Understanding the business before understanding the audit

One of the objectives of an audit is to identify and assess the risk of material misstatement within the financial statements, together with an assessment of the internal control environment within which an entity operates, to provide a basis for designing and implementing audit procedures to respond to the assessed risks of material misstatement. One of the best ways to identify and assess the risk of material misstatements to the financial statements is through understanding the entity and its environment, which is nothing but having an understanding of the business of the entity which is ultimately to be audited.

Obtaining an understanding of the entity’s business helps to undertake an effective and efficient audit, by tailoring audit procedures to suit the individual facts and circumstances of each client and to undertake the audit procedures and evaluate the audit findings in an informed manner. Knowledge of the entity’s business also helps to develop and maintain a positive professional relationship with the client. Accordingly, business relevance is becoming a key consideration in an audit. In view of the hectic pace at which changes are taking place, auditees have less time and they would prefer to listen to auditors who can demonstrate that they have business knowledge which would make them more credible and relevant. Accordingly, auditing is now a skill which cannot be applied in a business vacuum. Understanding the entity is an iterative and continuous process from the pre-engagement stage to the reporting stage.

The purpose of this article is to identify the professional responsibilities of auditors in dealing with various aspects of the entity’s business environment, which need to be considered by the auditor and evaluating their impact during an audit of the financial statements, duly supplemented by various practical scenarios.

Relevant Auditing Pronouncements:

The following Standards of Auditing (SAs) deal with various aspects of understanding of the entity and its environment during an audit of the financial statements: l SA-315 on Identifying and Assessing the Risks of Material Misstatements Through Understanding the Entity l SA-250 on Consideration of Laws and Regulations in an Audit of Financial Statements l SA-402 on Audit Considerations Relating to an Entity Using a Service Organisation l SA-550 on Related Parties Professional Responsibilities of Auditors: Various professional responsibilities of auditors under each of the above SAs, to the extent they deal with various aspects of understanding of the entity and its environment in an audit of financial statements, are briefly discussed below. SA-315 on Identifying and Assessing the Risks of Material Misstatements Through Understanding the Entity: SA-315 is the primary standard which deals with the various aspects of understanding an entity and its environment, keeping in mind the following two objectives:

•  Identifying and assessing the risk of material misstatements within the financial statements.
•  Understanding the Entity and its Internal Control environment.

Risk Assessment Procedures: The auditor should obtain an understanding of the entity’s strategies and related business risks that may result in material misstatement of the financial statements. Business risk is primarily concerned with external factors that could affect the entity, which may result in material misstatement within the financial statements. It arises as a result of significant conditions, events, circumstances or actions that could adversely affect the entity’s ability to achieve its objectives and strategies. Risk assessment can be undertaken by a combination of one or more of the following procedures:

•  Inquiries with the Management, operating personnel, those charged with governance, legal counsel etc. which could provide an insight into the industry developments, new products and services, extent of IT support, nature and extent of ongoing litigation and claims etc. Based on the results of the inquiries, the auditor is able to assess the impact of the following possible risks, which could have an impact on the financial statements:

1. Nature and extent of management override of controls especially in small and promoter driven entities. In such cases, the auditor should specifically inquire as to whether the transactions are undertaken on an arms length basis.

2. The risk of technological obsolescence of certain products which may necessitate provisioning for items lying in inventory.

3. The controls over the preparation and generation of financial information and reporting.

•  Analytical review of financial and non-financial information to identify any unusual trends or characteristics which will help in identifying risks of material misstatements, especially in relation to fraud. This will help the auditor in identifying any aspects which he is not aware of. Based on the results of the analytical review, the auditor is able to assess the impact of the following possible risks, which could have an impact on the financial statements.
• Observation and inspection to enable gathering of evidence concerning assertions made by the management and others through one or more of the following procedures:

1. Observation of the entity’s activities and operations which would give an insight into the revenue streams, materials used etc.

2. Inspection of various documents like Minutes of meetings, MIS reports, Procedural Manuals etc. which would give an insight into future trends, investments, acquisitions, financial reporting mechanisms etc.

3. Performing walk through tests (i.e observing evidence of controls which are documented in the procedure manuals for a sample of transactions of each type) on various controls which would help identify any procedural inadequacies vis-a-vis the documented controls in the key business cycles like purchasing, revenue, payroll, fixed assets etc. which could result in possible risks and material misstatements.

• Discussion amongst the engagement team members especially for recurring engagements. This enables the experienced team members to share their insights and learning with the junior and new staff members. Considering the global diversification of many entities, discussion is an effective way of communicating with the engagement teams located in different countries/jurisdictions.
• Understanding the Entity and its Internal Control Environment: The auditor must understand the entity, the environment in which it operates and its internal control structure, so as to enable him to undertake an effective and efficient audit. This involves an understanding of the following aspects:

•  External factors
• Nature of the entity 
• Internal Controls

External Factors:

There are various external factors as indicated below which the auditor needs to evaluate to ascertain the impact thereof during the course of the audit:

•  Industry and Economic Developments – These include a consideration of the following aspects: 

1. Seasonality or cyclicality of the products or services which would help in applying appropriate analytical procedures.

2. Technological advances or obsolescence of the entity’s products or service offerings, which could have an impact on the demand and also whether any provision for impairment or obsolescence is warranted.

3. Economic conditions like interest rates, exchange rates etc. which could impact the ability to raise and service borrowings.

•     Specific Operational Issues – A large part of gaining an understanding of an entity and its environment, involves looking at the specific factors attached to the entity. The following are certain specific factors which an auditor should consider, when gaining an understanding of the entity and the environment in which it operates:

2.    Investments and investment activities including any planned or recently executed acquisitions, investments in various securities
and special purpose entities.

3.    Financing and financing activities including those pertaining to subsidiaries and associated entities, consolidated and non consolidated structures, debt matters and use of derivatives and hedging instruments and structures.

4.    Financial reporting issues such as the use of industry specific accounting policies (e.g. financial services, software, media and entertainment etc.), revenue recognition practices (e.g. fertilisers, telecom etc.), fair value accounting (e.g. investments, brand acquisitions etc.) and other complex transactions which could give rise to “substance over form” issues.

Nature of the Entity:

It is of prime importance for an auditor to gain a thorough understanding of the nature and structure of the entity, its owners and other parties who purport to control the entity in substance. This is particularly important for identification of any related party transactions in accordance with the applicable financial reporting and regulatory framework. In case of complex entities operating in various jurisdictions, this can be a complicated and long winding process.

The understanding of the ownership and control structure is particularly important and relevant for new entities, whose audit is accepted for the first time and must be performed prior to acceptance of the audit as part of the KYC procedures, which the ICAI has recently recommended vide its announcement dated 4th August, 2011. In terms of the said announcement, for all attest engagements, the Council has recommended that certain details be obtained by every member before accepting any attest function. Though the above guidelines are recommendatory, it is in the best interest of the auditor to adhere to them.

Internal Controls:
This is the single most important factor which determines the course of the audit, since it helps to identify factors that affect the risk of material misstatements within the financial statements. An ineffective internal control environment is more likely to give rise to material misstatements. However, a robust internal control environment is not a fool proof guarantee of success but merely an enabler to reduce the risk of material misstatements.

Internal controls represent processes designed and implemented by the management, those charged with the governance and other personnel to provide reasonable assurance about the achievement of the entity’s objectives and to address the business risks identified by the management. The nature and complexity of the internal controls is directly proportional to the size of the entity.

For the purposes of determining which internal controls are relevant to the audit, the following five components as laid down in the COSO framework, are useful to ascertain the different aspects of an entity’s internal controls:

•     The Control Environment

•     The Entity’s Risk Assessment Process

•     The Information System, including Related Busi-ness Processes relevant for Financial Reporting and Communication

•     Control Activities

•     Monitoring of Controls

The Control Environment:
An entity’s Control Environment is a crucial aspect. More than any tangible factors, it represents the intangibles which define an entity and its culture, values and ethics which the management and employees imbibe through a code of conduct or other similar means. The quality of the entity’s human resources plays a vital role in ensuring the effectiveness of the control environment. The following are some of the matters which an auditor needs to consider, whilst evaluating the adequacy of the control environment and the degree and extent of reliance which he needs to place thereon to determine the nature, timing and extent of further audit procedures:

•     Board and Committee Structure – The nature and composition of the Board and its various committees and the degree and extent of their involvement is the single most important factor that determines the effectiveness of the control environment. There is no better substitute than the “tone at the top” which determines the success or failure of the control environment. This can be determined based on a review of the minutes and the information which is furnished to the Board as part of the agenda.

•     Organisation Structure- A simple structure may work for smaller entities, whereas for larger and more complex entities, it is important to ascertain the authority and responsibility matrix and the lines of reporting.

•     HR Policies – Human resources play a vital role in the entity’s control environment. This can be evidenced by the selection of appropriately trained individuals for various roles and having appropriate KYC procedures prior to their selection, coupled with appropriate training and continued professional development activities.

Entity’s Risk Assessment Process:
The entity should have risk assessment processes in place to deal with the various business risks relevant to the preparation of the financial statements, which would encompass estimating the level of such risks as well as identifying the likelihood of their occurrence. The following are examples of certain factors which need to be considered by the auditor, to ascertain the impact of changes in circumstances due to which either new risks could arise or the existing risks could change:

•     Changes in the regulatory and operating environment can result in changes in competitive pressures leading to significantly different risks. A recent example is the power sector, which is impacted by the availability of coal both domestically and internationally.

•     Significant and rapid expansion of operations can strain controls and increase the risks of breakdowns in internal control.

Information System, including Related Business Processes, Relevant for Financial Reporting and Communication:

In today’s age, most entities deal with reporting and communication of financial issues through the use of IT. It is imperative for an auditor to obtain an understanding of the various general and application controls for various business cycles, to enable him to ensure that all assertions for the generation of financial statements can be tested to enable him to issue an opinion thereon:

•     Identifying and recording all valid transactions.

•     Obtaining sufficient details of all transactions on a timely basis to enable proper classification thereof.

•     Measuring the value of transactions in a manner that permits recording thereof at the proper value.

•     Determining the time period in which the transactions occurred, to permit the recording thereof in the proper accounting period.

The controls for capturing of data especially the master data is of prime importance, to determine the quality of the system generated reports and information, which not only affects the management’s ability to take appropriate decisions, but also enables preparation of reliable financial reports.

Control Activities:

An auditor must obtain a sufficient understanding of the control activities of the various business cycles, to assess the risk of material misstatement at the assertion level and to design further audit procedures in response to the levels of assessed risks. Control activities encompass a combination of one or more of the following procedures, which the auditor needs to review as deemed appropriate:

•    Authorisation procedures

•     Performance reviews

•     Information processing

•     Physical controls

•    Segregation of duties

Monitoring of Controls:
This is an all encompassing activity which covers each of the above components and is primarily performed by the management. It represents the major type of activities that the management uses to monitor internal controls over financial reporting, including those related to control activities relevant to an audit and how corrective actions are initiated. The Audit Committee and Internal Audit are the key facilitators in this process. There are various external and regulatory agencies which also monitor specific aspects of the controls relevant to them like tax authorities, RBI inspectors, factory inspectors etc. One of the most common methods of monitoring controls, is the preparation of the bank reconciliation statement on a monthly or more frequent basis and its regular review and followup.

Other Standards:

The requirements of other SA’s which deal with the audit considerations pertaining to the understanding of the entity and its environment are summarised below:

•    SA-250 casts a responsibility on the auditor to obtain an understanding of the various laws and regulations impacting the entity which is a key element of the environment in which the entity operates. The SA broadly envisages the following two situations:

1.    Laws and regulations which have a direct effect on the financial statements and issuance of audit reports and other certificates in respect of the reporting entity.

2.    Laws and regulations which do not have a direct effect on the financial statements of the reporting entity, but compliance with which may have a fundamental effect on the operating aspects of the business, non-compliance with which may result in material penalties being levied by the concerned regulatory authorities.

•     SA-402 casts a responsibility on the auditor to understand the nature of services provided to a user entity by a service organisation which is defined as a third party organisation or a segment thereof that provides services to user entities that are part of those entities’ information systems relevant to financial reporting since such service organisations are nothing but an extension of the environment in which the entity operates in accordance with the provisions of SA-315. The most common examples of service organisations are payroll processing agencies, registrars and transfer agents, custodians, accounting and tax compliance service entities etc. The following are some of the matters which the auditor needs to consider relating to the service organisation:

1.    The nature of services provided.

2.    The contractual terms.

3.    The extent to which the internal controls of the entity interact with those of the service organisation.

4.    Information available on the relevant internal controls of the service organisation.

5.    Types of transactions processed.

The aforesaid information can be obtained in either of the following ways:

1.    Visiting the service organisation.

2.    Obtaining an independent auditors report on the design, implementation and operating effectiveness of the internal controls of the service organisation, commonly referred to a Type 1 and Type 2 reports.

3.    Using another auditor to perform procedures to obtain an understanding of relevant controls at the service organisation.

•     SA-550 casts a responsibility on the auditor to ensure that the management has correctly identified the related party transactions and made sufficient disclosures thereof in the financial statements, which is part of the broader framework of understanding the entity and its environment in terms of SA-315. The following are examples of procedures to identify related parties:

1.    Review of the declarations from directors in Form 24AA under the Companies Act, 1956.

2.    Review of the minutes of board meetings.

3.    Reviewing the audited accounts of known related parties to identify any step-down relationships.

4.    Review of bank confirmation for existence of guarantees given to related parties.

Illustrative Scenarios On Understanding Certain Aspects of Business/Environment in which an Entity Operates:

An attempt here is made to give an illustrative understanding in respect of certain aspects of the business/environment in which an entity is operating which could have an impact on financial reporting.

Business Model/Supply Chain:

An understanding of the business model is the primary driver of the revenue streams and cash flows of an entity. It covers the entire supply chain right from the co-ordination with the suppliers for sourcing of raw materials, the production to be undertaken in line with the demand from the customers, the extent of inventory to be maintained, the various stocking points and the distribution chain. It is imperative to gain an appropriate understanding of the business model and assess its utility in the light of the changes in the business dynamics and competitive environment in which the entity is operating. This would help to assess whether the entity would be able to sustain its existence on a going concern basis, which is one of the fundamental assumptions for the preparation of the financial statements. Understanding the business model/ supply chain gives the auditor an insight into the following matters, amongst others:

•     The extent, level and type of inventory to be maintained and its valuation methodology.

•     The nature and type of customers and accordingly the extent of provisioning for any non recoveries.

•     The normal margin and cost structure.

Brand/Intellectual Property:

An understanding of the brands/intellectual properties owned/acquired by the entity is imperative to gain an understanding of the sustainability of the business model of the enterprise vis-a-vis the competition. This would help the auditor to assess the value at which it is to be recognised and whether any impairment needs to be considered.

Insurance Coverage

The nature and extent of the risk coverage is an important indicator of the risk management and risk philosophy of the entity. It also helps to assess the extent of loss, both qualitative and quantitative, in times of damages or other stresses that the business might have to undergo. It is imperative that the auditor is able to assess the adequacy of the nature and extent of insurance coverage, to enable the entity to sustain its existence on a going concern basis.

Properties:

The policy of the entity with regard to the type and nature of properties to be acquired needs to be understood, keeping in mind the business model and the cash flows of the entity. This would consequentially determine special accounting requirements, especially with respect to lease transactions and other similar matters.

Conclusion:

Understanding the business environment during the audit is a continuous activity which an auditor needs to undertake for an effective and efficient audit. To conclude, effective auditing requires not just good technical skills, but also a willingness to venture outside the box to gain a better understanding of the entity.

Reference Material:

•     Indian Auditing Standards

•     Wiley’s Interpretation and Application of International Standards on Auditing by Steven Collings

•     Various Research Reports on Audit Process available for general public.