SAS 145 Audit Risk Assessment

All Together Now

Now that our firm has been through a few months of audit risk assessment under SAS 145, we felt it beneficial to identify key takeaways to keep in mind as we go forward. To give a frame of reference for our outline below, our clientele is concentrated in the construction industry, and we use Checkpoint Engage for our risk analysis. Hopefully, this outline will help bring the various pieces of the risk assessment process together.

  1. Risk of material misstatements (RMM). Remember that we, as auditors, are searching for areas of the financial statements that may be materially misstated.
    • We tailor the audit program to address the identified risks, especially those we identified as significant risks.
      • Checkpoint Engage is the tool we use to tailor the audit program.
    • Not all risks are created equal. To be a RMM, there must be:
      • A reasonable possibility of a misstatement occurring and
      • If a misstatement were to occur, there must be a reasonable possibility it would be material.
      • Reasonable possibility means there is more than a remote chance (a very low threshold.)
      • Remember the formula: RMM = Occurrence + Magnitude

    RMMs are identified and assessed at two levels:

    • At the financial statement level, and
    • At the assertion level

  2. Risks at the financial statement level. Risks of a material misstatement at the financial statement level are pervasive to the financial statements as a whole.
    • All audit engagements have the overall financial statement risk of management overriding controls. This risk and the audit response are automatically populated in Part I of the Risk Assessment Summary Form.
    • Some companies may have additional overall risks at the financial statement level, such as:
      • Going concern issues
      • Pressure to meet or exceed debt covenants and
      • Lack of qualified accounting personnel.
    • These risks and the audit responses should also be included in Part I of the Risk Assessment Summary Form.

  3. Risks at the assertion level. A risk of material misstatement at the assertion level is a risk that is not pervasive at the financial statement level. It’s a risk at the assertion level for a particular class of transactions (such as revenue), account balance (such as accounts payable), or disclosure (such as those provided for financial loan covenants.)
    • Every engagement is presumed to identify improper revenue recognition as a fraud and significant risk at the assertion level in Part II of the Risk Assessment Summary Form.
    • The peer review expectation is that almost all engagements will have at least one or more additional risks (in addition to improper revenue recognition) that are identified as significant risks (those on the upper end of the spectrum in inherent risk), which should be added to Part II of the Risk Assessment Summary Form.

  4. Inherent risk (IR). Inherent risk is assessed as LOW, MODERATE, HIGH, or NOT RELEVANT.
    • IR is the susceptibility of an assertion to a material misstatement, ignoring any controls the company has in place.
    • An assertion is NOT RELEVANT if the risk of a material misstatement is remote or there is no risk because, due to the nature of the assertion, it does not apply to the class of transactions, account balance, or disclosure. For example, due to the nature of cash, the valuation assertion is NOT RELEVANT.
    • Inherent risk factors include:
      • Size, volume, and composition of items
      • Susceptibility to theft or fraud, management bias, and obsolescence
      • Complexity
      • Subjectivity
      • Uncertainty
      • Changes in business environment, operations, and personnel
    • CON-CX-7.2 Inherent Risk Assessment Form is an excellent way to document your reasoning for IR assessment.

  5. Relevant assertion. A relevant assertion (for IR) has one or more identified risks of material misstatement (an identified RMM.)
    • Rarely are all assertions relevant to an account balance, class of transactions, or disclosures. Usually, one or more assertions are relevant (i.e., have an identified RMM), but not all.
      • The IR for assertions that do not have an identified RMM are assessed as NOT RELEVANT when:
        • The risk of misstatement is remote, or
        • The assertion is not applicable due to the nature of the audit area.

          NOTE: See #12 below for a further description of LOW inherent risk as it relates to the spectrum of IR.

      • The assertions used by PPC are:
        • Existence or occurrence
        • Completeness
        • Rights or obligations
        • Accuracy, classification, or presentation
        • Valuation or allocation
        • Cutoff

  6. Identified risk (a.k.a. Identified RMM). If the inherent risk for an assertion is assessed as either MODERATE or HIGH, you must specifically identify the risk (“identified risk”) on Part II of the Risk Assessment Summary Form (or elsewhere in the risk assessment workpapers.) If done elsewhere in the workpapers, you must link it to the Risk Assessment Summary Form. This specific identification of the risk is required under the new standard.
    • Scalability. SAS 145 requires auditors to document the identified risk for all relevant assertions. Under PPC methodology, an identified risk can be a LOW, MODERATE, or HIGH RMM. However, relying on the standard’s concept of scalability, we only need to clearly document the identified risks for MODERATE and HIGH risks of material misstatement.

  7. Significant risk. A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. It’s a RMM on steroids.
    • What you are looking to dig out are the significant risks.
    • Significant risks are high-end risks (the upper end of the spectrum of inherent risk) whose related controls must be tested for design and implementation.

  8. Control risk (CR). Remember that we assess control risk for every assertion as HIGH unless IR for that assertion is NOT RELEVANT. In that case, CR will also automatically be assessed as NOT RELEVANT.

  9. Combined risk. Because we assess all control risks as HIGH, SAS 145 requires that the combined risk be assessed the same as the inherent risk. For example, if IR is LOW and CR is HIGH, the combined risk must be assessed as LOW. In that case, by definition, it cannot be MODERATE.

  10. Significant audit area. A significant audit area has nothing to do with materiality, as it did under the prior standard. Under SAS 145, a significant audit area has one or more assertions with an identified risk of a material misstatement (a.k.a. “relevant assertion” – see #5 above.)
    • Most audit areas will be marked as significant audit areas since the risk threshold is so low under the new standard. All it takes is one assertion with a low risk that is reasonably possible of materially misstating the financial statements. (See #11 directly below.)
    • You must apply substantive procedures for each relevant assertion of significant audit areas.
    • If the audit area is a significant audit area, you cannot only apply limited procedures. (Limited procedures are preliminary and final analytical, as well as other risk assessment procedures).
    • Stand back requirements. Auditors are required, at some point during the audit, to “stand back” and consider if their original assessment of what is regarded as a significant audit area is still appropriate – or should additional areas also be deemed significant. You indicate that you did this by signing off on the appropriate step (generally step 13b) of Checkpoint Engage program AP-10: General Planning Procedures.

  11. Risk of material misstatement. A risk of a material misstatement is a risk that has more than a remote chance (i.e., “reasonably possible” chance) of occurring and, if it does happen, has more than a remote chance of being material.

  12. Low inherent risk vs. Not relevant. An assertion with a LOW inherent RMM is deemed a relevant assertion because, under PPC’s methodology, LOW-risk designation is one in which the risk of a material misstatement of the financial statements is reasonably possible (more than remote) but does not rise to the level of MODERATE or HIGH on the spectrum of inherent risk.

    On the other hand, under PPC’s methodology, if the risk is remote or less, then inherent risk should be marked as NOT RELEVANT instead of LOW.

    • Marking an assertion with a remote risk as NOT RELEVANT is important because PPC will only permit you to perform limited procedures when all assertions are marked as NOT RELEVANT. You cannot perform limited procedures if one or more assertions are marked as LOW, MODERATE, or HIGH inherent risk of material misstatement.

  13. High inherent risk. An assertion assessed as a HIGH inherent risk of material misstatement may or may not be a significant risk of material misstatement.
    • If the risk is on the upper end of the spectrum of inherent risk, it is considered a significant risk of material misstatement, subject to design and implementation testing.
    • PPC only provides three risk categories: LOW, MODERATE, and HIGH. So, an inherent risk can be assessed as a HIGH risk but not be on the upper end of the spectrum of IR and, therefore, not be considered a significant risk under the standard.
    • If you have inherent risks assessed as HIGH but not identified as significant risks, it would be prudent to note in the comment section of the Risk Assessment Summary Form that IR is on the lower end of the high section of the spectrum of IR and, therefore, the risk is HIGH, but is not considered high enough on the spectrum of IR to be a significant risk.

  14. IMPORTANT! Identified controls (previously key controls). Identified controls must be tested for design and implementation. Identified controls are controls that address the following three high-end risk categories:
    • Significant risks. As stated in 3b, 7b, & 13a above, significant risks are inherent risks on the upper end of the spectrum of inherent risks. Therefore, controls over significant risks are identified controls subject to design and implementation testing.
    • Journal entries and adjustments. Controls over journal entries are identified controls and must be tested for design and implementation.
    • Risks from the use of IT. General IT controls that address a significant risk of material misstatement arising from the use of IT are also a type of identified controls subject to design and implementation testing.
      • For all identified controls, AU-C 315.28–.29 requires the auditor to identify related IT applications and other aspects of the IT environment subject to risks related to the use of IT, as well as general IT controls that address such risks.
      • This identification may affect the testing of the design and implementation of the required identified control(s). It may have broader implications on the audit strategy, including the design of further audit procedures. For instance, if information-processing controls depend on general IT controls, and the auditor determines that general IT controls are expected to be ineffective, the related risks arising from the use of IT may need to be addressed through the design of substantive procedures.
      • For example, the company’s use of Excel to calculate POC revenue presents a risk from the use of IT. General IT controls, such as the following, may be subject to design and implementation testing:
        • Access control – Limit who can change formulas, cell protection, etc.
        • Passwords
        • Data backup and recovery
        • Physical security
        • Segregation of duties
        • IT Governance
        • Vulnerability management
        • Security awareness training
      • Another example may relate to the significant risk of cost shifting by a project manager. In this example, the risk from the use of IT relates to the job cost module and who uses and has IT rights to the module. The possible general IT controls subject to design and implementation testing are:
        • Access control
        • Passwords
        • User authentication
        • Segregation of duties
        • Security awareness training
      • Complete Checkpoint Engage form CON-CX-4.2.2: Internal Control Documentation—IT Environment and General IT Controls.
      • Consider using Part 1 of Checkpoint Engage form CX-4.2.3: Internal Control Documentation – Evaluation of the Design and Implementation of Identified Controls to document the identified controls subject to design and implementation testing.
        • Parts II & III can also be used to describe the design and implementation, but narratives and walkthroughs are probably the better and more efficient way to do each of those procedures.

  15. COSO internal control components. SAS 145 requires us to gain an understanding of the five components of the company’s system of internal control.
    • “Gain an understanding” means becoming knowledgeably aware of the company’s policies and procedures for each of the five internal control components.
    • The five COSO internal control components are:
      • Control environment (tone at the top)
      • Risk assessment (i.e., the assessment performed by the company.)
      • Monitoring
      • Information and communication
      • Activity level controls and information processing
    • However, as described above in #14, certain activity level controls and information processing require more than a mere understanding.
      • For identified controls, the auditor is required to:
        • Evaluate the design of the control,
        • And to determine whether the control has been implemented.
      • IMPORTANT. If identified controls are not properly designed, or controls have not been implemented, or both, then the auditor MUST consider the need to expand substantive testing for the assertions affected.

Update on March Blog regarding TN HB 1893 and SB 2103

Significant Refund Opportunity Created

It’s a done deal! Tennessee has changed its franchise tax by removing the property measure. The bills making this change authorize refunds to certain taxpayers. Namely, those taxpayers who paid franchise tax based on the value of real or tangible property owned or rented in the state for all applicable open years (2020-2023).

Effective for tax years ending on or after January 1, 2024, the legislation removes the property measure from the Tennessee franchise tax base. Additionally, taxpayers who paid franchise tax on the greater property measure can recalculate the tax using the apportioned net worth and file refund claims for the difference in tax paid. To the extent a taxpayer utilized credits on the return, the credits will be reinstated but won’t be paid as a refund. The franchise tax subject to refund must have been reported on a Tennessee return filed on or after January 1, 2021, covering a tax period that ended on or after March 31, 2020.

We are proactively starting the refund process for all our affected clients. Refund claims must be filed between May 15 and November 30, 2024. The process involves first amending the returns for all four affected years, then submitting one Claim for Refund of Franchise Tax Paid on the Department’s special Property Measure form. This can all be accomplished electronically in TNTAP. By filing the refund claim, the taxpayer is affirmatively waiving any claim by the taxpayer or the right to file suit alleging that the franchise tax under prior law was unconstitutional by failing the internal consistency test.

Interest will be computed beginning 90 days after Tennessee receives the refund claim and proper proof to verify the refund.

As stated in the March Blog, this will significantly impact you, our clients, and our workload in getting those refunds back for you. Please do not hesitate to contact us with any questions you may have.

SAS 145 Audit Risk Assessment

Information Technology

This blog is about a particular topic of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which largely stays hidden in plain sight. That topic is audit risk assessment related to information technology (“IT”). Risks related to IT are often (intentionally) overlooked. It’s problematic because some auditors don’t exactly feel IT-empowered, myself included. And even though IT requirements have been there for some time now, we find that SAS 145 has given it particular emphasis, perhaps to draw our attention to its importance. It will be no surprise if IT risk assessment is a target for peer review engagements in 2024 and several years after.

SAS 145 requires auditors to consider IT controls that address risks of material misstatement at the assertion level. The standard breaks this down into 1) the risks arising from the use of IT and 2) the general IT controls that address those risks.

In the codification of auditing standards, AU-C Glossary – Glossary of Terms defines the two related aspects of IT risk assessment as follows:

  • Risks arising from the use of IT. Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
  • General IT controls. Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Risks arising from the use of IT

Some IT systems inherently have more risk than other systems. Canned software for which the company cannot access the source code is inherently less risky than larger, more complex, internally developed systems subject to source code modifications.

Interfacing applications inherently have more risk of material misstatement than packages that integrate the various applications.

A partial list of risks arising from the use of IT is:

  • Miscalculations: Coding errors could cause miscalculations of the financial data.
  • Unauthorized Access: Weak controls related to data entry or bugs in the system could compromise the financial data.
  • Data Loss or Corruption: System crashes, cyberattacks, and other failures could lead to the loss of critical financial data.
  • Failure to Update Software: Old versions of accounting software could lead to a host of risks, such as security and compatibility issues.
  • Limited Data Backup and Recovery: Again, this could lead to the loss of critical financial data.

Electronic Spreadsheet Risk of Use

A particular IT category inherently prone to greater risk of material misstatements is the use of electronic spreadsheets, such as Excel.

Here are two examples of risks arising from the use of IT as it relates to electronic spreadsheets:

  • Example 1: Material Misstatement of Construction Revenue. An Excel spreadsheet is a type of IT tool. Many contractors use it to calculate the percentage-of-completion revenue measurement of individual construction contracts. Such spreadsheets may contain numerous contracts rolled over from period to period. Contract information is often imported from the job activity ledgers, but some companies may manually input the data. The calculations are complex and data intensive.
  • Example 2: Material Misstatement of Accrued Loss on Uncompleted Contracts. Certain contractors also use Excel to pull takeoffs from specs and drawings. The takeoff information is summarized in Excel, and formulas and perhaps pivot tables are used to create a summarized bid for a prospective construction project.

The risks arising from the use of IT associated with Excel in the above two examples are extensive. They include potential design and operation errors, such as incorrect cell formulas, cells not being protected whereby formulas can be accidentally or intentionally deleted, manual input errors, and human misunderstanding of Excel functionality.

For the first example, there is a significant risk of a material misstatement of construction revenue. The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and occurrence.

In the second example, there is a significant risk of material misstatement due to the potential failure to record the total amount of the accrued loss on the contract obtained (because, at inception, the bidding error was not discovered by management). The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and completeness.

General IT Controls

Here is a list of broad general IT controls (not all-inclusive) that auditors should be aware of:

  • Logical Access Controls: Ensure proper access rights and permissions are assigned to appropriate users based on their roles.
  • Change Management: Ensures that software, hardware, and configuration changes are approved and monitored.
  • Data Backup and Recovery: Regularly back up critical data and test the recovery process.
  • Network Security Management: Implement firewalls, intrusion detection systems, and secure network architecture.
  • User Authentication: Use robust authentication methods (e.g., multi-factor authentication) to verify user identities.
  • Physical Security: Safeguard physical access to servers, data centers, and other IT infrastructure.
  • Security Awareness Training: A formalized program to educate employees about security best practices.

Now, here’s the thing that you do not want to miss. General IT controls that address a significant risk of material misstatement arising from the use of IT are subject to design and implementation testing.

For the sake of bringing it all together, general IT controls that address the risk of the use of IT related to electronic spreadsheets (and are subject to design and implementation testing) are:

  • Logical access controls (restrictions as to who can use the worksheet)
  • Change management (controls over who can change the formulas and other functionality of the spreadsheets)
  • Data backup and recovery (always important to make sure these are in place)

Since the above general IT controls address significant risks of a material misstatement from the use of IT (i.e., electronic spreadsheets) to calculate construction revenue and the accrued losses on uncompleted contracts, the auditor should evaluate the design of those identified controls and determine if such controls have been implemented. This evaluation and determination are customarily done through narratives (perhaps internal control questionnaires) and walkthroughs.

Proposed Franchise Tax TN HB 1893 and SB 2103

Proposed Franchise Tax Would Generate Significant Refund Opportunities

Current Tennessee Franchise and Excise Tax law requires that entities (corporations, subchapter S corporations, limited liability companies, professional limited liability companies, registered limited liability partnerships, professional registered limited liability partnerships, limited partnerships, cooperatives, joint-stock associations, business trusts, regulated investment companies, REITs, state-chartered or national banks, and state-chartered or federally chartered savings and loan associations) pay a Franchise Tax equal to 25 cents of every $100 of the greater of the entity’s Total Net Worth or Total Real & Tangible Personal Property.

Example of an actual client:
  1. Total net worth (Schedule F1, Line 5): -304,227
  2. Total real and tangible personal property (Sch. G): 5,456,297
  3. Franchise tax (25 cents per $100 on the greater): 13,641

In a nutshell, these bills, if passed into law, would change the present law and remove the alternative tangible/realty property base from the Tennessee franchise tax (basically Schedule G). Additionally, the bills would require the payment of refunds for open years for taxpayers who paid on the tangible property base. The bills provide that the refund amount would be limited to the difference in tax between what was paid on the tangible/real property base and what would have been paid using the apportioned net worth base. In this example, the entire amount.

Right now, “open” years would include 2020, meaning the taxpayer could potentially apply for five years’ worth of refunds. If these bills are passed this year, as expected, the taxpayer will have until December 31, 2024, to file for 2020 before it drops off the statute of limitations.

The refund is subject to the following provisions:

(1) The refund must be claimed within three years from December 31 of the year in which the payment was made or within any period covered by an extension permitted by existing law;

(2) The claim for refund, including information necessary to determine the proper amount due, must be filed on a form prescribed by the commissioner exclusively for the purpose of seeking a refund pursuant to this bill and must not include a claim for refund on any other basis. A claim on any other basis must be filed separately under existing law. The commissioner is also authorized to refund, under this bill, a claim timely filed under existing law and filed before January 1, 2024, that alleges that the franchise tax in the franchise tax law of 1999 or any provision of the franchise tax law of 1999, is unconstitutional by failing the internal consistency test. The commissioner is not authorized to make a refund under this bill unless a claim is filed;

(3) As used in this bill, “tax actually paid” includes any credits applied on the return. Credits must be reinstated but not paid as a refund;

(4) This bill does not prevent the commissioner from auditing the refund claim, appropriately adjusting or denying the claim, or auditing the amount of tax otherwise due under the franchise tax law of 1999 within the applicable statute of limitations;

(5) A refund due under this bill must first be used to offset any outstanding tax liabilities and is subject to the report of debts requirements in existing law;

(6) A denial of a refund claimed under this bill is subject to the remedies provided in existing law regarding taxpayer remedies for disputed taxes;

(7) Interest at the rate established by determination of rate of interest under the Internal Revenue Code for a large corporate overpayment in the amount of the federal short-term rate plus five-tenths of a percentage point must be added to the amount refunded under this bill beginning 90 days from the date the commissioner receives the refund claim and proper proof to verify that the refund or credit is due and payable; and

(8) Attorneys’ fees must not be added to the amount of refund due.

This will significantly impact you, our clients, and our workload to get those refunds back for you. We will be keeping a watchful eye on how this develops.

The Secret 280A Deduction

Holding Business Meetings for Your Business at Your Personal Residence

In the ordinary course of business, some companies, due to their structure, are required by law to hold meetings for their entities. Others hold meetings for a variety of purposes, including educational workshops, Christmas parties, or even regular staff meetings.

Tax Code Section 280A contains provisions allowing a business owner to conduct regular meetings at his or her residence.

Traditionally, business meetings are held on office premises or rented spaces such as a Board Room at a Hotel or Conference Center. The expense of conducting these meetings in an outside venue can be significant, with the national average cost approaching $1,500 per day. This cost is based upon accommodating the Officers, Stockholders, Directors, Managers, Principals, Members, and Employees while providing two meals, break expenses, audio-visual and internet access support, etc. However, self-employed owners are specifically excluded.

In Nashville, costs range from $1,800 to $2,000 per day for comparable facilities.

These expenses are tax deductible for your business but are not considered taxable income on your personal return under Tax Code Section 280A.

Whether these meetings are a requirement by law for your practice or other purposes, these meetings can and should be conducted at your home.

However, your business entity must have principals, directors, or board members to qualify for the tax deduction. This means your business entity must be organized as something more than a sole proprietorship, such as an LLC, PLLC, S-Corporation, C-Corporation, or partnership.

There are certain requirements for conducting these business meetings. While each entity will have its specific Agenda items to cover and determining the meeting frequency will be a personal decision, certain topics should be covered annually, semi-annually, and every time a meeting is held. There may also be a need to conduct Special Meetings to adopt resolutions, change practice direction, adopt a new program of significant impact, re-finance for strategic purposes, expend or commit a material practice resource, or make significant personnel or ownership adjustments.

Under Code Section 280A, you can rent your home up to 14 days per year without having to recognize personal income. This could cover up to 12 monthly sessions plus a Semi-Annual and Annual meeting if you so desire. The scenario for the rental is as follows:

As a business owner, you would rent from you, the homeowner, the Fair Market Value of area meeting space for up to 14 days per year. The total you spend as the business owner is written off as rental expenses, while this same income to you as the homeowner is non-taxable rental income.
Taking the lower Nashville area figure of $1,800 per meeting, your business would spend $25,200 for 14 meetings. The estimated potential tax savings for your business to conduct these required meetings could be up to $9,324, with no tax due on the $25,200 paid to you for renting your home.

There are specific requirements for conducting these business meetings. If this is of interest to you, we would be happy to guide you through the process to make your meetings run smoothly, comply with all regulations, and maintain deductibility over the course of a year.

Remember, you must maintain the correct documentation.

SAS 145 Audit Risk Assessment

Just a Bit More

Well, let’s add a bit more about SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. And let’s do it in a question-and-answer format. This SAS is enormous – it’s over 250 pages long. Those in public accounting must understand its implications since understanding the entity, environment, and financial statement risks is the heart and soul of financial audits. An understanding of the risk of misstatements is what drives the remainder of the audit engagement. So, with that being said, let’s begin.

  1. Is SAS 145 principle-based, and is the methodology neutral?

    Yes. The standard is principle-based and does not prescribe a particular way to accomplish the objectives. Accordingly, much is open to the auditor’s experience and professional judgment.

  2. Are there some specific vital concepts that must be understood to wrap your head around SAS 145?

    Yes. Here are the ones that you must understand. Some are familiar concepts from the previous standard, and some are new.

    Assertions – These are representations made by the entity’s management (explicit or otherwise) about amounts and disclosures in their financial statements.

    Inherent Risk – SAS 145 states that inherent risk is the susceptibility of an assertion to a material misstatement. Inherent risk is determined before consideration of the entity’s control risk. The standard lists some inherent risk factors to be considered.

    Control Risk – The risk that a potential misstatement in an assertion won’t be timely prevented or detected and corrected by the internal control system.

    Relevant Assertion – An assertion with an identified risk of material misstatement (also known as a RMM).

    Risk of a Material Misstatement – A RMM exists when there is a reasonable possibility of a material misstatement occurring. A RMM combines a reasonable possibility of occurrence and a reasonable possibility that if a misstatement occurs, it will be material. Said another way, a RMM means it’s reasonably possible that a misstatement can happen, and if it does, it’s reasonably possible it will be material.

    Significant Class of Transactions, Account Balance, or Disclosure – It’s an audit area with at least one relevant assertion and, therefore, a significant audit area.

    Identified Risk – An identified risk is another name for a RMM – except the risk of a misstatement has been specifically identified. It’s a known RMM.

    Spectrum of Inherent Risk – The spectrum of inherent risk is the extent to which inherent risk varies – i.e., inherently from low to high risk.

    Significant Risk – A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. In other words, it is a RMM on steroids.

    Identified Controls – Identified controls are controls for which SAS 145 requires the auditor to evaluate the design and determine the implementation using procedures beyond inquiry.

  3. As a result of risk assessment, should every audit program be tailored to address the identified risks?

    Yes. The primary purpose of risk assessment is to design procedures to address the risk identified. An unmodified one-size-fits-all audit program is suspect. It gives the impression that little thought was given to the linkage of identified risks to procedures that address those risks. Accordingly, unmodified programs may be a peer review finding.

  4. Are all material accounts considered a RMM?

    No. A risk of material misstatement exists when:

    • There is a reasonable possibility of a misstatement occurring, and
    • There is a reasonable possibility it would be material if it did occur.

    In other words, RMM equals Occurrence + Magnitude. Therefore, an account can be material but not have a RMM when there is no reasonable possibility of a misstatement, or if there is a reasonable possibility of a misstatement, there is no reasonable possibility it would be material.

  5. What does reasonable possibility mean?

    Reasonable possibility means there is more than a remote chance of happening. It is based on inherent risk only, without regard to internal controls. Inherent risk is king.

  6. How does “reasonable possibility” align within GAAP’s risk progression?

    Reasonable possibility is a low threshold. It progresses as follows:

    Remote -> Reasonable possibility -> More Likely Than Not -> Probable -> Reasonably certain.

    Therefore, the risk of a material misstatement is only slightly more than a remote risk. It’s a low threshold.

  7. So, inherent risk is king? What are some of the inherent risk factors to be considered?

    • Size, volume, and composition of items
    • Susceptibility to theft or fraud
    • Complexity
    • Subjectivity
    • Uncertainty
    • Changes in business environment, operations, and personnel.

  8. Why are relevant assertions important?

    Remember, a relevant assertion has a RMM attached to it. A significant audit area has at least one relevant assertion and, therefore, at least one risk of a material misstatement. Why is this important? Because substantive procedures must be applied to this area. Limited procedures are insufficient.

  9. Must you assess inherent risk and control risk for each account and each assertion?

    No. However, you must assess inherent risk and control risk for each identified RMM at the assertion level.

  10. If, as a matter of policy, an auditor assesses all control risks at maximum risk under SAS 145, must the combined RMM have the same assessment as the inherent risk assessment?

    Yes. It’s the math. If control risk is assessed at 100%, and inherent risk is assessed at 50%, then the combined risk, mathematically, must equal 50%. (1.0 x .5 = .5 or 50%.)

  11. What is so significant about a significant risk?

    Remember, a significant risk is a risk on steroids. It is located at the upper end of the spectrum of inherent risk. Therefore, the auditor must:

    • Evaluate the design of the control (often done with narratives) and
    • Determine if the control has been implemented (often done by walk-throughs.)

Corporate Transparency Act

An Important Heads Up

  1. What is the Corporate Transparency Act?

    The Corporate Transparency Act authorizes the Financial Crimes Enforcement Network to collect certain identifying information about the beneficial owners and company applicants. The Act applies to domestic corporations, LLCs, and any entity created by the Secretary of State (or similar office) in any state or tribal jurisdiction, as well as foreign entities registered to do business in any state or tribal jurisdiction.

  2. Who Must Report?

    • All domestic corporations, LLCs, and other entities created by filing with a Secretary of State or similar office
    • All foreign corporations, LLCs, and other entities created under the laws of foreign countries and registered in any state or tribal jurisdiction to do business.

  3. Who is Exempt from Reporting?

    There are several entities exempt from reporting, including but not limited to:

    • Large operating company. A large operating company is an entity that:
      • Employs more than 20 full-time employees (30+ hours per week)
      • Conducts operations at a physical office within the United States
      • Filed a US federal income tax or information return for the previous year with more than $5,000,000 in gross receipts or sales, net of returns and allowances, excluding gross receipts or sales from sources outside the United States.
    • Tax-exempt entity (described in Sec. 501(c) and exempt from tax under Sec. 501(a) of the IRC)
    • Inactive entity (as defined)
    • Securities reporting issuer
    • Governmental authority
    • Bank
    • Credit union
    • Depository institution holding company
    • Money services business
    • Broker or dealer in securities
    • Securities exchange or clearing agency
    • Other Exchange Act registered entity
    • Investment company or investment adviser
    • Venture capital fund adviser
    • Insurance company
    • State-licensed insurance producer
    • Commodity Exchange Act registered entity
    • Accounting firm (if registered in accordance with Sec. 102 of the Sarbanes-Oxley Act of 2002)
    • Public utility
    • Financial market utility
    • Pooled investment vehicle
    • Entity assisting a tax-exempt entity
    • Subsidiary of certain exempt-from-reporting entities

  4. What Must be Reported?

    Beneficial owners must be reported. A beneficial owner is any individual who owns or controls at least 25% of the ownership interest or, directly or indirectly, exercises substantial control over the reporting company. The individual has substantial control if any of the following apply:

    • Serves as a senior officer of the reporting company
    • Has authority to appoint or remove any senior officer or majority of the directors
    • Directs, determines, or has substantial influence over important decisions, including:
      • Nature, scope, and attributes of the business
      • Reorganization, dissolution, or merger
      • Major expenditures or investments, issuance of equity, debt, operating budget
      • Selection or termination of business lines or ventures or geographic focus
      • Compensation and incentives for senior officers
      • Entry into or termination of significant contracts
      • Amendments to governance documents
    • Has any other form of substantial control over the reporting company

    Company applicants must be reported. Company applicants may be:

    • Individuals who directly file the document that creates the reporting company
    • Individuals who are primarily responsible for directing or controlling the filing of those documents.

  5. Where is the Information Reported?

    The information is reported to the Financial Crimes Enforcement Network (FinCEN) through its website at https://fincen.gov/boi. The website also provides a large amount of other helpful information.

  6. When is Reporting Required?

    • Companies created or registered with a Secretary of State or similar office before January 1, 2024, must report beneficial owner information between January 1, 2024 and December 31, 2024. Company applicant information is not required to be reported.
    • Companies created or registered with a Secretary of State or similar office on or after January 1, 2024, must report beneficial owner information and company applicant information within 90 days of creation or registration.
    • ALERT: In certain situations, reporting must be updated.

  7. Why Report?

    If the requirements are met, reporting is required. Failure to do so can result in substantial civil and criminal penalties.

    The Act’s intent is to help prevent illicit activity such as money laundering, financing of terrorism, tax evasion, fraud, and other illegal activity. It also promotes corporate transparency and accountability.

This blog does not cover all aspects of the Corporate Transparency Act. Please see the official documentation or consult a legal professional for more detailed information. It is highly recommended that companies seek legal advice for assistance and help in understanding and complying with these requirements.

Audit Risk Assessment Scalability

Where Less Can Be Better

We first addressed SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement in our November 2021 blog. Two years later, the requirements are bearing down on us. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. In other words, (for most of us) starting with our calendar year 2023 audits.

Audit risk assessment has long been a bane to the small practitioner, especially those whose practice consists primarily of perhaps smaller, less complicated audits. Some practitioners expressed concern that the standard contained concepts challenging to grasp and apply. Some felt that the cost of complying with the standard far outweighed the benefits. Others saw a formal risk assessment as beneficial to more complicated audits but only busywork for the less complex audits where risks were apparent going in. These negative views toward a standard-based risk assessment led to bastardizations of the process, such as:

  • The assigning of the risk assessment to newly minted staff accountants who had limited (or no) knowledge of the industry, the client, and risk assessment in general,
  • Doing the audit in reverse by diving head-first into substantive testing. Only at the tail-end of the audit would attention be given to a form-driven risk assessment limited by the diminishing remaining time allocated to fieldwork,
  • Performing the risk assessment without modifying the standardized audit program to address the significant risk identified. In other words, just going through the motions,
  • Rolling forward the prior year’s risk assessment with limited client inquiries, insufficient professional skepticism, and substandard documentation.

What Has SAS 145 Done For Us?

No Exemptions for Less Complex Audits. The standard does not exempt less complex audits from the risk assessment standard. To do so would be degrading to professional audits under generally accepted auditing standards. Risk must always be identified and addressed for an audit to be efficient and meaningful. However, it does incorporate scalability options into the standard.

Scalability – One Size Does Not Fit All. The standard provides guidance on the concept of scalability. It clarifies that the application of the standard can be designed to fit less complicated companies. In other words, auditor judgment should be used to match the standard’s requirements to the company’s complexity. The work can be scaled down and simplified to fit less complex entities. One size does not fit all. Accordingly, scalability, when understood in large part, addresses concerns expressed by auditors of less complicated entities.

Additionally, scalability is described in great detail in the AICPA’s Audit and Accounting Guide Risk Assessment in a Financial Statement Audit, updated to January 2023, to conform to SAS 145. It has numerous examples (“Scalability Scenario”) that explore the risk assessment requirements of SAS 145 to fit a less complex audit. It compares this to what would be done on a more complex audit. It is suggested that observation and inspection may often be used to obtain audit evidence to conform to the standard’s requirements for less complicated audits.

So, there is hope. The audit risk assessment is critical, but it is not intended to eat our lunch.

It is important to remember that size alone does not equal complexity. A company can be huge, yet due to the nature of its industry and limited use of advanced technology, not be considered complex. Therefore, audit risk assessment procedures can be scaled down. On the other hand, a small company in specific industries can be very complex. It may have several revenue streams and rely heavily on complex information technology. Accordingly, the risk assessment approach would be more demanding.

Getting Things in the Right Order

Understanding the reasons and necessity for a robust audit risk assessment (scalable when appropriate) places the audit procedures in the proper order. And here they are:

  1. Plan the audit. Planning includes several procedures, including preliminary analytics, brainstorming, establishing planning materiality, and risk assessment procedures.
  2. Tailor the audit program to address the identified risks.
  3. Perform substantive procedures to obtain audit evidence that reduces those risks to an acceptable level.
  4. Issue an appropriate report consistent with the audit evidence obtained.

Some Other New Requirements

SAS 145, in addition to new guidance on scalability, also provides the following new requirements:

  • Separately assess inherent risk and control risk for each relevant assertion
  • A requirement to assess control risk at maximum if controls are not to be tested for operating effectiveness
  • A requirement that if the control risk (CR) is set at the maximum level (high), then the risk assessment for risk of a material misstatement (RMM) must be the same as the risk assessment for inherent risk (IR).

    For example, if control risk is assessed as “high” and inherent risk is assessed as “low,” then the RMM must also be assessed as “low” – the same as inherent risk.

  • A “stand-back” requirement
  • A revised definition of significant risk and how to identify and assess such risks.
  • A requirement to evaluate the design and implementation of general IT controls.

Peer Review Focus

Undoubtedly, risk assessment will continue to be a peer review focus in 2024 and beyond. Risk assessment has been a challenging audit area and a continuing focus of the AICPA initiative to improve audit quality.

The New Quality Management Standards

Did I Hear Someone Say Risk Assessment?

In 2022, the AICPA issued four new quality management standards, as follows:

  • Statement on Quality Management Standards (SQMS) No. 1 – A Firm’s System of Quality Management;
  • SQMS No. 2 – Engagement Quality Reviews;
  • Statement on Auditing Standards (SAS) No. 146 – Quality Management for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards; and
  • Statement on Standards for Accounting and Review Services (SSARS) No. 26 – Quality Management for an Engagement Conducted in Accordance With Statements for Accounting and Review Services.

Effective Dates. A firm’s system of quality management complying with SQMS No. 1 must be designed and implemented by December 15, 2025. The quality management system evaluation required by paragraphs 54-55 of SQMS No. 1 must be performed within one year following December 15, 2025.

SQMS No. 2 is effective for audits or reviews of financial statements for periods beginning on or after December 15, 2025, and other engagements in the firm’s accounting and auditing practice beginning on or after December 15, 2025.

SAS No. 146 becomes effective for audits of financial statements for periods beginning on or after December 15, 2025.

SSARS No. 26 becomes effective for engagements performed for periods beginning on or after December 15, 2025.

Whom Do the New Standards Affect? The new standards apply to every firm that performs engagements under SASs, SSARSs, and SSAEs. They also apply to audit and attestation engagements performed under Government Auditing Standards. However, they do not apply to audits of government organizations.

SQMS No. 1 – A Firm’s System of Quality Management. SQMS 1 will supersede Statement on Quality Control Standards No. 8 (SQCS No. 8) on December 15, 2025.

SQMS No. 1 represents a significant change in how CPA firms manage quality. It will take considerable time and effort to implement fully, which is the reason for what may appear to be a long timeline before the effective date.

Under the current QAS system, CPA firms must have a quality control system in place, but there are no specific requirements for what the system must include or how it must be implemented. It is more principles-based. SQMS No. 1, on the other hand, sets out specific requirements for designing and implementing a quality management system. CPA firms must significantly change their quality control systems to comply with SQMS No. 1, and a word of caution – it may take more time than you may think.

As stated in SQMS No. 1: “(t)he objective of the firm is to design, implement, and operate a system of quality management for engagements performed by the firm in its accounting and auditing practice that provides the firm with reasonable assurance that

a. the firm and its personnel fulfill their responsibilities in accordance with professional standards and applicable legal and regulatory requirements and conduct engagements in accordance with such standards and requirements, and
b. engagement reports issued by the firm are appropriate in the circumstances.”

To give you an idea of the approach taken in SQMS No. 1, here are some of the changes and approaches:

  • SQMS No. 1 will address eight components of quality instead of the current six areas under SQCS No. 8. Those eight areas are:
    1. The firm’s risk assessment process (Surprise! New area),
    2. Governance and leadership,
    3. Relevant ethical requirements,
    4. Acceptance and continuance of client relationships and specific engagements,
    5. Engagement performance,
    6. Resources,
    7. Information and communication (new area),
    8. The monitoring and remediation process.

  • The new risk-based approach (sound familiar?) requires:
    1. That quality objectives be established,
    2. Quality risks are identified and assessed to design and implement appropriate responses.

    Fortunately, the risk-based approach is scalable based on the design and formality of the system.

  • As stated in SQMS No. 1, the new information and communication component requires:
    1. An information system that “identifies, captures, processes, and maintains relevant and reliable information that supports the system of quality management, whether from internal or external sources.”
    2. A firm culture that values the exchange of information within the firm and with one another,
    3. “Relevant and reliable information is exchanged throughout the firm and with engagement teams…”
    4. “Relevant and reliable information is communicated to external parties…”

  • The system of quality management must be evaluated annually, even during the peer review year. So gone will be the days of assessing the system two out of three years.

SQMS No. 2 – Engagement Quality Reviews. This standard discusses the appointment and eligibility of the engagement quality reviewer (EQR) and the EQR’s responsibilities.

An engagement quality review is necessary under the standard when it is required by law or regulation and when the firm determines it is an appropriate response to one or more quality risks identified in the risk assessment. Additionally, an engagement quality review is scalable based on the nature and circumstances of the engagement or the entity.

As in the current standard, the EQR cannot be an engagement team member.

Stay tuned. There is more coming on this topic.

ASC Topic 326 – Current Expected Credit Losses

Give Credit Where Credit is Due

For the non-public, non-financial sector, it took a while for the new standard on credit losses to get here. But it’s here now and breathing down our necks with a vengeance. CECL (pronounced cecil) was issued by the FASB in 2016. For the non-financial sector, it’s somewhat of a wolf in sheep’s clothing. Not that it was intended to be that way, but it just is. So beware. It’s a peer review “gotcha” event. As the song says, “Things ain’t what they used to be.” This article will address some CECL issues in a question-and-answer format.

  1. When was CECL (ASC 326) effective for non-public companies?

    ASC 326 was effective for all non-public companies for fiscal years beginning after December 15, 2022, including interim periods within those fiscal years. So, in other words, it is effective for calendar year 2023 financial statements, including interim financial statements that begin in 2023.

    The interim financial statement’s effective date for non-public companies is a change from the customary practice of the FASB. Usually, for private companies, new standards are effective for interim financial statements the year after it is effective for the annual financial statements. When the original pronouncement was issued in 2016, that’s how it was – the interim financial statement’s effective date was a year later. However, this decision was later reversed by the FASB in an ASU released in 2018. This change may have flown under the radar screen for many busy accountants.

  2. To whom does CECL apply?

    While the standard was primarily directed to financial institutions like banks and credit unions, it also applies to non-financial institutions. That includes construction companies, manufacturing companies, and non-profit entities, to name a few. However, as discussed in the next question, the standard does scope out specific areas.

  3. So, what is CECL, and which financial assets does it apply to?

    CECL stands for “current expected credit losses” related to financial instruments. The key phrase is “current expected.” The standard intends to inform the financial statement user what credit losses (bad debts) the company currently (upfront) expects to incur on its financial assets over the contractual life of those assets (the future). Generally, the standard applies to financial assets carried at amortized cost and includes:

    • Cash equivalents
    • Trade receivables
    • Contract assets (such as underbillings and retainage receivables)
    • Loans receivable/Notes receivable
    • Loans to officers and employees
    • Investment in debt securities held-to-maturity
    • A lessor’s receivables from sales-type or direct financing leases

    Notably, the following financial assets are not within the scope of CECL:

    • Receivables between entities under common control (see following two paragraphs)
    • Equity securities
    • Loans made to participants by defined contribution employee benefit plans
    • Pledge receivables of a not-for-profit organization
    • Lessor receivables from operating leases
    • Other financial assets measured at fair value through net income
    • Securities available-for-sale (though ASC 326-30 did make targeted changes to this area related to CECL)

    The AICPA’s Center for Plain English Accounting report for August 16, 2023, observed that “(T)he scope exception in FASB ASC 326-20-15-3f is for loans and receivables between “entities” under common control and makes no mention of “individuals.” Therefore, it is not clear based on the omissions in the plain language whether individuals (natural persons) such as a controlling shareholder are within the scope exception for CECL in FASB ASC 326-20-15-3f.”

    However, the article further states: “FASB staff has indicated that the scope exception for entities under common control also applies to natural persons (i.e., controlling shareholder) within a common control group. We should note that the scope exception for common control entities would NOT extend to an (sic) loan to an unrelated officer of one of the entities who did not hold a controlling financial interest.”

  4. What is the difference between the legacy standard and ASC 326?

    The former standard used an “incurred loss” methodology to recognize credit losses if it was deemed probable to be uncollectible. While probable is not defined, many practitioners consider probable equal to or greater than a 75% threshold. The collection loss had to be incurred and probable under the previous standard to be recognized.

    The new accounting standard’s model is designed to be forward-looking and considers the entire contractual life of a financial instrument. Moreover, it significantly reduces the threshold for recognizing credit losses. Under ASC 326, a credit loss can be recognized on financial assets, such as a class of trade receivables, at the asset’s inception, even if the likelihood of a loss is considered remote. CECL mandates that management consider expected credit losses throughout the entire life of a group of financial assets, regardless of the absence of any current signs of trouble. Accordingly, under CECL, losses are expected to be recognized sooner than losses were under legacy GAAP.

    Key takeaway: The loss recognition is forward-looking over the contractual life of the financial instrument, recognized at the asset’s inception, and the loss recognition threshold is considerably lower than previous GAAP.

  5. Does ASC 326 specify a particular way to estimate current expected credit losses?

    No. The standard is principle-based. The particular methodology used to arrive at the expected loss at the origination or acquisition date of the financial instrument is management’s decision. In a broad sense, the standard requires that the company base its estimate on:

    • Relevant information about past events, such as historical loss experiences,
    • Current conditions, and
    • Reasonable and supportable forecasts.
    • For periods when the company cannot obtain supportable forecasts for expected credit losses, it may revert to historical loss information.

    ASC 326-20-30-7 states, in part, that “(A)n entity shall consider relevant qualitative and quantitative factors that relate to the environment in which the entity operates and are specific to the borrower(s).”

    Additionally, as stated in the AICPA’s Center for Plain English Accounting report, same date given above, “…CECL requires measurement of the expected credit loss even if that risk of loss is remote, regardless of the method applied to estimate the credit losses.”

  6. Can an entity ever have an expected credit loss of zero?

    It’s possible. But in most cases, it’s unlikely or even rare. The standard permits a zero credit loss in narrow situations where the expectation of not being paid is zero, even if a technical default were to occur. An example would be U.S. Treasury securities backed by the full faith and credit of the U.S. government, which can also print currency to retire the debt.

  7. Does ASC 326 require additional disclosure?

    As you probably expect, the answer is yes.

    On the balance sheet, there is a requirement to separately present the allowance for credit losses for financial assets measured at amortized cost, such as trade receivables, contract assets, and loans receivable. Also, investments in available-for-sale debt securities carried at fair value must present both amortized cost and allowance for credit losses parenthetically on the balance sheet.

    There are many required disclosures to achieve the stated objectives of ASC 326. For example, ASC 326 requires a roll-forward of the allowance for credit loss accounts. We suggest having your disclosure checklist for non-public companies readily available for reference as you draft the disclosures for financial instruments.

In summary, ASC 326, the credit loss standard, has a broad scope encompassing financial institutions and non-financial companies, including entities like construction firms. It applies to a wide array of financial assets measured at amortized cost, including items like trade receivables and contract assets. Notably, the threshold for recognizing credit losses has shifted from probable to remote, and this new standard mandates a forward-looking estimation of credit losses. It’s important to note that the new standard does not apply to specific financial instruments that are excluded, such as receivables between entities under common control or between companies and majority owners who are natural persons, in my opinion. Additionally, recognition is only required for amounts and disclosures considered material.
