The concept of understanding an entity’s business model, including how it uses Information Technology (IT), is new in ISA 315 (Revised 2019).
Understanding the business model sounds like child’s play, but in the context of exploring inherent risks, it presents a powerful tool to understand the entity.
Paragraph 19(a)(i) tells us that:
The auditor shall perform risk assessment procedures to obtain an understanding of… The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT.
Paragraph A61 explains why this is necessary.
Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.
Organisational structure, ownership and governance are generally simple enough to understand and document, but ‘business model’ is a more nebulous term. Looking at every business risk could be a rabbit hole that swallows a lot of audit time.
However, business risk itself is not a new concept. The old standard defined it as:
A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
What actually is a business model?
Wikipedia defines a business model as follows:
In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of an organization or business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies including culture.
So our client may have adopted one of the following business models:
- Bricks and mortar retail model
- Value-added reseller model
- Franchise model
- Subscription model
- Online sales retail model
- B2B model, etc.
These are useful to identify and document in our file, but that is still very broad. Paragraph A62 tells us that ‘Not all aspects of the business model are relevant to the auditor’s understanding.’ We need only concern ourselves with those that give rise to the risk of material misstatement.
The standard itself, in Appendix 1(1), says:
The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.
This is all-encompassing but lacking in specifics. Appendix 1(3) tells us that a description of a business model typically includes:
- The scope of the entity’s activities, and why it does them.
- The entity’s structure and scale of its operations.
- The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
- The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
- The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
- How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.
These are all helpful points to consider and document in our audit work and to flag and analyse the inherent and control risk that we identify.
A 2014 paper by the UK and French standard setters, discussing the role of the business model in financial statements, states that the first time the term ‘business model’ appeared in the IFRS literature was in 2009, when IFRS 9 (Financial Instruments) was issued. In defining the term business model for use in reporting standards, they say:
…there is overall agreement, as evidenced by the responses received, that if the term business model is used in financial reporting, it focuses on the value creation process of an entity, i.e. how the entity generates cash flows.
So moving in from the broad description, we need to start to identify how the entity generates cash flows. In a 2014 paper on Business Models in Integrated Reporting, IFAC state that:
An organization’s business model is its system of transforming inputs, through its business activities, into outputs and outcomes that aim to fulfil the organization’s strategic purposes and create value over the short, medium and long term.
Application to audit work
Cash flows are generated and value is added by a cycle of inputs and outputs. From a risk identification auditing perspective, this is a helpful paradigm, especially in our current climate. Continuing inputs of raw materials, labour, land and capital are no longer a given, with complex regulation, supply chain issues, labour shortages, restrictions on land use, and the spectre of inflation.
Similarly, given these disruptions, the ability to continue to assume a market is not as certain as it was a few years ago. We live in uncertain times.
Paragraph A63 acknowledges this by giving the following examples of possible risks:
- Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
- A failure to recognise the need for change may also give rise to business risk, for example, from:
  - The development of new products or services that may fail;
  - A market which, even if successfully developed, is inadequate to support a product or service; or
  - Flaws in a product or service that may result in legal liability and reputational risk.
- Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.
All these potential risks are exacerbated in uncertain times. Paragraph A64 lists specific matters we should consider:
- Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
- New products and services that may lead to increased product liability;
- Expansion of the entity’s business where demand has not been accurately estimated;
- New accounting requirements where there has been incomplete or improper implementation;
- Regulatory requirements resulting in increased legal exposure;
- Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
- Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
- The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.
Paragraph A65 points out that ‘Ordinarily, management identifies business risks and develops approaches to address them’, so our risk assessment process should include assessing this as part of reviewing the internal controls, as under the old standard.
Appendix A(4) concludes:
A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level.
So to sum up, understand the business, think outside the square in terms of how inputs and outputs work, and what the associated risks might be. Then stay focussed on those things that actually represent a risk of material misstatement.