There is usually pressure on auditors to perform audits within tight deadlines, which often leads to jumping straight into fieldwork testing without spending adequate time on getting to know the client’s business or changes in the business from the previous year. However, gaining, and documenting a thorough understanding of the entity is a crucial step. It supports the risk and fraud risk assessment being performed, and the determination of the audit approach, while being the biggest source of identifying misstatements.
The entity and its environment
The auditor needs to perform risk assessment procedures to gain an understanding of the entity and its environment. These risk assessment procedures include enquiries, analytical procedures, observation and inspection.
Enquiries should be directed to management and others within the entity, and it is good practice to start by speaking to the person in charge, e.g. the CEO or managing director, and asking open-ended questions about the business. This might lead the auditor to identify aspects of the business that need to be investigated further.
Performing preliminary analytical procedures provides an additional source of information, with the main aim being to aid with risk assessment.
It is important to inspect agreements, reports, management accounts and minutes of meetings, and perform an internet search on the entity and the relevant industry. This will yield more in-depth knowledge of certain aspects of the business, which will corroborate discussions and management explanations for trends identified in the analytical review procedures.
All these risk assessment procedures should be utilised to gain an understanding of the following:
- The entity’s organisational structure, ownership and governance, and business model
- Industry, regulatory and other external factors
- The measures used, internally or externally, to assess the entity’s financial performance.
When gaining an understanding of the business, the inherent risk factors relevant to the business and the industry are important indicators of how this understanding is relevant to the audit. The characteristics of events or conditions identified are inherent risk factors which may affect the susceptibility of the assertions to misstatement by influencing the likelihood of occurrence of a misstatement or the magnitude of misstatement, should it occur.
This assists the auditor with assessing the risk of material misstatement at the assertion level. It also assists the auditor with designing and performing further audit procedures. Inherent risk factors to consider include:
- Management bias
- Other fraud risk factors.
The applicable financial reporting framework
The next area to master is the applicable financial reporting framework, the entity’s accounting policies and the reasons for any changes encountered
When assimilating information about the applicable financial reporting framework, its application in the context of the nature and circumstances of the entity, and its environment should be considered. The entity’s financial reporting practices in this regard should be considered, including aspects such as accounting principles and industry-specific practices; revenue recognition; accounting for financial instruments; foreign currency assets, liabilities and transactions; and accounting for unusual or complex transactions.
When gaining an understanding of the entity’s selection and application of accounting policies, and any changes effected, the accounting policies must be evaluated for appropriateness and consistency with the applicable financial reporting framework. Matters to consider include:
- The methods the entity uses to recognise, measure, present and disclose significant and unusual transactions
- The effect of significant accounting policies in controversial or emerging areas for which there is a lack of authoritative guidance or consensus
- Changes in the environment, such as changes in the applicable financial reporting framework or tax reforms, which may necessitate a change in the entity’s accounting policies
- Financial reporting standards, laws and regulations which are new to the entity, and when and how the entity will adopt, or comply with, such requirements.
In order to perform a well-informed risk assessment and develop the most appropriate audit approach, it is important to gain thorough knowledge of the business covering all the mentioned areas.
LEAF can assist firms with assessing engagement performance through engagement quality reviews, monitoring reviews, methodology design reviews, and training staff on the relevant requirements and procedures.
1. IAASB, ISA 315 (Revised 2019): Identifying and assessing the risks of material misstatement