Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, updates the risk assessment standards. Auditors need to be aware of these upcoming changes.
Conceptually, risk assessment remains the same, but some particulars are different and significantly affect how you audit. SAS 145 is voluminous, but below I summarize the salient points to make it easy for you to digest--or, at least, as easy as I could.
SAS 143, Auditing Accounting Estimates and Related Disclosures, introduced some concepts used in SAS 145. Those concepts include:
- Inherent risk factors
- Spectrum of inherent risk
- Separate assessments of inherent risk and control risk
You’ll see several new definitions below. Understanding those is critical to understanding SAS 145.
SAS 145 Topics
This article addresses the following SAS 145 topics:
- Separate inherent and control risk assessments
- Assessing control risk at the maximum level
- Significant risks
- Inherent risk factors and spectrum of risk
- Relevant assertions
- Significant classes of transactions, account accounts, and disclosures
- Stand-back requirement
- Professional skepticism
- Information technology (IT) controls
- System of internal control
- Increasing complexity of entities and auditing
- Documentation requirements
- Effective date of SAS 145
Separate Inherent and Control Risk Assessments
Most auditors have assessed inherent and control risk separately for some time, but those separate assessments were previously not required. SAS 145, however, requires that auditors individually assess these two risks at the assertion level. Interestingly, documenting a combined inherent and control risk assessment is not required.
You can assess inherent risk and control risk in various ways; the standard does not specify a particular means of doing so. For instance, you might use high, moderate, or low; or use a scale of one to ten (more about this in a moment).
Assessing Control Risk at the Maximum Level
Many auditors assess control risk at high or maximum, regardless of the internal control structure--whether the controls are designed appropriately and implemented or not. You might plan to use a fully substantive approach; for example, when substantive procedures take less time than testing controls for effectiveness.
If you decide not to test controls for effectiveness, SAS 145 requires that you assess control risk at the maximum (or high) so that the risk of material misstatement is the same as the inherent risk assessment.
So, if control risk is assessed at maximum, can the evaluation of the design and implementation of controls (i.e., walkthroughs) still impact the planned audit procedures? Yes. Increased risk leads to a change in nature, timing, and extent of planned audit procedures. For example, if your walkthrough reveals a lack of segregation of duties, you may need to add more substantive procedures to address fraud risk.
On the other hand, if a test of controls for effectiveness supports a lower control risk, you can bring the assessment below maximum. But you cannot lower control risk without the support of a test of controls for effectiveness.
Your inherent risk assessment is crucial if you use a fully substantive approach. Why? Because SAS 145 requires that inherent risk be the same as the risk of material misstatement. If your inherent risk is assessed higher than it should be, you’ll perform unnecessary work to address the risk and waste time.
The Auditing Standards Board provides a new definition for significant risks. The first part of the definition (see paragraph 12 of SAS 145 for the full definition) is as follows:
A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.
(Note - the blog author bolded some words in the definition above for emphasis.)
The prior significant risk definition focused on the response to the risk, not the risk itself. That guidance said it was a risk that needed special audit consideration.
The new definition focuses on the risk itself. To be clear, the risk of material misstatement. Notice the new definition requires consideration of likelihood and magnitude. In other words, probability and dollar impact. Also, notice the description is based solely on inherent risk, with no consideration of control risk.
Inherent Risk Factors and Spectrum of Risk
SAS 145 defines inherent risk factors as:
Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls. Such factors may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.
Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk.
(Note - the blog author bolded some words in the definition above for emphasis.)
Inherent Risk Factors
Consider the likelihood of misstatement in light of the inherent risk factors, including:
- Susceptibility to misstatement due to management bias or other fraud risk factors (in terms of how they affect inherent risk)
So as you consider the inherent risk of an assertion, use these factors to determine the likelihood of misstatement. Then consider the magnitude of the potential misstatement. If the risk is close to the upper end of the spectrum of risk (for inherent risk) and the potential misstatement is material, then the entity has a significant risk.
Ten-Point Scale, An Example
I like to evaluate significant risks on a ten-point scale, with ten being the highest risk. While SAS 145 does not use such an illustration, a nine or a ten is a significant risk, provided it can lead to a material misstatement. For example, a bank’s allowance for loan losses is usually a significant risk because it is a complex estimate in a material account balance. In making this assessment, we disregard internal controls.
One additional change is SAS 145 removes the requirement to determine whether there are significant risks at the financial statement level.
The term relevant assertion has also changed.
Using SAS 145, relevant assertions are based on classes of transactions, account balances, and disclosures with an identified risk of material misstatement.
Before SAS 145, we looked at relevant assertions as they related to material classes of transactions, account balances, and disclosures. And relevant assertions were those that had a meaningful bearing on whether an account was fairly stated. (I never knew what meaningful bearing meant.)
The new relevant assertion definition is clearer. Assertions are considered in light of:
- Likelihood of misstatement
- Magnitude of misstatement
Relevant Assertion Definition
In SAS 145, a relevant assertion is defined as:
An assertion about a class of transactions, account balance, or disclosure is relevant when it has an identified risk of material misstatement. A risk of material misstatement exists when (a) there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and (b) if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude). The determination of whether an assertion is a relevant assertion is made before consideration of any related controls (that is, the determination is based on inherent risk).
(Note - the blog author bolded some words in the definition above for emphasis.)
Probability and Dollar Impact
A relevant assertion is an identified risk of material misstatement when a reasonable possibility of its occurrence is present. Reasonable possibility means a more than a remote chance of happening. And if it happens, a material misstatement must be possible. Again we see an emphasis upon probability and dollar impact. And again, internal controls are ignored in making this determination. That is, inherent risk is the basis for determining which assertions are relevant.
As an example, suppose high-technology components comprise inventory that becomes obsolete quickly. Your valuation assertion is inherently risky, and if inventory is a significant account balance, then valuation is a relevant assertion. Notice we made this determination without regard for the related controls. Moreover, we believe there is a reasonable possibility of obsolescence.
Once again, we see that inherent risk is vital in SAS 145.
We said that relevant assertions relate to significant classes of transactions, account balances, and disclosures. But what are significant classes?
Significant Classes of Transactions, Account Balances, and Disclosures
In SAS 145, significant classes of transactions, account balances, or disclosures are defined in the following manner:
Significant class of transactions, account balance, or disclosure. A class of transactions, account balance, or disclosure for which there is one or more relevant assertions.
So a significant class is one with a relevant assertion--one where the likelihood of material misstatement is more than remote.
So, if an account balance like receivables, for example, has a relevant assertion, it’s a significant class.
Purpose of the Definition
The purpose of this definition is to provide clarification concerning the scope of the auditor’s work. In other words, this definition tells us where to focus. We’ll perform risk assessment procedures and assess risk in the significant classes of transactions, account balances, and disclosures. It is in these areas where we will plan responses to the identified risks therein. SAS 145 requires substantive procedures for each significant class of transactions, account balances, and disclosures with relevant assertions.
Consider this: if plant, property, and equipment (PP&E) is material, but there is no relevant assertion for the account balance, it is not a significant area. Suppose a company has $10 million in PP&E (a material balance) and it purchases no new capital assets during the year. There is only one PP&E asset, a building, which has appreciated. Is there a relevant assertion? Probably not. Why? There is little likelihood of material misstatement.
Now change the scenario and suppose the building suffers an earthquake. Is PP&E a significant class? Yes, if substantial damage occurred. Why? Because you now have a relevant assertion: valuation.
Once you have designated all significant classes of transactions, account balances, and disclosures, evaluate all remaining material areas to see if the initial scope determination is appropriate. Is there a remaining account balance, transaction class, or disclosure that needs our attention, even though it did not qualify as a significant area? If yes, then plan audit procedures accordingly.
The main point here is that the auditor focuses upon significant classes of transactions, account balances, and disclosures first (those with relevant assertions) and then remaining material amounts (which don’t have relevant assertions). For instance, say you choose cash, receivables/revenues, payables/expenses, and payroll as your significant areas, but not plant, property, and equipment (PP&E) because it has no relevant assertion. In the stand-back phase, ask yourself if PP&E deserves audit scrutiny. If it does, plan PP&E audit procedures.
A company might have disclosures that are not significant (e.g., executive compensation), but you decide to audit it anyway. Why? You believe the scope of your planned audit is incomplete without it.
The purpose of the stand-back provision is to ensure completeness of the auditor’s identification of transactions, account balances, and disclosures--the areas the auditor plans to audit.
The complexity of an entity’s activities and environment drive the scalability of applying SAS 145.
Size and complexity do not necessarily correlate. Smaller entities tend to be less complex, but some are not--they are complex. Larger entities tend to be more complicated, but some are not. So consider the accounting system, the industry, the internal controls including information technology, and other factors in applying SAS 145. Complexity, not the entity’s size, determines how you use this standard.
Some entities may lack formal internal control policies. Even so, such a system of internal controls can still be functional. Therefore, auditors can vet these informal controls with inquiries, observations, and inspection of documents. In other words, risk assessment works even in small entities with informal controls.
The nature and extent of risk assessment procedures will vary depending upon the nature and circumstances of the entity. Therefore, auditors should exercise judgment in determining the nature and extent of risk assessment procedures. For example, risk assessment procedures can be less for a non-complex business with simple processes. In such a company, the auditor might have fewer inquiries to understand the business and fewer preliminary analytics.
Audit procedures in an initial audit may be more extensive. After the initial audit period, the auditor can focus on changes since then. (Even so, auditors still need to annually review the design and implementation of key controls related to significant transaction classes, account balances, disclosures.)
Understanding the entity and its environment, including its reporting framework, is a foundation for professional skepticism. Auditors determine the evidence needed for risk assessment in light of the entity’s nature and accounting system.
SAS 145 highlights the need for auditors to maintain professional skepticism during the engagement team discussion.
Professional skepticism allows the auditor to:
- Appropriately deal with contradictory information
- Evaluate the responses received from management and those charged with governance
- Be alert to potential misstatement due to fraud or error
- Consider audit evidence in light of the entity’s nature and circumstances
Professional skepticism is necessary for evaluating audit information in an unbiased manner, leading to better identification and assessment of risks of material misstatement.
Information Technology (IT) Controls
SAS 145 emphasizes IT controls as they affect the risk of material misstatement. The standard introduces a new term: risk arising from the use of IT. And it defines general IT controls.
So what IT controls are you to consider? Those that affect the risk of material misstatement at the assertion level.
Here’s how I think about this:
- Start with the risk of material misstatement at the assertion level
- Determine the IT applications that affect the assertion
- Review the general IT controls that affect the IT applications
IT Relevant Assertion Example
For example, say occurrence is a relevant assertion for expenses. Then you might consider an IT control that requires a three-way match for invoice processing; the software will not allow a disbursement without matching the invoice amount, the purchase order amount, and the quantity in the receiving document. In such a system, the IT application is the payables module in the software.
An example of a general control (see definition below) for this application is the password for access to the payables module.
Why is the general IT control (the password) important? If a password was not necessary, then anyone could process payments. And this affects the occurrence assertion.
As the auditor performs a walkthrough for payables, she will (for example):
- Inspect the three-way match documents.
- Observe the payables module in use.
- Inspect the logical access records from IT, showing who has access to the payables module.
- Observe the entry of a password by a payables clerk.
You don’t need to review all general controls, only those related to risks arising from the use of IT.
Risk Arising from the Use of IT
SAS 145 defines risk arising from the use of IT as:
Susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.
Lower IT Risk
Entities are less likely to be subject to risks arising from the use of IT when they:
- Use stand-alone applications
- Have low volumes of transactions
- Have transactions supported by hard-copy documents
Higher IT Risks
Entities are more likely to be subject to risks arising from the use of IT when they:
- Have interfaced applications
- Have high volumes of transactions
- Have applications that automatically initiate transactions
General IT Controls
SAS 145 defines general IT controls as:
Controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.
Examples of general IT controls include firewalls, backup and restoration, intrusion detection, passwords, physical security, and antivirus protection.
Increasing Complexity of Entities and Auditing
SAS 145 recognizes the increasing complexity of entities and auditing. It does so by highlighting audit methods and tools such as:
- Remote observation of assets using drones or video cameras
- Use of data analytics software and visualization techniques to identify risks of material misstatement
- Performing risk assessment on large volumes of data, including analysis, recalculations, reperformance, and reconciliations
System of Internal Control
SAS 145 replaces the term internal control with system of internal control. It defines system of control as:
The system designed, implemented, and maintained by those charged with governance, management, and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. For purposes of GAAS, the system of internal control consists of five interrelated components:
i. Control environment
ii. The entity’s risk assessment process
iii. The entity’s process to monitor the system of internal control
iv. The information system and communication
v. Control activities
It appears the Auditing Standards Board is highlighting the holistic nature of internal controls by including all five of the COSO control elements.
SAS 145 Documentation Requirements
Auditors must document their evaluation of the design of identified controls and their determination of whether such controls were implemented.
Additionally, auditors must document their rationale for significant judgments regarding identified and assessed risks of material misstatement. In other words, how did you identify a risk of material misstatement, and why did you assess it as you did?
What is the criterion for determining whether the risk assessment documentation is appropriate? As in the past, it’s whether an experienced auditor having no previous experience with the audit understands the nature, timing, and extent of the risk assessment procedures. So, document the rationale for your risk assessment work and your conclusions.
Effective Date of SAS 145
SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023.