The survival of a business, its relevance as well as its growth, are constantly being challenged due to pressures from the internal and external environments arising from factors such as adverse economic downturns, sporadic changes in technology, increasing customers' taste, and fashion. Likewise, just like businesses and other professions, the auditing profession and its methodologies have also undergone vigorous changes arising from rising changes in technology, increasing business complexity and in recent times, rising corporate scandals and business failures. Although audit risks and business risks are dissimilar, it is often the case that identification of significant business risks leads to the detection of audit risks.(Ammar Ali ,2020 Accounting Simplified Web) However, this auditor's consideration of business risk can also impact positively on business operations, growth and survival beyond regulatory compliance purposes.
In order to ensure the timeliness and relevance of the audit profession in meeting public expectation despite changes in business complexities, the International Standard on Audit 315 (Revised), identifying and assessing the risk of material misstatement through Understanding the Entity and its Environment, states that the auditor, at the audit planning stage (ISA 300), should perform an appropriate risk assessment of the client's business environment and understanding of its internal control systems in a manner that commensurate with the size and nature of the entity. Primarily, the consideration of these business risks provides the auditor the opportunity to identify the risk of material misstatement due to error or fraud in the financial statement and designing its audit strategy in response to the risk identified (ISA 330). However, on the other hand, it is quite clear that this risk-based approach also provides an independent evaluation of the entity's environments in identifying business risks that could impede the attainment of its set objectives.
Regrettably, some entities, majorly unlisted companies, perceive that the sole significance of audit is to ensure compliance with statutory or regulatory requirements, most importantly, filing of tax returns and ensuring deadlines are met. Such that if the audited financial statement (AFS) is expunged from filing requirements, the essence of the audit might be lost in totality. This perception could explain the perceived lack of full cooperation of some staff and management towards the auditors during the audit planning stage, thereby, underestimating the Value of the risk-based audit approach to business success.
We shall demonstrate, using examples, how the auditor's risk assessment of the client's business environment through Understanding its entity and its environment and understanding its internal control can impact on other business activities beyond compliance.
What is understanding the entity and its environment and how can businesses derive benefit from this auditor's assessment of its entity and its environment?
According to ISA 315, Understanding the entity and its environment entails, gaining relevant and sufficient knowledge of the internal and external factors that impacts or influences the client's businesses. from its corporate governance structure, organizational structure, business models, and objectives, measures to assess its financial performance, industry performance, regulatory and legal factors. Gaining an understanding of these factors is a key audit planning activity.
The following example illustrates how identifying risk through understanding the entity & its environs impacts audit strategy and how businesses can benefit from this risk-based audit approach in devising business strategies to attain its objectives.
What are the Components of an entity's internal control system and how can businesses derive benefit from the auditor's assessment of its Internal Control systems?
The Committee Of Sponsoring Organizations (COSO) framework, defined ICS as the structures put in place by the board of directors and management to ensure compliance with the organization's policies and procedures, attainment of the organization's objective, and integrity of the financial reports. In 2013, COSO also updated its framework to address significant changes in the business environment. This simultaneously means, businesses can also derive other value-added benefits based on the auditor's assessment of its ICS.
The framework classified an effective Internal control system to consist of 5 Components which are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. The most prominent of these components is “Control Activity”. However, believing an internal control system is all about “Control Activities” undermines the relevance of the other components of the internal control system.
Hence, understanding the entity's internal control means the auditor is expected to have adequate knowledge of all 5 components, assess the adequacy of their designs, test the operating effectiveness over financial reporting, and draws his conclusion thereon. The examples below illustrate how auditor's identification of control deficiency can impact Business, and how the business can respond to these identified risks to ensure attainment of its overall objectives.
Control Environment Responses: Senior Management or Board Reviews through External Consultant, establish a Code of Conduct and anti-fraud policies to be communicated across all management levels
Control Activities Responses: Engage services of internal auditor or Business Process Engineer to carry out periodic evaluation of designs and effectiveness of the Internal control system.
Monitoring Activities Responses: Periodic reconciliation of account balances, Staff Training on relevant financial reporting standards, Outsource Accounting functions
Information and Communication Responses: Establish strong ICT systems and update regularly.
Risk Assessment Responses: Ensure a formal documentation of its risk management policies, communication and orientation of its staff on risk topics.
The illustrations above depict how the auditor's risk assessment procedures can aid in the formulation of business risk management strategies and achieving business growths. To derive these benefits, Senior Management or Those Charged with Governance (TCWG) should ensure auditors perform audit procedures in line with the Professional requirements, the Involvement of TCWG during the audit planning stage to discuss and review the audit strategy and Management/Staff re-orientation on the significance of audit to business survival and growth. This will ensure that maximum cooperation is achieved and enables the seamless transfer of sufficient, relevant, and appropriate information necessary for the Auditor to identify significant business risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
© Mondaq® Ltd 1994 – 2022. All Rights Reserved.
Forgot your password?
Free, unlimited access to more than half a million articles (one-article limit removed) from the diverse perspectives of 5,000 leading law, accountancy and advisory firms
Articles tailored to your interests and optional alerts about important changes
Receive priority invitations to relevant webinars and events
You’ll only need to do it once, and readership information is just for authors and is never sold to third parties.
We need this to enable us to match you with other users from the same organisation. It is also part of the information that we share to our content providers (“Contributors”) who contribute Content for free for your use.