Are You Ready for SAS No. 145?

Are You Ready for SAS No. 145?

This article first appeared in the Pennsylvania CPA Journal - Winter 2024 and is reprinted with permission. Copyright © 2023 by the Pennsylvania Institute of CPAs. All rights reserved. 

The new Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is effective for periods ending on or after Dec. 15, 2023. While not a fundamental overhaul of risk assessment, the standard contains several changes of which auditors need to be aware.

Inherent Risk Factors

In the auditor’s contemplations, risk factors include events or conditions that drive the likelihood of a material misstatement for an account balance, transaction class, or disclosure. Auditors will hone in on question such as, “How complex are the underlying calculations?”; “Have there been changes in the entity’s contracts with customers that impact revenue recognition?”; and “Is there increased uncertainty about the ability to sell the inventory on hand?” Appendix B of SAS 145 is a great resource when considering inherent risk factors.

Spectrum of Inherent Risk

The standard introduces the concept of the spectrum of inherent risk. An auditor must consider both the likelihood and magnitude of a particular risk of material misstatement at the assertion level to determine its place on a spectrum of risk (from low to high). Audit methodologies may use defined terms or numeric values to communicate and document risk assessment decisions. In the end, the auditor’s decisions on the likelihood and magnitude of a material misstatement are judgement calls that will drive the audit plan.


Significant Risks and Audit Responses

If the assessment of inherent risk is close to the upper end of the spectrum of inherent risk or must be treated as such in accordance with other AU-C sections, then those would be significant risks. Remember, the goal of audit risk assessment is to help audit teams anticipate where financial statements are more likely to contain material misstatements. Areas of significant risk will be targeted with tailored procedures. Practically, audit teams should take a firm’s standard audit program and discuss how to tailor the program in response to the risk assessment results. With a risk assessment, auditors have two main goals: understand the entity, its environment, and the applicable financial reporting framework; and understand the components of the internal control system to identify and assess the risks of material misstatement. Since financial reporting is intertwined with operations, an auditor’s understanding of an entity’s business provides valuable insights on financial reporting risks. Appendix A of SAS 145 is an excellent resource on this topic. Gaining an understanding of certain aspects of an internal controls system is required. By obtaining an understanding of the information system and communication

component of an entity’s internal controls, auditors gain familiarity with the controls related to significant classes of transactions, account balances, and disclosures. Control activities are designed by management to ensure proper application of its accounting policies. SAS 145 does not require the evaluation of the design or a determination of the implementation of individual controls unless they are identified controls. For identified controls, the auditor is required to evaluate the design and implementation. It is important to understand which are identified controls:

  • Controls that address a risk that is determined to be significant.
  • Controls over journal entries and other adjustments, as required by AU-C Section 240.
  • Controls for which the auditor plans to test operating effectiveness in determining the nature, timing, and extent of substantive procedures.
  • Other controls that the auditor considers appropriate to assess the risks of material misstatement at the assertion level.

SAS 145 requires the auditor to identify general information technology (IT) controls that address the risks arising from the use of IT and evaluate their design and implementation. Here is a brief breakdown:

  • General IT controls keep IT processes functioning as intended.
  • Risks arising from the use of IT are created by the ineffective design or operation of controls, which could jeopardize the integrity of accounting and other data processed. It is important to understand to what extent management is relying on IT controls.
  • For the identified controls discussed above, auditors need to understand what IT infrastructure is used in those accounting processes, determine what could risk data integrity, and determine what general IT controls are in place as preventatives. The auditor must then determine if the general IT controls are properly designed and implemented.
  • The number of general IT controls for which such procedures will be performed is likely lower when an auditor does not test the effectiveness of any controls and when an entity’s IT system lacks complexity.

Now is a great time for firms to thoroughly understand how their audit methodology incorporates the requirements of SAS 145 and to continue training efforts to assure audit team readiness.



Let's start a conversation!

We would be happy to discuss how Trout CPA can help with your specific needs.

photo of accountant shaking hands with a business owner