Engagement Risk Management Checklist

Client Acceptance & Independence

    Search Karbon, Canopy, or TaxDome for prior or current relationships with the prospect, its owners, and related parties. Common misses: a partner's spouse on the board, a referring attorney who is also a tax client, or a subsidiary the firm bookkeeps for.

    For attest engagements (audit, review, compilation with assurance), apply the full AICPA independence standard. Watch for nonattest services like bookkeeping or 401(k) administration that breach independence on review or audit clients. SSARS preparation engagements have a reduced standard but still require disclosure.

    Required for new audit engagements. Obtain client consent in writing, then ask the predecessor about disagreements with management, fraud or illegal-act concerns, and reasons for the change. Skipping this step is a peer-review finding.

    Risk-rate the engagement (low / moderate / high) considering industry, ownership complexity, going-concern indicators, and prior preparer disputes. Managing partner signs off on any moderate-or-higher engagement before the engagement letter goes out.

    For conditional acceptance, record the specific safeguards required: concurring partner review, expanded scope, fee escrow, or a kill-switch clause in the engagement letter. The acceptance memo names each safeguard and who owns it.

Engagement Risk Identification

    Pull last year's risk register, management letter, and unresolved review notes from the engagement file. Recurring issues (e.g., late bank recs, weak revenue cutoff, unsupported AJEs) are next year's risks until the controller can demonstrate a fix.

    Required on every audit. Whole engagement team participates — partner, manager, seniors, and IT specialist if applicable. Cover incentives, opportunities, and rationalizations; presume revenue recognition fraud risk and management override of controls. Document the discussion in the engagement file.

    Document inherent risks specific to the client's industry — construction WIP and percentage-of-completion estimates, SaaS deferred revenue, dealer floor-plan financing, nonprofit donor restrictions. Cross-check against AICPA industry audit guides.

Risk Assessment & Materiality

    Use the firm's benchmark policy — typically 5% of pre-tax income for profitable companies, 0.5–1% of revenue for break-even or loss companies, 1–2% of net assets for nonprofits. Performance materiality is usually 50–75% of planning materiality. Document the benchmark and the rationale for any deviation.

    Run year-over-year and budget-vs-actual analytics on revenue, gross margin, A/R aging, A/P aging, and key ratios. Variances over performance materiality without a documented business explanation become risk factors carried forward to the audit program.

    For each significant account and disclosure, rate inherent risk and control risk by assertion (existence, completeness, valuation, rights & obligations, presentation). Significant risks — those requiring special audit consideration under AU-C 315 — must be listed individually with planned response.

Risk Response Planning

    Boilerplate audit programs from Caseware or CCH ProSystem fx are a starting point, not a deliverable. Each significant risk needs a linked procedure with clear assertion coverage, sample size justification, and tickmark legend. Generic 'review for reasonableness' steps fail peer review.

    For each significant cycle (revenue, purchasing, payroll, financial close), decide whether to test controls and reduce substantive work, or go fully substantive. Reliance requires walkthroughs plus operating-effectiveness testing — don't choose reliance unless the budgeted hours actually cover both.

    Each significant risk gets a named owner — usually a senior or manager — accountable for executing the planned response, clearing review notes, and reporting status weekly. Avoid concentrating all risks on the in-charge senior; spread by competency and availability.

    Goodwill impairment, complex derivatives, ESOP valuations, and ITGC testing on large ERPs need specialists booked early — they're scarce in busy season. Lock dates in the engagement calendar before fieldwork starts, not when the senior hits the issue.

Risk Monitoring During Fieldwork

    Standing 30-minute meeting with partner, manager, and seniors. Walk the risk register: status, blockers, PBC items overdue, fee budget burn. Risks dropped without explanation reappear at year-end as missed adjustments.

    Discovery during fieldwork — a related-party transaction not previously disclosed, a covenant breach, a subsequent-event lawsuit — triggers a planned reassessment. Document the new risk, the changed response, and partner approval before continuing.

    Add the new risk with assertion, planned procedure, owner, and target date. If the new risk is significant, update the AU-C 315 risk assessment memo and notify the EQR partner. Email the controller a list of additional PBC items needed.

    If the new risk expands hours by more than the engagement letter's threshold (typically 10%), issue a change order to the client before incurring the work. Absorbing scope creep silently is the fastest way to blow the realization rate on the engagement.

Engagement Wrap-Up

    Letter must be dated the same day as the audit report and signed by the CEO and CFO. Include representations on fraud, related parties, going concern, subsequent events, and any uncorrected misstatements (the SUM schedule). Do not release the report without the signed letter in hand.

    Engagement Quality Review partner is independent of the engagement team. Reviews significant judgments, financial statements, and report wording. All EQR notes cleared before report release; document concurrence in the engagement file.

    Documentation completion date is 60 days after report release for non-issuers (AU-C 230); 45 days for issuers (PCAOB AS 1215). After that date, no additions or deletions without a documented reason. Retention is typically 7 years for audits, longer for tax workpapers in IRS-extended jurisdictions.
