Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5022 Organizational structure, ownership and governance, and business model
Sep-2022
Organizational structure, ownership and governance
CAS Requirement
The auditor shall perform risk assessment procedures to obtain an understanding of (CAS 315.19):
- The following aspects of the entity and its environment:
  - The entity’s organizational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT;
CAS Guidance
An understanding of the entity’s organizational structure and ownership may enable the auditor to understand such matters as (CAS 315.A56):
- The complexity of the entity’s structure.
Example: The entity may be a single entity or the entity’s structure may include subsidiaries, divisions or other components in multiple locations. Further, the legal structure may be different from the operating structure. Complex structures often introduce factors that may give rise to increased susceptibility to risks of material misstatement. Such issues may include whether goodwill, joint ventures, investments, or special‑purpose entities are accounted for appropriately and whether adequate disclosure of such issues in the financial statements has been made.
- The ownership, and relationships between owners and other people or entities, including related parties. This understanding assists the auditor in determining whether related party transactions have been appropriately identified, accounted for, and adequately disclosed in the financial statements.
- The distinction between the owners, those charged with governance and management.
Example: In less complex entities, owners of the entity may be involved in managing the entity, therefore there is little or no distinction. In contrast, such as in many listed entities, there may be a clear distinction between management, the owners of the entity, and those charged with governance.
- The structure and complexity of the entity’s IT environment.
Example: An entity may:
Considerations specific to public sector entities
Ownership of a public sector entity may not have the same relevance as in the private sector because decisions related to the entity may be made outside of the entity as a result of political processes. Therefore, management may not have control over certain decisions that are made. Matters that may be relevant include understanding the ability of the entity to make unilateral decisions, and the ability of other public sector entities to control or influence the entity’s mandate and strategic direction (CAS 315.A58).
Example: A public sector entity may be subject to laws or other directives from authorities that require it to obtain approval from parties external to the entity of its strategy and objectives prior to it implementing them. Therefore, matters related to understanding the legal structure of the entity may include applicable laws and regulations, and the classification of the entity (i.e., whether the entity is a ministry, department, agency or other type of entity).
Understanding the entity’s governance may assist the auditor with understanding the entity’s ability to provide appropriate oversight of its system of internal control. However, this understanding may also provide evidence of deficiencies, which may indicate an increase in the susceptibility of the entity’s financial statements to risks of material misstatement (CAS 315.A59).
Matters that may be relevant for the auditor to consider in obtaining an understanding of the governance of the entity include (CAS 315.A60):
- Whether any or all of those charged with governance are involved in managing the entity.
- The existence (and separation) of a non‑executive Board, if any, from executive management.
- Whether those charged with governance hold positions that are an integral part of the entity’s legal structure, for example as directors.
- The existence of sub‑groups of those charged with governance, such as an audit committee, and the responsibilities of such a group.
- The responsibilities of those charged with governance for oversight of financial reporting, including approval of the financial statements.
OAG Guidance
As part of our understanding of the entity, we understand the entity’s operating and legal structure. The level of complexity of the organizational structure may increase susceptibility to risks of material misstatement. Entities may be organized by different components, for example, by products, processes, geography, functions or profit/cost centers. Many entities establish centralized services that perform business activities ranging from portions of business processes (e.g., processing customer payments) to complete functions or business processes (e.g., a centralized treasury process for all entities in the group or a centralized information technology function).
This understanding may be further enhanced by considering our assessment of the control environment, specifically in the areas of organizational structure and the assignment of authority and responsibility. For example, when an entity establishes centralized services, understanding the oversight and control environment may lead us to assess certain risks as lower if we conclude that oversight and other aspects of control are effective. On the other hand, if we identify that the entity’s oversight is ineffective or identify other deficiencies in processes or controls, we may conclude the centralization increases risks due to the pervasive impacts. If the entity has an internal audit function, understanding its assessment of the entity’s risk assessment process may further enhance our understanding of the entity.
The following are examples of events or conditions that may indicate a risk of material misstatement and information which may be useful to developing our understanding in this area.
Events or conditions which may indicate a risk of material misstatement | Examples of information that may be used by management and may be useful to developing our understanding |
---|---|
Organizational structure: Organizational structure can be an important factor contributing to or detracting from an entity’s ability to meet its strategic goals. Strategic and organizational alignment needs to be carefully managed and clearly communicated to both internal (e.g., employees responsible for managing the strategic alignment) and external stakeholders (e.g., investors seeking to understand the entity’s plans for executing its strategic priorities). It is increasingly common for entities to utilize organizational structures beyond a traditional parent company and controlled subsidiary design to achieve their strategic operating objectives. For example, joint ventures, strategic alliances and partnering arrangements are common to many entities’ organizational structures. |
Governance: The processes implemented by those charged with governance influence the entity’s current and future value through supervision, oversight, and accountability. We understand these governance processes by reviewing corporate guidelines, policies, and procedures, and by understanding accountability actions taken when guidelines and policies are not followed. |
As part of our understanding of the entity, we understand in more detail the entity’s ownership structure. Understanding the ownership structure and the expectations of the owners may provide insights into why certain decisions related to the business are made. For example, private equity owners may defer significant investment in new enterprise software at an entity where the business does not align with their long‑term portfolio strategy (i.e., they plan to sell the entity). This insight into the goals and objectives of the owners enhances our understanding of the business risks the entity faces and whether those business risks may give rise to risks of material misstatement.
Understanding the governance structure of the entity may provide insight into the entity’s approach to oversight of management and the system of internal control. This understanding of the form and robustness of oversight from a governance body can inform our identification and assessment of risks of material misstatement due to fraud or error and our assessment of the entity’s control environment.
Example: In listed entities, there are typically sub‑groups of those charged with governance. We obtain an understanding of sub‑groups of those charged with governance and their responsibilities, such as an audit committee or a remuneration committee. The audit committee is responsible for providing oversight of the financial reporting process.
Related Guidance
- For examples of conditions or events that may indicate risks of material misstatement of the group financial statements, see CAS 600 Appendix 3.
- For procedures to obtain information relevant to identifying the risks of material misstatement associated with related parties and transactions, see OAG Audit 7530.
CAS Guidance
Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements (CAS 315.A61).
Examples: An entity’s business model may rely on the use of IT in different ways:
For both of these entities the business risks arising from a significantly different business model would be substantially different, notwithstanding both entities sell shoes.
An entity’s business model describes how an entity considers, for example, its organizational structure, operations or scope of activities, business lines (including competitors and customers thereof), processes, growth opportunities, globalization, regulatory requirements and technologies. The entity’s business model describes how the entity creates, preserves and captures financial or broader value for its stakeholders (CAS 315 Appendix 1.1).
Strategies are the approaches by which management plans to achieve the entity’s objectives, including how the entity plans to address the risks and opportunities that it faces. An entity’s strategies are changed over time by management, to respond to changes in its objectives and in the internal and external circumstances in which it operates (CAS 315 Appendix 1.2).
A description of a business model typically includes (CAS 315 Appendix 1.3):
- The scope of the entity’s activities, and why it does them.
- The entity’s structure and scale of its operations.
- The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
- The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
- The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
- How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.
Examples of matters that the auditor may consider when obtaining an understanding of the activities of the entity (included in the entity’s business model) include (CAS 315 Appendix 1.5):
(a) Business operations such as:
- Nature of revenue sources, products or services, and markets, including involvement in electronic commerce such as Internet sales and marketing activities.
- Conduct of operations (for example, stages and methods of production, or activities exposed to environmental risks).
- Alliances, joint ventures, and outsourcing activities.
- Geographic dispersion and industry segmentation.
- Location of production facilities, warehouses, and offices, and location and quantities of inventories.
- Key customers and important suppliers of goods and services, employment arrangements (including the existence of union contracts, pension and other post‑employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters).
- Research and development activities and expenditures.
- Transactions with related parties.
(b) Investments and investment activities such as:
- Planned or recently executed acquisitions or divestitures.
- Investments and dispositions of securities and loans.
- Capital investment activities.
- Investments in non‑consolidated entities, including non‑controlled partnerships, joint ventures and non‑controlled special‑purpose entities.
(c) Financing and financing activities such as:
- Ownership structure of major subsidiaries and associated entities, including consolidated and non‑consolidated structures.
- Debt structure and related terms, including off‑balance‑sheet financing arrangements and leasing arrangements.
- Beneficial owners (for example, local, foreign, business reputation and experience) and related parties.
- Use of derivative financial instruments.
Not all aspects of the business model are relevant to the auditor’s understanding. Business risks are broader than the risks of material misstatement of the financial statements, although business risks include the latter. The auditor does not have a responsibility to understand or identify all business risks because not all business risks give rise to risks of material misstatement (CAS 315.A62).
A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level. For example, the business risk arising from a significant fall in real estate market values may increase the risk of material misstatement associated with the valuation assertion for a lender of medium‑term real estate backed loans. However, the same risk, particularly in combination with a severe economic downturn that concurrently increases the underlying risk of lifetime credit losses on its loans, may also have a longer‑term consequence. The resulting net exposure to credit losses may cast significant doubt on the entity’s ability to continue as a going concern. If so, this could have implications for management’s, and the auditor’s, conclusion as to the appropriateness of the entity’s use of the going concern basis of accounting, and determination as to whether a material uncertainty exists. Whether a business risk may result in a risk of material misstatement is, therefore, considered in light of the entity’s circumstances (CAS 315 Appendix 1.4).
Business risks increasing the susceptibility to risks of material misstatement may arise from (CAS 315.A63):
- Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
- A failure to recognize the need for change may also give rise to business risk, for example, from:
  - The development of new products or services that may fail;
  - A market which, even if successfully developed, is inadequate to support a product or service; or
  - Flaws in a product or service that may result in legal liability and reputational risk.
- Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.
Examples of matters that the auditor may consider when obtaining an understanding of the entity’s business model, objectives, strategies and related business risks that may result in a risk of material misstatement of the financial statements include (CAS 315.A64):
- Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
- New products and services that may lead to increased product liability;
- Expansion of the entity’s business, and demand has not been accurately estimated;
- New accounting requirements where there has been incomplete or improper implementation;
- Regulatory requirements resulting in increased legal exposure;
- Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
- Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
- The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.
Ordinarily, management identifies business risks and develops approaches to address them. Such a risk assessment process is part of the entity’s system of internal control and is discussed in paragraph 22, and paragraphs A109-A113 (CAS 315.A65).
Considerations specific to public sector entities
Entities operating in the public sector may create and deliver value in different ways to those creating wealth for owners but will still have a ‘business model’ with a specific objective. Matters public sector auditors may obtain an understanding of that are relevant to the business model of the entity include (CAS 315.A66):
- Knowledge of relevant government activities, including related programs.
- Program objectives and strategies, including public policy elements.
For the audits of public sector entities, "management objectives" may be influenced by requirements to demonstrate public accountability and may include objectives which have their source in law, regulation or other authority (CAS 315.A67).
OAG Guidance
As CAS 315.A61 articulates, understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.
An entity’s business strategy typically articulates what the entity wants to achieve in the future, and how it is intending to achieve those goals. The strategy should be clear as to what markets the entity operates in and how the entity will create value within those markets.
There are three levels of strategy that would ordinarily be developed by management:
- Corporate: Defines the overall purpose and scope of the business in order to meet the expected returns required by investors and balance the needs of other stakeholders. At a group level this includes an explanation of how the group itself creates value.
- Business unit: Defines how the unit will compete successfully in a particular market and generate a required return commensurate with the risk of the business. It articulates how the unit implements the corporate strategy.
- Operational: Analyzes the component parts of the organization in terms of resources, processes, people and their skills to deliver corporate and business level strategies.
Understanding the entity’s business strategy at all three levels helps in identifying business risks and in understanding which business risks may increase the risk of material misstatement.
Example: An entity may have a new corporate strategy to expand its business through acquisitions. A potential related business risk may be identified due to the significant changes in the organizational structure of the entity that will result from multiple acquisitions. This business risk might lead us to assess the change inherent risk factor as higher (i.e., moderate or high) for the valuation assertion of the risk "Method (including any model), significant assumptions and data used to estimate fair values for assets acquired and liabilities assumed are not appropriate/reasonable".
The following are examples of events or conditions that may indicate a risk of material misstatement and information which may be useful to developing our understanding in this area.
Events or conditions which may indicate a risk of material misstatement | Examples of information that may be used by management and may be useful to developing our understanding |
---|---|
Customers: The ultimate success of an entity depends on customers buying its goods or services. A customer’s future buying behavior is clearly a critical success factor that management needs to understand and be in a position to anticipate and influence. The challenge is to find answers to some key questions. How much does it cost to acquire a new customer? How loyal are existing customers? Are they satisfied with the product or service offered? How well these measures are managed and embedded within the entity’s control structure affects how much of the value in the critical customer relationship can be realized. After all, the level of today’s customer satisfaction is likely to be a good indicator of tomorrow’s market share. |
Supply chain: The efficiency and effectiveness of an entity’s supply chain and the infrastructure that supports it is critical to long‑term value creation. For example, engagement with strategic partners, joint ventures and strategic alliances are commonplace for developing new ideas, exploiting research and reducing costs, among other things. Some well‑known companies do not manufacture any of their products; instead, they concentrate on managing their brand and use various suppliers and manufacturers across the world to produce products to the entity’s stated quality requirements. Low value activities are often outsourced to other parties. Understanding the manner in which an entity structures its supply chain informs our understanding of business risks that may give rise to risks of material misstatement. |
CAS Guidance
A special-purpose entity (sometimes referred to as a special purpose vehicle) is an entity that is generally established for a narrow and well‑defined purpose, such as to effect a lease or a securitization of financial assets, or to carry out research and development activities. It may take the form of a corporation, trust, partnership or unincorporated entity. The entity on behalf of which the special‑purpose entity has been created may often transfer assets to the latter (e.g., as part of a derecognition transaction involving financial assets), obtain the right to use the latter’s assets, or perform services for the latter, while other parties may provide the funding to the latter. As CAS 550 Related Parties indicates, in some circumstances, a special‑purpose entity may be a related party of the entity (CAS 315 Appendix 1.6).
Financial reporting frameworks often specify detailed conditions that are deemed to amount to control, or circumstances under which the special‑purpose entity should be considered for consolidation. The interpretation of the requirements of such frameworks often demands a detailed knowledge of the relevant agreements involving the special‑purpose entity (CAS 315 Appendix 1.7).
OAG Guidance
Understanding the entity includes understanding the ownership structure of major subsidiaries and associated entities, including consolidated and non‑consolidated structures and the business rationale for the special‑purpose entities. We also need to consider the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the existence of special‑purpose entities. The use of special‑purpose entities or other complex financing arrangements is an example of an event or condition that may indicate the existence of a risk of material misstatement at the assertion level based on the complexity inherent risk factor. This is especially the case where we identify a special‑purpose entity that may have been introduced primarily to support a particular tax or accounting treatment. In cases where the entity has a complex organizational structure which includes special‑purpose entities, consider the need to engage a specialist.
Consider special‑purpose entities when understanding the entity’s related parties and related party transactions. Refer to OAG Audit 7532 for guidance addressing whether a special‑purpose entity is also a related party.