Full Text

Statement on Auditing Standard (SAS) 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, formalizes the linkage between the risk of material misstatement in an entity's financial statements and the overall operating environment of an entity. SAS 109 requires the auditor to obtain an understanding of the risks associated with the entity's regulatory, legal, and political environment, including environmental requirements. When significant risks exist, the auditor is required to evaluate the design of the entity's related internal controls and determine whether the controls have been implemented and are effectively operating. Fortunately, in addition to the guidance found in SAS 109. the guidance provided in SAS 99. Consideration of Fraud in a Financial Statement Audit, can also facilitate the auditor's understanding of the risks associated with the entity's legal and regulatory environment.

Understanding the Entity and Its Environment

SAS 109 is grounded in the adage "you can't audit what you don't understand." In this regard, the SAS specifies that auditors should:

* perform certain risk assessment procedures (Exhibit 1) to obtain an understanding of the entity and its environment (Exhibit 2), including its internal control (Exhibit 3); and

* assess, with audit team members, the susceptibility of the entity's financial statements Io material misstatement.

SAS 109 indicates that the auditor's understanding of the entity and its environment extends beyond a basic understanding of the accounting and financial aspects of the entity. For example, the auditor must identify the risk factors associated with the entity's operations, industry conditions, regulatory environment, and so on (Exhibit 2) that might result in material misstatement of the financial statements. Identifying risk factors provides the auditor with information about the entity's susceptibility of material misstatement resulting from issues such as:

* revenue recognition;

* disclosure requirements;

* valuation and allocation;

* related-party transactions;

* liabilities, including contingent liabilities: and

* going-concern status.

In addition to obtaining an understanding of the entity and its environment, the auditor must also obtain an understanding of the entity's internal controls. In this regard, SAS 109 provides guidance in terms of the Committee of Sponsoring Organizations' (COSO's) internal control framework to assess the risk of...