Understanding the Entity and Its Environment
Before an auditor can assess the risk of material misstatement and design appropriate audit procedures, the auditor must first develop a deep understanding of the entity being audited and the environment in which it operates. This is not a formality—it is the foundation of the entire risk-based audit. Without this understanding, the auditor cannot identify what could go wrong, where misstatements are most likely to occur, or how to allocate audit resources effectively.
This section covers the requirements under AU-C 315 (AICPA) and AS 2110 (PCAOB), the external and internal factors the auditor must consider, the entity's accounting policies and financial reporting framework, the auditor's understanding of internal control components, the risk assessment procedures used to obtain this understanding, and key sources of information about the entity.
Both AU-C 315 (for nonissuers) and AS 2110 (for issuers) require the auditor to obtain an understanding of the entity and its environment, including internal control, as a basis for identifying and assessing the risks of material misstatement. This understanding is obtained through risk assessment procedures, which are performed in every audit.
Why Understanding the Entity Matters
Understanding the entity and its environment enables the auditor to:
- Identify risks of material misstatement at both the financial statement and assertion levels
- Design audit procedures that are responsive to assessed risks
- Establish expectations for analytical procedures
- Evaluate accounting estimates and the reasonableness of management's judgments
- Detect conditions that may indicate fraud risk or going concern issues
- Exercise professional skepticism more effectively
Example: Kingfisher Industries is a manufacturer that sells products internationally. If the auditor does not understand that Kingfisher has significant foreign currency transactions, the auditor may fail to assess the risk of misstatement related to foreign currency translation and remeasurement—a potentially material area.
External Factors
The auditor must understand the external environment in which the entity operates. Key external factors include:
Industry Conditions
- Nature of the industry (e.g., manufacturing, technology, financial services)
- Competitive environment and market demand
- Cyclical or seasonal patterns
- Industry-specific accounting practices
- Key performance metrics and benchmarks
Regulatory Environment
- Applicable laws and regulations that directly affect the financial statements (e.g., tax law, environmental regulations, banking regulations)
- Regulatory agencies with oversight authority
- Pending or recently enacted regulatory changes
- Industry-specific compliance requirements
Economic Conditions
- General economic conditions (recession, growth, inflation)
- Interest rate environment and its effect on borrowing costs
- Foreign exchange rates for entities with international operations
- Availability of financing and credit market conditions
Other External Factors
- Technological changes affecting the entity or its industry
- Tax law changes
- Trade policies, tariffs, and geopolitical events
Example: MAS Inc. operates in the oil and gas industry. The auditor's understanding of external factors includes the current commodity price environment (which affects revenue and asset impairment risk), environmental regulations (which affect contingent liabilities for cleanup costs), and the volatile nature of capital expenditures tied to exploration and development.
On the CPA exam, questions about understanding the entity often test whether you can identify which external factor would be most relevant to a specific audit risk. For example, a sharp decline in commodity prices is most relevant to assessing impairment risk for an oil and gas company.
Internal Factors
The auditor must also understand the entity's internal characteristics:
Nature of the Entity
- Ownership structure (public vs. private, partnership, subsidiary)
- Organizational structure and legal structure
- Types of investments and investment activities (including special-purpose entities)
- How the entity is financed (debt, equity, related-party financing)
Operations
- Principal products, services, and revenue sources
- Key customers and suppliers
- Geographic locations and operating segments
- Supply chain and distribution methods
- Related party relationships and transactions
Governance
- Structure and composition of those charged with governance (board of directors, audit committee)
- Management's philosophy and operating style
- Entity's policies on corporate governance, risk management, and ethics
Strategies and Objectives
- The entity's business strategies and related business risks
- Management's financial and operating objectives
- Capital allocation priorities
- Plans for expansion, acquisition, restructuring, or divestiture
Example: BIF Partners is a private equity fund organized as a limited partnership. The auditor's understanding of internal factors includes the fund's investment strategy, the valuation methodologies used for portfolio investments (often requiring significant estimation), the fee structure (management fees and carried interest), and the governance framework (general partner authority vs. limited partner oversight).
Entity's Accounting Policies and Financial Reporting Framework
The auditor must understand the entity's selection and application of accounting policies, including:
- The applicable financial reporting framework (e.g., U.S. GAAP, IFRS, special-purpose framework)
- Revenue recognition methods and the timing of revenue
- Inventory valuation methods (FIFO, weighted average, etc.)
- Depreciation and amortization policies
- Estimates and judgments — including assumptions underlying significant estimates
- Changes in accounting policies or adoption of new standards
- Industry-specific accounting requirements
The auditor evaluates whether the entity's accounting policies are appropriate for its circumstances and consistent with the applicable framework.
| Area of Focus | What the Auditor Considers |
|---|---|
| Appropriateness | Are the policies suitable for the entity's industry and transactions? |
| Consistency | Have the policies been applied consistently from period to period? |
| Disclosure | Are the policies adequately disclosed in the notes to the financial statements? |
| Estimates | Are significant estimates reasonable and based on supportable assumptions? |
Understanding Internal Control Components
As part of understanding the entity, the auditor must obtain an understanding of each of the five components of internal control (as defined by the COSO framework):
- Control environment — Tone at the top, governance, integrity, and ethical values
- Risk assessment — The entity's process for identifying and responding to business risks relevant to financial reporting
- Information and communication — The information system and how the entity communicates roles and responsibilities for internal control
- Control activities — Policies and procedures that help ensure management directives are carried out (e.g., authorizations, reconciliations, segregation of duties)
- Monitoring activities — The entity's process for assessing the quality of internal control performance over time
The auditor is required to obtain an understanding of all five components of internal control in every audit. However, the auditor is not required to test all controls—only those the auditor intends to rely upon to reduce substantive testing. Understanding internal control is distinct from testing its operating effectiveness.
Risk Assessment Procedures
Risk assessment procedures are the specific procedures the auditor performs to obtain the understanding of the entity and its environment. They are required in every audit and include:
Inquiry
Asking management, those charged with governance, and other personnel within the entity questions about:
- The entity's business operations, strategies, and objectives
- Known risks and how management addresses them
- Changes in the business or operating environment
- The financial reporting process and internal controls
Observation
Physically observing the entity's operations, facilities, and processes—such as touring a manufacturing plant, watching how transactions are processed, or observing the physical security of assets.
Inspection
Examining documents and records, such as:
- Business plans, organizational charts, and policy manuals
- Board and audit committee minutes
- Internal audit reports
- Prior-year audit workpapers and financial statements
- Contracts, agreements, and legal correspondence
Analytical Procedures
Performing preliminary analytical procedures to identify unusual trends, unexpected relationships, or areas requiring further investigation. This includes:
- Comparing current-year financial data to prior years
- Comparing financial data to budgets or forecasts
- Analyzing financial ratios relative to industry benchmarks
- Identifying significant fluctuations that may indicate misstatement risk
Example: While performing preliminary analytical procedures on Illini Entertainment's financial statements, the auditor notices that revenue increased 25% year over year while the number of events hosted declined by 10%. This unexpected relationship suggests the possibility of fictitious revenue or significant changes in pricing that warrant further investigation.
Risk assessment procedures are not sufficient by themselves to provide a basis for the audit opinion. They must be complemented by further audit procedures (tests of controls and/or substantive procedures). Think of risk assessment procedures as the diagnostic step—they tell you where to look, not what to conclude.
Understanding Business Processes and Transaction Flows
The auditor must understand how significant classes of transactions are:
- Initiated — How do transactions begin? (e.g., customer places an order)
- Authorized — Who approves the transaction?
- Recorded — How and when are transactions captured in the accounting records?
- Processed — What steps occur between recording and reporting?
- Reported — How do transactions flow into the financial statements?
- Corrected — How are errors identified and corrected?
This understanding is often documented using flowcharts, narratives, or walkthrough procedures (tracing a transaction from initiation to recording).
Example: The auditor walks through Gies Co.'s revenue cycle by selecting one sales transaction and tracing it from the customer's purchase order through credit approval, shipment, invoicing, and recording in the sales journal to posting in the general ledger. This walkthrough helps the auditor confirm the understanding of the transaction flow and identify relevant controls.
Sources of Information About the Entity
Auditors use a variety of sources to build their understanding:
| Source | Examples |
|---|---|
| Client inquiries | Discussions with management, accounting staff, legal counsel, internal audit |
| Prior-year workpapers | Prior audit documentation, including risk assessments and known issues |
| Industry publications | Trade journals, industry risk alerts, AICPA audit guides |
| Regulatory filings | SEC filings (10-K, 10-Q, proxy statements), regulatory examination reports |
| External data | Credit reports, analyst coverage, economic forecasts |
| Internal documents | Board minutes, strategic plans, budgets, internal audit reports, organizational charts |
| Observation | Plant tours, observation of operations and personnel |
| Engagement team discussions | Brainstorming sessions among audit team members about risks and susceptibility to misstatement |
Auditing standards require the engagement team to hold a discussion about the susceptibility of the entity's financial statements to material misstatement. This brainstorming session ensures that the knowledge and insights of all team members are shared and that the team collectively considers fraud risks and other significant risks.
Documenting the Understanding
The auditor must document the understanding of the entity and its environment, including internal control, in the audit workpapers. Documentation typically includes:
- A description of key aspects of the entity and its environment
- Identified risks of material misstatement at the financial statement and assertion levels
- The rationale for the risk assessment
- Identified significant risks requiring special audit consideration
- An overview of the entity's internal control components relevant to the audit
This documentation forms the basis for the auditor's overall audit strategy and detailed audit plan.
Example: After completing risk assessment procedures for MSA Records, the auditor documents that the entity operates in a highly competitive and rapidly evolving industry (music distribution), faces significant risk related to digital rights and royalty accounting, has recently changed its revenue recognition policy, and has a small accounting department with limited segregation of duties. These findings drive the auditor to classify revenue recognition and royalty liabilities as significant risks requiring enhanced audit procedures.