Why do auditors need to obtain an understanding of the client and its environment?

In order to continue enjoying our site, we ask that you confirm your identity as a human. Thank you very much for your cooperation.

As it has been for decades, the auditor's understanding of an entity and its environment is the basis for risk assessment and designing auditing procedures that respond to identified risks. The importance of understanding the operation of a client’s business and its competitive environment to achieve an effective audit is well-known. More specifically, the International Standards on Auditing requires that an auditor understand the company’s objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement.

It is important to point out that the process of identifying risks should start from developing knowledge of the nature, characteristics and dynamics of the entity and of the environment in which it operates and then move to the assessment of the potential effect in terms of misstatement that such risks could have on the financial statements, rather than going in the opposite direction of starting to assess risk by reading the financial statements, which could result in missing relevant and pervasive risks relating to the entity’s industry or its specific circumstances.

Recently, I came across the model called Business Model Canvas in the book (Business Model Generation: Alexander Osterwalder & Yves Pigneur) that may be useful for the auditor's understanding of an entity and its environment. The book describes business model as the rationale of how an organization creates, delivers and captures value. An organization business model can be described with nine basic building blocks: Key Partners, Key Activities, Key Resources, Value Propositions, Customer Relationships, Channels, Customer Segments, Cost Structure, and Revenue Streams.

Lets briefly go through nine building blocks. I have especially highlighted the questions that may help auditors to get sufficient and appropriate understanding of an entity and its environment during the audit.

For whom client is trying to create value? Who are the most important customers?

The Customer Segments Building Block defines the different groups of people or organizations an organization aims to reach and serve.

What value do client deliver to the customer? Which one of their customer’s problems are they helping to solve? Which customer needs are they satisfying? What bundles of products and services are they offering to each Customer Segment?

The Value Propositions Building Block describes the bundle of products and services that create value for a specific Customer Segment. Values may be quantitative (e.g. price, speed of service) or qualitative (e.g. design, customer experience).

Through which Channels do their Customer Segments want to be reached? How are they reaching them now? How are their Channels integrated? Which ones work best? Which ones are most cost-efficient? How are they integrating them with customer routines?

The Channels Building Block describes how an organization communicates with and reaches its Customer Segments to deliver a Value Proposition Communication, distribution, and sales Channels comprise a company's interface with customers. Channels have five distinct phases.

What type of relationship does each of their Customer Segments expect them to establish and maintain with their Customer Segments? Which ones have they established? How costly are they? How are they integrated with the rest of their business model?

The Customer Relationships Building Block describes the types of relationships a company establishes with specific Customer Segments.

For what value are their customers really willing to pay? For what do they currently pay? How are they currently paying? How would they prefer to pay? How much does each Revenue Stream contribute to overall revenues?

The Revenue Streams Building Block represents the cash a company generates from each Customer Segment.

What Key Resources do their Value Propositions require? Their Distribution Channels? Customer Relationships? Revenue Streams?

The Key Resources Building Block describes the most important assets required to make a business model work.

What Key Activities do their Value Propositions require? Their Distribution Channels? Customer Relationships? Revenue streams?

The Key Activities Building Block describes the most important things a company must do to make its business model work.

Who are their Key Partners? Who are their key suppliers? Which Key Resources are they acquiring from partners? Which Key Activities do partners perform?

The Key Partnerships Building Block describes the network of suppliers and partners that make the business model work.

What are the most important costs inherent in their business model? Which Key Resources are most expensive? Which Key Activities are most expensive?

This building block describes the most important costs incurred while operating under a particular business model.

Conclusion: There are undeniable benefits for financial auditors to understand a client’s business strategy, strategic objectives and critical business processes, as well as understanding the business risks of a client’s business model during the reporting period. In fact, an inadequate understanding of business risks can result in an audit failure. While business risk auditing continues to be a central framework for auditing, whether auditors can achieve the necessary in-depth understanding of the business risks generated by different strategies and business models remains unclear.

SAS No. 109, Understanding the Entity, Its Environment and Assessing the Risks of Material Misstatement, states:

The purpose of obtaining an understanding of the entity and its environment, including its internal control, is to identify and assess risks of material misstatement and to design and perform procedures that respond to such risks.
Risk assessment procedures include inquiries of management and client personnel, observation and inspection procedures and various analytical procedures.
The auditor is required to obtain a sufficient understanding of the five elements of internal control to evaluate their design and operation.
Substantive procedures must be performed for significant risks.
Tests of controls are required only when substantive procedures alone are not sufficient to test financial statement assertions, such as the completeness assertion for revenues.

The standard did, however, identify risk assessment procedures such as inquiries, observations, inspections and analytical procedures that are considered substantive evidence that supports the auditor's conclusions on financial statements. This evidence can serve to reduce evidence previously required from more costly tests of balances, even on small audits.

Further, inquiries, observations and inspections may be performed to obtain a sufficient understanding of the five elements of internal control. For small audits, applying these procedures to obtain a sufficient understanding of informal key controls applied by owners or managers may even provide evidence that could reduce control risk to a level less than high!

Are you taking credit for the audit evidence you obtain while gaining an understanding of an entity and its environment? If you are, post a comment and tell us how you use the evidence to reduce other more costly evidence.

Share this content

Obtaining an understanding of the client’s business is key to an effective and efficient audit. It enables us not only to tailor our work to meet the individual facts and circumstances of each client, but also to carry out that work and to evaluate our findings in an informed manner. Our knowledge of the client’s business also helps us to develop and maintain a positive professional relationship with the client.

International Standards on Auditing (ISA) 315 states that the auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures.

Understanding the entity is an iterative process, continuing throughout the entire duration of the audit.

Prior the accepting an audit engagement, we should obtain a preliminary knowledge of the industry and of the ownership, management and operations of the entity to be audited.

Detailed information is required at the planning stage of our audit to enable us to plan our work adequately. We need to understand the nature of client’s business, its organization, its method of operation and the industry in which it is involved. This understanding enables us to appreciate which events and transactions are likely to have a significant effect on the financial statements.

Specifically, such an understanding helps us to :

Identify the areas of high risk where we should concentrate our audit effort
Maximize efficiency in other areas of audit significance
Assess the potential for use of analytical procedures, by enabling us to identify the information which we can use to make predictions and comparisons
Obtain an understanding of the internal control structure
Assess the inherent and control risks in the key areas of audit significance
Develop an audit strategy enabling us to obtain the necessary audit evidence in the most effective and efficient manner possible.

Knowing the client’s business helps us in a number of ways both during the conduct of the audit, and when we come to complete our work.

This includes, for example, helping us in :

Recognising errors in the financial statements
Asking the right questions and evaluating the reasonableness of the answers we receive
Making judgements about the appropriateness of the client’s accounting principles, policies and procedures
Identifying unusual or unexpected transactions and related party transactions
Interpreting the results of audit tests and evaluating their effect
Carrying out appropriate procedures to review events occurring after the balance sheet date
Carrying out an overall review of the financial statements.

Knowledge of the client’s business and the industry in which it operates is essential also to the development of a positive relationship and it helps us as follows :

In understanding the management’s philosophy and aspirations for the business
Understanding the business strategy and plans
Providing relevant and practical business advice to the client
Identifying areas in which the client might benefit from other professional services which we provide.

ISA 315 states that :

the auditor should obtain an understanding of relevant industry, regulatory, and other external factors including the applicable financial reporting framework
the auditor should obtain an understanding of the nature of the entity
the auditor should obtain an understanding of the entity's selection and application of accounting policies and consider whether they are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry
the auditor should obtain an understanding of the entity's objectives and strategies, and the related business risks that may result in material misstatement of the financial statements
the auditor should obtain an understanding of the measurement and review of the entity's financial performance.

Each year, the auditor's understanding of the entity should be updated and details of significant changes documented (Hrd) ***