Services, LLC (www.cpafirmsupport.com), an organization providing resources, training and consulting to smaller CPA firms. Larry writes a weekly blog on AccountingWEB.com focusing on small audits, reviews and compilations. He is currently developing documentation manuals and handbooks for small audits, reviews and compilations and related electronic practice aids.