Engagement Risk Management Checklist

Search Karbon, Canopy, or TaxDome for prior or current relationships with the prospect, its owners, and related parties. Common misses: a partner's spouse on the board, a referring attorney who is also a tax client, or a subsidiary the firm bookkeeps for.

For attest engagements (audit, review, compilation with assurance), apply the full AICPA independence standard. Watch for nonattest services like bookkeeping or 401(k) administration that breach independence on review or audit clients. SSARS preparation engagements have a reduced standard but still require disclosure.

Required for new audit engagements. Obtain client consent in writing, then ask the predecessor about disagreements with management, fraud or illegal-act concerns, and reasons for the change. Skipping this step is a peer-review finding.

Risk-rate the engagement (low / moderate / high) considering industry, ownership complexity, going-concern indicators, and prior preparer disputes. Managing partner signs off on any moderate-or-higher engagement before the engagement letter goes out.

Pull last year's risk register, management letter, and unresolved review notes from the engagement file. Recurring issues (e.g., late bank recs, weak revenue cutoff, unsupported AJEs) are next year's risks until the controller can demonstrate a fix.

Required on every audit. Whole engagement team participates — partner, manager, seniors, and IT specialist if applicable. Cover incentives, opportunities, and rationalizations; presume revenue recognition fraud risk and management override of controls. Document the discussion in the engagement file.

Use the firm's benchmark policy — typically 5% of pre-tax income for profitable companies, 0.5–1% of revenue for break-even or loss companies, 1–2% of net assets for nonprofits. Performance materiality is usually 50–75% of planning materiality. Document the benchmark and the rationale for any deviation.

Run year-over-year and budget-vs-actual analytics on revenue, gross margin, A/R aging, A/P aging, and key ratios. Variances over performance materiality without a documented business explanation become risk factors carried forward to the audit program.

Boilerplate audit programs from Caseware or CCH ProSystem fx are a starting point, not a deliverable. Each significant risk needs a linked procedure with clear assertion coverage, sample size justification, and tickmark legend. Generic 'review for reasonableness' steps fail peer review.

For each significant cycle (revenue, purchasing, payroll, financial close), decide whether to test controls and reduce substantive work, or go fully substantive. Reliance requires walkthroughs plus operating-effectiveness testing — don't choose reliance unless the budgeted hours actually cover both.

Each significant risk gets a named owner — usually a senior or manager — accountable for executing the planned response, clearing review notes, and reporting status weekly. Avoid concentrating all risks on the in-charge senior; spread by competency and availability.

Standing 30-minute meeting with partner, manager, and seniors. Walk the risk register: status, blockers, PBC items overdue, fee budget burn. Risks dropped without explanation reappear at year-end as missed adjustments.

Discovery during fieldwork — a related-party transaction not previously disclosed, a covenant breach, a subsequent-event lawsuit — triggers a planned reassessment. Document the new risk, the changed response, and partner approval before continuing.

Add the new risk with assertion, planned procedure, owner, and target date. If the new risk is significant, update the AU-C 315 risk assessment memo and notify the EQR partner. Email the controller a list of additional PBC items needed.

Letter must be dated the same day as the audit report and signed by the CEO and CFO. Include representations on fraud, related parties, going concern, subsequent events, and any uncorrected misstatements (the SUM schedule). Do not release the report without the signed letter in hand.

Engagement Quality Review partner is independent of the engagement team. Reviews significant judgments, financial statements, and report wording. All EQR notes cleared before report release; document concurrence in the engagement file.