Scaling SAS 145 for less-complex entities
Recognize opportunities to customize audit procedures at less-complex entities while meeting the requirements of the standard.

When drafting Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, the AICPA Auditing Standards Board (ASB) recognized that a less-complex entity may address its risks differently than a larger, more-complex business.
Given that, many of the requirements of AU-C Section 315, the codified version of SAS No. 145 (see the sidebar, “SAS No. 145”), offer opportunities to make an audit of a less-complex entity effective and efficient.
AU-C Section 315 states that the guidance surrounding risk assessment “is intended for audits of all entities, regardless of size or complexity.” The “Application and Other Explanatory Material” paragraphs of SAS No. 145 contain discussion of the scalability opportunities of the standard with further guidance on how auditors can customize their procedures, using their professional judgment.
For example, as discussed in paragraph .A23 of AU-C Section 315, some entities, including less-complex entities, and particularly owner-managed entities, may not have established structured processes and systems (such as a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. Other entities, typically more-complex entities, are expected to have more formalized and documented policies and procedures.
Let’s examine common risk assessment procedures for the five components of the entity’s system of internal control and where SAS No. 145 suggests that scaling procedures at a less-complex entity may increase auditor efficiency and effectiveness.
This discussion is not designed to be all-inclusive or to provide complete guidance when performing an audit of a less-complex entity. The AICPA Audit Guide Risk Assessment in a Financial Statement Audit provides a comprehensive discussion of applying SAS No. 145, including the scalability scenarios reproduced below as well as additional scalability examples.
THE CONTROL ENVIRONMENT COMPONENT
Paragraph .21 of AU-C Section 315 notes that the auditor should, through performing risk assessment procedures, obtain an understanding of the control environment relevant to the preparation of the financial statements.
How might the auditor perform the procedures required by paragraph .21 at a less-complex entity?
Consider A&E Landscaping LLC (A&E), a fictional family-owned partnership that performs landscaping work and employs 20 laborers. The company outsources its accounting to a provider who performs almost all accounting functions and prepares monthly financial statements. A&E has an informal system of internal control that the owners believe is sufficient to prevent a material misstatement in the financial statements and no formal documentation of company policies and procedures. Governance of A&E consists of two related member-owners. The engagement team consists of only the engagement partner.
Although A&E’s system is less formal, the auditor would recognize that the responsibility for understanding and evaluating the control environment remains. To fulfill this responsibility, the auditor might perform a detailed interview with each member-owner, individually, to obtain an understanding of the relevant tenets of the control environment at the entity. The auditor might also observe the member-owners’ interactions with entity personnel through daily business activities. If these procedures identify appropriate controls, the auditor, using professional judgment, might agree that the control environment is appropriate to the entity’s circumstances, considering the entity’s nature and complexity.
The auditor would document the results of the procedures to address the requirements of paragraph .21 in a memorandum memorializing the discussions with the member-owners, the auditor’s observations, and any conclusions made.
THE RISK ASSESSMENT PROCESS COMPONENT
Paragraph .22 of AU-C Section 315 notes that the auditor should, through performing risk assessment procedures, obtain an understanding of the risk assessment process relevant to the preparation of the financial statements. How might the auditor perform the procedures required by paragraph .22 at a less-complex entity?
Again, consider the characteristics of A&E. Even though the entity may not have documented policies and procedures for risk assessment, the auditor can still perform procedures to obtain the required understanding of the entity’s risk assessment process. The auditor would likely obtain this understanding through inquiry of the entity’s management about whether the risk assessment process exists and through observing the direct involvement of management or the owner-manager.
Additionally, although A&E’s process may not be documented or formal, the auditor might inquire of staff to verify that they have observed management collecting information to inform their risk assessment activities, including the auditor inspecting written communication from management staff detailing their involvement.
The auditor would document the results of the procedures to address the requirements of paragraph .22 in a memorandum memorializing the discussions with management and staff, the auditor’s observations, any related inquiries, and any conclusions made.
THE ENTITY’S PROCESS FOR MONITORING THE SYSTEM OF INTERNAL CONTROL COMPONENT
Paragraph .24 of AU-C Section 315 notes that the auditor should, through performing risk assessment procedures, obtain an understanding of the entity’s process for monitoring the system of internal control relevant to the preparation of the financial statements.
How might the auditor perform the procedures required by paragraph .24, with respect to the entity’s process for monitoring the system of internal control component, at a less-complex entity?
At A&E, the auditor might perform procedures to obtain his or her understanding of the entity’s process to monitor the system of internal control by examining how the member-owners are directly involved in operations. There may not be other robust monitoring activities. For example, the member-owners of A&E might review the entity’s monthly results of operations and its balance sheet to understand whether the results appear out of line relative to expectations. In addition, anomalies identified in this review would likely provide the member-owners with an indication of an internal control failure that would require action.
The auditor would document the results of the procedures to address the requirements of paragraph .24 in a memorandum memorializing his or her discussions, observations, and any conclusions made.
THE INFORMATION SYSTEM AND COMMUNICATION COMPONENT
Paragraph .25 of AU-C Section 315 notes that the auditor should, through performing risk assessment procedures, obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements.
How might the auditor perform the procedures required by paragraph .25, with respect to the information system and communication component, at a less-complex entity?
The information system and related communication processes at A&E are likely to be less sophisticated and are likely to involve a less-complex IT environment; however, the role of the information system is just as important. For example, A&E, with its direct management involvement, may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Understanding the relevant aspects of the entity’s information system may therefore require less effort in the audit of A&E.
The auditor, again, would document the results of the procedures to address the requirements of paragraph .25 in a memorandum memorializing his or her discussions, observations, and any conclusions made.
CONTROL ACTIVITIES COMPONENT
Paragraph .26 of AU-C Section 315 states that the auditor should, through performing risk assessment procedures, obtain an understanding of the control activities component. How might the auditor perform the procedures required by paragraph .26, with respect to the control activities component, at a less-complex entity?
Controls in the control activities component at A&E are likely to be similar to those in larger entities, but the formality with which they operate may vary. Further, at A&E, more controls are likely directly applied by management. For example, management’s sole authority for granting credit to customers and approving significant purchases can provide strong control over important account balances and transactions.
At A&E, while many of the controls would be expected to be similar to those at a more-complex entity, they may not be clearly documented. In fact, the staff at A&E may not recognize that the procedures they may be performing are indeed valuable controls. The auditor may consider performing what are commonly referred to as walk-throughs to identify the controls being performed and to evaluate the design and determine implementation (D&I) of the identified controls.
Although not explicitly defined under the “Definitions” heading of AU-C Section 315 (paragraph .12), the requirements in paragraphs .26–.30 of AU-C Section 315 include the concept of identified controls, which are further described in the related application material. Controls in the control activities component are required to be identified when such controls meet one or more of the criteria included in paragraph .27 or .29b of AU-C Section 315.
Note that procedures used in obtaining the evidence necessary to perform D&I can be accomplished in various ways. Many auditors perform what is referred to as a walk-through as discussed in paragraphs .A204 and .A205 in the Application and Other Explanatory Material section of AU-C Section 315. A walk-through involves following a transaction from origination through the entity’s processes, including information systems, until it is reflected in the entity’s financial records, using the same documents and IT that entity personnel use.
Walk-throughs may assist the auditor in understanding the information system as required by paragraph .25, as discussed earlier, and in evaluating the design of controls that address the risks of material misstatement and determining whether those controls have been implemented as required by paragraph .30.
Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation, and reperformance of controls. Whether the auditor documents his or her procedures over controls in a memorandum format, a tabular format, or even in a flowchart format, the documentation of the results of the evaluation of design and the auditor’s determination of whether identified controls have been implemented is key.
SAS No. 145
The AICPA Auditing Standards Board wrote Statement on Accounting Standards No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, to bolster the risk assessment process and improve overall audit quality. Codified as AU-C Section 315, the standard is effective for audits of financial statements for periods ending on or after Dec. 15, 2023.
About the author
Dave Arman, CPA, MBA, is the senior manager–Audit Quality at AICPA & CIMA, together as the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.
LEARNING RESOURCES
Risk Assessments Under SAS No. 145
Overcome the challenges commonly faced when conducting risk assessment in conjunction with SAS No. 145.
WEBCAST
Applying and Scaling Audit Risk Assessment Procedures Under SAS No. 145
Enhance audit quality and ensure compliance with the new risk assessment standard (SAS No. 145), which became effective in December 2023, and learn the ins and outs of AU-C Section 315.
CPE SELF-STUDY
Risk Assessment in a Financial Statement Audit (new guide as of Jan. 1, 2023)
Conform with the new SAS No. 145 to identify and assess risks of material misstatement in a financial statement audit that is performed in accordance with generally accepted auditing standards (GAAS).
PUBLICATION