Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
5023 Extent to which the entity’s business model integrates the use of IT
Sep-2022
CAS Requirement
The auditor shall perform risk assessment procedures to obtain an understanding of (CAS 315.19):
a) The following aspects of the entity and its environment:
i) The entity's organizational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT;
CAS Guidance
An understanding of the entity's organizational structure and ownership may enable the auditor to understand such matters as (CAS 315.A56):
- The complexity of the entity's structure.
Example: The entity may be a single entity or the entity's structure may include subsidiaries, divisions or other components in multiple locations. Further, the legal structure may be different from the operating structure. Complex structures often introduce factors that may give rise to increased susceptibility to risks of material misstatement. Such issues may include whether goodwill, joint ventures, investments, or special-purpose entities are accounted for appropriately and whether adequate disclosure of such issues in the financial statements has been made.
- The ownership, and relationships between owners and other people or entities, including related parties. This understanding may assist in determining whether related party transactions have been appropriately identified, accounted for, and adequately disclosed in the financial statements.
- The distinction between the owners, those charged with governance and management.
Example: In less complex entities, owners of the entity may be involved in managing the entity, therefore there is little or no distinction. In contrast, such as in many listed entities, there may be a clear distinction between management, the owners of the entity, and those charged with governance.
- The structure and complexity of the entity’s IT environment.
Examples: An entity may:
Understanding the entity's objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements (CAS 315.A61).
Examples: An entity's business model may rely on the use of IT in different ways:
For both of these entities the business risks arising from a significantly different business model would be substantially different, notwithstanding both entities sell shoes.
OAG Guidance
Understanding the IT environment helps us understand how the entity's business model integrates the use of IT and identifies potential business risks, and how those risks may give rise to risks of material misstatement at the financial statement and assertion level. The IT environment implemented by management to support the entity's business model will typically differ from one entity to another, even for entities in the same industry, as illustrated in the example provided in CAS 315.A61 above. In a less complex entity, the IT environment would generally be less complex because the entity's business model may not require a sophisticated IT infrastructure. For example, a less complex entity with a single location and simple operations may effectively manage its operations in a less automated manner (i.e., operating a higher number of manual controls) and using non-complex commercial software with no customization to automate simple processes.
In contrast, an entity that is engaged in a more technology-dependent business model that uses emerging technologies and/or implements highly automated processes is more likely to require a complex IT infrastructure, including related systems and interfaces.
Our understanding of how the IT environment integrates with the entity's business model facilitates our initial expectation of areas where the risk of material misstatement may be higher. We consider whether the automations were implemented to optimize simple processes or to mitigate a potential business risk, such as complex calculations. For example, where an entity has implemented a customized IT application to automate complex revenue recognition calculations, it may be an indication that management has identified a higher risk of material misstatement related to the complexity of this revenue recognition calculation.
Our understanding of significant changes in an entity's IT environment also may help us identify significant changes to the entity and its environment. For example, changes to the IT environment may be responsive to new regulatory requirements, significant changes in accounting policies or requirements of the applicable financial reporting framework.
The following table provides some examples of different business models and the extent to which the business model integrates the use of IT:
Low level of IT integration | High level of IT integration |
---|---|
Entity A is a subsidiary of a multinational group engaged in the sale of agricultural products that are purchased from the group entity at preestablished transfer prices established by group management. Entity A then sells the products to a limited number of distributors at prices that are manually updated annually and published on a hard copy master price list. Distributors do not have the right of return and payments are due within 30 days of the invoice date. Because of the simplicity of the business model, we would likely conclude Entity A has a lower level of IT integration with its business model. The following are some of the characteristics that would lead to this likely conclusion: | Entity B is a multinational group that produces an extensive portfolio of agricultural products that have several stages of production. The production line machines interface with the inventory system, including to identify components used in the production process to automatically update the value of components, WIP and finished goods inventories. The inventory system automatically creates orders for components based on production schedules and agreed lead times for obtaining each component. Sales are made to distributors, large commercial farm operators, and exported to subsidiaries that operate as sales companies in several countries. An online platform was established to allow customers to place online orders and view product availability. Data from this online platform is monitored by the entity to plan production to meet sales needs. Price lists are updated automatically in the online platform daily in response to fluctuations in the cost of commodities used in Entity B's production processes. These updates are based on public exchange commodity markets, with daily market prices directly interfaced with the entity's IT systems. The following are some of the characteristics of the business model that indicate a higher level of integration of IT with Entity B's business model: |
Our understanding of how the entity's business model integrates with IT, which we obtain as part of understanding the entity and its environment, provides us with an indication of the level of complexity of the IT environment. When we identify indications of a complex IT environment, consider involving IT Audit. For the OAG policy requirement on the involvement of IT Audit refer to OAG Audit 3102, and for considerations on the complexity of IT Environment see OAG Audit 5034.