What is understanding the entity?
In its 2022 inspection cycle, the FRC identified files with extensive entity descriptions that were not connected to any risk assessment: pages of industry background and copied-and-pasted annual report extracts, all sitting in the file without linking to a single assessed risk. At firms like ours, this section becomes a tick-box exercise: teams roll forward the prior-year template SALY (same as last year), update the revenue figure, and move on. Inspectors see through it immediately.
Understanding the entity is the process by which the auditor obtains sufficient knowledge of the client's business, industry, regulation, and financial reporting framework to identify and assess risks of material misstatement (RoMM). ISA 315 (Revised 2019) paragraph 19 requires the auditor to obtain this understanding across the entity and its environment, the applicable financial reporting framework, the entity's system of internal control, and the inherent risk factors that affect susceptibility to misstatement. The understanding serves one purpose: to identify and assess RoMM at the financial statement (FS) and assertion levels.
ISA 315's 2019 revision significantly expanded what "understanding" means in practice. The auditor must now obtain knowledge across integrated components: the entity's business model and industry factors, the regulatory environment, the applicable financial reporting framework, the entity's accounting policies, and (critically) the IT environment. ISA 315.26 (a) explicitly requires understanding of the IT applications relevant to financial reporting, the supporting IT infrastructure, the IT processes, and the personnel involved.
ISA 315.21 requires the auditor to evaluate how the entity's business activities and regulatory framework create conditions in which misstatements could occur. Entity knowledge that does not connect to a risk assessment is either irrelevant documentation or a missed risk. Every fact about the client should lead somewhere.
Key points
- ISA 315.19 requires understanding across four areas: entity and environment, financial reporting framework, system of internal control, and inherent risk factors.
- The IT environment is now explicitly required. ISA 315.26 (a) covers applications, infrastructure, processes, and personnel.
- Every piece of entity knowledge must connect to a risk. ISA 315.21 links understanding to conditions for misstatement.
- The 2019 revision integrated previously scattered requirements into a single, structured framework.
Why it matters in practice
Blank or minimal IT environment sections were flagged by the AFM as a recurring deficiency. ISA 315.26 (a) requires the auditor to understand the IT applications the entity uses in financial reporting, the supporting IT infrastructure, IT processes, and IT personnel. Teams that skip this section or complete it with generic statements like "the entity uses standard accounting software" do not meet the requirement. The standard requires understanding how the IT environment affects the flow of transactions and what controls operate within it.
Nobody enjoys writing the entity understanding section from scratch, but copying last year's working papers (WPs) word-for-word is how files get flagged. The strongest files show a clear chain: entity knowledge leads to identified conditions for misstatement, which leads to assessed risks, which leads to planned audit procedures. If any link in that chain is missing, the file cannot demonstrate that the audit approach is responsive to the client's actual circumstances.
Key standard references
- ISA 315.19 sets the core requirement to understand the entity, its environment, framework, and internal controls.
- ISA 315.21 requires the auditor to evaluate conditions that create RoMM.
- ISA 315.26 (a) covers the IT environment (applications, infrastructure, processes, and personnel).
- ISA 315.A40–A75 provides application guidance on entity understanding across all components.
Frequently asked questions
What changed with ISA 315 (Revised 2019)?
The revision expanded the required understanding to include the IT environment, applicable financial reporting framework, the entity's system of internal control, and inherent risk factors as integrated components. Previously these were separate, scattered requirements.
Does every piece of entity knowledge need to connect to a risk?
Yes. ISA 315.21 requires the understanding to evaluate where misstatements might occur. If entity knowledge doesn't connect to a risk assessment, it is either irrelevant documentation or a missed risk.