Risks at the entity level may come from external factors such as changes in technology, customer’s needs, competition, regulations or laws and the economy. At the entity level, risks also arise from internal factors such as information systems failures, personnel practices affecting the quality of employees, access to assets and the susceptibility of an entity’s operations to fraud.
At the activity level, risk assessment involves business operations and financial reporting. Analyzing operational reports, financial and non-financial data and observations of employees’ activities may bring risks to management’s attention.
Control activities that are established in response to perceived risks relate to management’s representations (assertions) in the entity’s financial statements. The assertions from SAS No. 106 can be organized in this way:
• Occurrence and cut-off
• Valuation and accuracy
• Disclosure and Presentation
Control activities are the heart of the risk assessment process. As we discussed above, not only is the evaluation of internal control required by auditing standards, it results in the determination of control deficiencies and potential risks of material misstatements.