Appendix 1: Understanding the Entity and Its Environment


This appendix provides additional guidance on matters the auditor may consider when obtaining an understanding of the industry, regulatory, and other external factors that affect the entity, including the applicable financial reporting framework; the nature of the entity; objectives and strategies and related business risks; and measurement and review of the entity's financial performance. The examples provided cover a broad range of matters applicable to many engagements; however, not all matters are relevant to every engagement and the list of examples is not necessarily complete. Additional guidance on internal control is contained in Appendix 2.

INDUSTRY, REGULATORY AND OTHER EXTERNAL FACTORS, INCLUDING THE APPLICABLE FINANCIAL REPORTING FRAMEWORK

Examples of matters an auditor may consider include the following:

  • Industry conditions
    - The market and competition, including demand, capacity, and price competition
    - Cyclical or seasonal activity
    - Product technology relating to the entity's products
    - Energy supply and cost
  • Regulatory environment
    - Accounting principles and industry specific practices
    - Regulatory framework for a regulated industry
    - Legislation and regulation that significantly affect the entity's operations
      Regulatory requirements
      Direct supervisory activities
    - Taxation (corporate and other)
    - Government policies currently affecting the conduct of the entity's business
      Monetary, including foreign exchange controls
      Fiscal
      Financial incentives (for example, government aid programs)
      Tariffs, trade restrictions
    - Environmental requirements affecting the industry and the entity's business
  • Other external factors currently affecting the entity's business
    - General level of economic activity (for example, recession, growth)
    - Interest rates and availability of financing
    - Inflation, currency revaluation

NATURE OF THE ENTITY

Examples of matters an auditor may consider include the following:

  • Business Operations
    - Nature of revenue sources (for example, manufacturer, wholesaler, banking, insurance or other financial services, import/export trading, utility, transportation, and technology products and services)
    - Products or services and markets (for example, major customers and contracts, terms of payment, profit margins, market share, competitors, exports, pricing policies, reputation of products, warranties, order book, trends, marketing strategy and objectives, manufacturing processes)
    - Conduct of operations (for example, stages and methods of production, business segments, delivery of products and services, details of declining or expanding operations)
    - Alliances, joint ventures, and outsourcing activities
    - Involvement in electronic commerce, including Internet sales and marketing activities
    - Geographic dispersion and industry segmentation
    - Location of production facilities, warehouses, and offices
    - Key customers
    - Important suppliers of goods and services (for example, long-term contracts, stability of supply, terms of payment, imports, methods of delivery such as "just-in-time")
    - Employment (for example, by location, supply, wage levels, union contracts, pension and other post-employment benefits, stock option or incentive bonus arrangements, and government regulation related to employment matters)
    - Research and development activities and expenditures
    - Transactions with related parties
  • Investments
    - Acquisitions, mergers or disposals of business activities (planned or recently executed)
    - Investments and dispositions of securities and loans
    - Capital investment activities, including investments in plant and equipment and technology, and any recent or planned changes
    - Investments in non-consolidated entities, including partnerships, joint ventures and special-purpose entities
  • Financing
    - Group structure - major subsidiaries and associated entities, including consolidated and non-consolidated structures
    - Debt structure, including covenants, restrictions, guarantees, and off-balance-sheet financing arrangements
    - Leasing of property, plant or equipment for use in the business
    - Beneficial owners (local, foreign, business reputation and experience)
    - Related parties
    - Use of derivative financial instruments
  • Financial Reporting
    - Accounting principles and industry specific practices
    - Revenue recognition practices
    - Accounting for fair values
    - Inventories (for example, locations, quantities)
    - Foreign currency assets, liabilities and transactions
    - Industry-specific significant categories (for example, loans and investments for banks, accounts receivable and inventory for manufacturers, research and development for pharmaceuticals)
    - Accounting for unusual or complex transactions including those in controversial or emerging areas (for example, accounting for stock-based compensation)
    - Financial statement presentation and disclosure

OBJECTIVES AND STRATEGIES AND RELATED BUSINESS RISKS

Examples of matters an auditor may consider include the following:

  • Existence of objectives (i.e., how the entity addresses industry, regulatory and other external factors) relating to, for example, the following:
    - Industry developments (a potential related business risk might be, for example, that the entity does not have the personnel or expertise to deal with the changes in the industry)
    - New products and services (a potential related business risk might be, for example, that there is increased product liability)
    - Expansion of the business (a potential related business risk might be, for example, that the demand has not been accurately estimated)
    - New accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation, or increased costs)
    - Regulatory requirements (a potential related business risk might be, for example, that there is increased legal exposure)
    - Current and prospective financing requirements (a potential related business risk might be, for example, the loss of financing due to the entity's inability to meet requirements)
    - Use of IT (a potential related business risk might be, for example, that systems and processes are incompatible)
  • Effects of implementing a strategy, particularly any effects that will lead to new accounting requirements (a potential related business risk might be, for example, incomplete or improper implementation)

MEASUREMENT AND REVIEW OF THE ENTITY'S FINANCIAL PERFORMANCE

Examples of matters an auditor may consider include the following:

  • Key ratios and operating statistics

  • Key performance indicators

  • Employee performance measures and incentive compensation policies

  • Trends

  • Use of forecasts, budgets and variance analysis

  • Analyst reports and credit rating reports

  • Competitor analysis

  • Period-on-period financial performance (revenue growth, profitability, leverage)

Appendix 2: Internal Control Components

1. As set out in paragraph 43 and described in paragraphs 67-99, internal control consists of the following components:
  (a) The control environment;
  (b) The entity's risk assessment process;
  (c) The information system, including the related business processes, relevant to financial reporting, and communication;
  (d) Control activities; and
  (e) Monitoring of controls.
This appendix further explains the above components as they relate to a financial statement audit.

CONTROL ENVIRONMENT
2. The control environment includes the attitudes, awareness, and actions of management and those charged with governance concerning the entity's internal control and its importance in the entity. The control environment also includes the governance and management functions and sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for effective internal control, providing discipline and structure.
3. The control environment encompasses the following elements:
  (a) Communication and enforcement of integrity and ethical values. The effectiveness of controls cannot rise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment which influence the effectiveness of the design, administration, and monitoring of other components of internal control. Integrity and ethical behavior are the product of the entity's ethical and behavioral standards, how they are communicated, and how they are reinforced in practice. They include management's actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. They also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.
  (b) Commitment to competence. Competence is the knowledge and skills necessary to accomplish tasks that define the individual's job. Commitment to competence includes management's consideration of the competence levels for particular jobs and how those levels translate into requisite skills and knowledge.
  (c) Participation by those charged with governance. An entity's control consciousness is influenced significantly by those charged with governance. Attributes of those charged with governance include independence from management, their experience and stature, the extent of their involvement and scrutiny of activities, the appropriateness of their actions, the information they receive, the degree to which difficult questions are raised and pursued with management, and their interaction with internal and external auditors. The importance of responsibilities of those charged with governance is recognized in codes of practice and other regulations or guidance produced for the benefit of those charged with governance. Other responsibilities of those charged with governance include oversight of the design and effective operation of whistle blower procedures and the process for reviewing the effectiveness of the entity's internal control.
  (d) Management's philosophy and operating style. Management's philosophy and operating style encompass a broad range of characteristics. Such characteristics may include the following: management's approach to taking and monitoring business risks; management's attitudes and actions toward financial reporting (conservative or aggressive selection from available alternative accounting principles, and conscientiousness and conservatism with which accounting estimates are developed); and management's attitudes toward information processing and accounting functions and personnel.
  (e) Organizational structure. An entity's organizational structure provides the framework within which its activities for achieving entity-wide objectives are planned, executed, controlled, and reviewed. Establishing a relevant organizational structure includes considering key areas of authority and responsibility and appropriate lines of reporting. An entity develops an organizational structure suited to its needs. The appropriateness of an entity's organizational structure depends, in part, on its size and the nature of its activities.
  (f) Assignment of authority and responsibility. This factor includes how authority and responsibility for operating activities are assigned and how reporting relationships and authorization hierarchies are established. It also includes policies relating to appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties. In addition, it includes policies and communications directed at ensuring that all personnel understand the entity's objectives, know how their individual actions interrelate and contribute to those objectives, and recognize how and for what they will be held accountable.
  (g) Human resource policies and practices. Human resource policies and practices relate to recruitment, orientation, training, evaluating, counselling, promoting, compensating, and remedial actions. For example, standards for recruiting the most qualified individuals - with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behaviour - demonstrate an entity's commitment to competent and trustworthy people. Training policies that communicate prospective roles and responsibilities and include practices such as training schools and seminars illustrate expected levels of performance and behaviour. Promotions driven by periodic performance appraisals demonstrate the entity's commitment to the advancement of qualified personnel to higher levels of responsibility.

Application to Small Entities
4. Small entities may implement the control environment elements differently than larger entities. For example, small entities might not have a written code of conduct but, instead, develop a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Similarly, those charged with governance in small entities may not include an independent or outside member.

ENTITY'S RISK ASSESSMENT PROCESS
5. An entity's risk assessment process is its process for identifying and responding to business risks and the results thereof. For financial reporting purposes, the entity's risk assessment process includes how management identifies risks relevant to the preparation of financial statements that give a true and fair view (or are presented fairly, in all material respects) in accordance with the entity's applicable financial reporting framework, estimates their significance, assesses the likelihood of their occurrence, and decides upon actions to manage them. For example, the entity's risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements. Risks relevant to reliable financial reporting also relate to specific events or transactions.
6. Risks relevant to financial reporting include external and internal events and circumstances that may occur and adversely affect an entity's ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Once risks are identified, management considers their significance, the likelihood of their occurrence, and how they should be managed. Management may initiate plans, programs, or actions to address specific risks or it may decide to accept a risk because of cost or other considerations. Risks can arise or change due to circumstances such as the following:

  • Changes in operating environment. Changes in the regulatory or operating environment can result in changes in competitive pressures and significantly different risks.

  • New personnel. New personnel may have a different focus on or understanding of internal control.

  • New or revamped information systems. Significant and rapid changes in information systems can change the risk relating to internal control.

  • Rapid growth. Significant and rapid expansion of operations can strain controls and increase the risk of a breakdown in controls.

  • New technology. Incorporating new technologies into production processes or information systems may change the risk associated with internal control.

  • New business models, products, or activities. Entering into business areas or transactions with which an entity has little experience may introduce new risks associated with internal control.

  • Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.

  • Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.

  • New accounting pronouncements. Adoption of new accounting principles or changing accounting principles may affect risks in preparing financial statements.

Application to Small Entities
7. The basic concepts of the entity's risk assessment process are relevant to every entity, regardless of size, but the risk assessment process is likely to be less formal and less structured in small entities than in larger ones. All entities should have established financial reporting objectives, but they may be recognized implicitly rather than explicitly in small entities. Management may be aware of risks related to these objectives without the use of a formal process but through direct personal involvement with employees and outside parties.

INFORMATION SYSTEM, INCLUDING THE RELATED BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING, AND COMMUNICATION
8. An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Infrastructure and software will be absent, or have less significance, in systems that are exclusively or primarily manual. Many information systems make extensive use of information technology (IT).
9. The information system relevant to financial reporting objectives, which includes the financial reporting system, consists of the procedures and records established to initiate, record, process, and report entity transactions (as well as events and conditions) and to maintain accountability for the related assets, liabilities, and equity. Transactions may be initiated manually or automatically by programmed procedures. Recording includes identifying and capturing the relevant information for transactions or events. Processing includes functions such as edit and validation, calculation, measurement, valuation, summarization, and reconciliation, whether performed by automated or manual procedures. Reporting relates to the preparation of financial reports as well as other information, in electronic or printed format, that the entity uses in measuring and reviewing the entity's financial performance and in other functions. The quality of system-generated information affects management's ability to make appropriate decisions in managing and controlling the entity's activities and to prepare reliable financial reports.
10. Accordingly, an information system encompasses methods and records that:

  • Identify and record all valid transactions.

  • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.

  • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.

  • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.

  • Present properly the transactions and related disclosures in the financial statements.
11. Communication involves providing an understanding of individual roles and responsibilities pertaining to internal control over financial reporting. It includes the extent to which personnel understand how their activities in the financial reporting information system relate to the work of others and the means of reporting exceptions to an appropriate higher level within the entity. Open communication channels help ensure that exceptions are reported and acted on.
12. Communication takes such forms as policy manuals, accounting and financial reporting manuals, and memoranda. Communication also can be made electronically, orally, and through the actions of management.

Application to Small Entities
13. Information systems and related business processes relevant to financial reporting in small entities are likely to be less formal than in larger entities, but their role is just as significant. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication may be less formal and easier to achieve in a small entity than in a larger entity due to the small entity's size and fewer levels as well as management's greater visibility and availability.

CONTROL ACTIVITIES
14. Control activities are the policies and procedures that help ensure that management directives are carried out, for example, that necessary actions are taken to address risks that threaten the achievement of the entity's objectives. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels.
15. Generally, control activities that may be relevant to an audit may be categorized as policies and procedures that pertain to the following:

  • Performance reviews. These control activities include reviews and analyses of actual performance versus budgets, forecasts, and prior period performance; relating different sets of data - operating or financial - to one another, together with analyses of the relationships and investigative and corrective actions; comparing internal data with external sources of information; and review of functional or activity performance, such as a bank's consumer loan manager's review of reports by branch, region, and loan type for loan approvals and collections.

  • Information processing. A variety of controls are performed to check accuracy, completeness, and authorization of transactions. The two broad groupings of information systems control activities are application controls and general IT controls. Application controls apply to the processing of individual applications. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples of application controls include checking the arithmetical accuracy of records, maintaining and reviewing accounts and trial balances, automated controls such as edit checks of input data and numerical sequence checks, and manual follow-up of exception reports. General IT controls are policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. General IT controls commonly include controls over data center and network operations; system software acquisition, change and maintenance; access security; and application system acquisition, development, and maintenance. These controls apply to mainframe, miniframe, and end-user environments. Examples of such general IT controls are program change controls, controls that restrict access to programs or data, controls over the implementation of new releases of packaged software applications, and controls over system software that restrict access to or monitor the use of system utilities that could change financial data or records without leaving an audit trail.

  • Physical controls. These activities encompass the physical security of assets, including adequate safeguards such as secured facilities over access to assets and records; authorization for access to computer programs and data files; and periodic counting and comparison with amounts shown on control records (for example, comparing the results of cash, security and inventory counts with accounting records). The extent to which physical controls intended to prevent theft of assets are relevant to the reliability of financial statement preparation, and therefore the audit, depends on circumstances such as when assets are highly susceptible to misappropriation. For example, these controls would ordinarily not be relevant when any inventory losses would be detected pursuant to periodic physical inspection and recorded in the financial statements. However, if for financial reporting purposes management relies solely on perpetual inventory records, the physical security controls would be relevant to the audit.

  • Segregation of duties. Assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person's duties. Examples of segregation of duties include reporting, reviewing and approving reconciliations, and approval and control of documents.
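The application controls named under "Information processing" (edit checks of input data, a numerical sequence check, an exception report for manual follow-up) and the "Segregation of duties" principle can both be expressed as automated checks over a batch of journal entries. The following is an added illustration, not text or code from the standard or from any audit firm: the field names, chart of accounts, approver list, accounting period and the entries themselves are constructed assumptions, with defects planted so that every control produces at least one exception.

```python
"""Application-control and segregation-of-duties checks over a constructed
batch of journal entries (added example, not part of the standard)."""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed reference data (assumptions): valid accounts, who may approve,
# and the accounting period the batch should fall into.
CHART_OF_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}
AUTHORIZED_APPROVERS = {"controller", "cfo"}
PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 1, 31)

# Constructed input batch. Planted defects: a gap at 103, a duplicate 105,
# a negative amount, an unknown account, a date outside the period, a
# non-numeric amount, a self-approved entry and an unauthorized approver.
SAMPLE_ENTRIES: List[Dict[str, str]] = [
    {"doc_no": "101", "date": "2024-01-03", "account": "1200", "amount": "1500.00",
     "prepared_by": "alice", "approved_by": "controller"},
    {"doc_no": "102", "date": "2024-01-05", "account": "4000", "amount": "-250.00",
     "prepared_by": "bob", "approved_by": "controller"},
    {"doc_no": "104", "date": "2024-01-09", "account": "9999", "amount": "80.00",
     "prepared_by": "alice", "approved_by": "cfo"},
    {"doc_no": "105", "date": "2024-02-02", "account": "2000", "amount": "3200.00",
     "prepared_by": "carol", "approved_by": "carol"},
    {"doc_no": "105", "date": "2024-01-20", "account": "5000", "amount": "abc",
     "prepared_by": "bob", "approved_by": "dave"},
]

Finding = Tuple[str, str, str]  # (doc_no, control, message)


def sequence_check(entries: List[Dict[str, str]]) -> List[Finding]:
    """Numerical sequence check: each number in the range appears exactly once."""
    findings: List[Finding] = []
    seen = set()
    for entry in entries:
        number = int(entry["doc_no"])
        if number in seen:
            findings.append((entry["doc_no"], "sequence", "duplicate document number"))
        seen.add(number)
    if not seen:
        return findings
    for number in range(min(seen), max(seen) + 1):
        if number not in seen:
            findings.append((str(number), "sequence", "missing document number (gap)"))
    return findings


def edit_checks(entry: Dict[str, str]) -> List[Finding]:
    """Edit checks of input data: amount, account and date must be valid."""
    findings: List[Finding] = []
    doc = entry["doc_no"]
    try:
        if Decimal(entry["amount"]) <= 0:
            findings.append((doc, "edit", "amount must be positive"))
    except InvalidOperation:
        findings.append((doc, "edit", "amount is not numeric"))
    if entry["account"] not in CHART_OF_ACCOUNTS:
        findings.append((doc, "edit", f"account {entry['account']} not in chart of accounts"))
    try:
        if not PERIOD_START <= date.fromisoformat(entry["date"]) <= PERIOD_END:
            findings.append((doc, "edit", "date outside the accounting period"))
    except ValueError:
        findings.append((doc, "edit", "date is not a valid ISO date"))
    return findings


def segregation_check(entry: Dict[str, str]) -> List[Finding]:
    """Segregation of duties: preparer and approver differ; approver is authorized."""
    findings: List[Finding] = []
    doc = entry["doc_no"]
    if entry["prepared_by"] == entry["approved_by"]:
        findings.append((doc, "sod", "same person prepared and approved the entry"))
    if entry["approved_by"] not in AUTHORIZED_APPROVERS:
        findings.append((doc, "sod", f"approver {entry['approved_by']} is not authorized"))
    return findings


def exception_report(entries: List[Dict[str, str]]) -> List[Finding]:
    """Combine all controls into one report for manual follow-up."""
    findings = sequence_check(entries)
    for entry in entries:
        findings.extend(edit_checks(entry))
        findings.extend(segregation_check(entry))
    # Sorted by document number, then control, then message for the reviewer.
    return sorted(findings, key=lambda f: (int(f[0]), f[1], f[2]))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count exceptions per control, a quick view of which control is firing."""
    counts: Dict[str, int] = {}
    for _, control, _ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    report = exception_report(SAMPLE_ENTRIES)
    for doc_no, control, message in report:
        print(f"{doc_no:>5}  {control:<9} {message}")
    print(summarize(report))
```

Each check is deliberately independent: a sequence gap says nothing about the validity of the entries that are present, and an entry that passes every edit check can still fail segregation of duties, which is why the report keeps the control name on each line rather than collapsing to a single pass/fail per entry.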
16. Certain control activities may depend on the existence of appropriate higher level policies established by management or those charged with governance. For example, authorization controls may be delegated under established guidelines, such as investment criteria set by those charged with governance; alternatively, non-routine transactions such as major acquisitions or divestments may require specific high level approval, including in some cases that of shareholders.

Application to Small Entities
17. The concepts underlying control activities in small entities are likely to be similar to those in larger entities, but the formality with which they operate varies. Further, small entities may find that certain types of control activities are not relevant because of controls applied by management. For example, management's retention of authority for approving credit sales, significant purchases, and draw-downs on lines of credit can provide strong control over those activities, lessening or removing the need for more detailed control activities. An appropriate segregation of duties often appears to present difficulties in small entities. Even companies that have only a few employees, however, may be able to assign their responsibilities to achieve appropriate segregation or, if that is not possible, to use management oversight of the incompatible activities to achieve control objectives.

MONITORING OF CONTROLS
18. An important management responsibility is to establish and maintain internal control on an ongoing basis. Management's monitoring of controls includes considering whether they are operating as intended and whether they are modified as appropriate for changes in conditions. Monitoring of controls may include activities such as management's review of whether bank reconciliations are being prepared on a timely basis, internal auditors' evaluation of sales personnel's compliance with the entity's policies on terms of sales contracts, and a legal department's oversight of compliance with the entity's ethical or business practice policies.
19. Monitoring of controls is a process to assess the quality of internal control performance over time. It involves assessing the design and operation of controls on a timely basis and taking necessary corrective actions. Monitoring is done to ensure that controls continue to operate effectively. For example, if the timeliness and accuracy of bank reconciliations are not monitored, personnel are likely to stop preparing them. Monitoring of controls is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two.
20. Ongoing monitoring activities are built into the normal recurring activities of an entity and include regular management and supervisory activities. Managers of sales, purchasing, and production at divisional and corporate levels are in touch with operations and may question reports that differ significantly from their knowledge of operations.
21. In many entities, internal auditors or personnel performing similar functions contribute to the monitoring of an entity's controls through separate evaluations. They regularly provide information about the functioning of internal control, focusing considerable attention on evaluating the design and operation of internal control. They communicate information about strengths and weaknesses and recommendations for improving internal control.
22. Monitoring activities may include using information from communications from external parties that may indicate problems or highlight areas in need of improvement. Customers implicitly corroborate billing data by paying their invoices or complaining about their charges. In addition, regulators may communicate with the entity concerning matters that affect the functioning of internal control, for example, communications concerning examinations by bank regulatory agencies. Also, management may consider communications relating to internal control from external auditors in performing monitoring activities.

Application to Small Entities
23. Ongoing monitoring activities of small entities are more likely to be informal and are typically performed as a part of the overall management of the entity's operations. Management's close involvement in operations often will identify significant variances from expectations and inaccuracies in financial data leading to corrective action to the control.
 

Appendix 3: Conditions and Events That May Indicate Risks of Material Misstatement

The following are examples of conditions and events that may indicate the existence of risks of material misstatement. The examples provided cover a broad range of conditions and events; however, not all conditions and events are relevant to every audit engagement and the list of examples is not necessarily complete.

  • Operations in regions that are economically unstable, for example, countries with significant currency devaluation or highly inflationary economies.

  • Operations exposed to volatile markets, for example, futures trading.

  • High degree of complex regulation.

  • Going concern and liquidity issues including loss of significant customers.

  • Constraints on the availability of capital and credit.

  • Changes in the industry in which the entity operates.

  • Changes in the supply chain.

  • Developing or offering new products or services, or moving into new lines of business.

  • Expanding into new locations.

  • Changes in the entity such as large acquisitions or reorganizations or other unusual events.

  • Entities or business segments likely to be sold.

  • Complex alliances and joint ventures.

  • Use of off-balance-sheet finance, special-purpose entities, and other complex financing arrangements.

  • Significant transactions with related parties.

  • Lack of personnel with appropriate accounting and financial reporting skills.

  • Changes in key personnel including departure of key executives.

  • Weaknesses in internal control, especially those not addressed by management.

  • Inconsistencies between the entity's IT strategy and its business strategies.

  • Changes in the IT environment.

  • Installation of significant new IT systems related to financial reporting.

  • Inquiries into the entity's operations or financial results by regulatory or government bodies.

  • Past misstatements, history of errors or a significant amount of adjustments at period end.

  • Significant amount of non-routine or non-systematic transactions including intercompany transactions and large revenue transactions at period end.

  • Transactions that are recorded based on management's intent, for example, debt refinancing, assets to be sold and classification of marketable securities.

  • Application of new accounting pronouncements.

  • Accounting measurements that involve complex processes.

  • Events or transactions that involve significant measurement uncertainty, including accounting estimates.

  • Pending litigation and contingent liabilities, for example, sales warranties, financial guarantees and environmental remediation.