Communicating Significant Risks to the Board

By Charles Hall | Auditing

Jan 13

Communicate significant risks to those charged with governance as you implement SAS 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements (required for December 31, 2021 year-end engagements). 

AU-C 315 defines significant risk as “An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.”

Below I tell you how to communicate significant risks to those charged with governance. I also explain that there are optional communications about significant risks

significant risk

How to Communicate Significant Risks

You can communicate significant risks in one of three ways:

  1. Engagement letter
  2. Planning letter to those charged with governance
  3. Verbally to the board with documentation of that communication in the audit file--this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated. 

Why the Change?

SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language in bold):

The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.

Sample Significant Risk Language

Here's an example of the language to be used in any of the three options above:

The anticipated significant risk areas in the audit are:

  1. receivables/revenues,
  2. the allowance for uncollectibles 
  3. the pension liability and disclosure. 

Significant Risks are Dependent Upon the Entity

The actual significant risk areas are dependent upon the entity you are auditing. 

The significant risk areas communicated to the board should, if possible, align with those identified in your workpapers. You could, however, not know all of the significant risk areas when you create your initial communication. It's even possible you might not identify a significant risk until you are well into the engagement. So the initial significant risk communication and the identified significant risks in the audit file might be different.

SAS 145 provides a definition for significant risks. That standard is effective at the end of 2023, but I think it's worthy of our attention now. The extant significant risk definition (basically, an area that deserves special audit consideration) is not a good one since it's based on the response and not the the risk itself. 

Optional Communication about Significant Risks

The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.  

SAS 134 Article

See my SAS 134 article to understand the types of audit opinions


About the Author

Charles Hall is a practicing CPA and Certified Fraud Examiner. For the last thirty years, he has primarily audited governments, nonprofits, and small businesses. He is the author of The Little Book of Local Government Fraud Prevention and Preparation of Financial Statements & Compilation Engagements. He frequently speaks at continuing education events. Charles is the quality control partner for McNair, McLemore, Middlebrooks & Co. where he provides daily audit and accounting assistance to over 65 CPAs. In addition, he consults with other CPA firms, assisting them with auditing and accounting issues.