Manage risks and risk assessments in an engagement
Risk management is a core feature within Caseware products that provides a centralized location for managing all risks identified throughout an engagement. It serves as the master repository for risk information, allowing users to:
- View, add, and edit all risks associated with the engagement, regardless of where they were identified.
- Track risk details, such as descriptions, categories, likelihood, impact, and responses.
- Link risks to controls, procedures, or other engagement elements.
- Generate reports or summaries of all risks for review and compliance purposes.
You can access this feature through the Risk page.
Signoff options
Depending on how your product is configured, risk reports can be signed off in two ways:
Sign off the entire report - One signoff button is available in the report for you to sign off the entire report.
Sign off each risk in the report - A signoff button is available in each risk card in the report. You can sign off each risk individually.
Custom signoff - In some cases, your product may have custom signoff procedures configured.
Add a risk
- Select the Risk & Controls page in your engagement.
- Click the New Risk button.
- Complete the risk details.
- Click Save or Save and Create Another.
Note: You can also add Controls to your risk assessment in a similar way. Controls are procedures or activities designed to mitigate identified risks in your Caseware Cloud engagement.
Scale options
As an author, you can define the rating systems used to assess and score risks. As a user, you can use the rating system to evaluate the likelihood, impact, or other attributes of a risk.
Purpose of Scales:
- Ensures that all risks are assessed using the same criteria and rating system across the firm.
- Provides clear definitions for each level of the scale (e.g., Low, Medium, High) to guide user judgment.
- Adapts the risk assessment process to your firm’s risk appetite, regulatory environment, or industry standards by defining custom scales.
Example Scales:
- Likelihood: Rare, Unlikely, Possible, Likely, Almost Certain
- Impact: Insignificant, Minor, Moderate, Major, Catastrophic
- Overall Risk: Low, Medium, High
Perform a risk assessment
When you perform a risk assessment, you evaluate the engagement's risks to determine their significance and action items.
- You rate the risk (for example, as high, medium, or low) based on likelihood and impact.
- You may assess inherent risk, control risk, and risk of material misstatement.
- You document your planned response or actions to address the risk.
- You may add comments, issues, or sign off on your assessment.
The Assessment tab is available in the Risk & Controls page.
Add issues and annotations for each assertion row in risk assessments
You can now add issues and annotations directly to each assertion row in your risk assessment cards. This allows for more granular documentation and tracking of risks, considerations and notes at the assertion level. Annotations and issues are clearly associated with the relevant section (IR or RMM), improving clarity and auditability.
Users can add two types of issues to an assertion row:
- General issues for tracking.
- "Consideration for next year" issues that are carried forward to future periods.
Annotations are free-form notes that provide additional context and are always carried forward by default.
To create issues and annotations for each assertion row:
- Open the Assessment tab in the Risk & Controls page of an engagement.
- Click the Add icon beside an assertion row to add an annotation.
  - The annotation expands to the left.
- Click the Issue icon beside an assertion row to add an issue.
- The system saves each annotation or issue with a property that determines its display location (IR section or RMM section).
- When carrying forward to a new period:
  - Annotations are carried forward by default.
  - Only issues of the type “consideration for next year” are carried forward.
- The same assertion row object is used in both the LMO + MPM → IR and IR + CR → RMM sections, ensuring consistency.
