Risk Assessment Checklist

Confirm the enterprise risk management policy is signed by the board and dated within the last 12 months. Note any drift between the stated risk appetite and current strategic plan — that gap is the partner discussion.

Read the last four quarters of audit committee minutes. Tag any open risk items not yet remediated and any management responses that the committee declined to accept.

Run a 90-minute structured workshop covering revenue, procurement, treasury, IT, and HR process owners. Capture entity-level and process-level risks separately; the most common miss is omitting the IT general controls layer.

Roll forward last quarter's register, retire risks that are no longer relevant, and add risks raised in the workshop. Each risk needs an owner, a category (financial, operational, compliance, strategic, IT), and a current control reference.

Use the firm's 1–5 likelihood × 1–5 impact heat map. Score gross (inherent) and net (residual after controls) separately — partners want to see where existing controls are actually pulling the rating down.

Apply performance materiality (typically 50–75% of overall materiality) to flag risks that could individually cause a material misstatement. Anything rated High on the residual heat map should be cross-referenced to a key control.

Every High residual risk needs at least one named key control with a documented owner, frequency, and evidence type. Manual reviews without sign-off evidence are the most common audit finding.

Walk through each key control with the owner. Confirm segregation of duties for the journal-entry, wire-approval, and user-access controls — these three account for the bulk of significant deficiencies in SMB engagements.

Record each deficiency with severity, affected assertion, and management response. Include the workpaper reference so the deficiency ties back to evidence in the engagement binder.

Send each owner the slice of the register they own — not the full document. Confirm receipt; the register is a shared accountability artifact, not a CYA email.

When residual ratings include any High, the chair expects a written alert ahead of the next scheduled meeting. Include the risk, owner, and proposed mitigation timeline — keep it to one page.

Present the heat map, year-over-year rating changes, deficiencies identified, and remediation status. Allow time for executive session without management present — the committee often raises items there that don't surface in the open meeting.

Put the next workshop, the audit committee meeting, and the deficiency re-test dates on the engagement calendar. Re-tests of significant deficiencies should land before the next external audit fieldwork.