Risk Assessment Checklist

Confirm the enterprise risk management policy is signed by the board and dated within the last 12 months. Note any drift between the stated risk appetite and current strategic plan — that gap is the partner discussion.

Read the last four quarters of audit committee minutes. Tag any open risk items not yet remediated and any management responses that the committee declined to accept.

Verify the committee has met at least quarterly per its charter and that membership still satisfies independence requirements. Document attendance gaps as a governance deficiency.

Run a 90-minute structured workshop covering revenue, procurement, treasury, IT, and HR process owners. Capture entity-level and process-level risks separately; the most common miss is omitting the IT general controls layer.

Roll forward last quarter's register, retire risks that are no longer relevant, and add risks raised in the workshop. Each risk needs an owner, a category (financial, operational, compliance, strategic, IT), and a current control reference.

Check recent SEC enforcement actions, FASB ASUs, AICPA risk alerts, and industry-specific guidance issued since the last assessment. Cyber, climate disclosure, and crypto holdings are the recurring 2024–25 themes.

Use the firm's 1–5 likelihood × 1–5 impact heat map. Score gross (inherent) and net (residual after controls) separately — partners want to see where existing controls are actually pulling the rating down.

Apply performance materiality (typically 50–75% of overall materiality) to flag risks that could individually cause a material misstatement. Anything rated High on the residual heat map should be cross-referenced to a key control.

Reconcile this quarter's heat map to last year's. Material rating changes need a written rationale in the workpaper — auditors and the audit committee both ask why a risk dropped from High to Medium.

Every High residual risk needs at least one named key control with a documented owner, frequency, and evidence type. Manual reviews without sign-off evidence are the most common audit finding.

Walk through each key control with the owner. Confirm segregation of duties for the journal-entry, wire-approval, and user-access controls — these three account for the bulk of significant deficiencies in SMB engagements.

Record each deficiency with severity, affected assertion, and management response. Include the workpaper reference so the deficiency ties back to evidence in the engagement binder.

For any significant deficiency, draft a remediation plan with named owner, target date, and re-test date. Significant deficiencies must be communicated in writing to the audit committee under AU-C 265 / AS 1305.

Send each owner the slice of the register they own — not the full document. Confirm receipt; the register is a shared accountability artifact, not a CYA email.

When residual ratings include any High, the chair expects a written alert ahead of the next scheduled meeting. Include the risk, owner, and proposed mitigation timeline — keep it to one page.

Present the heat map, year-over-year rating changes, deficiencies identified, and remediation status. Allow time for executive session without management present — the committee often raises items there that don't surface in the open meeting.

Index workpapers in Caseware or CCH Engagement under the risk-assessment section. Include the workshop notes, register, heat map, deficiency log, and committee deck — these become the audit support for the planning section.

Put the next workshop, the audit committee meeting, and the deficiency re-test dates on the engagement calendar. Re-tests of significant deficiencies should land before the next external audit fieldwork.

Partner reviews the heat map, deficiency log, and committee communication. Sign-off is the gate to closing the assessment in the workflow tool and releasing the binder to the audit team.