Page 172 - COSO Guidance
P. 172

Understanding the entity and its environment



            GAAS requires the auditor to obtain an understanding of the entity and its environment, including its
            internal control, during the auditor’s risk assessment procedures. GAAS is applicable for audits of
            nonpublic companies, not-for-profits, and certain government agencies. The auditor should obtain an
            understanding of the following:

              Industry, regulatory, and other external factors (such as taxes and interest rates)
              Nature of the entity (for example, its life-cycle stage)
              Objectives and strategies and related business risks (for example, industry developments that the
               entity is not equipped to deal with in terms of personnel, technology, and so forth)
              Measurement and review of the entity’s financial performance (such as its market and competition)
              Internal control (for example, its control environment)

            The understanding of internal control gained as part of the auditor’s risk assessment procedures is part
            of the audit evidence that is used to support the auditor’s opinion on the financial statements. The
            auditor is required to evaluate the design of controls relevant to the audit and determine whether the
            controls have been implemented. The auditor evaluates controls and, if the auditor plans to rely on
            controls in order to reduce substantive tests, the auditor tests the controls to assess whether they can
            prevent or detect and correct material errors to ensure that they are not included in the financial
            statements.

            The auditor must document his or her basis for assessing control risk (which is part of the auditor’s
            assessment of the risks of material misstatement). The auditor cannot assess control risk at maximum
            without having support for that assessment. Again, this does not imply that the auditor must test and rely
            on internal control as a basis for reducing detection risk. Rather, the emphasis is on gathering evidence
            to support the assessment. However, due to the extent required for the auditor’s understanding of the
            entity and its environment, including its internal controls, many auditors will perform some tests of
            internal controls in their audit. The auditor gains an understanding of the significant processes of the
            entity during the auditor’s identification of controls relevant to the audit. The auditor keeps in mind the
            entity’s objectives and risks to those objectives when identifying controls that mitigate those risks.




            Knowledge check


            1.  According to GAAS, the auditor is not required to do which of these?
                   a.  Test and rely on internal control to reduce substantive tests.
                   b.  Evaluate the design of controls relevant to the audit and determine whether the relevant
                       controls have been implemented.
                   c.  Document the basis for assessing control risk.
                   d.  Obtain an understanding of the entity and its environment including its internal control.








            © 2020 Association of International Certified Professional Accountants. All rights reserved.    1-2
   167   168   169   170   171   172   173   174   175   176   177