In October 2021, the AICPA issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. Early implementation is permitted. SAS 145, which supersedes SAS 122, section 315 of the same title, and amends various other sections in AICPA Professional Standards, enhances or clarifies specific areas of an auditor’s risk assessment while providing new performance requirements and new terminology in other areas.
Mine Field. For several years now, the subject of the auditor’s risk assessment has been a sore spot between the AICPA and many practitioners with a less complicated, non-public client base. Even though the original suite of risk assessment standards (SAS Nos. 104-111) was issued 15 years ago, peer reviewers continue to find deficiencies in risk assessments as a (perhaps the) leading reason for audit deficiencies
In my opinion, much of the push-back from practitioners of smaller, less complex companies is traced to a belief that the risk assessment standards are primarily applicable to CPAs who audit complex companies of enormous size. Furthermore, some CPAs believe, while a structured risk assessment approach may be necessary to identify risks and develop an audit approach for a company with billions of dollars in revenue, it’s a time-consuming overkill for many smaller, less complex, non-public companies. CPAs who follow this line of thought suggest that the risks for less complex companies are apparent, and the audit responses are obvious. Accordingly, there is little need for a formal structured risk assessment.
While the AICPA’s Auditing Standards Board (“ASB”) has not turned a deaf ear to the concerns noted above, it has not accepted the premise that a standard-based documented risk assessment is unnecessary for less complex companies. Instead, it views risk assessment as the foundational stone of every audit. Accordingly, SAS 145 applies to audits of all non-public companies, regardless of size or complexity. However, the ASB does address “scalability” in SAS 145. This concept of scalability, based on the complexity of the company, is described below.
Purpose of SAS 145. In short, the primary purpose of SAS 145 is to improve audit quality in a critical audit area where a disturbing number of audit deficiencies are found. As stated in the AICPA’s (SAS 145), At a glance:
“SAS No. 145 does not fundamentally change the key concepts underpinning audit risk. Rather, it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”
What are the Key Changes? Ok. If it doesn’t “fundamentally change the key concepts underpinning audit risk,” then what does it change? Below are a few of the significant changes made to the prior risk assessment standards. We will describe other changes and nuances of SAS 145 in a later blog.
- Assessment of inherent risk and control risk. There is a new requirement to assess inherent risk and control risk separately. While this requirement was not explicitly stated in the prior standards, it’s something that many practitioners did anyway. This was driven, in part, by third-party vendors of auditing software tools who took the approach of a separate assessment of inherent and control risks. Nevertheless, the requirement to make separate assessments of inherent and control risk is now baked into the auditing standards via SAS 145.
- Assessing Control Risk at Maximum. If the auditor does not plan to test controls for operating effectiveness, SAS 145 requires that control risk (“CR”) be assessed at maximum risk. In that situation, the new standard requires that the assessment of the risk of material misstatement (“RMM”) be the same as the assessment of inherent risk (“IR”). In other words, if CR equals maximum risk because controls were not tested, then RMM must equal IR.
- Revised definition of significant risk. SAS 145 defines a significant risk as an identified risk of a material misstatement:
- For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk based on the combination of the likelihood and the magnitude of a potential misstatement.
- Is to be treated as a significant risk in other AU-C sections.
- IT Controls. A greater emphasis will be placed on the evaluation of the design and implementation of general IT controls. Auditors cannot continue to audit around IT controls.
- Stand-Back Requirement. SAS 145 incorporates a new so-called “stand-back” requirement. Auditors are now required to pause and evaluate the completeness of their identification of significant classes of transactions, account balances, and disclosures.
- Scalability. Under SAS 145, the concept of scalability recognizes “that some aspects of the entity’s system of internal control may be less formalized but still present and functioning, considering the nature and complexity of the entity.” Therefore, “…the auditor may still be able to perform risk assessment procedures through a combination of inquiries and other risk assessment procedures.” Those procedures may include observations or inspection of documents.
- Relevant Assertion. Under the new definition of relevant assertion, an assertion is relevant if it has an identified risk of a material misstatement. (Previously, the risk was described as a reasonable risk.) Risk of a material misstatement exists when there is a reasonable possibility that the risk will occur and be material.
- Significant Class of Transactions, Balance, or Disclosure. A significant class of transactions, account balance or disclosure is one for which there are one or more relevant assertions (see directly above.)
SAS 145 is effective beginning with audits of the calendar year 2023 financial statements. You can look forward to much discussion and CPE courses regarding this important SAS between now and then.