7 December 2022

We’ve talked about risk assessment, professional scepticism, responding to identified risks, and the business model in terms of ISA 315 (revised 2019). But the bulk of the actual requirements of the standard (paragraphs 19-27) relate to, as the heading puts it: ‘Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control’. This is the topic of this article.

The new approach to understanding the entity and environment – especially its controls – is fairly significant. The easiest way to express this is to compare the requirements of the old ISA 315 with the revised 2019 version.

Entity and Environment

Paragraphs 19-20 address Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework.

Paragraph 19(a)(i) specifies that we obtain an understanding of the entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT. Understanding the organisational structure, ownership and governance was previously required under ISA 315, 11(b)(ii). The requirement to understand the business model, and the extent to which this integrates the use of IT, is new. We have discussed this at length in a previous article.

Paragraph 19(a)(ii) specifies that we obtain an understanding of industry, regulatory and external factors. This was required in the old standard under paragraph 11(a). The supporting information in paragraphs A68-A73 is worth a read to refresh yourself as to the scope of what is required here. Good general knowledge of the economy, the current issues with the specific industry and the inputs and outputs of the entity is likely to be extremely helpful, and these are points to be discussed and documented in the team meeting.

Paragraph 19(a)(ii) specifies that we obtain an understanding of the measures used, internally and externally, to assess the entity’s financial performance. This replaces the old paragraph 11(e) requirement to obtain an understanding of the measurement and review of the entity’s financial performance. The difference is specifying internally and externally. The supporting information in paragraph A74 explains that this helps us to consider whether such measures, whether used externally or internally, may create pressure on the entity to achieve performance targets, motivating management to take actions that increase the susceptibility to misstatement due to management bias or fraud. Again, something to discuss in the team meeting. Paragraphs A74-A77 are well worth reading.

Paragraph 19(b) states that we obtain an understanding of the applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto. This was covered previously in paragraph 11(c). There are three parts to consider: the applicability of the framework, how this fits with the actual policies, whether there have been any changes, and if so, whether these are justified.

Paragraph 19(c) states that we must obtain an understanding of how inherent risk factors affect the susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial statements in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b). This is new. It follows the emphasis in the revised ISA 315 on inherent risks. In paragraphs A87-A89 the emphasis is on susceptibility to misstatement relating to complexity or subjectivity. The greater the complexity or subjectivity, the greater the risk, and the more professional scepticism is required.

Finally, paragraph 20 requires us to evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework. This was also covered in the old 11(c) paragraph.

It is also interesting to note what has been dropped out. The old ISA 315 11(b) specified that we understand the operations of the entity, the types of investments that the entity is making and plans to make including investments in special-purpose entities, and how the entity is financed. These are all now covered in Appendix 1, which includes these and many more examples of matters to consider when understanding the entity.


The new standard splits the analysis of controls into:

  • the control environment (paragraph 21),
  • the risk assessment process (paragraphs 22-23),
  • the entity’s process to monitor the system of internal control (paragraph 24),
  • the information system and communication (paragraph 25) and
  • control activities (paragraph 26).

These components were previously covered in general terms in paragraphs 12-23 of the old standard, but the new standard is more specific and detailed and will require more work to provide the detail required. Each element must be separately assessed, even though there will be significant common ground. Note too that this work is required whether or not there is any reliance to be placed on controls. This is a risk assessment exercise.

For instance, we must now identify what controls, processes and structures address how management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values. (Paragraph 21(a)(i))

This seems a bit over the top for a smaller entity. This is where the scalability provisions can help. Paragraph A16 says: The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems). The auditor uses professional judgement to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this ISA (NZ).

Paragraph A17 further states: Although the extent to which an entity’s policies and procedures, and processes and systems are formalized may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19, 21, 22, 24, 25 and 26.

It continues with an example: Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and enquiry.

So we still need to ask the questions, but in the light of the small scale of the entity, on enquiry, the answer might be ‘no formal system, however, ethics are emphasised by example and in staff and board meetings.’

For smaller and less complex entities, meeting all the specific requirements of this part of ISA 315 (revised 2019) may seem tedious, but until we get a standard for LCEs it is, unfortunately, unavoidable.
