Page|1

MODULE 6
MODULE 6 – UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT

Module Title: Understanding the Entity and its Environment

Course Title: Auditing and Assurance Principles
Course Number: PrE 311

Course Description: This course is designed to provide students with the conceptual knowledge
and understanding of the fundamental theory of auditing and assurance services, and the
philosophy underlying audits with emphasis on external auditing as performed by independent
Certified Public Accountants and the management of public accounting practice. The course
covers Generally Accepted Auditing Standards [specifically, Philippine Standards on Auditing
(PSA)], the Philippine Accountancy Law, internal and external auditing, internal controls,
manual records, audit objectives, audit techniques, audit programs and procedures, and audit
reports. Ethical standards affecting the accountancy profession are also taken up.

Total Learning Time:

Pre-requisite: Intermediate Accounting 3

Overview:
This module includes the discussion about the risk assessment procedures being performed by
the auditor to enable him to understand the environment of the client entity. Inherent risk factors
and the risks of material misstatements are also presented.

Learning Outcomes: At the end of this module, students will be able to:
1. Demonstrate understanding of the risk assessment procedures.
2. Identify the scope of the auditor’s understanding of the client entity.
3. Determine inherent risk factors and risks of material misstatements.

Indicative Content:
 Risk Assessment Procedures
 Scope of the Auditor’s Understanding of the Client Entity
 Inherent Risk Factors
 Risks of Material Misstatement

Discussion:
Risk Assessment Procedures

Risk assessment procedures are audit procedures designed and performed to identify and assess
the risks of material misstatement and assertion levels. Risk assessment procedures by
themselves, however, do not provide sufficient appropriate audit evidence on which to base the
auditor’s opinion.
Risk assessment procedures include the following:
 Page|2

• Inquiries of management and of others appropriate individuals within the entity, including
individuals within the internal audit function (if the function exists)
• Analytical procedures
• Observation and inspection

Analytical Procedures
Analytical procedures refer to evaluations of financial information through analysis of plausible
relationships among both financial and non-financial data. It involves the analysis of significant
ratios and trends including the resulting investigation of fluctuations and relationships that are
inconsistent with other relevant information or which deviate from predicted amounts.
Analytical procedures may be used in the:
• Planning stage, as part of risk assessment procedures, to assess the risks of material
misstatement in order to determine the nature, timing and extent of audit procedures
to be performed
• Testing stage, as a substantive procedure to obtain corroborative audit evidence about
the client’s assertions
• Completion stage, as part of the overall review of conclusions reached

The auditor should apply analytical procedures at the planning (as a risk assessment
procedure) and overall review stages of the audit. Analytical procedures performed as part of
substantive procedures is not required.
Analytical procedures performed as a risk assessment procedure during the planning stage:

• Enhance the auditor’s understanding of the client’s business

• Assists the auditor in identifying areas of potential risk
• Helps the auditor in identifying the existence of unusual transactions and events
Application of analytical procedures as a risk assessment procedure may indicate aspects
of the business of which the auditor was unaware, and may assist the auditor in identifying risks
of material misstatement, especially risk of material misstatement due to fraud. Analytical
procedures at this stage often use data aggregated at a high level and accordingly only provide a
broad initial indication of whether a material misstatement exists.
Analytical procedures may cover both financial and non-financial information (e.g.,
establishing the relationship between sales and square footage of selling space or volume of
goods sold).

Scope of the Auditor’s Understanding of the Client Entity

In performing an audit of financial statements, the auditor should obtain knowledge of the
client’s business which covers the following:
• A general knowledge of the economy and the industry within which the entity
operates
• A more particular knowledge of how the entity operates
 Page|3

The level of knowledge required of an audit would, however, ordinarily be less than that
possessed by management.
Obtaining an understanding of the entity and its environment, and the applicable financial
reporting framework establishes a frame of reference within which the auditor plans the audit and
exercises professional judgment throughout the audit. It assists the auditor in:
• Identifying and assessing risks of material misstatement of the financial
statements
• Performing procedures to help identify instances of noncompliance with laws and
regulations that may have a material effect on the financial statements
• Evaluating whether the financial statements provide adequate disclosures
• Determining materiality or performance materiality
• Considering the appropriateness of the selection and application of accounting
policies, and the adequacy of financial statement disclosures.
• Developing expectations for use when performing analytical procedures.
• Designing and performing further audit procedures to obtain sufficient appropriate
audit evidence
• Evaluating the sufficiency and appropriateness of audit evidence obtained.

In accordance with PSA 315 (Revised 2019), “Identifying and Assessing the Risks of Material
Misstatement”, the auditor should perform risk assessment procedures to obtain an understanding
of:
• The following of the entity and its environment:
 The entity’s organizational structure and ownership
 The entity’s governance  The entity’s business model, including the extent to
which the business model integrates the use of IT
 Industry, regulatory, and other external factors
 The measures used, internally and externally, to assess the entity’s financial
performance
• The applicable financial reporting framework, and the entity’s accounting policies and the
reasons for any changes thereto
• How inherent risk factors affect susceptibility of assertions to misstatement and the
degree to which they do so, in the preparation of the financial statements in accordance
with the applicable financial reporting framework, based on the understanding obtained in
the above statements.
• The components of the entity’s system of internal control

Auditor’s Understanding of the Entity’s Organizational Structure and Ownership

The auditor should obtain an understanding of the entity’s organizational structure and
ownership in order to understand the:

• Complexity of the entity’s structure (e.g., single entity or may include subsidiaries
and divisions)
• Ownership and relationships between owners and other people or entities,
including related parties (e.g., whether related party transactions are properly
accounted for and disclosed)
 Page|4

• Distinction between owners, those charged with governance and management

(e.g., the owners of the entity may be personally involved in managing the entity)
• Structure and complexity of the entity’s IT environment (e.g., outsourcing the
hosting of an entity’s IT system to a third party).

Auditor’s Understanding of the Entity’s Governance

Understanding of the entity’s governance may assist the auditor with understanding the entity’s
ability to provide appropriate oversight of its system of internal control. However, this
understanding may also provide evidence of deficiencies, which may indicate an increase in the
susceptibility of the entity’s financial statements to risks of material misstatements.
The following matters should be considered by the auditor:
• Whether any or all of those charged with governance are involved in managing the entity
• The existence (and separation) of a non-executive Board, if any, from executive
management
• Whether those charged with governance hold positions that are an integral part of the
entity’s legal structure, for example as directors
• The existence of sub-groups of those charged with governance, such as an audit
committee, and the responsibilities of such a group
• The responsibilities of those charged with governance for oversight of financial reporting,
including approval of the financial statements.

Auditor’s Understanding of the Entity’s Business Model

Understanding the entity’s objectives, strategy and business model helps the auditor to
understand the entity at a strategic level, and to understand the business risks the entity takes and
faces.
Objectives refers to the overall plans for the entity, while strategies are the approaches by which
management plans to achieve the entity’s objective, including how the entity plans to address the
risks and opportunities that it faces:
A typical business model includes:

• The scope of the entity’s activities, and why it does them

• The entity’s structure and scale of its operations
• The markets or geographical or demographical spheres, and parts of the value chain,
in which it operates
• The entity’s business or operating process employed in performing its activities
• The resources (e.g., financial, human) and other inputs and relationships (e.g.,
suppliers, customers) that are necessary or important to its success
• How the entity’s business model integrates the use of IT in its interactions with
customers, suppliers, lenders, and other stakeholders through IT interfaces and other
technologies
Business Risk refers to the risk of resulting from significant conditions, events,
circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its
objectives and execute its strategies, or from the setting of inappropriate objectives and
strategies. Business risk is broader than the risk of material misstatement of the financial
statements, though it includes the latter.
An understanding of the business risks that have an effect on the financial statements assists
the auditor in identifying risks of material misstatement, since most business risks will
 Page|5

eventually have financial consequences and, therefore, an effect on the financial statement.
However, the auditor is not responsible to identify or assess all business risks because not all
business risks give rise to risk of material misstatement.
The following are matters that the auditor may consider when obtaining an understanding of
the business entity’s model, objectives, strategies and related business risks that may result in
a risk of material misstatement of the financial statements:
• Industry developments (a potential related business risk might be, for example, that
the entity does not have the personnel or expertise to deal with the changes in the
industry)
• New products and services (a potential related business risk might be, for example,
that there is increased product liability)
• Expansion of the business (a potential related business risk might be, for example,
that the demand has not been accurately estimated)
• New accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation, or increased costs)
• Regulatory requirements (a potential related business risk might be, for example, that
there is increased legal exposure)
• Current and prospective financing requirements (a potential related business risk
might be, for example, the loss of financing due to the entity’s inability to meet
requirements)
• Use of IT (a potential related business risk might be, for example, that systems and
processes are incompatible)
• The effects of implementing a strategy, particularly any effects that will lead to ne
accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation.
Moreover, the following are matters that the auditor may consider when obtaining an
understanding of the activities of the entity that are included in the entity’s business
model:
a. Business Operations
• Nature of revenue sources, products or services, and markets, including involvement
in electronic commerce such as internet sales and marketing activities
• Conduct of operations (for examples, stages and methods of production, or activities
exposed to environmental risks)
• Alliances, joint ventures, and outsourcing activities  Geographical dispersion and
industry segmentation
• Location of production facilities, warehouses, and offices, and location and quantities
of inventories
• Key customers and important suppliers of goods and services, employment
arrangements (including the existence of union contracts, pension and other post-
employment benefits, stocks option or incentive bonus arrangements, and government
regulation related to employment matters)
• Research and development activities and expenditures
• Transactions with related parties

b. Investments and Investment Activities

• Planned or recently executed acquisitions or divestitures
• Investments and dispositions of securities and loans
• Capital investment activities
• Investment in non-consolidated entities, including partnerships, joint
ventures and special-purpose entities
 Page|6

c. Financing and Financing Activities

• Major subsidiaries and associated entities, including consolidated and
nonconsolidated structures
• Debt structure and related terms, including off-balance-sheet financing
arrangements and leasing arrangements
• Beneficial owners (local, foreign, business reputation and experience)
and related parties
• Use of derivative financial instruments

Regulatory and Other External Factors that may Affect the Client Entity
Relevant industry factors include industry conditions such as the competitive environment,
supplier and customer relationships, and technological developments. Examples of matters the
auditor may consider include the market and competition, cyclical or seasonal activity, product
technology relating to the entity’s products, and energy supply and cost.
Relevant regulatory factors include the regulatory environment, which encompasses the
applicable financial reporting framework and the legal and political environment. The auditor
should consider the regulatory framework for a regulated industry, legislation and regulation that
significantly affect the entity’s operations (including direct supervisory activities), taxation
(corporate and others), government policies currently affecting the conduct of the entity’s
business (such as monetary, including foreign exchange controls, fiscal, financial incentives),
tariffs or trade restrictions policies, and environmental requirements affecting the industry and
the entity’s business.
Other external factors affecting the entity that the auditor may consider include the general
economic conditions, interest rates and availability of financing, and inflation or currency
revaluation.

Auditor’s Understanding of the Entity’s Performance Measures

Management and others will measure and review those things they regard as important.
Performance measures, whether external or internal, create pressures on the entity, which in turn,
may motivate management to take action to improve the business performance or to misstate the
financial statements. Accordingly, an understanding of the entity’s performance measures assists
the auditor in considering whether pressures to achieve performance targets may result in
management actions that increase the risks of material misstatement, including those due to
fraud.

Typical indicators used to evaluate financial performance include:

• Key performance indicators (financial and non-financial) are key ratios, trends and
operating statistics
• Period-on-period financial performance analyses
• Budgets, forecasts, variance analyses, segment information and divisional, departmental
or other level performance reports
• Employee performance measures and incentive compensation policies  Comparisons of
an entity’s performance with that of competitors
 Page|7

Auditor’s Understanding of the Entity’s Applicable Financial Reporting Framework and

Accounting Policies
The auditor should consider the entity’s financial reporting practices in terms of the applicable
financial reporting framework, such as accounting principles and industry specific practices,
revenue recognition, accounting for financial instruments, foreign currency transactions, and
accounting for unusual or complex transactions (e.g., cryptocurrency).
The auditor should also understand the entity’s selection and application of accounting
policies in relations to matters such as:
• Methods the entity uses to account for significant and unusual transactions
• The effect of significant accounting policies in controversial or emerging areas for which
there is lack of authoritative guidance or consensus
• Changes in the entity’s accounting policies
• Financial reporting standards and laws and regulations that are new to the entity and when
and how the entity will adopt such requirements

Inherent Risk Factors

Understanding the entity and its environment, and the applicable financial framework
assists the auditor in inherent risk factors, or the characteristics of events or conditions that affect
susceptibility to misstatement, whether due to fraud or error, of an assertion about classes of
transactions, account balance, before consideration of controls.
Inherent risk factors may affect susceptibility of assertions to misstatement by influencing
the likelihood of occurrence of a misstatement or the magnitude of the misstatement if it were to
occur.
Understanding how inherent risk factors affect the susceptibility of assertions to
misstatement assists the auditor:
• With a preliminary understanding of the likelihood or magnitude of misstatements which
assist in identifying risks of material misstatement at the assertion level
• In assessing the likelihood and magnitude of a possible misstatement when assessing
inherent risk
• In designing and performing further audit procedures

Factors that may Affect Inherent Risk

Inherent risk factors may be qualitative or quantitative. In obtaining the understanding of the
entity and its environment, and the applicable financial reporting framework and the entity’s
accounting policies, the auditor also understands how inherent risk factors affect susceptibility of
assertions to misstatement in the preparation of the financial statements.
Inherent risk factors relating to the preparation of information required by the applicable
financial reporting include:
 Page|8

a. Complexity. Arises either from the nature of the information or in the way that the
required information is prepared, including when such preparation processes are more
inherently difficult to apply.

For example, complexity may arise in calculating supplier rebate provisions because it
may be necessary to take into account different commercial terms that are all relevant
in calculating the rebates due.

b. Subjectivity. Arises from inherent limitations in the ability to prepare required

information in an objective manner because of limitations in the availability of
knowledge or information, such that management may need to make a subjective
judgment about the appropriate approach to take and about the resulting information
to include in the financial statements.

Due to the different approaches in preparing the required information, different

outcomes could result from appropriately applying the requirements of the applicable
financial reporting framework. As limitations in knowledge or data increase, the
subjectivity in the judgments that could be made by reasonably knowledgeable and
independent individuals, and the diversity in possible outcomes of those judgments,
will also increase.

c. Change. Results from events or conditions that, over time, affect the entity’s business
or the economic, accounting, regulatory, industry or other aspects of the environment
in which it operates, when the effects of those events or conditions are reflected in the
required information. Such events or conditions may occur during, or between,
financial reporting periods.

For example, change may result from developments in the requirements of a PRFS, or
in the entity and its business model, or in the environment in which the entity
operates. Such change may affect management’s selection of accounting policies or
how accounting estimates are made or related disclosures are determined.

d. Uncertainty. Arises when the required information cannot be prepared based only on
sufficient precise and comprehensive data that is verifiable through direct observation.
Constraints on the availability of knowledge or data, which are not within the control
of management are sources of uncertainty and their effect on the preparation of the
required information cannot be eliminated.

For example, estimation uncertainty arises when the required monetary amount
cannot be determined with precision and the outcome of the estimate is not known
before the date the financial statements are finalized.

e. Susceptibility to Misstatement Due to Management Bias or Other Fraud Risk

Factors Insofar as they Affect Inherent Risk. Susceptibility to management bias
results from conditions that create susceptibility to failure by management to maintain
neutrality in preparing the information.
 Page|9

Management bias is often associated with certain conditions that have the potential to
give rise to management not maintaining neutrality in exercising judgment
(indicators of potential management bias), which could lead to a material
misstatement of the information that would be fraudulent if intentional. Such
indicators include incentives or pressures insofar as they affect inherent risk (for
example, as a result of motivation to achieve a desired result, such as a desired profit
target or capital ratio), and opportunity, not to maintain neutrality.

Events and Conditions that may Indicate the Existence of Risks of Material
Misstatement a. Complexity

 Regulatory: operations that are subject to a high degree of complex regulation

 Business model: the existence of complex alliances and joint ventures
 Applicable financial reporting framework: accounting measurements that
involve complex processes
 Transactions: use of off-balance sheet finance, special-purpose entities, and
other complex financing arrangements
b. Subjectivity
 Applicable financial reporting framework
• A wide range of possible measurement criteria of an accounting
estimate (e.g., depreciation)
• Management’s selection of valuation technique or model for a
noncurrent asset (e.g., investments)
c. Change
 Economic conditions: operations in regions that are economically unstable
 Markets: operations exposed to volatile markets (e.g., futures trading)
 Industry model: changes in the industry in which the entity operates
 Business model: changes in the supply chain; developing or offering new
products or services, or moving into a new lines of business
 Geography: expanding into new locations
 Entity structure: changes in the entity such as large acquisitions or
reorganizations; entities or business segment likely to be sold
 Human resource competence: changes in key personnel, including departure of
key executives; changes in IT environment; installation of significant new IT
systems related to financial reporting
 Applicable financial reporting framework: application of new accounting
pronouncements
 Capital: new constraints on the availability of capital and credit
 Regulatory: investigation into the entity’s operations by regulatory bodies;
Impact of new legislation related to environmental protection
 P a g e | 10

d. Uncertainty
 Reporting: events or transactions that involve significant measurement of
uncertainty (e.g., accounting estimates); pending litigation and contingent
liabilities (e.g., environmental remediation)

e. Susceptibility to misstatement due to management bias or other fraud risk factors

insofar as they affect inherent risk
 Reporting: opportunities for management and employees to engage in fraudulent
financial reporting
 Transactions: significant transactions with related parties; significant amount of non-
routine or non-systematic transactions (e.g., large revenue transactions at period end);
transactions that are recorded based on management’s intent (e.g., classification of
marketable securities).
The following events or conditions may also indicate risks of material misstatement at
the financial statement level:

 Lack of personnel with appropriate accounting and financial reporting skills

 Control deficiencies, particularly in the control environment, risk assessment process,
and process for monitoring, and especially those not addressed by management
 Past misstatement, history of errors or a significant amount of adjustment at period
end

Risk of Material Misstatements

Matters to Discuss Among the Engagement Team Members to Assess Risk of Material
Misstatements
The engagement partner and other key engagement team members should discuss the
susceptibility of the entity’s financial statements to material misstatement, and the application
of the applicable financial reporting framework to the entity’s facts and circumstances. The
engagement partner should determine which matters are to be communicated to engagement
team members not involved in the discussion.
The discussion among the engagement team members (brainstorming session) about the
susceptibility of the entity’s financial statements to material misstatement:
• Provides an opportunity for more experienced engagement team members, including
the engagement partner, to share their insights based on their knowledge of the entity
• Allows the engagement team members to exchange information about the business
risks to which the entity is subject and about how and where the financial statements
might be susceptible to material misstatement due to fraud or error.
• Assist the engagement team members to gain a better understanding of the potential
for material misstatement of the financial statements in the specific areas assigned to
 P a g e | 11

them, and to understand how the results of the audit procedures that they perform may
affect other aspects of the audit including the decisions about the nature, timing, and
extent of further audit procedures.
• Provides a basis upon which engagement team members communicate and share new
information obtained throughout the audit that may affect the assessment of risks of
material misstatement or the audit procedures performed to address these risks.
Discussion of the engagement team members should be documented by the auditor.

References:
Chen, H. (2021/2022). Auditing Theory (Volume 1). Iloilo City, Philippines

Online Reference:

https://www.bcauditor.com/about-us/what-we-do/financial-audits/audit-process/i-
preengagement-procedures https://pcaobus.org/oversight/standards/auditing-
standards/details/AS2101 https://www.accountingtools.com/articles/2017/6/7/predecessor-
auditor https://www.accountingtools.com/articles/2017/5/16/successor-auditor
https://pcaobus.org/oversight/standards/archived-standards/pre-reorganized-
auditingstandards-interpretations/details/AU315
https://www.accountingtools.com/articles/2017/9/4/audit-engagement
https://www.ifac.org/system/files/downloads/2008_Auditing_Handbook_A065_ISA_210.pdf