Why auditors need to obtain an understanding of the entity and its environment before commencing audit work?

12. The auditor should have an understanding of the entity and its environment, including its internal control, as it relates to the preparation of both annual and interim financial information, sufficient to plan and conduct the engagement so as to be able to:

Identify the types of potential material misstatement and consider the likelihood of their occurrence; and
Select the inquiries, analytical and other review procedures that will provide the auditor with a basis for reporting whether anything has come to the auditor’s attention that causes the auditor to believe that the interim financial information is not prepared, in all material respects, in accordance with the applicable financial reporting framework.

13. As required by ISA 315 (Revised), Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, the auditor who has audited the entity’s financial statements for one or more annual periods has obtained an understanding of the entity and its environment, including its internal control, as it relates to the preparation of annual financial information that was sufficient to conduct the audit. In planning a review of interim financial information, the auditor updates this understanding. The auditor also obtains a sufficient understanding of internal control as it relates to the preparation of interim financial information as it may differ from internal control as it relates to annual financial information.

14. The auditor uses the understanding of the entity and its environment, including its internal control, to determine the inquiries to be made and the analytical and other review procedures to be applied, and to identify the particular events, transactions or assertions to which inquiries may be directed or analytical or other review procedures applied.

15. The procedures performed by the auditor to update the understanding of the entity and its environment, including its internal control, ordinarily include the following:

Reading the documentation, to the extent necessary, of the preceding year’s audit and reviews of prior interim period(s) of the current year and corresponding interim period(s) of the prior year, to enable the auditor to identify matters that may affect the current-period interim financial information.
Considering any significant risks, including the risk of management override of controls, that were identified in the audit of the prior year’s financial statements.
Reading the most recent annual and comparable prior period interim financial information.
Considering materiality with reference to the applicable financial reporting framework as it relates to interim financial information to assist in determining the nature and extent of the procedures to be performed and evaluating the effect of misstatements.
Considering the nature of any corrected material misstatements and any identified uncorrected immaterial misstatements in the prior year’s financial statements.
Considering significant financial accounting and reporting matters that may be of continuing significance such as significant deficiencies in internal control.
Considering the results of any audit procedures performed with respect to the current year’s financial statements.
Considering the results of any internal audit performed and the subsequent actions taken by management.
Inquiring of management about the results of management’s assessment of the risk that the interim financial information may be materially misstated as a result of fraud.
Inquiring of management about the effect of changes in the entity’s business activities.
Inquiring of management about any significant changes in internal control and the potential effect of any such changes on the preparation of interim financial information.
Inquiring of management of the process by which the interim financial information has been prepared and the reliability of the underlying accounting records to which the interim financial information is agreed or reconciled.

16. The auditor determines the nature of the review procedures, if any, to be performed for components and, where applicable, communicates these matters to other auditors involved in the review. Factors to be considered include the materiality of, and risk of misstatement in, the interim financial information of components, and the auditor’s understanding of the extent to which internal control over the preparation of such information is centralized or decentralized.

17. In order to plan and conduct a review of interim financial information, a recently appointed auditor, who has not yet performed an audit of the annual financial statements in accordance with ISAs, should obtain an understanding of the entity and its environment, including its internal control, as it relates to the preparation of both annual and interim financial information.

18. This understanding enables the auditor to focus the inquiries made, and the analytical and other review procedures applied in performing a review of interim financial information in accordance with this ISRE. As part of obtaining this understanding, the auditor ordinarily makes inquiries of the predecessor auditor and, where practicable, reviews the predecessor auditor’s documentation for the preceding annual audit, and for any prior interim periods in the current year that have been reviewed by the predecessor auditor. In doing so, the auditor considers the nature of any corrected misstatements, and any uncorrected misstatements aggregated by the predecessor auditor, any significant risks, including the risk of management override of controls, and significant accounting and any reporting matters that may be of continuing significance, such as significant deficiencies in internal control.

SAS No. 109, Understanding the Entity, Its Environment and Assessing the Risks of Material Misstatement, states:

The purpose of obtaining an understanding of the entity and its environment, including its internal control, is to identify and assess risks of material misstatement and to design and perform procedures that respond to such risks.
Risk assessment procedures include inquiries of management and client personnel, observation and inspection procedures and various analytical procedures.
The auditor is required to obtain a sufficient understanding of the five elements of internal control to evaluate their design and operation.
Substantive procedures must be performed for significant risks.
Tests of controls are required only when substantive procedures alone are not sufficient to test financial statement assertions, such as the completeness assertion for revenues.

As it has been for decades, the auditor's understanding of an entity and its environment is the basis for risk assessment and designing auditing procedures that respond to identified risks. SAS No.109 hasn't changed that purpose.

The standard did, however, identify risk assessment procedures such as inquiries, observations, inspections and analytical procedures that are considered substantive evidence that supports the auditor's conclusions on financial statements. This evidence can serve to reduce evidence previously required from more costly tests of balances, even on small audits.

Further, inquiries, observations and inspections may be performed to obtain a sufficient understanding of the five elements of internal control. For small audits, applying these procedures to obtain a sufficient understanding of informal key controls applied by owners or managers may even provide evidence that could reduce control risk to a level less than high!

Are you taking credit for the audit evidence you obtain while gaining an understanding of an entity and its environment? If you are, post a comment and tell us how you use the evidence to reduce other more costly evidence.

Share this content