2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

Menu 

Exam technique 1 – planning questions

and risk (part 1)

Home / Students / Study resources / Advanced Audit and Assurance (AAA) / Technical articles
/ Exam technique 1 – planning questions and risk (part 1)

Business risk

Candidates will be tasked with a question set at the planning stage of an engagement in section A. This will require candidates to
evaluate risks relevant to an audit or assurance engagement. This article is intended to help candidates to achieve both the technical

and professional marks usually associated with these types of requirements.

ISA315 (Revised), Identifying and Assessing the Risks of Material Misstatement gives extensive guidance on the need to understand
the client’s business, controls and operating environment in order to assess the risks on the engagement. Audit risk arises through

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 1/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

these risks of material misstatement but also assess the risk that these may not be detected during the audit process. Candidates

are tested on their skills in identifying and evaluating these risks

Business risk in audit planning questions

ISA315 (Revised) explains that understanding the entity’s objectives, strategy and business model helps the auditor to understand

the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks
that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business

risks will eventually have financial consequences and, therefore, an effect on the financial statements.

ISA315 (Revised) defines business risk as a risk resulting from significant conditions, events, circumstances, actions or inactions that

could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate
objectives and strategies.

A typical requirement in section A with a focus on business risk would be 'Using the exhibits provided, evaluate the significant
business risks facing the company/group'. The key elements to consider for this requirement to note are as follows:

• Using the exhibits

Candidates are not required to have any industry specific knowledge. There will be sufficient detail in the scenario to allow

candidates to identify the key risks which should be evaluated. Candidates should focus on the risks arising from the information
provided and not speculate on additional risks which might arise.

• Evaluate

In order to evaluate effectively, Candidates will initially need to identify the risk arising from the information provided and illustrate

the impacts of the risk on the client. Candidates should make use of specific points that are relevant to the client in the question

rather than be discussed in a generic context.

Candidates should then expand on this issue in order to fully evaluate a point. There needs to be an assessment of the scale of the
risk in the context of the scenario. For example, an illustration of why this risk is particularly significant for this client or discussing

how the impact may be increased in the light of other risks and information relevant to the scenario.

• Significant

In the context of the AAA exam, it is essential that candidates assess the significant business risks within the scenario. These

should be assessed as those issues which are a medium to high likelihood of occurrence and impact, after consideration of any
mitigation which is described in the scenario.

• Risk

Business risks, in the context of the AAA exam, are areas of uncertain occurrence and outcome, not factual statements of something

which has already happened and, therefore, is already fully quantified in the scenario.

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 2/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

Consider the example below from the September 2022 published question Winberry Co, a listed food delivery company whose sales

are made entirely online.

In this question, there are several different related risks which a candidate might identify. This topic will only be treated as one risk

regardless of which of those are developed and marks will be available for many alternative development points.

Examples of risks and evaluation are provided below.

Identification of the risk Initial development Further evaluation

Data breach may become public The company will suffer The fact that the company did not
knowledge reputational damage and lose report the breach themselves may
customers increase the reputational damage
which would have occurred had
Or this been disclosed immediately
(considering severity in the
Customers will no longer trust context of the delay to reporting
Winberry Co to protect their online described in the scenario)
data.
Or

The lack of trust in the website if

customers do not trust Winberry to
protect their data is a significant
problem as Winberry Co only
operates online and has no
physical stores or outlets
(considering severity in the

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 3/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

context of the specific business

model)

The company might be fined for This will put pressures on cash These may be higher as a result
data breaches flow and reduce profits of Winberry Co not reporting the
breach themselves (considering
severity in the context of the delay
to reporting described in the
scenario)

The fall in profit may result in the

breach of banking covenants
(Linking to impact on other
specific risks in the scenario)

Further data weaknesses may These may be more serious These will lead to more severe
exist and have not yet been breaches where customer credit fines and bad publicity if this is the
identified card or identity details are lost case. (considering severity)

These examples are indicative not exhaustive, and candidates will be awarded credit for valid evaluation points which relate to the

scenario.

Professional marks associated with business risk

In most cases, the professional marks available for the evaluation of business risk will be commercial acumen. These will be awarded

in addition to the technical marks. Candidates will be awarded credit for professional skills when answers demonstrate an awareness

of potential commercial.

Examples where commercial acumen could be demonstrated in response to the above scenario

• Management’s failure to report the breach may lead to more serious consequences

• There is the additional risk of specific reputational damage which could impact share price as well as profits

• Linking the impact of any fine to the debt covenants on interest cover

• Linking the severity of the risk to the company being online only and, therefore, more exposed to the consequences of data risk
than a traditional retail outlet for groceries

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 4/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

It is possible to evaluate a risk severity in relation to the scenario without demonstrating commercial acumen and it is also possible to
demonstrate acumen in a risk not considered fully evaluated. Where a single response does provide evaluation and demonstrate

commercial acumen, credit will be awarded for both. The professional marks are additional to, rather than, in place of technical

marks.

Candidates should also note the following will not obtain marks for the identification and development of a risk.

Facts given in the question – there has been a data breach/credit card details may be lost – these are known and therefore, not a

risk. The risk is something uncertain as a result of the event or an uncertain event.

Risks which are flagged as mitigated in the scenario In the case of Winberry Co, the scenario was clear that specialised staff

were employed to ensure food safety legislation was complied with as part of the company risk management strategy. These are

likely to be easily replaceable given the ubiquitous nature of food. This might be different in a particularly niche industry where

experts are less readily available.

Extreme outcomes which are not likely – for example, 'the data breach will mean fines the company cannot afford to pay and it will
be bankrupt'. Whilst worst case scenarios exist, if this is not likely in the context of the specific scenario, then it’s not necessarily a

significant risk or an appropriate evaluation in this case. This outcome might be valid in a different scenario, perhaps where the

company has a history of severe data protection breaches, with total disregard for data protection, and the company was already loss

making, and experiencing cash flow issues. Candidates are expected to tailor their answers to the specific scenario in the question.

This is a demonstration of professional judgement which is an important skill for auditors.

Summary

Candidates preparing for the AAA exam should be mindful that they will be required to evaluate risks in the context of specific

information provided in a scenario in the exam. The examining team are looking for depth of evaluation of significant risks, rather

than brief and untailored answers covering large numbers of risks. Candidates are recommended to use past published questions to

practice evaluation skills. Exam question practice is essential, but candidates should remain mindful that they should not try and

apply rote learnt or generic responses in the real exam. They should ensure that their answer in the actual exam is tailored to the

specific information provided in the question, otherwise little credit will be awarded. Well prepared candidates using good technique

often achieve full marks in risk questions and this is often indicative of those candidates demonstrating the requisite professional

skills of an auditor.

 Related Links

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 5/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

• Exam technique 2 – planning questions and risk (part 2): Risks of material misstatement
(RoMM) and audit risks

• Student Accountant hub

Advertisement

Our sites

myACCA

ACCA mail

ACCA Careers

ACCA Career Navigator

ACCA Learning Community

Your Future

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 6/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

Useful links

Make a payment

ACCA-X online courses

Find an accountant

ACCA Rulebook

News

Work for us

Most popular

Professional insights

ACCA Qualification

Member events and CPD

Supporting Ukraine

Past exam papers

   

Contact us
 Send us a message

Planned system updates

 View our maintenance windows

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 7/8
2/12/23, 2:28 PM Exam technique 1 – planning questions and risk (part 1) | ACCA Global

Accessibility Legal policies Data protection & cookies Advertising Site map

Contact us

https://www.accaglobal.com/gb/en/student/exam-support-resources/professional-exams-study-resources/p7/technical-articles/exam-tech1-planning-qu… 8/8