2.23 AU section 314, Understanding the Entity and Its Environment and Assessing the Risks o f Material Misstatement (AICPA, Professional Standards, vol. 1), establishes requirements and provides guidance about implementing the second standard of field work, as follows:
"The auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement of the financial statements whether due to er
ror or fraud, and to design the nature, timing, and extent o f further audit procedures."
2.24 Obtaining an understanding o f the entity and its environment, in
cluding its internal control, is a continuous, dynamic process o f gathering, updating, and analyzing information throughout the audit. Throughout this process, the auditor should also follow the guidance in AU section 316, Con
sideration o f Fraud in a Financial Statement Audit (AICPA, Professional Stan
dards, vol. 1). See paragraphs 2.99-.102 for additional guidance pertaining to AU section 316.
2.25 This section addresses the unique aspects o f property and liability in
surance entities that may be helpful in developing the required understanding o f the entity, its environment, and its internal control.
Risk Assessment Procedures
2.26 As described in AU section 326, audit procedures performed to obtain an understanding of the entity and its environment, including its internal con
trol, to assess the risks of material misstatement at the financial statement and relevant assertion levels are referred to as risk assessment procedures. AU sec
tion 326 paragraph .21 states that the auditor must perform risk assessment procedures to provide a satisfactory basis for the assessment o f risks at the financial statement and relevant assertion levels. Risk assessment procedures by themselves do not provide sufficient appropriate audit evidence on which to base the audit opinion and must be supplemented by further audit procedures in the form of tests of controls, when relevant or necessary, and substantive procedures.
2.27 In accordance with paragraph .06 of AU section 314, the auditor should perform the following risk assessment procedures to obtain an under
standing of the entity and its environment, including its internal control:
a. Inquiries of management and others within the entity b. Analytical procedures
c. Observation and inspection
See paragraphs .06-.13 o f AU section 314 for additional guidance on risk as
sessment procedures.
Discussion Among the Audit Team
2.28 In obtaining an understanding of the entity and its environment, including its internal control, AU section 314 states that there should be dis
sibility for the audit, should discuss the susceptibility o f the entity's financial statements to material misstatements. This discussion could be held concur
rently with the discussion among the audit team that is specified by AU section 316 to discuss the susceptibility of the entity's financial statements to fraud.
Understanding of the Entity and its Environment
2.29 AU section 314 states that the auditor must obtain an understanding of the entity and its environment, including its internal control. In accordance with AU section 314 paragraph .04, the auditor should use professional judg
ment to determine the extent of the understanding required of the entity and its environment, including its internal control. The auditor's primary consid
eration is whether the understanding that has been obtained is sufficient (1) to assess risks o f material misstatement o f the financial statements and (2) to design and perform further audit procedures (tests o f controls and substantive tests).
2.30 The auditor's understanding o f the entity and its environment con
sists o f an understanding of the following aspects:
a. Industry, regulatory, and other external factors b. Nature o f the entity
c. Objectives and strategies and the related business risks that may result in a material misstatement o f the financial statements d. Measurement and review of the entity's financial performance
e. Internal control, which includes the selection and application of accounting policies (see the following section for further discussion) Refer to appendix A of AU section 314 for examples o f matters that the auditor may consider in obtaining an understanding of the entity and its environment relating to categories (a)-(d ).
2.31 In order to obtain a general understanding o f the industry, the auditor may refer to chapter 1 o f this guide, which discusses the nature o f the property and liability insurance business and many characteristics o f operations in the industry. The bibliography at the end o f this guide provides sources for addi
tional information on the industry. Although conditions will vary from company to company, the independent auditor may consider the conditions discussed in the Audit Risk Alert Insurance Industry Developments for the current year.
2.32 Discussed in the following paragraphs are some unique characteris
tics o f property and liability insurance entities that the auditor may consider when obtaining an understanding o f the entity and its environment in order to assess the risks o f material misstatement.
Combined and Operating Ratios
2.33 The profitability o f an insurance company on a statutory basis is gen
erally gauged by combined ratio and its operating ratio. The combined ratio is the sum o f its loss ratio (total incurred losses and loss adjustment expenses expressed as a percent o f earned premiums), its expense ratio (total underwrit
ing expenses incurred less other income to written premiums), and its dividend ratio (policyholder dividends expressed as a percent o f earned premiums). The operating ratio is the combined ratio less the ratio o f investment income, to earned premiums.
2.34 The auditor may consider using the combined and operating ratios—
both for the industry and for the insurance company whose financial state
ments are being audited—in evaluating the risk of material misstatement at the financial statement level. For example, these ratios may provide inform a
tion about the company's profitability relative to the industry and about the economic conditions prevalent in the industry as a whole.
Risk-Based Capital
2.35 Because of the importance of risk-based capital (RBC) to property and liability insurance enterprises, the auditor may consider RBC when as
sessing the risks of material misstatement. The auditor may obtain and review the client's RBC reports to further his or her understanding of the RBC re
quirements for preparing such reports and the actual regulations associated with RBC. For more information on RBC, refer to the section titled "The Audi
tor's Consideration of Regulatory Risk-Based Capital for Property and Liability Insurance Enterprises."
National Association o f Insurance Commissioners Insurance Regulatory Information System
2.36 Many insurance laws and regulations address insurance companies' financial solvency, and insurance departments consequently monitor reports, operating procedures, investment practices, and other activities of insurance companies. One o f the main purposes of the monitoring system is to detect, at an early stage, companies that are insolvent or may become insolvent.
2.37 To assist state insurance departments in monitoring the financial condition of property and liability insurance companies, the National Associ
ation o f Insurance Commissioners (NAIC) Insurance Regulatory Information System (IRIS) was developed by a committee of state insurance department regulators. It is intended to assist state insurance departments in identifying insurance companies whose financial condition warrants close surveillance. The system is based on 12 tests for property and liability insurance companies. The tests are based on studies of financially troubled companies compared to finan
cially sound companies. Usual ranges have been established under each o f the tests for a property and liability company, but the ranges may be adjusted to reflect changing economic conditions. The results of the tests o f all companies are compared, and those companies with three or more results outside o f the usual range are given a priority classification indicating that a close review of the company be undertaken. In addition, a regulatory team annually reviews the results and recommends regulatory attention if needed. One or more re
sults outside the usual range do not necessarily indicate that a company is in unstable financial condition, but the company may need to explain the circum
stances causing the unusual results. Annually, the NAIC publishes a booklet titled NAIC Financial Solvency Tools—Insurance Regulatory Information Sys
tem (IRIS), which explains the IRIS ratios in detail. (Each o f the individual ratios and the acceptable results is briefly described in appendix E.) The au
ditor may consider IRIS test results when performing analytical procedures in the planning stage of an audit.
2.38 The NAIC has also established risk-based capital standards for the property and liability insurance industry. Risk-based capital provides minimum means of setting the capital standards for insurance companies to support their overall business operations in light of their size and risk profile. A company's
derlying risk and lower for less risky items. Risk-based capital standards will be used by regulators to set in motion appropriate regulatory actions relating to insurers which show signs o f weak or deteriorating conditions. They also provide an additional standard for minimum surplus, below which companies would be placed in conservatorship.
NAIC Profitability Reports
2.39 The annual statement and supplemental exhibits are the sources of data for the NAIC Profitability Reports. The Overall Profitability Report devel
ops six rates o f return: two on sales (earned premium), two on net worth, and two on assets. The Overall Profitability Report by Company was developed by the NAIC in 1971. The stated purpose of the report is to establish uniform stan
dards for measuring the profitability of property-liability insurance companies (individually and for companies collectively) on a basis that will facilitate com
parisons with other businesses and industries. Certain assumptions are made and the data reported in insurers' annual statements are adjusted by formulas adopted by the NAIC to estimate a "going-concern" basis. Annually, the NAIC publishes a booklet titled Using the NAIC Profitability Results. This booklet explains in detail the rate-of-return calculations for the Overall Profitability Report by company. In addition to the NAIC, several states have developed their own systems o f early-warning tests.
2.40 Other industry sources useful in the preliminary assessment of risk evaluation include annual and quarterly statements filed with regulatory au
thorities, regulatory examination reports, IRS examination reports, and com
munications with regulatory authorities.
Understanding of Internal Control
2.41 AU section 314 states that the auditor must obtain an understanding of the five components of internal control sufficient to assess the risks of ma
terial misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent o f further audit procedures. The auditor should obtain a sufficient understanding by performing risk assessment procedures to
a. evaluate the design o f controls relevant to an audit of financial statements.
b. determine whether they have been implemented.
2.42 The auditor should use the understanding to
• identify types o f potential misstatements.
• consider factors that affect the risks o f material misstatement.
• design tests of controls, when applicable, and substantive proce
dures.
2.43 Obtaining an understanding of the entity and its environment, in
cluding internal control, is a continuous dynamic process o f gathering, updating, and analyzing information throughout the audit. The objective o f obtaining an understanding o f controls is to evaluate the design of controls and determine whether they have been implemented for the purpose o f assessing the risks of material misstatement. In contrast, the objective of testing the operating
effectiveness o f controls is to determine whether the controls, as designed, pre
vent or detect a material misstatement.
2.44 AU section 314 paragraph .41 defines internal control as "a process—
effected by those charged with governance, management, and other personnel—
designed to provide reasonable assurance about the achievement o f the entity's objectives with regard to reliability o f financial reporting, effectiveness and efficiency o f operations, and compliance with applicable laws and regulations."
Internal control consists of the following five interrelated components:
a. Control environment b. Risk assessment c. Control activities
d. Information and communication systems e. Monitoring
Refer to paragraphs .67-.101 of AU section 314 for a detailed discussion o f the internal control components.