Communicate significant risks to those charged with governance as you implement SAS 134, Auditor Reporting and Amendments, Including Amendments Addressing Disclosures in the Audit of Financial Statements (required for December 31, 2021 year-end engagements).
AU-C 315 defines significant risk as “An identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration.”
Below I tell you how to communicate significant risks to those charged with governance. I also explain that there are optional communications about significant risks.
How to Communicate Significant Risks
You can communicate significant risks in one of three ways:
- Engagement letter
- Planning letter to those charged with governance
- Verbally to the board with documentation of that communication in the audit file--this could be a separate Word document that says who you talked with, when, and the significant risk areas communicated.
Why the Change?
SAS 134 amended AU-C 260.11 (AU-C 260 The Auditor's Communication with Those Charged with Governance) as follows (amended language in bold):
The auditor should communicate with those charged with governance an overview of the planned scope and timing of the audit, which includes communicating about the significant risks identified by the auditor.
Sample Significant Risk Language
Here's an example of the language to be used in any of the three options above:
The anticipated significant risk areas in the audit are:
- the allowance for uncollectibles
- the pension liability and disclosure.
Significant Risks are Dependent Upon the Entity
The actual significant risk areas are dependent upon the entity you are auditing.
The significant risk areas communicated to the board should, if possible, align with those identified in your workpapers. You could, however, not know all of the significant risk areas when you create your initial communication. It's even possible you might not identify a significant risk until you are well into the engagement. So the initial significant risk communication and the identified significant risks in the audit file might be different.
SAS 145 provides a definition for significant risks. That standard is effective at the end of 2023, but I think it's worthy of our attention now. The extant significant risk definition (basically, an area that deserves special audit consideration) is not a good one since it's based on the response and not the the risk itself.
Optional Communication about Significant Risks
The explanatory information that accompanies AU-C 260 (specifically .A21) states you may include in the governance communication how you (as the auditor) are going to address the significant risks, but this is optional.