Understanding the Entity

and its Environment

including its Internal
Control and Assessing the
Risks of Material
Misstatement
Objective
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, through understanding the entity and its
environment, including the entity’s internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.
Definitions
(a) Assertions – Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of potential misstatements
that may occur.

(b) Business risk – A risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity’s ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies.
Definitions
(c) Internal control – The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with applicable laws and regulations. The term “controls” refers to any
aspects of one or more of the components of internal control.

(d) Risk assessment procedures – The audit procedures performed to obtain an understanding of the
entity and its environment, including the entity’s internal control, to identify and assess the risks of
material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
Definitions
(e) Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration.
Requirements
Risk Assessment Procedures and Related Activities

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of
risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by
themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion.

The risk assessment procedures shall include the following:

(a) Inquiries of management, and of others within the entity who in the auditor’s judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.

(b) Analytical procedures.

(c) Observation and inspection.

Requirements
Risk Assessment Procedures and Related Activities

Although much of the information the auditor obtains by inquiries can be obtained from management
and those responsible for financial reporting, inquiries of others within the entity, such as production
and internal audit personnel, and other employees with different levels of authority, may be useful in
providing the auditor with a different perspective in identifying risks of material misstatement. In
determining others within the entity to whom inquiries may be directed, and the extent of those
inquiries, the auditor considers what information may be obtained that helps the auditor in identifying
risks of material misstatement.
Requirements
Risk Assessment Procedures and Related Activities

• Inquiries directed towards those charged with governance may help the auditor understand the
environment in which the financial statements are prepared.

• Inquiries directed toward internal audit personnel may relate to their activities concerning the design
and effectiveness of the entity’s internal control and whether management has satisfactorily responded
to any findings from these activities.

• Inquiries of employees involved in initiating, processing or recording complex or unusual transactions

may help the auditor in evaluating the appropriateness of the selection and application of certain
accounting policies.
Requirements
Risk Assessment Procedures and Related Activities

• Inquiries directed toward in-house legal counsel may relate to such matters as litigation, compliance
with laws and regulations, knowledge of fraud or suspected fraud affecting the entity, warranties, post-
sales obligations, arrangements (such as joint ventures) with business partners and the meaning of
contract terms.

• Inquiries directed towards marketing or sales personnel may relate to changes in the entity’s marketing
strategies, sales trends, or contractual arrangements with its customers.
Requirements
Risk Assessment Procedures and Related Activities

Analytical procedures may be helpful in identifying the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have financial statement and audit
implications. In performing analytical procedures as risk assessment procedures, the auditor develops
expectations about plausible relationships that are reasonably expected to exist.

•Compare FS with prior periods

•Compare FS with budgets/forecasts

•Compare FS with similar industry information (sales to AR ratio)

•Compare FS with auditor’s own expectations

Requirements
Risk Assessment Procedures and Related Activities
Evaluate relationships among elements of FS that are expected to have a predictable pattern based on
clients previous experience (change in sales, change in COS)
Evaluate relationship between financial and non-financial data (payroll cost to number of employees,
revenue to sales volume)
 Requirements
Risk Assessment Procedures and Related Activities

Observation and inspection may support inquiries of management and others, and also provide information
about the entity and its environment. Such audit procedures ordinarily include the following:

• Observation of entity activities and operations.

• Inspection of documents (such as business plans and strategies), records, and internal control manuals.

• Reading reports prepared by management (such as quarterly management reports and interim financial
statements) and those charged with governance (such as minutes of board of directors’ meetings).

• Visits to the entity’s premises and plant facilities.

• Tracing transactions through the information system relevant to financial reporting (walk-throughs).
Requirements
Risk Assessment Procedures and Related Activities

The auditor shall consider whether information obtained from the auditor’s client acceptance or
continuance process is relevant to identifying risks of material misstatement.

If the engagement partner has performed other engagements for the entity, the engagement partner
shall consider whether information obtained is relevant to identifying risks of material misstatement.
The Required Understanding of the Entity
and Its Environment, Including the Entity’s
Internal Control
The Entity and Its Environment

The auditor shall obtain an understanding of the following:

A. Relevant industry, regulatory, and other external factors including the applicable financial reporting
framework.

B. The nature of the entity, including: (i) its operations; (ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and (iv) the way that the entity is structured and how it is financed, to enable
the auditor to understand the classes of transactions, account balances, and disclosures to be expected
in the financial statements.
The Required Understanding of the Entity
and Its Environment, Including the Entity’s
Internal Control
The Entity and Its Environment

C. The entity’s selection and application of accounting policies, including the reasons for changes
thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its
business and consistent with the applicable financial reporting framework and accounting policies used
in the relevant industry.

D. The entity’s objectives and strategies, and those related business risks that may result in risks of
material misstatement.

E. The measurement and review of the entity’s financial performance.

The Required Understanding of the Entity
and Its Environment, Including the Entity’s
Internal Control
The Entity’s Internal Control

The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to
financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment
whether a control, individually or in combination with others, is relevant to the audit.

Nature and Extent of the Understanding of Relevant Controls

When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate
the design of those controls and determine whether they have been implemented, by performing
procedures in addition to inquiry of the entity’s personnel.
Components of Internal Control
Control Environment

The control environment includes the governance and management functions and the attitudes,
awareness, and actions of those charged with governance and management concerning the entity’s
internal control and its importance in the entity. The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is the foundation for effective
internal control, providing discipline and structure.

The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:

(a) Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
Components of Internal Control
Control Environment

(b) The strengths in the control environment elements collectively provide an appropriate foundation
for the other components of internal control, and whether those other components are not undermined
by deficiencies in the control environment.

The entity’s risk assessment process

The auditor should obtain an understanding of the entity’s process for identifying business risks
relevant to financial reporting objectives and deciding about actions to address those risks, and the
results thereof. The process is described as the “entity’s risk assessment process” and forms the basis
for how management determines the risks to be managed.
Components of Internal Control
The entity’s risk assessment process

The auditor shall obtain an understanding of whether the entity has a process for:

(a) Identifying business risks relevant to financial reporting objectives;

(b) Estimating the significance of the risks;

(c) Assessing the likelihood of their occurrence; and

(d) Deciding about actions to address those risks.

Components of Internal Control
The entity’s risk assessment process

If the entity has established such a process (referred to hereafter as the “entity’s risk assessment
process”), the auditor shall obtain an understanding of it, and the results thereof.

If the auditor identifies risks of material misstatement that management failed to identify, the auditor
shall evaluate whether there was an underlying risk of a kind that the auditor expects would have been
identified by the entity’s risk assessment process. If there is such a risk, the auditor shall obtain an
understanding of why that process failed to identify it, and evaluate whether the process is appropriate
to its circumstances or determine if there is a significant deficiency in internal control with regard to
the entity’s risk assessment process.
Components of Internal Control
The entity’s risk assessment process

If the entity has not established such a process or has an ad hoc process, the auditor shall discuss with
management whether business risks relevant to financial reporting objectives have been identified and
how they have been addressed. The auditor shall evaluate whether the absence of a documented risk
assessment process is appropriate in the circumstances, or determine whether it represents a significant
deficiency in internal control.
Components of Internal Control
The information system, including the related business processes, relevant to financial reporting,
and communication

The information system relevant to financial reporting objectives, which includes the accounting
system, consists of the procedures and records established to initiate, record, process, and report entity
transactions (as well as events and conditions) and to maintain accountability for the related assets,
liabilities, and equity.

The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:

(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
Components of Internal Control
The information system, including the related business processes, relevant to financial reporting, and communication

(b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated,
recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements;

(c) The related accounting records, supporting information and specific accounts in the financial statements that are used to
initiate, record, process and report transactions; this includes the correction of incorrect information and how information is
transferred to the general ledger. The records may be in either manual or electronic form;

(d) How the information system captures events and conditions, other than transactions, that are significant to the financial
statements;

(e) The financial reporting process used to prepare the entity’s financial statements, including significant accounting
estimates and disclosures; and

(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual
transactions or adjustments.
Components of Internal Control
The information system, including the related business processes, relevant to financial reporting,
and communication

The auditor shall obtain an understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting, including:

(a) Communications between management and those charged with governance; and

(b) External communications, such as those with regulatory authorities.

Components of Internal Control
Control activities relevant to the audit

Control activities are the policies and procedures that help ensure that management directives are carried
out; for example, that necessary actions are taken to address risks that threaten the achievement of the
entity’s objectives. Control activities, whether within IT or manual systems, have various objectives and are
applied at various organizational and functional levels. Examples of specific control activities include those
relating to the following:

• Authorization.

• Performance reviews.

• Information processing.

• Physical controls.

• Segregation of duties.
Components of Internal Control
Control activities relevant to the audit

The auditor shall obtain an understanding of control activities relevant to the audit, being those the
auditor judges it necessary to understand in order to assess the risks of material misstatement at the
assertion level and design further audit procedures responsive to assessed risks. An audit does not
require an understanding of all the control activities related to each significant class of transactions,
account balance, and disclosure in the financial statements or to every assertion relevant to them.

In understanding the entity’s control activities, the auditor shall obtain an understanding of how the
entity has responded to risks arising from IT.
Components of Internal Control
Monitoring of controls

Monitoring of controls is a process to assess the effectiveness of internal control performance over
time. It involves assessing the design and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.

The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting, including those related to those control activities relevant to the audit,
and how the entity initiates remedial actions to deficiencies in its controls.

If the entity has an internal audit function, the auditor shall obtain an understanding of the following in
order to determine whether the internal audit function is likely to be relevant to the audit: (a) The
nature of the internal audit function’s responsibilities and how the internal audit function fits in the
entity’s organizational structure; and (b) The activities performed, or to be performed, by the internal
audit function.
Components of Internal Control
Monitoring of controls

The auditor shall obtain an understanding of the sources of the information used in the entity’s
monitoring activities, and the basis upon which management considers the information to be
sufficiently reliable for the purpose.
Identifying and Assessing the
Risks of Material Misstatement
The auditor shall identify and assess the risks of material misstatement at:

(a) the financial statement level; and

(b) the assertion level for classes of transactions, account balances, and disclosures,

to provide a basis for designing and performing further audit procedures.

Identifying and Assessing the
Risks of Material Misstatement
For this purpose, the auditor shall:

(a) Identify risks throughout the process of obtaining an understanding of the entity and its
environment, including relevant controls that relate to the risks, and by considering the classes of
transactions, account balances, and disclosures in the financial statements;

(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial
statements as a whole and potentially affect many assertions;

(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant
controls that the auditor intends to test; and

(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and
whether the potential misstatement is of a magnitude that could result in a material misstatement.
Identifying and Assessing the
Risks of Material Misstatement
Risks That Require Special Audit Consideration

The auditor shall determine whether any of the risks identified are, in the auditor’s judgment, a
significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls
related to the risk.

In exercising judgment as to which risks are significant risks, the auditor shall consider at least the
following: (a) Whether the risk is a risk of fraud; (b) Whether the risk is related to recent significant
economic, accounting or other developments and, therefore, requires specific attention; (c) The
complexity of transactions; (d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk,
especially those measurements involving a wide range of measurement uncertainty; and (f) Whether
the risk involves significant transactions that are outside the normal course of business for the entity, or
that otherwise appear to be unusual.
Identifying and Assessing the
Risks of Material Misstatement
Risks That Require Special Audit Consideration

If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of
the entity’s controls, including control activities, relevant to that risk.

Revision of Risk Assessment

The auditor’s assessment of the risks of material misstatement at the assertion level may change during
the course of the audit as additional audit evidence is obtained. In circumstances where the auditor
obtains audit evidence from performing further audit procedures, or if new information is obtained,
either of which is inconsistent with the audit evidence on which the auditor originally based the
assessment, the auditor shall revise the assessment and modify the further planned audit procedures
accordingly.
Documentation
The auditor shall include in the audit documentation:

(a) The discussion among the engagement team, and the significant decisions reached;

(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment and of each of the internal control components; the sources of information from which
the understanding was obtained; and the risk assessment procedures performed;

(c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level; and

(d) The risks identified, and related controls about which the auditor has obtained an understanding.