September 25, 2022
Risk in a financial statement takes on many forms. It can be a material misstatement or can manifest as an undefined intangible that’s highlighted in a footnote. Auditors spend the most time in financial statement audits on identifying and assessing material misstatements because of the impact on the company’s financial position. Yet, risk assessments made up 25 percent of audit deficiencies in 2020 peer reviews, so there’s clearly more work to do to shore up this aspect of financial reporting.
Understanding and documenting significant risks will take on heightened importance with the 2023 roll-out of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The new guidance makes several changes designed to ensure that risk factors are identified and assessed more robustly. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.
Most business owners aren’t accounting and corporate finance experts. That is why they bring in external advisors, yet it is still important to understand some of the basic concepts underpinning the financial statement.
Material misstatement doesn’t necessarily mean that there’s fraud. It does indicate that information is incorrect to the point of potentially impacting economic and financial decisions. Several factors can cause material misstatements including weak internal controls and reporting, lack of oversight, or external factors like a bad economy or rapidly changing industry conditions.
Breaking that down further, the risk of material misstatement can also exist at the assertion level. In this regard, there are two types of risk to consider: inherent and control risk. Inherent risk refers to what the auditor views as a potentially higher risk, and control risk refers to potential failures in internal controls.
To assess audit risk, the financial statements are examined with the intent of understanding the company’s business environment and internal controls. This is where the risk assessment comes in.
Each audit is different, but generally, with full-scope financial statement audits, risk assessment looks like this:
Throughout, the auditor will examine risk from several perspectives, including
These procedures form the basis of every financial statement audit and are often customized to suit specific industries and even clients. Because there’s no single formula or approach, risk assessment is often left to the auditor’s discretion.
Improving risk assessment standards is also meant to improve audit quality through a better understanding of a company’s internal controls, consideration of IT risks, and a heightened focus on material misstatements. SAS 145 was also developed to be more closely in line with international financial reporting standards.
With that in mind, clients should be aware of the new risk assessment standards auditors will have in place next year. SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, imposes more stringent requirements for risk assessment and issues clarifying guidance on how to address the “economic, technological, and regulatory aspects of the markets and environment in which entities and audit firms operate.”
Among the more notable revisions and new requirements are:
Assessing inherent and control risks separately can be done in different ways. There is no single prescribed way of doing this. More documentation will be required all around so that any auditor, even one without any previous knowledge, could form an understanding of risk assessment procedures.
Additionally, SAS 145 removes the “Considerations Specific to Smaller Entities” sections. In doing so, the standard aims to recognize that smaller entities can have complex audits and a pared-down version of risk assessment may not be in management’s best interest.
Changing Definition of Risk
Due to historical inconsistencies in how significant risk was determined, SAS 145 specifically defines significant risk as:
“An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections.”
There are some risks that will always be considered significant.
Moving forward, SAS 145 will impose special audit requirements for significant risks. A key part of this process is understanding the spectrum of inherent risk and risk factors. The spectrum of risk depends on the possibility that a misstatement could occur and to what extent it matters both quantitatively and qualitatively.
This is a new concept and will bring more audits in line with the same risk assessment standard. Currently, auditors may use a numeric scale or a high/medium/low scale to evaluate risk.
Other Definitions
Other terms that will help clients gain a better understanding of SAS 145 include the following.
Timeline and Other Considerations
SAS 145 will be effective for audits of financial statements for periods ending on or after December 15, 2023.
Auditors will still bring their own levels of experience, professional judgment, and methodology to the audit engagement. On the client side, there won’t appear to be much difference with the new auditing standard; however, clients should be prepared for a closer inspection of the internal control environment and more communication at the beginning of and during audit procedures.
Contact Us
The changes outlined in the recently issued SAS 145 guidance provide additional safeguards to ensure risk factors are properly identified. This will translate into a more effective audit for Georgia companies. If you have questions about the information outlined above or need assistance with your next audit, Wilson Lewis can help. For additional information call 770-476-1004 or click here to contact us. We look forward to speaking with you soon.