Skip to content

AICPA Issues New Audit Standards on Risk Assessment

Soyoung Ho  Senior Editor, Accounting and Compliance Alert

· 5 minute read

Soyoung Ho  Senior Editor, Accounting and Compliance Alert

· 5 minute read

The AICPA’s Auditing Standards Board (ASB) on October 12, 2021, issued revised audit standards that enhance the requirements and guidance on identifying and assessing risks of material misstatement.

In particular, the new guidance addresses a company’s system of internal control and information technology.

Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, supersedes SAS No. 122, as amended, AU-C Section 315 of the same title, and amends various AU-C sections in AICPA Professional Standards.

The new standard becomes effective for audits of financial statements for periods ending on or after December 15, 2023.

“The auditor’s risk assessment drives almost every part of the audit. As a result, the evaluation of risks sits at the core of audit quality,” AICPA Chief Auditor Jennifer Burns said in a statement. “SAS No. 145 supports the performance of quality audits by providing additional clarity and guidance in identifying and evaluating risks of material misstatement, while considering the evolving nature of business.”

The standard also revised the definition of significant risk so that auditors will be focused on where the risks lie on a spectrum of inherent risk.

Significant risk is defined as an identified risk of material misstatement: “for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur; or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections.”

Thus, the higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.

SAS No. 145 notes that the definition was changed to promote a more consistent approach. Previously, the focus was on the response—whether a risk requires special audit consideration.

The final standard no longer requires the auditor to determine whether a financial statement level risk is a significant risk.

“However, identified risks of material misstatement at the financial statement level may affect the auditor’s assessment of significant risks at the assertion level,” the standard states. “SAS No. 145 acknowledges that the determination of whether a risk is a significant risk requires the exercise of professional judgment. AU-C section 330 continues to include special audit considerations in the form of specific requirements related to significant risks because of the nature of the risk and the likelihood and potential magnitude of misstatement related to the risk.”

The AICPA said SAS No. 145 includes a new “stand-back” requirement when auditors evaluate the completeness of the identification of significant classes of transactions, account balances, and disclosures.

If auditors determine that material classes of transactions, account balances, or disclosures are not significant, then the new standard requires the auditor to evaluate whether its determination remains appropriate.

“Materiality is in the context of the financial statements,” SAS No. 145 states. “Accordingly, classes of transactions, account balances, or disclosures are material if there is a substantial likelihood that omitting, misstating, or obscuring information about them would influence the judgment made by a reasonable user based on the financial statements.”

Among other things, the new standard includes:

  • Revised requirements to evaluate the design of certain controls within the control activities component and to determine whether such controls have been implemented.
  • New requirement to separately assess inherent risk and control risk.
  • New requirement to assess control risk at the maximum level such that, if the auditor does not plan to test the operating effectiveness of controls, the assessment of the risk of material misstatement is the same as the assessment of inherent risk.
  • New guidance on scalability.
  • Revised requirements on audit documentation.
  • A conforming amendment to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance, and disclosure, regardless of the assessed level of control risk.

The association said it will host a free webcast on November 16 to help CPAs prepare for the changes in the risk assessment standard.

“Attendees will learn how to determine their responsibility to identify and assess the risks of material misstatement in the financial statements; apply the new concepts in SAS No. 145 as they begin to plan and perform audits and apply the enhanced or new requirements or guidance in SAS No. 145,” the AICPA said.

The final standards are based on proposed SAS, Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and its Environment, issued in August 2020.


This article originally appeared in the October 13, 2021 edition of Accounting & Compliance Alert, available on Checkpoint.

Subscribe to our Checkpoint Daily Newsstand email to get all the latest tax, accounting, and audit news delivered to your inbox each weekday. It’s free!

More answers