SAS 145 Audit Risk Assessment

Just a Bit More

Well, let’s add a bit more about SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. And let’s do it in a question-and-answer format. This SAS is enormous – it’s over 250 pages long. Those in public accounting must understand its implications since understanding the entity, environment, and financial statement risks is the heart and soul of financial audits. An understanding of the risk of misstatements is what drives the remainder of the audit engagement. So, with that being said, let’s begin.

  1. Is SAS 145 principle-based, and is the methodology neutral?

    Yes. The standard is principle-based and does not prescribe a particular way to accomplish the objectives. Accordingly, much is open to the auditor’s experience and professional judgment.

  2. Are there some specific vital concepts that must be understood to wrap your head around SAS 145?

    Yes. Here are the ones that you must understand. Some are familiar concepts from the previous standard, and some are new.

    Assertions – These are representations made by the entity’s management (explicit or otherwise) about amounts and disclosures in their financial statements.

    Inherent Risk – SAS 145 states that inherent risk is the susceptibility of an assertion to a material misstatement. Inherent risk is determined before consideration of the entity’s control risk. The standard lists some inherent risk factors to be considered.

    Control Risk – The risk that a potential misstatement in an assertion won’t be timely prevented, or detected and corrected, by the internal control system.

    Relevant Assertion – An assertion with an identified risk of material misstatement (also known as a RMM).

    Risk of a Material Misstatement – A RMM exists when there is a reasonable possibility of a material misstatement occurring. A RMM combines a reasonable possibility of occurrence and a reasonable possibility that if a misstatement occurs, it will be material. Said another way, a RMM means it’s reasonably possible that a misstatement can happen, and if it does, it’s reasonably possible it will be material.

    Significant Class of Transactions, Account Balance, or Disclosure – It’s an audit area with at least one relevant assertion and, therefore, a significant audit area.

    Identified Risk – An identified risk is another name for a RMM, except that the risk of a misstatement has been specifically identified. It’s a known RMM.

    Spectrum of Inherent Risk – The spectrum of inherent risk is the extent to which inherent risk varies, i.e., from low to high inherent risk.

    Significant Risk – A significant risk is an identified risk of material misstatement at the higher end of the spectrum of inherent risk. In other words, it is a RMM on steroids.

    Identified Controls – Identified controls are controls for which SAS 145 requires the auditor to evaluate the design and determine the implementation using procedures beyond inquiry.

  3. As a result of risk assessment, should every audit program be tailored to address the identified risks?

    Yes. The primary purpose of risk assessment is to design procedures to address the risk identified. An unmodified one-size-fits-all audit program is suspect. It gives the impression that little thought was given to the linkage of identified risks to procedures that address those risks. Accordingly, unmodified programs may be a peer review finding.

  4. Are all material accounts considered a RMM?

    No. A risk of material misstatement exists when:

    • There is a reasonable possibility of a misstatement occurring, and
    • There is a reasonable possibility it would be material if it did occur.

    In other words, RMM equals Occurrence + Magnitude. Therefore, an account can be material but not have a RMM when there is no reasonable possibility of a misstatement, or if there is a reasonable possibility of a misstatement, there is no reasonable possibility it would be material.

  5. What does reasonable possibility mean?

    Reasonable possibility means there is more than a remote chance of happening. It is based on inherent risk only, without regard to internal controls. Inherent risk is king.

  6. How does “reasonable possibility” align within GAAP’s risk progression?

    Reasonable possibility is a low threshold. It progresses as follows:

    Remote -> Reasonable possibility -> More Likely Than Not -> Probable -> Reasonably certain.

    Therefore, the risk of a material misstatement is only slightly more than a remote risk. It’s a low threshold.

  7. So, inherent risk is king? What are some of the inherent risk factors to be considered?

    • Size, volume, and composition of items
    • Susceptibility to theft or fraud
    • Complexity
    • Subjectivity
    • Uncertainty
    • Changes in business environment, operations, and personnel.

  8. Why are relevant assertions important?

    Remember, a relevant assertion has a RMM attached to it. A significant audit area has at least one relevant assertion and, therefore, at least one risk of a material misstatement. Why is this important? Because substantive procedures must be applied to this area. Limited procedures are insufficient.

  9. Must you assess inherent risk and control risk for each account and each assertion?

    No. However, you must assess inherent risk and control risk for each identified RMM at the assertion level.

  10. If, as a matter of policy, an auditor assesses all control risks at maximum risk under SAS 145, must the combined RMM have the same assessment as the inherent risk assessment?

    Yes. It’s the math. If control risk is assessed at 100%, and inherent risk is assessed at 50%, then the combined risk, mathematically, must equal 50% (1.0 × 0.5 = 0.5, or 50%).

  11. What is so significant about a significant risk?

    Remember, a significant risk is a risk on steroids. It is located at the upper end of the spectrum of inherent risk. Therefore, the auditor must:

    • Evaluate the design of the control (often done with narratives), and
    • Determine if the control has been implemented (often done by walk-throughs).

Audit Risk Assessment Scalability

Where Less Can Be Better

We first addressed SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, in our November 2021 blog. Two years later, the requirements are bearing down on us. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. In other words (for most of us), starting with our calendar year 2023 audits.

Audit risk assessment has long been a bane to the small practitioner, especially those whose practice consists primarily of smaller, less complicated audits. Some practitioners expressed concern that the standard contained concepts challenging to grasp and apply. Some felt that the cost of complying with the standard far outweighed the benefits. Others saw a formal risk assessment as beneficial to more complicated audits but only busywork for the less complex audits where risks were apparent going in. These negative views toward a standard-based risk assessment led to bastardizations of the process, such as:

  • The assigning of the risk assessment to newly minted staff accountants who had limited (or no) knowledge of the industry, the client, and risk assessment in general,
  • Doing the audit in reverse by diving head-first into substantive testing. Only at the tail-end of the audit would attention be given to a form-driven risk assessment limited by the diminishing remaining time allocated to fieldwork,
  • Performing the risk assessment without modifying the standardized audit program to address the significant risk identified. In other words, just going through the motions,
  • Rolling forward the prior year’s risk assessment with limited client inquiries, insufficient professional skepticism, and substandard documentation.

What Has SAS 145 Done For Us?

No Exemptions for Less Complex Audits. The standard does not exempt less complex audits from the risk assessment standard. To do so would be degrading to professional audits under generally accepted auditing standards. Risk must always be identified and addressed for an audit to be efficient and meaningful. However, it does incorporate scalability options into the standard.

Scalability – One Size Does Not Fit All. The standard provides guidance on the concept of scalability. It clarifies that the application of the standard can be designed to fit less complicated companies. In other words, auditor judgment should be used to match the standard’s requirements to the company’s complexity. The work can be scaled down and simplified to fit less complex entities. One size does not fit all. Accordingly, scalability, when properly understood, in large part addresses the concerns expressed by auditors of less complicated entities.

Additionally, scalability is described in great detail in the AICPA’s Audit and Accounting Guide, Risk Assessment in a Financial Statement Audit, updated as of January 2023 to conform to SAS 145. It has numerous examples (each a “Scalability Scenario”) that explore how the risk assessment requirements of SAS 145 fit a less complex audit, and it compares this to what would be done on a more complex audit. It suggests that observation and inspection may often be used to obtain audit evidence that conforms to the standard’s requirements for less complicated audits.

So, there is hope. The audit risk assessment is critical, but it is not intended to eat our lunch.

It is important to remember that size alone does not equal complexity. A company can be huge, yet due to the nature of its industry and limited use of advanced technology, not be considered complex. Therefore, audit risk assessment procedures can be scaled down. On the other hand, a small company in specific industries can be very complex. It may have several revenue streams and rely heavily on complex information technology. Accordingly, the risk assessment approach would be more demanding.

Getting Things in the Right Order

Understanding the reasons and necessity for a robust audit risk assessment (scalable when appropriate) places the audit procedures in the proper order. And here they are:

  1. Plan the audit. Planning includes several procedures, including preliminary analytics, brainstorming, establishing planning materiality, and risk assessment procedures.
  2. Tailor the audit program to address the identified risks.
  3. Perform substantive procedures to obtain audit evidence that reduces those risks to an acceptable level.
  4. Issue an appropriate report consistent with the audit evidence obtained.

Some Other New Requirements

SAS 145, in addition to new guidance on scalability, also provides the following new requirements:

  • Separately assess inherent risk and control risk for each relevant assertion
  • A requirement to assess control risk at maximum if controls are not to be tested for operating effectiveness
  • A requirement that if the control risk (CR) is set at the maximum level (high), then the risk assessment for the risk of a material misstatement (RMM) must be the same as the risk assessment for inherent risk (IR).

    For example, if control risk is assessed as “high” and inherent risk is assessed as “low,” then the RMM must also be assessed as “low” – the same as inherent risk.

  • A “stand-back” requirement
  • A revised definition of significant risk and how to identify and assess such risks.
  • A requirement to evaluate the design and implementation of general IT controls.

Peer Review Focus

Undoubtedly, risk assessment will continue to be a peer review focus in 2024 and beyond. Risk assessment has been a challenging audit area and a continuing focus of the AICPA initiative to improve audit quality.

SAS 145 – New Risk Assessment Standards

More Clarifications

In October 2021, the AICPA issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. Early implementation is permitted. SAS 145, which supersedes SAS 122, section 315 of the same title, and amends various other sections in AICPA Professional Standards, enhances or clarifies specific areas of an auditor’s risk assessment while providing new performance requirements and new terminology in other areas.

Minefield. For several years now, the subject of the auditor’s risk assessment has been a sore spot between the AICPA and many practitioners with a less complicated, non-public client base. Even though the original suite of risk assessment standards (SAS Nos. 104-111) was issued 15 years ago, peer reviewers continue to find deficiencies in risk assessments as a (perhaps the) leading reason for audit deficiencies.

In my opinion, much of the push-back from practitioners of smaller, less complex companies is traced to a belief that the risk assessment standards are primarily applicable to CPAs who audit complex companies of enormous size. Furthermore, some CPAs believe, while a structured risk assessment approach may be necessary to identify risks and develop an audit approach for a company with billions of dollars in revenue, it’s a time-consuming overkill for many smaller, less complex, non-public companies. CPAs who follow this line of thought suggest that the risks for less complex companies are apparent, and the audit responses are obvious. Accordingly, there is little need for a formal structured risk assessment.

While the AICPA’s Auditing Standards Board (“ASB”) has not turned a deaf ear to the concerns noted above, it has not accepted the premise that a standard-based documented risk assessment is unnecessary for less complex companies. Instead, it views risk assessment as the foundational stone of every audit. Accordingly, SAS 145 applies to audits of all non-public companies, regardless of size or complexity. However, the ASB does address “scalability” in SAS 145. This concept of scalability, based on the complexity of the company, is described below.

Purpose of SAS 145. In short, the primary purpose of SAS 145 is to improve audit quality in a critical audit area where a disturbing number of audit deficiencies are found. As stated in the AICPA’s SAS No. 145 At a Glance:

“SAS No. 145 does not fundamentally change the key concepts underpinning audit risk. Rather, it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”

What are the Key Changes? Ok. If it doesn’t “fundamentally change the key concepts underpinning audit risk,” then what does it change? Below are a few of the significant changes made to the prior risk assessment standards. We will describe other changes and nuances of SAS 145 in a later blog.

  1. Assessment of inherent risk and control risk. There is a new requirement to assess inherent risk and control risk separately. While this requirement was not explicitly stated in the prior standards, it’s something that many practitioners did anyway. This was driven, in part, by third-party vendors of auditing software tools who took the approach of a separate assessment of inherent and control risks. Nevertheless, the requirement to make separate assessments of inherent and control risk is now baked into the auditing standards via SAS 145.

  2. Assessing Control Risk at Maximum. If the auditor does not plan to test controls for operating effectiveness, SAS 145 requires that control risk (“CR”) be assessed at maximum risk. In that situation, the new standard requires that the assessment of the risk of material misstatement (“RMM”) be the same as the assessment of inherent risk (“IR”). In other words, if CR equals maximum risk because controls were not tested, then RMM must equal IR.

  3. Revised definition of significant risk. SAS 145 defines a significant risk as an identified risk of a material misstatement:
    • For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk, based on the combination of the likelihood and the magnitude of a potential misstatement, or
    • That is to be treated as a significant risk in accordance with other AU-C sections.

  4. IT Controls. A greater emphasis will be placed on the evaluation of the design and implementation of general IT controls. Auditors cannot continue to audit around IT controls.

  5. Stand-Back Requirement. SAS 145 incorporates a new so-called “stand-back” requirement. Auditors are now required to pause and evaluate the completeness of their identification of significant classes of transactions, account balances, and disclosures.

  6. Scalability. Under SAS 145, the concept of scalability recognizes “that some aspects of the entity’s system of internal control may be less formalized but still present and functioning, considering the nature and complexity of the entity.” Therefore, “…the auditor may still be able to perform risk assessment procedures through a combination of inquiries and other risk assessment procedures.” Those procedures may include observations or inspection of documents.

  7. Relevant Assertion. Under the new definition of relevant assertion, an assertion is relevant if it has an identified risk of a material misstatement. (Previously, the risk was described as a reasonable risk.) A risk of a material misstatement exists when there is a reasonable possibility that a misstatement will occur and be material.

  8. Significant Class of Transactions, Balance, or Disclosure. A significant class of transactions, account balance, or disclosure is one for which there are one or more relevant assertions (see item 7 directly above).

SAS 145 is effective beginning with audits of the calendar year 2023 financial statements. You can look forward to much discussion and CPE courses regarding this important SAS between now and then.
