SAS 145 Audit Risk Assessment

Just a Bit More

Well, let’s add a bit more about SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. And let’s do it in a question-and-answer format. This SAS is enormous – it’s over 250 pages long. Those in public accounting must understand its implications since understanding the entity, environment, and financial statement risks is the heart and soul of financial audits. An understanding of the risk of misstatements is what drives the remainder of the audit engagement. So, with that being said, let’s begin.

  1. Is SAS 145 principle-based, and is the methodology neutral?

    Yes. The standard is principle-based and does not prescribe a particular way to accomplish the objectives. Accordingly, much is open to the auditor’s experience and professional judgment.

  2. Are there some specific vital concepts that must be understood to wrap your head around SAS 145?

    Yes. Here are the ones that you must understand. Some are familiar concepts from the previous standard, and some are new.

    Assertions – These are representations made by the entity’s management (explicit or otherwise) about amounts and disclosures in their financial statements.

    Inherent Risk – SAS 145 states that inherent risk is the susceptibility of an assertion to a material misstatement. Inherent risk is determined before consideration of the entity’s control risk. The standard lists some inherent risk factors to be considered.

    Control Risk – The risk that a potential misstatement in an assertion won’t be timely prevented or detected and corrected by the internal control system.

    Relevant Assertion – An assertion with an identified risk of material misstatement (also known as a RMM).

    Risk of a Material Misstatement – A RMM exists when there is a reasonable possibility of a material misstatement occurring. A RMM combines a reasonable possibility of occurrence and a reasonable possibility that if a misstatement occurs, it will be material. Said another way, a RMM means it’s reasonably possible that a misstatement can happen, and if it does, it’s reasonably possible it will be material.

    Significant Class of Transactions, Account Balance, or Disclosure – It’s an audit area with at least one relevant assertion and, therefore, a significant audit area.

    Identified Risk – An identified risk is another name for a RMM – except the risk of a misstatement has been specifically identified. It’s a known RMM.

    Spectrum of Inherent Risk – The spectrum of inherent risk is the extent to which inherent risk varies – i.e., inherently from low to high risk.

    Significant Risk – A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. In other words, it is a RMM on steroids.

    Identified Controls – Identified controls are controls for which SAS 145 requires the auditor to evaluate the design and determine the implementation using procedures beyond inquiry.

  3. As a result of risk assessment, should every audit program be tailored to address the identified risks?

    Yes. The primary purpose of risk assessment is to design procedures to address the risk identified. An unmodified one-size-fits-all audit program is suspect. It gives the impression that little thought was given to the linkage of identified risks to procedures that address those risks. Accordingly, unmodified programs may be a peer review finding.

  4. Are all material accounts considered a RMM?

    No. A risk of material misstatement exists when:

    • There is a reasonable possibility of a misstatement occurring, and
    • There is a reasonable possibility it would be material if it did occur.

    In other words, RMM equals Occurrence + Magnitude. Therefore, an account can be material but not have a RMM when there is no reasonable possibility of a misstatement, or if there is a reasonable possibility of a misstatement, there is no reasonable possibility it would be material.

  5. What does reasonable possibility mean?

    Reasonable possibility means the chance of it happening is more than remote. It is based on inherent risk only, without regard to internal controls. Inherent risk is king.

  6. How does “reasonable possibility” align within GAAP’s risk progression?

    Reasonable possibility is a low threshold. It progresses as follows:

    Remote -> Reasonable possibility -> More likely than not -> Probable -> Reasonably certain.

    Therefore, the risk of a material misstatement is only slightly more than a remote risk. It’s a low threshold.

  7. So, inherent risk is king? What are some of the inherent risk factors to be considered?

    • Size, volume, and composition of items
    • Susceptibility to theft or fraud
    • Complexity
    • Subjectivity
    • Uncertainty
    • Changes in business environment, operations, and personnel.

  8. Why are relevant assertions important?

    Remember, a relevant assertion has a RMM attached to it. A significant audit area has at least one relevant assertion and, therefore, at least one risk of a material misstatement. Why is this important? Because substantive procedures must be applied to this area. Limited procedures are insufficient.

  9. Must you assess inherent risk and control risk for each account and each assertion?

    No. However, you must assess inherent risk and control risk for each identified RMM at the assertion level.

  10. If, as a matter of policy, an auditor assesses all control risks at maximum risk under SAS 145, must the combined RMM have the same assessment as the inherent risk assessment?

    Yes. It’s the math. If control risk is assessed at 100%, and inherent risk is assessed at 50%, then the combined risk, mathematically, must equal 50%. (1.0 x .5 = .5 or 50%.)

  11. What is so significant about a significant risk?

    Remember, a significant risk is a risk on steroids. It is located at the upper end of the spectrum of inherent risk. Therefore, the auditor must:

    • Evaluate the design of the control (often done with narratives) and
    • Determine if the control has been implemented (often done by walk-throughs).

Audit Risk Assessment Scalability

Where Less Can Be Better

We first addressed SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement in our November 2021 blog. Two years later, the requirements are bearing down on us. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. In other words, (for most of us) starting with our calendar year 2023 audits.

Audit risk assessment has long been a bane to the small practitioner, especially those whose practice consists primarily of smaller, less complicated audits. Some practitioners expressed concern that the standard contained concepts that were challenging to grasp and apply. Some felt that the cost of complying with the standard far outweighed the benefits. Others saw a formal risk assessment as beneficial to more complicated audits but only busywork for the less complex audits where risks were apparent going in. These negative views toward a standard-based risk assessment led to bastardizations of the process, such as:

  • The assigning of the risk assessment to newly minted staff accountants who had limited (or no) knowledge of the industry, the client, and risk assessment in general,
  • Doing the audit in reverse by diving head-first into substantive testing. Only at the tail-end of the audit would attention be given to a form-driven risk assessment limited by the diminishing remaining time allocated to fieldwork,
  • Performing the risk assessment without modifying the standardized audit program to address the significant risk identified. In other words, just going through the motions,
  • Rolling forward the prior year’s risk assessment with limited client inquiries, insufficient professional skepticism, and substandard documentation.

What Has SAS 145 Done For Us?

No Exemptions for Less Complex Audits. The standard does not exempt less complex audits from the risk assessment standard. To do so would be degrading to professional audits under generally accepted auditing standards. Risk must always be identified and addressed for an audit to be efficient and meaningful. However, it does incorporate scalability options into the standard.

Scalability – One Size Does Not Fit All. The standard provides guidance on the concept of scalability. It clarifies that the application of the standard can be designed to fit less complicated companies. In other words, auditor judgment should be used to match the standard’s requirements to the company’s complexity. The work can be scaled down and simplified to fit less complex entities. One size does not fit all. Accordingly, scalability, when understood, in large part addresses the concerns expressed by auditors of less complicated entities.

Additionally, scalability is described in great detail in the AICPA’s Audit and Accounting Guide Risk Assessment in a Financial Statement Audit, updated to January 2023, to conform to SAS 145. It has numerous examples (“Scalability Scenario”) that explore the risk assessment requirements of SAS 145 to fit a less complex audit. It compares this to what would be done on a more complex audit. It is suggested that observation and inspection may often be used to obtain audit evidence to conform to the standard’s requirements for less complicated audits.

So, there is hope. The audit risk assessment is critical, but it is not intended to eat our lunch.

It is important to remember that size alone does not equal complexity. A company can be huge, yet due to the nature of its industry and limited use of advanced technology, not be considered complex. Therefore, audit risk assessment procedures can be scaled down. On the other hand, a small company in specific industries can be very complex. It may have several revenue streams and rely heavily on complex information technology. Accordingly, the risk assessment approach would be more demanding.

Getting Things in the Right Order

Understanding the reasons and necessity for a robust audit risk assessment (scalable when appropriate) places the audit procedures in the proper order. And here they are:

  1. Plan the audit. Planning includes several procedures, including preliminary analytics, brainstorming, establishing planning materiality, and risk assessment procedures.
  2. Tailor the audit program to address the identified risks.
  3. Perform substantive procedures to obtain audit evidence that reduces those risks to an acceptable level.
  4. Issue an appropriate report consistent with the audit evidence obtained.

Some Other New Requirements

SAS 145, in addition to new guidance on scalability, also provides the following new requirements:

  • Separately assess inherent risk and control risk for each relevant assertion
  • A requirement to assess control risk at maximum if controls are not to be tested for operating effectiveness
  • A requirement that if the control risk (CR) is set at the maximum level (high), then the risk assessment for risk of a material misstatement (RMM) must be the same as the risk assessment for inherent risk (IR).

    For example, if control risk is assessed as “high” and inherent risk is assessed as “low,” then the RMM must also be assessed as “low” – the same as inherent risk.

  • A “stand-back” requirement
  • A revised definition of significant risk and how to identify and assess such risks.
  • A requirement to evaluate the design and implementation of general IT controls.

Peer Review Focus

Undoubtedly, risk assessment will continue to be a peer review focus in 2024 and beyond. Risk assessment has been a challenging audit area and a continuing focus of the AICPA initiative to improve audit quality.
