At the core of every audit is the identification and assessment of risks of material misstatement, which is critical given the potential impact on a company’s financial position.
The significance is not taken lightly among auditors, who understand the importance of their role in providing reasonable assurance about whether a company’s financial statements are free of material misstatement. Despite this, 25 percent of recent peer review comments have been related to failure to understand and/or document risk of material misstatement.
In an effort to address gaps in risk assessments and improve overall audit quality, the AICPA Auditing Standards Board (ASB) issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which becomes effective for audits of financial statements for periods ending on or after Dec. 15, 2023.
SAS 145 supersedes the existing guidance in AU-C 315A and amends other sections related to risk assessment and assessing control risk.
While SAS 145 “does not fundamentally change the key concepts underpinning audit risk,” as explained in the Executive Summary accompanying the new standards (the Executive Summary), it does enhance and clarify aspects of the identification and assessment of the risks of material misstatement.
Among the changes, which we will discuss in more detail, the new guidance addresses a company’s system of internal control and information technology. It also revises the definition of significant risk so that auditors will be focused on where the risks lie on a spectrum of inherent risk.
It is essential that auditors are aware of the upcoming changes and how to apply SAS 145 to ensure compliance and further improve overall audit quality. This blog series will explore some of the notable changes within SAS 145 and will discuss how firms can manage the change. Let’s begin with a closer look at some of the changes within SAS 145.
New definition of significant risk
Auditors have, historically, thought of significant risk as one that required special audit consideration. In other words, their response to a risk determined whether it was significant. The problem was a lack of consistency.
In an effort to promote a more consistent approach, the new standard revises the definition of significant risk to now focus on the risk itself. As explained in the Executive Summary, “The definition in SAS No. 145 focuses on those risks for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.” The previous definition of significant risk focused on the response to the risk, rather than the risk itself.
This does not mean that a significant risk no longer requires special consideration — it does. Auditors are still required to respond to significant risk appropriately and apply the requirements of the standards, such as communicating the risk to those charged with governance and testing design and implementation of related internal controls.
The new definition of significant risk is essentially a “change in mindset,” noted Alison Parker, Executive Editor of PPC products for the Tax and Accounting business of Thomson Reuters, in a recent webcast on guidance for SAS 145.
“Your significant risks, which include your fraud risks, should always have a high inherent risk. Under the new definition, that would be the default,” Parker said.
Inherent risk and spectrum of inherent risk
Auditors have, too often, based their inherent risk assessment on incorrect conclusions. Inherent risk directly affects the scope of the audit and getting inherent risk wrong is going to result in either over-auditing or deficiencies.
Therefore, it is important to consider inherent risk on its own when making the determination that an assertion is susceptible to a misstatement that could be material.
SAS 145 defines inherent risk as: “Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls.”
When considering the inherent risk of an assertion, it is important to use the following factors to determine the likelihood of misstatement:
- Complexity
- Subjectivity
- Change
- Uncertainty
- Susceptibility to misstatement due to management bias or other fraud risk factors.
Depending on the degree to which the inherent risk factors impact the susceptibility of an assertion to misstatement, the level of inherent risk will vary on a scale known as the spectrum of inherent risk (the intersection of likelihood and magnitude of misstatement).
So, if the potential misstatement is material and the risk is higher up on the spectrum of inherent risk, then there’s significant risk.
When done properly, firms will benefit from a more focused response to identified and assessed risk and, overall, a higher-quality audit.
Assessing control risk at the maximum level
It is common audit practice to set control risk at high or maximum, regardless of the control structure. This option has already been built into audit practice aids and audit methodology. Under SAS 145, some changes are in store.
When firms set control risk at high or maximum, it is generally because they are planning a fully substantive audit approach. It “may take less time than testing the controls for effectiveness,” said Stephanie Lanke, Senior Audit and Accounting Consultant, AuditWatch at Thomson Reuters, during our webcast.
If the auditor does not test the operating effectiveness of controls, the standard requires them to assess control risk at the maximum level, and now it also clarifies that in such cases, the combined assessment of the risk of material misstatement is the same as the assessment of inherent risk. For this reason, if the auditor uses a fully substantive approach, an inherent risk assessment is critical. Why?
If the standard practice is to set control risk at high or maximum, getting the incorrect inherent risk will result in either over-auditing or deficiencies, Lanke explained. This is why there is a greater focus on inherent risk.
It is important to remember that design and implementation of controls are still important. Walk-throughs are still important. “For example,” said Lanke, “if a walk-through reveals a lack of segregation of duties, then more substantive produces may be necessary. But, again, keep in mind that inherent risk assessment is critical if auditors use a fully substantive approach.”
On the flip side, auditors can bring the assessment below maximum if a test of controls for effectiveness supports a lower control risk. In other words, tests of the operating effectiveness of controls are mandatory to support a control risk assessment below the maximum level.
Conclusion
SAS 145 may not fundamentally change the foundational concepts of audit risk assessment, but its impact on the audit profession is no doubt important.
Managing change can be a challenging task for any firm; however, there are effective strategies that firms can employ to manage change and overcome its challenges. It’s essential to have a proactive approach toward identifying and adapting to changes in the industry, along with seeking guidance and partnerships from industry experts. By adopting a collaborative approach, your firm can successfully handle change and stay ahead of the curve.
Take action now to ensure that your firm is fully prepared for SAS 145. To learn more, view our webinar offering guidance on SAS No. 145.
Visit our SAS 145 Hub for more information.
This is the first in a four-blog series about SAS 145 and its impact on tax and accounting professionals. Stay tuned for future posts.
