Upcoming Audit Changes – SAS 145 Risk Concepts

FASB’s Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides revised guidance for the calendar year 2023 financial statement audits. The broad concept of improved risk assessment standards in SAS 145 will extend to other areas of an audit, like IT and material misstatements. These changes will result in a different audit process for most Atlanta companies. There will be a greater reliance on data and analytics, a new approach to risk assessment and a deeper analysis of information technology (IT) controls. Companies can prepare by gaining a better understanding of the revised risk concepts in SAS 145 and how controls will be assessed. To help clients, prospects, and others, Wilson Lewis has summarized the key details below.

Better Audit Quality Through Enhanced Risk Assessment

The goal of SAS 145 is to provide more clarity surrounding audit risks and, ultimately, better audit quality. Many accounting firms fail to perform adequate risk assessments, resulting in a deficient audit for the company. Even without audit deficiencies, inaccurately evaluating risk can mask the company’s true financial position, knowingly or unknowingly. These updates will help to better define and contextualize risk for all financial statement users.

While SAS 145 doesn’t fundamentally change underlying risk concepts, it does clarify, revise, and add different audit requirements.

The following risk guidance is enhanced:

• System of internal control and control risk
• Impact of economic, technological, and regulatory aspects of the relevant markets and environment

The following risk requirements are revised:

• Significant risk definition
• Design of certain controls, including IT controls
• Audit documentation

There are new requirements and guidance in SAS 145, too.

• Control risk and inherent risk will be assessed separately
• The maximum level of control risk will be assessed by default if controls aren’t tested for operational effectiveness
• “Stand-back” requirement related to significant classes of transactions, account balances, and disclosures
• Scalability and professional skepticism

Defining and Assessing Inherent Risk

New concepts are introduced in SAS 145 to better frame the risk environment. Inherent risk, which is at the management assertion level, is defined as:

“the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.”

Inherent risk refers to an assertion that could lead to a material misstatement. It is addressed first in SAS 145 and on a risk spectrum. The risk spectrum considers the likelihood of a material misstatement occurring because of the risk and the magnitude of the potential misstatement. Just because a transaction or account balance is easy to review doesn’t necessarily mean it’s low risk. The inherent risk depends on the transaction or disclosure.

These factors are measured based on their potential for fraud or misstatement. Factors like incentives, pressure, opportunity, attitudes, and rationalization – elements in the fraud diamond model – are considered in the context of the potential likelihood of a material misstatement.

Both qualitative and quantitative factors frame inherent risk.

• Qualitative inherent risk factors consider complexity, subjectivity, change, uncertainty, and susceptibility to fraud or misstatement.
• As quantitative factors, volume or a lack of conformity should also be considered. Additionally, if the risk of material misstatement relates to more than one management assertion, all other relevant assertions will be considered.

Private companies examining their system of internal controls should be looking not just at whether a particular control can mitigate risk but other factors that could directly or indirectly influence the risk environment. 

These scenarios are examples of inherent risk factors that management may encounter.

• Complex concepts or difficult estimates in financial statement preparation
• Management’s use of subjective judgment on estimates
• External factors like the pandemic, inflation, or a recession
• Potential legal judgment against an entity
• Management’s pressure to hit certain financial targets

Companies should also expect more documentation for these areas.

Significant Risk Under SAS 145

Along the same thread, significant risk arises when the inherent risk area is close to the upper end of the risk spectrum. This is a different approach from previous guidance.

Some risks will always be considered significant. The regulations state that:

“Areas of significant management judgment and unusual transactions may often be identified as significant risks. Significant risks are therefore often areas that require significant auditor attention.” 

Since this is a revised approach, companies may not see the same scale for determining significant risks as in prior audits. The overall benefit is that, across the board, audits will be more in line with a consistent risk assessment standard.

General IT Controls

Recognizing that the IT environment is changing and a larger part of the overall risk assessment, SAS 145 spends a great deal of time addressing IT general controls. Private companies will see increased audit scrutiny related to controls for IT applications, risks arising from the use of IT, and whether and how many existing controls would mitigate the risk of material misstatement. 

Companies don’t need specific controls for every IT process but should have processes that address the overall risks of using IT. Entities that only use commercial software and don’t have access to the source code can use a more streamlined audit process for general IT controls.

Moving Forward

Another revision in SAS 145 should help to scale the risk assessment approach regardless of entity size. The new regulations remove the sections specific to “Considerations Specific to Smaller Entities.” This means the same level of risk assessment will be performed for all entities.

Although SAS 145 shifts the focus from risk response to risk assessment, it’s still a good idea for companies to implement a risk management strategy. A risk management strategy is a continuous process that identifies risks in tools, processes, and applications, whether they present as inherent or significant and how likely they are to influence material misstatements. From there, companies can proactively develop and implement relevant controls.

It is important to remember the new regulations are effective for periods ending on, or after December 15, 2023.

Contact Us

Several changes are coming to the financial statement audit process soon. Atlanta businesses should become familiar with the new regulations to determine what changes will need to be made to the audit preparation process. If you have questions about the information outlined above or need assistance with an audit or accounting concern, Wilson Lewis can help. For additional information, call 770-476-1004 or click here to contact us. We look forward to speaking with you soon.