SAS No. 145 – What Is Changing

The AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The new standard becomes effective for audits of financial statements for periods ending on or after Dec. 15, 2023.

The revisions in SAS No. 145 do not change the key concepts underpinning audit risk. Rather, according to the Executive Summary of the standard, the standard “clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessment and, therefore, enhance audit quality.” These enhancements include changes to certain of the defined concepts.

What the key changes are:

  • Relevant Assertion
    • Under the new definition of relevant assertion, an assertion is relevant if it has an identified risk of a material misstatement. Previously, the risk was described as a reasonable risk. Risk of a    material misstatement exists when there is a reasonable possibility that the risk will occur and be material.
  • Inherent risk and inherent risk factors
    • There is a new requirement to assess inherent risk and control risk separately. While this requirement was not explicitly stated in the prior standards, it’s something that many practitioners did anyway. This was driven, in part, by third-party vendors of auditing software tools who took the approach of a separate assessment of inherent and control risks. Nevertheless, the requirement to make separate assessments of inherent and control risk is now baked into the auditing standards thru SAS 145.
  • Assessing Control Risk at Maximum Level
    • If the auditor does not test the operating effectiveness of controls, the standard requires that control risk (“CR”) be assessed at maximum risk. In that situation, the new standard requires that the assessment of the risk of material misstatement (“RMM”) be the same as the assessment of inherent risk (“IR”). In other words, if CR equals maximum risk because controls were not tested, then RMM must equal IR.
  • New definition of significant risk
    • SAS 145 defines a significant risk as an identified risk of a material misstatement:
      • For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of the misstatement occurring and the magnitude of the potential misstatement should that misstatement occur. The previous definition of significant risk focused on the response to the risk, rather than the risk itself.
      • Is to be treated as a significant risk in other AU-C sections.

Unchanged is the need for professional judgment.

  • Significant Class of Transactions, Balance, or Disclosure
    • A significant class of transactions, account balance or disclosure is one for which there are one or more relevant assertions.
  • Information technology
    • SAS 145 requires the auditor to identify general information technology (IT) controls that address the risks arising from the use of IT and evaluate their design and implementation. Auditors cannot continue to audit around IT controls.
  • A new Stand-Back Requirement
    • SAS 145 incorporates a new so-called “stand-back” requirement. Auditors are now required to pause and evaluate the completeness of their identification of significant classes of transactions, account balances, and disclosures.
  • New guidance on Scalability
    • As practitioners are already aware, size does not always correlate to complexity. Smaller entities cannot just have the assumption of less complexity. Correspondingly, larger entities are not always complex. Under SAS 145, the concept of scalability recognizes “that some aspects of the entity’s system of internal control may be less formalized but still present and functioning, considering the nature and complexity of the entity.” Therefore, “…the auditor may still be able to perform risk assessment procedures through a combination of inquiries and other risk assessment procedures.” Those procedures may include observations or inspection of documents.

The changes discussed here are only part of the overall content of SAS 145. Review of the full content of the standard is recommended for successful implementation and application.

Article Prepared By:
Lila Leno, CPA, MBA | Partner

Related Posts