If you're an audit professional, you know that SAS 145 is here — and it's effective for audits of financial statements for periods ending on or after December 15, 2023.
What does SAS 145 address?
At a high level, SAS 145 addresses a company’s system of internal control and information technology. It also revises the definition of significant risk so that auditors will be focused on where the risks lie on a spectrum of inherent risk. This new standard supersedes the existing guidance in AU-C 315A and amends other sections related to risk assessment and assessing control risk.
While SAS 145 does not fundamentally change the key concepts underpinning audit risk, it does clarify and enhance certain aspects of the identification and assessment of the risks of material misstatement to address gaps and improve overall audit quality. As auditors, it’s important to understand how to effectively apply SAS 145 to ensure compliance and enhance the overall audit process.
9 steps to apply SAS 145
So now that SAS 145 is here, what steps should auditors take? Let’s take a look.
1. Focus on the risk itself.
SAS 145 revises the definition of significant risk to focus primarily on the risk itself rather than the auditor’s response to the risk. This change aims to promote a more consistent and objective approach to assessing risks. Auditors are still required to respond to significant risk appropriately and apply the requirements of the standards, such as communicating the risk to those charged with governance and testing design and implementation of related internal controls.
2. Emphasize the inherent risk assessment.
SAS 145 places increased emphasis on the inherent risk assessment and introduces a spectrum of inherent risk. When control risk is assessed at the maximum level because the auditor does not plan to test the operating effectiveness of controls, assess the combined risk of material misstatement at the same level as the inherent risk assessment.
3. Enhance audit documentation.
Among the new provisions in SAS 145 is the revision of the audit documentation requirements. Look for opportunities to drive enhanced efficiencies with regard to documentation around design and implementation of your internal controls.
4. Maintain professional skepticism.
Emphasize to your audit team the need to maintain professional skepticism when performing risk assessment procedures and evaluating the results. SAS 145 highlights the importance of maintaining professional skepticism and issues new and enhanced guidance.
5. Stop and reflect.
SAS No. 145 includes a new “stand-back” requirement intended to drive an evaluation of the completeness of the auditor’s identification of significant classes of transactions, account balances, and disclosures. In practice, auditors must stop and reflect on whether that identification is complete.
6. Consider a “top-down” approach.
In light of the new “stand-back” requirement, consider adopting a top-down approach when determining significant classes of transactions, account balances, and disclosures. Firms may find that such an approach can help drive more efficient and effective audits.
7. Enhance communication.
SAS 145 emphasizes the importance of effective communication between the auditor and those charged with governance regarding identified risks of material misstatement due to noncompliance. Auditors should ensure that all relevant parties are adequately informed and aware of the implications of noncompliance risks. On continuing engagements, you will need to reconsider prior year risk assessments in light of new and revised requirements.
8. Complex audits drive scalability.
Under SAS 145, the complexity of an entity’s activities is the primary driver of scalability. Although the size of an entity may be an indicator of its complexity, some smaller entities may be complex, and some larger entities may be less complex. The bottom line: effective risk assessment is achievable even in less complex entities that have informal controls.
9. Evaluate the risks of IT controls.
SAS 145 acknowledges the use of IT by both auditors and clients and expressly defines the risks arising from the use of IT. This means that auditors need to think of IT use in terms of assertions and must evaluate the complexity of a system, even off-the-shelf software packages, and all that is included.
Managing SAS 145 compliance
Remember: SAS No. 145 does not fundamentally change the key concepts underpinning audit risk. Instead, it clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, ultimately, enhance audit quality. And therein lies an opportunity for your audit firm.
By familiarizing yourself with SAS 145 and taking the steps necessary to update your audit processes, you can effectively comply with the standard, conduct thorough and comprehensive audits, and proactively address the risks associated with noncompliance. And perhaps SAS 145 could be an opportunity to better serve your clients and enhance your overall audit productivity and efficiency.
To ensure that your firm is fully prepared to manage the impact of SAS 145, check out our webinar offering guidance on SAS No. 145.
For more information and best practices, visit our SAS 145 Hub.