5022 Organizational structure, ownership and governance, and business model

Sep-2022

CAS Guidance

An understanding of the entity’s organizational structure and ownership may enables the auditor to understand such matters as (CAS 315.A56):

• The complexity of the entity’s structure.

Example: The entity may be a single entity or the entity’s structure may include subsidiaries, divisions or other components in multiple locations. Further, the legal structure may be different from the operating structure. Complex structures often introduce factors that may give rise to increased susceptibility to risks of material misstatement. Such issues may include whether goodwill, joint ventures, investments, or special‑purpose entities are accounted for appropriately and whether adequate disclosure of such issues in the financial statements has been made.

• The ownership, and relationships between owners and other people or entities, including related parties. This understanding assists the auditor in determining whether related party transactions have been appropriately identified, accounted for, and adequately disclosed in the financial statements.

• The distinction between the owners, those charged with governance and management.

Example: In less complex entities, owners of the entity may be involved in managing the entity, therefore there is little or no distinction. In contrast, such as in many listed entities, there may be a clear distinction between management, the owners of the entity, and those charged with governance.

• The structure and complexity of the entity’s IT environment.

Example: An entity may: Have multiple legacy IT systems in diverse businesses that are not well integrated resulting in a complex IT environment. Be using external or internal service providers for aspects of its IT environment (e.g., outsourcing the hosting of its IT environment to a third party or using a shared service center for central management of IT processes in a group).

Considerations specific to public sector entities

Ownership of a public sector entity may not have the same relevance as in the private sector because decisions related to the entity may be made outside of the entity as a result of political processes. Therefore, management may not have control over certain decisions that are made. Matters that may be relevant include understanding the ability of the entity to make unilateral decisions, and the ability of other public sector entities to control or influence the entity’s mandate and strategic direction (CAS 315.A58).

Example: A public sector entity may be subject to laws or other directives from authorities that require it to obtain approval from parties external to the entity of its strategy and objectives prior to it implementing them. Therefore, matters related to understanding the legal structure of the entity may include applicable laws and regulations, and the classification of the entity (i.e., whether the entity is a ministry, department, agency or other type of entity).

Understanding the entity’s governance may assist the auditor with understanding the entity’s ability to provide appropriate oversight of its system of internal control. However, this understanding may also provide evidence of deficiencies, which may indicate an increase in the susceptibility of the entity’s financial statements to risks of material misstatement (CAS 315.A59).

Matters that may be relevant for the auditor to consider in obtaining an understanding of the governance of the entity include (CAS 315.A60):

• Whether any or all of those charged with governance are involved in managing the entity.

• The existence (and separation) of a non‑executive Board, if any, from executive management.

• Whether those charged with governance hold positions that are an integral part of the entity’s legal structure, for example as directors.

• The existence of sub‑groups of those charged with governance, such as an audit committee, and the responsibilities of such a group.

• The responsibilities of those charged with governance for oversight of financial reporting, including approval of the financial statements.

CAS Guidance

Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements (CAS 315.A61).

Examples : An entity’s business model may rely on the use of IT in different ways: The entity sells shoes from a physical store, and uses an advanced stock and point of sale system to record the selling of shoes; or The entity sells shoes online so that all sales transactions are processed in an IT environment, including initiation of the transactions through a website. For both of these entities the business risks arising from a significantly different business model would be substantially different, notwithstanding both entities sell shoes.

An entity’s business model describes how an entity considers, for example its organizational structure, operations or scope of activities, business lines (including competitors and customers thereof), processes, growth opportunities, globalization, regulatory requirements and technologies. The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders (CAS 315 Appendix 1.1).

Strategies are the approaches by which management plans to achieve the entity’s objectives, including how the entity plans to address the risks and opportunities that it faces. An entity’s strategies are changed over time by management, to respond to changes in its objectives and in the internal and external circumstances in which it operates (CAS 315 Appendix 1.2).

A description of a business model typically includes (CAS 315 Appendix 1.3):

• The scope of the entity’s activities, and why it does them.

• The entity’s structure and scale of its operations.

• The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.

• The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.

• The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.

• How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.

Examples of matters that the auditor may consider when obtaining an understanding of the activities of the entity (included in the entity’s business model) include (CAS 315 Appendix 1.5):

(a) Business operations such as:

• Nature of revenue sources, products or services, and markets, including involvement in electronic commerce such as Internet sales and marketing activities.

• Conduct of operations (for example, stages and methods of production, or activities exposed to environmental risks).

• Alliances, joint ventures, and outsourcing activities.

• Geographic dispersion and industry segmentation.

• Location of production facilities, warehouses, and offices, and location and quantities of inventories.

• Key customers and important suppliers of goods and services, employment arrangements (including the existence of union contracts, pension and other post‑employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters).

• Research and development activities and expenditures.

• Transactions with related parties.

(b) Investments and investment activities such as:

• Planned or recently executed acquisitions or divestitures.

• Investments and dispositions of securities and loans.

• Capital investment activities.

• Investments in non‑consolidated entities, including non‑controlled partnerships, joint ventures and non‑controlled special‑purpose entities.

(c) Financing and financing activities such as:

• Ownership structure of major subsidiaries and associated entities, including consolidated and non‑consolidated structures.

• Debt structure and related terms, including off‑balance‑sheet financing arrangements and leasing arrangements.

• Beneficial owners (for example, local, foreign, business reputation and experience) and related parties.

• Use of derivative financial instruments.

Not all aspects of the business model are relevant to the auditor’s understanding. Business risks are broader than the risks of material misstatement of the financial statements, although business risks include the latter. The auditor does not have a responsibility to understand or identify all business risks because not all business risks give rise to risks of material misstatement (CAS 315.A62).

A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level. For example, the business risk arising from a significant fall in real estate market values may increase the risk of material misstatement associated with the valuation assertion for a lender of medium‑term real estate backed loans. However, the same risk, particularly in combination with a severe economic downturn that concurrently increases the underlying risk of lifetime credit losses on its loans, may also have a longer‑term consequence. The resulting net exposure to credit losses may cast significant doubt on the entity’s ability to continue as a going concern. If so, this could have implications for management’s, and the auditor’s, conclusion as to the appropriateness of the entity’s use of the going concern basis of accounting, and determination as to whether a material uncertainty exists. Whether a business risk may result in a risk of material misstatement is, therefore, considered in light of the entity’s circumstances (CAS 315 Appendix 1.4).

Business risks increasing the susceptibility to risks of material misstatement may arise from (CAS 315.A63):

• Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.

• A failure to recognize the need for change may also give rise to business risk, for example, from:

• The development of new products or services that may fail;
• A market which, even if successfully developed, is inadequate to support a product or service; or
• Flaws in a product or service that may result in legal liability and reputational risk.

• Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

Examples of matters that the auditor may consider when obtaining an understanding of the entity’s business model, objectives, strategies and related business risks that may result in a risk of material misstatement of the financial statements include (CAS 315.A64):

• Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;

• New products and services that may lead to increased product liability;

• Expansion of the entity’s business, and demand has not been accurately estimated;

• New accounting requirements where there has been incomplete or improper implementation;

• Regulatory requirements resulting in increased legal exposure;

• Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;

• Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or

• The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Ordinarily, management identifies business risks and develops approaches to address them. Such a risk assessment process is part of the entity’s system of internal control and is discussed in paragraph 22, and paragraphs A109-A113 (CAS 315.A65).

Considerations specific to public sector entities

Entities operating in the public sector may create and deliver value in different ways to those creating wealth for owners but will still have a ’business model’ with a specific objective. Matters public sector auditors may obtain an understanding of that are relevant to the business model of the entity, include (CAS 315.A66):

• Knowledge of relevant government activities, including related programs.
• Program objectives and strategies, including public policy elements.

For the audits of public sector entities, "management objectives" may be influenced by requirements to demonstrate public accountability and may include objectives which have their source in law, regulation or other authority (CAS 315.A67).

CAS Guidance

A special-purpose entity (sometimes referred to as a special purpose vehicle) is an entity that is generally established for a narrow and well‑defined purpose, such as to effect a lease or a securitization of financial assets, or to carry out research and development activities. It may take the form of a corporation, trust, partnership or unincorporated entity. The entity on behalf of which the special‑purpose entity has been created may often transfer assets to the latter (e.g., as part of a derecognition transaction involving financial assets), obtain the right to use the latter’s assets, or perform services for the latter, while other parties may provide the funding to the latter. As CAS 550 Related Parties indicates, in some circumstances, a special‑purpose entity may be a related party of the entity (CAS 315.Appendix 1.6).

Financial reporting frameworks often specify detailed conditions that are deemed to amount to control, or circumstances under which the special‑purpose entity should be considered for consolidation. The interpretation of the requirements of such frameworks often demands a detailed knowledge of the relevant agreements involving the special‑purpose entity (CAS 315.Appendix 1.7).