Are You Ready for SAS No. 145?

Statement on Auditing Standards No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is effective for periods ending on or after Dec. 15, 2023. Nicole K. Cradic, CPA, shares some the key changes in the standard of which auditors need to be aware.

by Nicole K. Cradic, CPA Dec 18, 2023, 13:25 PM

A bright yellow triangle with an exclamation pointThe new Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is effective for periods ending on or after Dec. 15, 2023. While not a fundamental overhaul of risk assessment, the standard contains several changes of which auditors need to be aware.

Inherent Risk Factors

In the auditor’s contemplations, risk factors include events or conditions that drive the likelihood of a material misstatement for an account balance, transaction class, or disclosure. Auditors will home in on question such as, “How complex are the underlying calculations?”; “Have there been changes in the entity’s contracts with customers that impact revenue recognition?”; and “Is there increased uncertainty about the ability to sell the inventory on hand?” Appendix B of SAS 145 is a great resource when considering inherent risk factors.

Spectrum of Inherent Risk

The standard introduces the concept of the spectrum of inherent risk. An auditor must consider both the likelihood and magnitude of a particular risk of material misstatement at the assertion level to determine its place on a spectrum of risk (from low to high). Audit methodologies may use defined terms or numeric values to communicate and document risk assessment decisions. In the end, the auditor’s decisions on likelihood and magnitude of a material misstatement are judgement calls that will drive the audit plan.

Significant Risks and Audit Responses

If the assessment of inherent risk is close to the upper end of the spectrum of inherent risk or must be treated as such in accordance with other AU-C sections, then those would be significant risks. Remember, the goal of audit risk assessment is to help audit teams anticipate where financial statements are more likely to contain material misstatements. Areas of significant risk will be targeted with tailored procedures. Practically, audit teams should take a firm’s standard audit program and discuss how to tailor the program in response to the risk assessment results.

With a risk assessment, auditors have two main goals: understand the entity, its environment, and the applicable financial reporting framework; and understand the components of the internal control system to identify and assess the risks of material misstatement. Since financial reporting is intertwined with operations, an auditor’s understanding of an entity’s business provides valuable insights on financial reporting risks. Appendix A of SAS 145 is an excellent resource on this topic.

Gaining an understanding of certain aspects of an internal controls system is required. By obtaining an understanding of the information system and communication component of an entity’s internal controls, auditors gain familiarity with the controls related to significant classes of transactions, account balances, and disclosures. Control activities are designed by management to ensure proper application of its accounting policies.

SAS 145 does not require the evaluation of the design or a determination of the implementation of individual controls, unless they are identified controls. For identified controls, the auditor is required to evaluate the design and implementation. It is important to understand which are identified controls:

  • Controls that address a risk that is determined to be significant.
  • Controls over journal entries and other adjustments, as required by AU-C Section 240.
  • Controls for which the auditor plans to test operating effectiveness in determining the nature, timing, and extent of substantive procedures.
  • Other controls that the auditor considers appropriate to assess the risks of material misstatement at the assertion level.

SAS 145 requires the auditor to identify general information technology (IT) controls that address the risks arising from the use of IT, and to evaluate their design and implementation. Here is a brief breakdown:

  • General IT controls keep IT processes functioning as intended.
  • Risks arising from the use of IT are created from the ineffective design or operation of controls that could jeopardize the integrity of accounting and other data processed. It is important to understand to what extent management is relying on IT controls.
  • For identified controls discussed above, auditors need to understand what IT infrastructure is used in those accounting processes, determine what could risk data integrity, and determine what general IT controls are in place as preventatives. The auditor then needs to determine if the general IT controls are properly designed and implemented.
  • The number of general IT controls for which such procedures will be performed is likely lower when an auditor does not test the effectiveness of any controls and when an entity’s IT system lacks complexity.

Now is a great time for firms to thoroughly understand how their audit methodology incorporates the requirements of SAS 145 and to continue training efforts to assure audit team readiness. 

Nicole K. Cradic, CPA, is a partner at Trout CPA in Mechanicsburg. She can be reached at ncradic@troutcpa.com.

Leave a comment

Order by

Newest on top Oldest on top
Load more comments
New code
Comment by from
Pennsylvania Institute Of Certified Public Accountants
Phone: (215) 496-9272
Webcast/Webinar Hotline: (267) 705-4450
Email: info@picpa.org
My Account

Subscribe to PICPA's personalized e-newsletter to receive news and events that interest you.

Subscribe

Copyright © 1998-2023 PICPA. All rights reserved. Privacy Policy | Terms and Conditions