Considering IT risk during audit risk assessment procedures
SAS No. 145 assists auditors in identifying and addressing risks that the use of information technology can introduce.
The widespread use of information technology (IT) can introduce various risks that affect financial reporting and the audit process. To assist auditors in identifying and addressing these risks, the AICPA has issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, which is codified in AU-C Section 315, by the same name.
WHAT SAS NO. 145 SAYS ABOUT THE USE OF IT AND RELATED RISKS
Plainly stated, SAS No. 145 tells auditors to consider their clients’ use of technology, the risks the use of technology presents, and what, if any, controls the entity has in place to address these risks.
During the risk assessment procedures, SAS No. 145 instructs auditors to gain an understanding of “how information flows through the entity’s information system, including how transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated into the general ledger, and reported in the financial statements.”
In other words, auditors will identify which applications and other aspects of the entity’s IT environment pose risks. Then, auditors will identify specific risks arising from the use of IT and general IT controls to address these risks for each identified application or aspect. Once auditors understand the risks, they identify controls and perform procedures around those controls.
The definitions “risks arising from the use of IT” and “general IT controls” are key:
- Risks arising from the use of IT relate to the “susceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity’s information system, due to ineffective design or operation of controls in the entity’s IT processes.”
- General IT controls relate to “controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity’s information system.”
General IT controls can be thought of as higher-level, broad controls — think “tone at the top” controls — and information-processing controls are lower-level, akin to a control in a payables system that automatically performs a three-way match.
General IT controls support the continued, effective functioning of those other, specific information-processing controls or manual information processes in the entity’s information system.
SAS NO. 145 REQUIREMENTS WITH RESPECT TO GENERAL IT CONTROLS
The standard requires auditors to identify the IT applications and other aspects of the entity’s IT environment that are subject to risks arising from the use of IT, the specific related risks arising from the use of IT, and the general IT controls that address those risks.
For example, a client may use a software package that records inventory purchases or keeps track of employee compensation. That software package may write checks or initiate electronic payments to vendors or employees. Access restrictions to that system would be a general IT control auditors would expect to see and expect to work. Robust password management and access privilege policies lower the risk of fraud and misappropriation of assets.
Identification of general IT controls is critical
The identification of these controls is important for the following reasons:
- The auditor’s decision to test controls at the assertion level may be influenced by the presence or absence of effective general IT controls. For example, if general IT controls are not designed or implemented properly to address risks associated with IT, the auditor may choose not to rely on automated controls within the affected IT applications.
- The ongoing effectiveness of information-processing controls may depend on general IT controls that prevent unauthorized program changes. The expected effectiveness of these general IT controls can affect the auditor’s assessment of control risk. If the general IT controls are expected to be ineffective, control risk may be higher, and the auditor may need to plan additional tests.
- When the entity’s information system relies on IT applications to obtain audit evidence, the auditor may need to test controls over system-generated reports, for example, to gain comfort over the completeness and accuracy of the report. This includes identifying and testing general IT controls that address risks, such as unauthorized program changes or data tampering.
- Significant programming changes made to an IT application to comply with reporting requirements can indicate complexity and potential risks associated with IT. Understanding these changes helps the auditor assess inherent risk at the assertion level.
- The design of further audit procedures can be influenced by the relationship between information-processing controls and general IT controls. If information-processing controls rely on general IT controls, the auditor may need to test the effectiveness of those controls and design tests accordingly. If general IT controls are expected to be ineffective, the related risks arising from IT may need to be addressed through substantive procedures. However, this may not provide sufficient appropriate audit evidence for certain risks, and the auditor may need to consider the implications for the audit opinion.
AUDIT WORK THESE GENERAL IT CONTROLS REQUIRE
Regardless of whether they plan to rely on controls, the auditor needs to perform procedures to evaluate the design of the identified controls and determine whether they have been implemented. Evaluating the design of these controls and determining whether they have been implemented will inform the auditor’s decisions regarding further audit procedures. If the auditor does not plan to rely on controls to lower the amount of substantive work to be performed, or if substantive procedures will provide sufficient appropriate audit evidence for the audit opinion, the requirements stop at the auditor’s evaluation of the design and implementation — otherwise, their further audit procedures will include performing appropriate steps to test the operating effectiveness of identified controls. Understanding which IT applications are in place and other characteristics of the IT environment, the risks arising from the use of IT and the general IT controls implemented by the entity to address those risks will affect the audit plan. For example:
- The type of application and the reliance the entity places on that application may affect the audit plan.
- The risks embedded in that application and the potential impact due to heavy reliance may affect the audit plan.
- The results when testing the design and implementation of a particular IT general control may affect the audit plan, potentially calling into question the reliability of information that is produced by or involves information from that application.
To be clear, unless a control is an identified control as noted in paragraph .27 of AU-C Section 315; is required by another AU-C section; or is the result of your professional judgment, you are not required to perform testing of operating effectiveness on these IT-related controls.
SAS NO. 145 AND IDENTIFYING TECH APPLICATIONS SUBJECT TO RISKS
SAS No. 145 is a comprehensive standard and provides significant application and other explanatory material related to the requirements. Included in this explanatory guidance is a significant discussion of IT-related topics.
The standard discusses why the auditor is required to identify the applications and other aspects of the IT environment, along with the risks and general IT controls. Because IT is likely critical to the entity, an understanding will be key to the auditor’s ability to perform the audit efficiently and effectively.
For example, if you are the auditor, your understanding of the client will assist you in determining which IT applications the entity is relying on to accurately process and maintain the integrity of information in the entity’s information system. Of those IT applications, some likely will have risks arising from the use of IT. Identifying the IT applications subject to risks due to IT use involves taking into account the controls you identify, because those controls may involve the use of IT or rely on IT. The bottom line is that IT applications most likely to have risks are those for which you identified controls.
SAS No. 145 provides some general guidelines and considerations to determine whether an application is more or less susceptible to risks. Characteristics of an IT application that make risks arising from IT use more likely include the following:
- Applications are interfaced.
- The volume of data or transactions is significant.
- The application’s functionality is complex, automatically initiates transactions, or has a variety of complex calculations underlying automated entries.
- Management relies on an application system to process or maintain data, or management relies on the application system to perform certain automated controls that the auditor has also identified.
Characteristics of an IT application that make risks arising from IT use less likely include the following:
- It is a stand-alone application.
- The volume of data or transactions is not significant.
- The application’s functionality is not complex.
- Each transaction is supported by original hard copy documentation.
To determine risks, the SAS No. 145 executive summary provides several examples of what the auditor may need to consider. Risks arising from the use of IT include risks related to inappropriate reliance on IT applications that are inaccurately processing data, processing inaccurate data, or both.
They commonly include the following:
- Unauthorized access to data, which may destroy or improperly change data, such as the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. Particular risks may arise when multiple users access a common database.
- The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down the segregation of duties.
- Unauthorized changes to data in master files.
- Unauthorized changes to IT applications or other aspects of the IT environment.
- Failure to make necessary changes to IT applications or other aspects of the IT environment.
- Inappropriate manual intervention.
- Potential loss of data or inability to access data as required.
The type of an entity’s IT application and its risks, controls, and use will likely affect the auditor’s assessment of control risk (and possibly the assessment of inherent risk) at the assertion level and will have an effect on the amount of further audit procedures the auditor will need to perform to achieve the desired reduction of audit risk.
SAS NO. 145 IS SCALABLE
Keeping up to date on what technology clients are using and what is on the horizon is never a bad idea, but SAS No. 145 doesn’t force auditors to become IT gurus. They may have clients that use very little technology, and SAS No. 145 recognizes that. Scalability is interwoven throughout the standard. The standard notes that the extent of the auditor’s understanding of the IT processes, including the extent to which the client has general IT controls in place, will vary with the nature and circumstances of the client and its IT environment and will also be based on the nature and extent of controls the auditor identifies.
For example, the auditor may encounter a client using only commercial software with no access to make program changes. Or the auditor may take on a client with multiple IT applications whose management is complex rather than limited. These circumstances will call for different responses. The auditor’s professional judgment is key to recognizing where they can properly scale their procedures.
General IT controls likely still need to be considered even if the entity uses commercial software and does not modify those programs. General IT controls are often found in less complex entities. They commonly include the following:
- Controls to secure logical access to critical applications, databases, operating systems, and networks
- Controls related to significant upgrades to the IT operating system or to significant packaged applications, e.g., significant upgrades that are tested before they are put into production
- Controls to back up critical data and programs
There may be circumstances in which, in the auditor’s professional judgment, an IT specialist may need to be involved. (See the chart “Considerations Regarding Use of an IT Professional,” below.)

VALUABLE GUIDANCE ON RISKS
As the reliance on data and technology continues to grow, the risks associated with IT in financial statement audits increase as well. Auditors can minimize risks related to IT use and improve the efficiency and effectiveness of audit procedures by gaining a comprehensive understanding of the organization’s IT environment, evaluating controls, and conducting relevant procedures. Following the requirements outlined in SAS No. 145 allows auditors to effectively address the intricacies of IT systems and conduct audits that prioritize risk assessment.
The revised requirements of SAS No. 145 provide auditors with valuable guidance to identify, assess, and respond to these risks effectively.
About the author
Dave Arman, CPA, is senior manager — Audit Quality at AICPA & CIMA, together as the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.