SAS 145 Audit Risk Assessment

All Together Now

Now that our firm has been through a few months of audit risk assessment under SAS 145, we felt it beneficial to identify key takeaways to keep in mind as we go forward. To give a frame of reference for our outline below, our clientele is concentrated in the construction industry, and we use Checkpoint Engage for our risk analysis. Hopefully, this outline will help bring the various pieces of the risk assessment process together.

  1. Risk of material misstatements (RMM). Remember that we, as auditors, are searching for areas of the financial statements that may be materially misstated.
    • We tailor the audit program to address the identified risks, especially those we identified as significant risks.
      • Checkpoint Engage is the tool we use to tailor the audit program.
    • Not all risks are created equal. To be a RMM, there must be:
      • A reasonable possibility of a misstatement occurring and
      • If a misstatement were to occur, there must be a reasonable possibility it would be material.
      • Reasonable possibility means there is more than a remote chance (a very low threshold).
      • Remember the formula: RMM = Occurrence + Magnitude

    The two types of risk are:

    • At the financial statement level,
    • At the assertion level

  2. Risks at the financial statement level. Risks of a material misstatement at the financial statement level are pervasive to the financial statements as a whole.
    • All audit engagements have the overall financial statement risk of management overriding controls. This risk and the audit response are automatically populated in Part I of the Risk Assessment Summary Form.
    • Some companies may have additional overall risks at the financial statement level, such as:
      • Going concern issues
      • Pressure to meet or exceed debt covenants and
      • Lack of qualified accounting personnel.
    • These risks and the audit responses should also be included in Part I of the Risk Assessment Summary Form.

  3. Risks at the assertion level. A risk of material misstatement at the assertion level is a risk that is not pervasive at the financial statement level. It’s a risk at the assertion level for a particular class of transactions (such as revenue), account balance (such as accounts payable), or disclosure (such as those provided for financial loan covenants).
    • Every engagement is presumed to identify improper revenue recognition as a fraud and significant risk at the assertion level in Part II of the Risk Assessment Summary Form.
    • The peer review expectation is that almost all engagements will have at least one or more additional risks (in addition to improper revenue recognition) that are identified as significant risks (those on the upper end of the spectrum in inherent risk), which should be added to Part II of the Risk Assessment Summary Form.

  4. Inherent risk (IR). Inherent risk is assessed as LOW, MODERATE, HIGH, or NOT RELEVANT.
    • IR is the susceptibility of an assertion to a material misstatement, ignoring any controls the company has in place.
    • An assertion is NOT RELEVANT if the risk of a material misstatement is remote or there is no risk because, due to the nature of the assertion, it does not apply to the class of transactions, account balance, or disclosure. For example, due to the nature of cash, the valuation assertion is NOT RELEVANT.
    • Inherent risk factors include: Size, volume, and composition of items; Susceptibility to theft or fraud, management bias, and obsolescence; Complexity; Subjectivity; Uncertainty; Changes in business environment, operations, and personnel.
    • CON-CX-7.2 Inherent Risk Assessment Form is an excellent way to document your reasoning for IR assessment.

  5. Relevant assertion. A relevant assertion (for IR) has one or more identified risks of material misstatement (an identified RMM).
    • Rarely are all assertions relevant to an account balance, class of transactions, or disclosures. Usually, one or more assertions are relevant (i.e., have an identified RMM), but not all.
      • The IR for assertions that do not have an identified RMM are assessed as NOT RELEVANT when:
        • The risk of misstatement is remote, or
        • The assertion is not applicable due to the nature of the audit area.

          NOTE: See # 12 below for a further description of LOW inherent risk as it relates to the spectrum of IR.

      • The assertions used by PPC are:
        • Existence or occurrence
        • Completeness
        • Rights or obligations
        • Accuracy, classification, or presentation
        • Valuation or allocation
        • Cutoff

  6. Identified risk (a.k.a. identified RMM). If the inherent risk for an assertion is assessed as either MODERATE or HIGH, you must specifically identify the risk (“identified risk”) on Part II of the Risk Assessment Summary Form (or elsewhere in the risk assessment workpapers). If done elsewhere in the workpapers, you must link it to the Risk Assessment Summary Form. This specific identification of the risk is required under the new standard.
    • Scalability. SAS 145 requires auditors to document the identified risk for all relevant assertions. Under PPC methodology, an identified risk can be a LOW, MODERATE, or HIGH RMM. However, relying on the standard’s concept of scalability, we only need to clearly document the identified risks for MODERATE and HIGH risks of material misstatement.

  7. Significant risk. A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. It’s a RMM on steroids.
    • What you are looking to dig out are the significant risks.
    • Significant risks are high-end risks (the upper end of the spectrum of inherent risk) whose related controls must be tested for design and implementation.

  8. Control risk. Remember that we assess all control risks at the assertion level as HIGH unless the IR assertion is NOT RELEVANT. In that case, the CR will also automatically be assessed as NOT RELEVANT.

  9. Combined risk. Since we assess all control risks as HIGH, then, per SAS 145, the combined risk MUST be assessed the same as the inherent risk. For example, if IR is LOW and CR is HIGH, the assessment for the combined risk must be LOW. In that case, by definition, it cannot be MODERATE.

  10. Significant audit area. A significant audit area has nothing to do with materiality, as it did under the prior standard. Under SAS 145, a significant audit area has one or more assertions with an identified risk of a material misstatement (a.k.a. “relevant assertion” – see #5 above).
    • Most audit areas will be marked as significant audit areas since the risk threshold is so low under the new standard. All it takes is one assertion with a LOW risk for which a material misstatement of the financial statements is reasonably possible. (See #11 directly below.)
    • You must apply substantive procedures for each relevant assertion of significant audit areas.
    • If the audit area is a significant audit area, you cannot only apply limited procedures. (Limited procedures are preliminary and final analytical, as well as other risk assessment procedures).
    • Stand-back requirement. Auditors are required, at some point during the audit, to “stand back” and consider whether their original assessment of what is regarded as a significant audit area is still appropriate, or whether additional areas should also be deemed significant. You indicate that you did this by signing off on the appropriate step (generally step 13b) of Checkpoint Engage program AP-10: General Planning Procedures.

  11. Risk of material misstatement. A risk of a material misstatement is a risk that has more than a remote chance (i.e., “reasonably possible” chance) of occurring and, if it does happen, has more than a remote chance of being material.

  12. Low inherent risk vs. Not relevant. An assertion with a LOW inherent RMM is deemed a relevant assertion because, under PPC’s methodology, LOW-risk designation is one in which the risk of a material misstatement of the financial statements is reasonably possible (more than remote) but does not rise to the level of MODERATE or HIGH on the spectrum of inherent risk.

    On the other hand, under PPC’s methodology, if the risk is remote or less, then inherent risk should be marked as NOT RELEVANT instead of LOW.

    • Marking an assertion with a remote risk as NOT RELEVANT is important because PPC will only permit you to perform limited procedures when all assertions are marked as NOT RELEVANT. You cannot perform limited procedures if one or more assertions are marked as LOW, MODERATE, or HIGH inherent risk of material misstatement.

  13. High inherent risk. An assertion assessed as a HIGH inherent risk of material misstatement may or may not be a significant risk of material misstatement.
    • If the risk is on the upper end of the spectrum of inherent risk, it is considered a significant risk of material misstatement, subject to design and implementation testing.
    • PPC only provides three risk categories: LOW, MODERATE, and HIGH. So, an inherent risk can be assessed as a HIGH risk but not be on the upper end of the spectrum of IR and, therefore, not be considered a significant risk under the standard.
    • If you have inherent risks assessed as HIGH but not identified as significant risks, it would be prudent to note in the comment section of the Risk Assessment Summary Form that IR is on the lower end of the high section of the spectrum of IR and, therefore, the risk is HIGH, but is not considered high enough on the spectrum of IR to be a significant risk.

  14. IMPORTANT! Identified controls (previously key controls). Identified controls must be tested for design and implementation. Identified controls are controls that address the following three high-end risk categories:
    • Significant risks. As stated in 3b, 7b, & 13a above, significant risks are inherent risks on the upper end of the spectrum of inherent risks. Therefore, controls over significant risks are identified controls subject to design and implementation testing.
    • Journal entries and adjustments. Controls over journal entries are identified controls and must be tested for design and implementation.
    • Risks from the use of IT. General IT controls that address a significant risk of material misstatement arising from the use of IT are also a type of identified controls subject to design and implementation testing.
      • For all identified controls, AU-C 315.28–.29 requires the auditor to identify related IT applications and other aspects of the IT environment subject to risks related to the use of IT, as well as general IT controls that address such risks.
      • This identification may affect the testing of the design and implementation of the required identified control(s). It may have broader implications on the audit strategy, including the design of further audit procedures. For instance, if information-processing controls depend on general IT controls, and the auditor determines that general IT controls are expected to be ineffective, the related risks arising from the use of IT may need to be addressed through the design of substantive procedures.
      • For example, the company’s use of Excel to calculate POC revenue presents a risk from the use of IT. General IT controls, such as the following, may be subject to design and implementation:
        • Access control – Limit who can change formulas, cell protection, etc.
        • Passwords
        • Data backup and recovery
        • Physical security
        • Segregation of duties
        • IT Governance
        • Vulnerability management
        • Security awareness training
      • Another example may relate to the significant risk of cost shifting by a project manager. In this example, the risk from the use of IT relates to the job cost module and who uses and has IT rights to the module. The possible general IT controls subject to design and implementation testing are:
        • Access control
        • Passwords
        • User authentication
        • Segregation of duties
        • Security awareness training
      • Complete Checkpoint Engage form CON-CX-4.2.2: Internal Control Documentation – IT Environment and General IT Controls.
      • Consider using Part I of Checkpoint Engage form CX-4.2.3: Internal Control Documentation – Evaluation of the Design and Implementation of Identified Controls to document the identified controls subject to design and implementation testing.
        • Parts II & III can also be used to describe the design and implementation, but narratives and walkthroughs are probably the better and more efficient way to do each of those procedures.

  15. COSO internal control components. SAS 145 requires us to gain an understanding of the five components of the company’s system of internal control.
    • “Gain an understanding” means becoming knowledgeably aware of the company’s policies and procedures for each of the five internal control components.
    • The five COSO internal control components are:
      • Control environment (tone at the top)
      • Risk assessment (i.e., the assessment performed by the company)
      • Monitoring
      • Information and communication
      • Activity level controls and information processing
    • However, as described above in #14, certain activity level controls and information processing require more than a mere understanding.
      • For identified controls, the auditor is required to:
        • Evaluate the design of the control,
        • And to determine whether the control has been implemented.
      • IMPORTANT. If identified controls are not properly designed, or controls have not been implemented, or both, then the auditor MUST consider the need to expand substantive testing for the assertions affected.

SAS 145 Audit Risk Assessment

Information Technology

This blog is about a particular topic of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which largely stays hidden in plain sight. That topic is audit risk assessment related to information technology (“IT”). Risks related to IT are often (intentionally) overlooked. It’s problematic because some auditors don’t exactly feel IT-empowered, myself included. And even though IT requirements have been there for some time now, we find that SAS 145 has given it particular emphasis, perhaps to draw our attention to its importance. It will be no surprise if IT risk assessment is a target for peer review engagements in 2024 and several years after.

SAS 145 requires auditors to consider IT controls that address risks of material misstatement at the assertion level. The standard breaks this down to 1) the risk of use of IT and 2) the general IT controls that address those risks.

In the codification of auditing standards, AU-C Glossary – Glossary of Terms defines the two related aspects of IT risk assessment as follows:

  • Risks arising from the use of IT. Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
  • General IT controls. Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.

Risks arising from the use of IT

Some IT systems inherently have more risk than other systems. Canned software for which the company cannot access the source code is inherently less risky than larger, more complex, internally developed systems subject to source code modifications.

Interfacing applications inherently have more risk of material misstatement than packages that integrate the various applications.

A partial list of risks arising from the use of IT are:

  • Miscalculations: Coding errors could cause miscalculations of the financial data.
  • Unauthorized Access: Weak controls related to data entry or bugs in the system could compromise the financial data.
  • Data Loss or Corruption: System crashes, cyberattacks, and other failures could lead to the loss of critical financial data.
  • Failure to Update Software: Old versions of accounting software could lead to a host of risks, such as security and compatibility issues.
  • Limited Data Backup and Recovery: Again, this could lead to the loss of critical financial data.

Electronic Spreadsheet Risk of Use

A particular IT category inherently prone to greater risk of material misstatements is the use of electronic spreadsheets, such as Excel.

Here are two examples of risks arising from the use of IT as it relates to electronic spreadsheets:

  • Example 1: Material Misstatement of Construction Revenue. An Excel spreadsheet is a type of IT tool. Many contractors use it to calculate the percentage-of-completion revenue measurement of individual construction contracts. Such spreadsheets may contain numerous contracts rolled over from period to period. Contract information is often imported from the job activity ledgers, but some companies may manually input the data. The calculations are complex and data intensive.
  • Example 2: Material Misstatement of Accrued Loss on Uncompleted Contracts. Certain contractors also use Excel to pull takeoffs from specs and drawings. The takeoff information is summarized in Excel, and formulas and perhaps pivot tables are used to create a summarized bid for a prospective construction project.

The risks arising from the use of IT associated with Excel in the above two examples are extensive. They include potential design and operation errors, such as incorrect cell formulas, cells not being protected (so that formulas can be accidentally or intentionally deleted), manual input errors, and human misunderstanding of Excel functionality.

For the first example, there is a significant risk of a material misstatement of construction revenue. The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and occurrence.

In the second example, there is a significant risk of material misstatement due to the potential failure to record the total amount of the accrued loss on the contract obtained (because, at inception, the bidding error was not discovered by management). The relevant assertions primarily affected by this significant risk of a material misstatement are accuracy and completeness.

General IT Controls

Here is a list of broad general IT controls (not all-inclusive) that auditors should be aware of:

  • Logical Access Controls: Ensure proper access rights and permissions are assigned to appropriate users based on their roles.
  • Change Management: Ensures that software, hardware, and configuration changes are approved and monitored.
  • Data Backup and Recovery: Regularly back up critical data and test the recovery process.
  • Network Security Management: Implement firewalls, intrusion detection systems, and secure network architecture.
  • User Authentication: Use robust authentication methods (e.g., multi-factor authentication) to verify user identities.
  • Physical Security: Safeguard physical access to servers, data centers, and other IT infrastructure.
  • Security Awareness Training: A formalized program to educate employees about security best practices.

Now, here’s the thing that you do not want to miss. General IT controls that address a significant risk of material misstatement arising from the use of IT are subject to design and implementation testing.

For the sake of bringing it all together, general IT controls that address the risk of the use of IT related to electronic spreadsheets (and are subject to design and implementation testing) are:

  • Logical access controls (restrictions as to who can use the worksheet)
  • Change management (controls over who can change the formulas and other functionality of the spreadsheets)
  • Data backup and recovery (always important to make sure these are in place)

Since the above general IT controls address significant risks of a material misstatement from the use of IT (i.e., electronic spreadsheets) to calculate construction revenue and the accrued losses on uncompleted contracts, the auditor should evaluate the design of those identified controls and determine if such controls have been implemented. This evaluation and determination are customarily done through narratives (perhaps internal control questionnaires) and walkthroughs.

SAS 145 Audit Risk Assessment

Just a Bit More

Well, let’s add a bit more about SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. And let’s do it in a question-and-answer format. This SAS is enormous – it’s over 250 pages long. Those in public accounting must understand its implications since understanding the entity, environment, and financial statement risks is the heart and soul of financial audits. An understanding of the risk of misstatements is what drives the remainder of the audit engagement. So, with that being said, let’s begin.

  1. Is SAS 145 principle-based, and is the methodology neutral?

    Yes. The standard is principle-based and does not prescribe a particular way to accomplish the objectives. Accordingly, much is open to the auditor’s experience and professional judgment.

  2. Are there some specific vital concepts that must be understood to wrap your head around SAS 145?

    Yes. Here are the ones that you must understand. Some are familiar concepts from the previous standard, and some are new.

    Assertions – These are representations made by the entity’s management (explicit or otherwise) about amounts and disclosures in their financial statements.

    Inherent Risk – SAS 145 states that inherent risk is the susceptibility of an assertion to a material misstatement. Inherent risk is determined before consideration of the entity’s control risk. The standard lists some inherent risk factors to be considered.

    Control Risk – The risk that a potential misstatement in an assertion won’t be timely prevented or detected and corrected by the internal control system.

    Relevant Assertion – An assertion with an identified risk of material misstatement (also known as a RMM).

    Risk of a Material Misstatement – A RMM exists when there is a reasonable possibility of a material misstatement occurring. A RMM combines a reasonable possibility of occurrence and a reasonable possibility that if a misstatement occurs, it will be material. Said another way, a RMM means it’s reasonably possible that a misstatement can happen, and if it does, it’s reasonably possible it will be material.

    Significant Class of Transactions, Account Balance, or Disclosure – It’s an audit area with at least one relevant assertion and, therefore, a significant audit area.

    Identified Risk – An identified risk is another name for a RMM – except the risk of a misstatement has been specifically identified. It’s a known RMM.

    Spectrum of Inherent Risk – The spectrum of inherent risk is the extent to which inherent risk varies – i.e., inherently from low to high risk.

    Significant Risk – A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. In other words, it is a RMM on steroids.

    Identified Controls – Identified controls are controls for which SAS 145 requires the auditor to evaluate the design and determine the implementation using procedures beyond inquiry.

  3. As a result of risk assessment, should every audit program be tailored to address the identified risks?

    Yes. The primary purpose of risk assessment is to design procedures to address the risk identified. An unmodified one-size-fits-all audit program is suspect. It gives the impression that little thought was given to the linkage of identified risks to procedures that address those risks. Accordingly, unmodified programs may be a peer review finding.

  4. Are all material accounts considered a RMM?

    No. A risk of material misstatement exists when:

    • There is a reasonable possibility of a misstatement occurring, and
    • There is a reasonable possibility it would be material if it did occur.

    In other words, RMM equals Occurrence + Magnitude. Therefore, an account can be material but not have a RMM when there is no reasonable possibility of a misstatement, or if there is a reasonable possibility of a misstatement, there is no reasonable possibility it would be material.

  5. What does reasonable possibility mean?

    Reasonable possibility means there is more than a remote chance of happening. It is based on inherent risk only, without regard to internal controls. Inherent risk is king.

  6. How does “reasonable possibility” align within GAAP’s risk progression?

    Reasonable possibility is a low threshold. It progresses as follows:

    Remote -> Reasonable possibility -> More likely than not -> Probable -> Reasonably certain.

    Therefore, the risk of a material misstatement is only slightly more than a remote risk. It’s a low threshold.

  7. So, inherent risk is king? What are some of the inherent risk factors to be considered?

    • Size, volume, and composition of items
    • Susceptibility to theft or fraud
    • Complexity
    • Subjectivity
    • Uncertainty
    • Changes in business environment, operations, and personnel.

  8. Why are relevant assertions important?

    Remember, a relevant assertion has a RMM attached to it. A significant audit area has at least one relevant assertion and, therefore, at least one risk of a material misstatement. Why is this important? Because substantive procedures must be applied to this area. Limited procedures are insufficient.

  9. Must you assess inherent risk and control risk for each account and each assertion?

    No. However, you must assess inherent risk and control risk for each identified RMM at the assertion level.

  10. If, as a matter of policy, an auditor assesses all control risks at maximum risk under SAS 145, must the combined RMM have the same assessment as the inherent risk assessment?

    Yes. It’s the math. If control risk is assessed at 100%, and inherent risk is assessed at 50%, then the combined risk, mathematically, must equal 50%. (1.0 x .5 = .5 or 50%.)
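The rules stated in items 8 through 12 of “All Together Now” and in Q10 above (CR assessed HIGH unless IR is NOT RELEVANT; combined RMM equals IR when CR is at maximum; LOW is still a relevant assertion; an area with any relevant assertion is significant and cannot get limited procedures) form a small decision procedure. The following Python model is an added illustration written for this page, not a tool from PPC, Checkpoint Engage, or the AICPA; the area names, assertion ratings, and the 50%/100% figures in it are constructed sample inputs, and the handling of assertions left unrated (treated as NOT RELEVANT) is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum


class Risk(str, Enum):
    NOT_RELEVANT = "NOT RELEVANT"
    LOW = "LOW"
    MODERATE = "MODERATE"
    HIGH = "HIGH"


# The six PPC assertions listed in item 5 of the post.
ASSERTIONS = (
    "Existence or occurrence",
    "Completeness",
    "Rights or obligations",
    "Accuracy, classification, or presentation",
    "Valuation or allocation",
    "Cutoff",
)


def control_risk(inherent: Risk) -> Risk:
    """Item 8: CR is HIGH unless IR is NOT RELEVANT, in which case CR is NOT RELEVANT too."""
    return Risk.NOT_RELEVANT if inherent is Risk.NOT_RELEVANT else Risk.HIGH


def combined_risk(inherent: Risk, control: Risk) -> Risk:
    """Item 9 / Q10: with CR at maximum (HIGH), the combined RMM must equal IR."""
    if control is Risk.NOT_RELEVANT:
        return Risk.NOT_RELEVANT
    if control is Risk.HIGH:
        return inherent
    # A CR below HIGH would imply tests of operating effectiveness, which this model does not cover.
    raise ValueError("CR below HIGH is outside the firm policy modelled here")


def combined_risk_numeric(inherent_pct: float, control_pct: float = 1.0) -> float:
    """Q10 arithmetic: combined = IR x CR; with CR at 100% the product is simply IR."""
    return inherent_pct * control_pct


def is_relevant(inherent: Risk) -> bool:
    """Item 12: LOW is a relevant assertion; only NOT RELEVANT drops out."""
    return inherent is not Risk.NOT_RELEVANT


def needs_identified_risk_writeup(inherent: Risk) -> bool:
    """Item 6 (scalability): identified risks are written up on Part II for MODERATE and HIGH IR."""
    return inherent in (Risk.MODERATE, Risk.HIGH)


@dataclass
class AuditArea:
    name: str
    inherent: dict  # assertion name -> Risk

    def __post_init__(self):
        # Assumption of this example: an unrated assertion is treated as NOT RELEVANT.
        for assertion in ASSERTIONS:
            self.inherent.setdefault(assertion, Risk.NOT_RELEVANT)

    def relevant_assertions(self) -> list:
        return [a for a in ASSERTIONS if is_relevant(self.inherent[a])]

    def is_significant(self) -> bool:
        """Item 10: one or more relevant assertions makes the area a significant audit area."""
        return bool(self.relevant_assertions())

    def limited_procedures_permitted(self) -> bool:
        """Item 12 bullet: limited procedures only when every assertion is NOT RELEVANT."""
        return not self.is_significant()

    def summary(self) -> dict:
        """Per-assertion (IR, CR, combined) triple, as it would read on the summary form."""
        rows = {}
        for a in ASSERTIONS:
            ir = self.inherent[a]
            cr = control_risk(ir)
            rows[a] = (ir.value, cr.value, combined_risk(ir, cr).value)
        return rows


# Constructed sample areas (not from any real engagement).
CASH = AuditArea("Cash", {
    "Existence or occurrence": Risk.LOW,          # LOW, so still relevant and the area is significant
    "Valuation or allocation": Risk.NOT_RELEVANT, # item 4: valuation does not apply to cash
})
POC_REVENUE = AuditArea("Construction revenue (POC)", {
    "Existence or occurrence": Risk.HIGH,
    "Accuracy, classification, or presentation": Risk.HIGH,
})
PREPAIDS = AuditArea("Prepaid expenses", {})  # every assertion NOT RELEVANT


if __name__ == "__main__":
    for area in (CASH, POC_REVENUE, PREPAIDS):
        print(area.name, "significant:", area.is_significant(),
              "limited procedures OK:", area.limited_procedures_permitted())
        for assertion, triple in area.summary().items():
            print("   ", assertion, triple)
```

The point the model makes concrete is the one item 12 stresses: a single LOW assertion (cash existence above) is enough to make the area significant and rule out limited-procedures-only treatment, whereas an area rated NOT RELEVANT on every assertion (prepaids above) is the only case where limited procedures are permitted.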

  11. What is so significant about a significant risk?

    Remember, a significant risk is a risk on steroids. It is located at the upper end of the spectrum of inherent risk. Therefore, the auditor must:

    • Evaluate the design of the control (often done with narratives) and
    • Determine if the control has been implemented (often done by walk-throughs).

Audit Risk Assessment Scalability

Where Less Can Be Better

We first addressed SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement in our November 2021 blog. Two years later, the requirements are bearing down on us. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. In other words, (for most of us) starting with our calendar year 2023 audits.

Audit risk assessment has long been a bane to the small practitioner, especially those whose practice consists primarily of perhaps smaller, less complicated audits. Some practitioners expressed concern that the standard contained concepts challenging to grasp and apply. Some felt that the cost of complying with the standard far outweighed the benefits. Others saw a formal risk assessment as beneficial to more complicated audits but only busywork for the less complex audits where risks were apparent going in. These negative views toward a standard-based risk assessment led to bastardizations of the process, such as:

  • The assigning of the risk assessment to newly minted staff accountants who had limited (or no) knowledge of the industry, the client, and risk assessment in general,
  • Doing the audit in reverse by diving head-first into substantive testing. Only at the tail-end of the audit would attention be given to a form-driven risk assessment limited by the diminishing remaining time allocated to fieldwork,
  • Performing the risk assessment without modifying the standardized audit program to address the significant risk identified. In other words, just going through the motions,
  • Rolling forward the prior year’s risk assessment with limited client inquiries, insufficient professional skepticism, and substandard documentation.

What Has SAS 145 Done For Us?

No Exemptions for Less Complex Audits. The standard does not exempt less complex audits from the risk assessment standard. To do so would be degrading to professional audits under generally accepted auditing standards. Risk must always be identified and addressed for an audit to be efficient and meaningful. However, it does incorporate scalability options into the standard.

Scalability – One Size Does Not Fit All. The standard provides guidance on the concept of scalability. It clarifies that the application of the standard can be designed to fit less complicated companies. In other words, auditor judgment should be used to match the standard’s requirements to the company’s complexity. The work can be scaled down and simplified to fit less complex entities. One size does not fit all. Accordingly, scalability, when properly understood, addresses in large part the concerns expressed by auditors of less complicated entities.

Additionally, scalability is described in great detail in the AICPA’s Audit and Accounting Guide Risk Assessment in a Financial Statement Audit, updated to January 2023, to conform to SAS 145. It has numerous examples (“Scalability Scenario”) that explore the risk assessment requirements of SAS 145 to fit a less complex audit. It compares this to what would be done on a more complex audit. It is suggested that observation and inspection may often be used to obtain audit evidence to conform to the standard’s requirements for less complicated audits.

So, there is hope. The audit risk assessment is critical, but it is not intended to eat our lunch.

It is important to remember that size alone does not equal complexity. A company can be huge, yet due to the nature of its industry and limited use of advanced technology, not be considered complex. Therefore, audit risk assessment procedures can be scaled down. On the other hand, a small company in specific industries can be very complex. It may have several revenue streams and rely heavily on complex information technology. Accordingly, the risk assessment approach would be more demanding.

Getting Things in the Right Order

Understanding the reasons and necessity for a robust audit risk assessment (scalable when appropriate) places the audit procedures in the proper order. And here they are:

  1. Plan the audit. Planning includes several procedures, including preliminary analytics, brainstorming, establishing planning materiality, and risk assessment procedures.
  2. Tailor the audit program to address the identified risks.
  3. Perform substantive procedures to obtain audit evidence that reduces those risks to an acceptable level.
  4. Issue an appropriate report consistent with the audit evidence obtained.

Some Other New Requirements

SAS 145, in addition to new guidance on scalability, also provides the following new requirements:

  • Separately assess inherent risk and control risk for each relevant assertion
  • A requirement to assess control risk at maximum if controls are not to be tested for operating effectiveness
  • A requirement that if the control risk (CR) is set at the maximum level (high), then the risk assessment for risk of a material misstatement (RMM) must be the same as the risk assessment for inherent risk (IR).

    For example, if control risk is assessed as “high” and inherent risk is assessed as “low,” then the RMM must also be assessed as “low” – the same as inherent risk.

  • A “stand-back” requirement
  • A revised definition of significant risk and how to identify and assess such risks.
  • A requirement to evaluate the design and implementation of general IT controls.

Peer Review Focus

Undoubtedly, risk assessment will continue to be a peer review focus in 2024 and beyond. Risk assessment has been a challenging audit area and a continuing focus of the AICPA initiative to improve audit quality.

SAS 145 – New Risk Assessment Standards

More Clarifications

In October 2021, the AICPA issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. Early implementation is permitted. SAS 145, which supersedes SAS 122, section 315 of the same title, and amends various other sections in AICPA Professional Standards, enhances or clarifies specific areas of an auditor’s risk assessment while providing new performance requirements and new terminology in other areas.

Minefield. For several years now, the subject of the auditor's risk assessment has been a sore spot between the AICPA and many practitioners with a less complicated, non-public client base. Even though the original suite of risk assessment standards (SAS Nos. 104-111) was issued 15 years ago, peer reviewers continue to find deficiencies in risk assessments to be a (perhaps the) leading reason for audit deficiencies.

In my opinion, much of the push-back from practitioners auditing smaller, less complex companies can be traced to a belief that the risk assessment standards are primarily applicable to CPAs who audit complex companies of enormous size. Furthermore, some CPAs believe that, while a structured risk assessment approach may be necessary to identify risks and develop an audit approach for a company with billions of dollars in revenue, it is time-consuming overkill for many smaller, less complex, non-public companies. CPAs who follow this line of thought suggest that the risks for less complex companies are apparent and the audit responses are obvious. Accordingly, they see little need for a formal, structured risk assessment.

While the AICPA’s Auditing Standards Board (“ASB”) has not turned a deaf ear to the concerns noted above, it has not accepted the premise that a standard-based documented risk assessment is unnecessary for less complex companies. Instead, it views risk assessment as the foundational stone of every audit. Accordingly, SAS 145 applies to audits of all non-public companies, regardless of size or complexity. However, the ASB does address “scalability” in SAS 145. This concept of scalability, based on the complexity of the company, is described below.

Purpose of SAS 145. In short, the primary purpose of SAS 145 is to improve audit quality in a critical audit area where a disturbing number of audit deficiencies are found. As stated in the AICPA's SAS No. 145 At a Glance summary:

“SAS No. 145 does not fundamentally change the key concepts underpinning audit risk. Rather, it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”

What are the Key Changes? Ok. If it doesn’t “fundamentally change the key concepts underpinning audit risk,” then what does it change? Below are a few of the significant changes made to the prior risk assessment standards. We will describe other changes and nuances of SAS 145 in a later blog.

  1. Assessment of inherent risk and control risk. There is a new requirement to assess inherent risk and control risk separately. While this requirement was not explicitly stated in the prior standards, it’s something that many practitioners did anyway. This was driven, in part, by third-party vendors of auditing software tools who took the approach of a separate assessment of inherent and control risks. Nevertheless, the requirement to make separate assessments of inherent and control risk is now baked into the auditing standards via SAS 145.

  2. Assessing Control Risk at Maximum. If the auditor does not plan to test controls for operating effectiveness, SAS 145 requires that control risk (“CR”) be assessed at maximum risk. In that situation, the new standard requires that the assessment of the risk of material misstatement (“RMM”) be the same as the assessment of inherent risk (“IR”). In other words, if CR equals maximum risk because controls were not tested, then RMM must equal IR.

  3. Revised definition of significant risk. SAS 145 defines a significant risk as an identified risk of material misstatement that either:
    • Has an assessment of inherent risk close to the upper end of the spectrum of inherent risk, based on the combination of the likelihood and the magnitude of a potential misstatement, or
    • Is to be treated as a significant risk in accordance with the requirements of other AU-C sections.

  4. IT Controls. A greater emphasis will be placed on the evaluation of the design and implementation of general IT controls. Auditors cannot continue to audit around IT controls.

  5. Stand-Back Requirement. SAS 145 incorporates a new so-called “stand-back” requirement. Auditors are now required to pause and evaluate the completeness of their identification of significant classes of transactions, account balances, and disclosures.

  6. Scalability. Under SAS 145, the concept of scalability recognizes “that some aspects of the entity’s system of internal control may be less formalized but still present and functioning, considering the nature and complexity of the entity.” Therefore, “…the auditor may still be able to perform risk assessment procedures through a combination of inquiries and other risk assessment procedures.” Those procedures may include observations or inspection of documents.

  7. Relevant Assertion. Under the new definition, an assertion is relevant if it has an identified risk of material misstatement. (Previously, a relevant assertion was one with a reasonable possibility of containing a misstatement that would cause the financial statements to be materially misstated.) A risk of material misstatement exists when there is a reasonable possibility that a misstatement will occur and, if it did, that it would be material.

  8. Significant Class of Transactions, Balance, or Disclosure. A significant class of transactions, account balance or disclosure is one for which there are one or more relevant assertions (see item 7 directly above).

SAS 145 is effective beginning with audits of calendar-year 2023 financial statements (periods ending on or after December 15, 2023). You can look forward to much discussion and many CPE courses regarding this important SAS between now and then.
