What is Understanding the Entity?
ISA 315 (Revised 2019) paragraph 19 requires the auditor to obtain an understanding of the entity and its environment, the applicable financial reporting framework, and the entity's system of internal control. This understanding serves one purpose: to identify and assess the risks of material misstatement at the financial statement and assertion levels.
The 2019 revision significantly expanded what "understanding" means in practice. The auditor must now obtain knowledge across integrated components: the entity's business model and industry factors, the regulatory environment, the applicable financial reporting framework, the entity's accounting policies, and — critically — the IT environment. ISA 315.26(a) explicitly requires understanding of the IT applications relevant to financial reporting, the supporting IT infrastructure, the IT processes, and the personnel involved.
ISA 315.21 requires the auditor to evaluate how the entity's business activities, industry conditions, and regulatory framework create conditions in which misstatements could occur. Entity knowledge that does not connect to a risk assessment is either irrelevant documentation or a missed risk. Every fact about the client should lead somewhere.
Key Points
- ISA 315.19 requires understanding across four areas: entity and environment, financial reporting framework, system of internal control, and inherent risk factors.
- IT environment is now explicitly required — ISA 315.26(a) covers applications, infrastructure, processes, and personnel.
- Every piece of entity knowledge must connect to a risk. ISA 315.21 links understanding to conditions for misstatement.
- The 2019 revision integrated previously scattered requirements into a single, structured framework.
Why it matters in practice
The FRC's 2022 inspection findings identified files with extensive entity descriptions that were not connected to the risk assessment. Teams documented detailed industry analyses and business model descriptions without explaining how those facts created conditions for misstatement. The entity understanding section and the risk assessment section existed as separate, disconnected parts of the file.
The AFM flagged a related problem: blank or minimal IT environment sections. ISA 315.26(a) requires the auditor to understand the IT applications the entity uses in financial reporting, the supporting IT infrastructure, IT processes, and IT personnel. Teams that skip this section or complete it with generic statements like "the entity uses standard accounting software" do not meet the requirement. The standard requires understanding how the IT environment affects the flow of transactions and what controls operate within it.
The strongest files show a clear chain: entity knowledge leads to identified conditions for misstatement, which leads to assessed risks, which leads to planned audit procedures. If any link in that chain is missing, the file cannot demonstrate that the audit approach is responsive to the client's actual circumstances.
Key standard references
- ISA 315.19: Core requirement to understand the entity, its environment, framework, and internal controls.
- ISA 315.21: Requirement to evaluate conditions that create risks of misstatement.
- ISA 315.26(a): IT environment — applications, infrastructure, processes, and personnel.
- ISA 315.A40–A75: Application guidance on entity understanding across all components.
Related terms
Related reading
Frequently asked questions
What changed with ISA 315 (Revised 2019)?
The revision expanded the required understanding to include the IT environment, applicable financial reporting framework, the entity's system of internal control, and inherent risk factors as integrated components. Previously these were separate, scattered requirements.
Does every piece of entity knowledge need to connect to a risk?
Yes. ISA 315.21 requires the understanding to evaluate where misstatements might occur. If entity knowledge doesn't connect to a risk assessment, it is either irrelevant documentation or a missed risk.