Lessons learned from the first year of SAS 145
Implementing SAS 145, the new audit standard, has changed one firm’s documentation and brought about efficiencies.

Risk assessment is fundamental to audit quality. The AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, to bolster the risk assessment process and boost overall audit quality.
SAS 145 became effective for audits of financial statements for periods ending on or after Dec. 15, 2023. A year later, a firm that implemented the standard in its audits agreed to share lessons learned with the JofA.
WHAT HAS CHANGED?
SAS 145 did not change key audit risk concepts, but it altered and clarified the existing risk assessment guidance and added a few new requirements.
“When our firm did an assessment of SAS 145, we felt there were two big changes that would require edits to our existing risk assessment documentation in virtually all of our audit files,” said Tina Nordquist, CPA, A&A service line leader at Brady Martz and Associates PC in Minot, N.D. “The first was the change in the math in assessing the risk of material misstatement, and the second was the definition of a relevant assertion.”
Because of these changes, Nordquist said, the firm took the opportunity to challenge its staff to take a hard look at the opportunities provided by the standard, to take an especially deep dive into all risk assessments and testing approaches, and to shift their time and focus to areas of higher risk.
Separate assessment of inherent and control risk
While the previous guidance allowed for a combined assessment of material misstatement risk, SAS 145 requires auditors to document a separate assessment of inherent risk and control risk.
The guidance clarifies that if the auditor does not plan to test the operating effectiveness of controls, control risk is required to be assessed at the maximum level. Further, if control risk is assessed at maximum, SAS 145 requires the assessment of the risk of material misstatement to be the same as the assessment of inherent risk.
The firm’s third-party practice aids already required documentation for a separate assessment of inherent and control risk, Nordquist said, but the firm tweaked them to comply with SAS 145.
To align the updated requirement for the risk of material misstatement with inherent risk when control risk is assessed at maximum, the firm’s third-party practice aids’ table for the suggested risk of material misstatement had to be adjusted, potentially removing some auditor judgment, Nordquist said. “Prior to SAS 145, if inherent risk was assessed at low and control risk was assessed at high, the vendor recommended a combined risk of material misstatement of either moderate or high based on auditor judgment.”
Nordquist indicated that a positive impact of this change is that the lowered risk of material misstatement for an area with a low assessed inherent risk has allowed the firm to reduce sample sizes in those areas, which facilitates spending more time in areas of higher risk.
Revised definition of a relevant assertion
The second significant change for the firm’s audit planning and procedures was the change in the definition of a relevant assertion. Under SAS 145, an assertion is relevant when there is an identified risk of material misstatement. For a risk of material misstatement to exist, there has to be both a reasonable possibility for the misstatement to occur and a reasonable possibility for the misstatement to be material.
“The change in the standard clarified something we were kind of scared of under the previous standard,” Nordquist said. “Previously, there were areas that were barely material that we knew did not present a lot of risk, but we were afraid to reduce testing because of how the former standard was worded.” The firm noted that staff used too many relevant assertions because they tended to default assertions to low and were hesitant to commit to calling them not relevant, she added. This resulted in some over-auditing of low-risk areas or procedures that weren’t as focused as they could have been.
As part of adopting SAS 145, Brady Martz spent a lot of time as a firm discussing what each of the assertions meant and how the firm would use them in risk assessments, according to Nordquist. This enabled staff to reduce the number of relevant assertions and to develop a more focused testing approach on those that were relevant and of higher risk.
“From a practical standpoint, I found there was a lot more discussion about what is or is not a risk or a relevant assertion,” said David Holt, CPA, a former member of the firm’s board of directors. “During the deep dive, there was a lot more input from staff at all levels, challenging, asking why, and really thinking about it.”
Clarified documentation requirements
In addition to the changes noted above, SAS 145 clarified the existing documentation requirements related to the firm’s understanding of the design and implementation of the client’s system of internal control. The standard added specific requirements to obtain an understanding of controls around journal entries and general information technology (IT) controls that address risks arising from the use of IT.
As a peer reviewer, and in collaborating with individuals at other firms, Nordquist said she has witnessed a great deal of diversity in practice with respect to the nature and volume of information that firms document related to the understanding of controls.
Common issues she noted include:
- Preparation of voluminous process narratives with no documentation of identified controls;
- Firms failing to perform procedures beyond inquiry related to the implementation of identified controls; and
- Firms performing walk-throughs that did not address the identified controls.
Firms also will perform walk-throughs in common areas such as bank reconciliations, cash receipts, and cash disbursements but fail to perform walk-throughs related to their documented significant risks, Nordquist said.
“One example I see commonly is that firms will document a significant risk related to revenue cutoff,” she said, “but will then walk through controls related to cash receipts instead of controls over true revenue recognition issues such as the revenue being recorded in the correct period, determining the correct transaction price, etc.”
She noted SAS 145 clarified a common misconception with the previous standard, under which some firms thought walk-throughs were required for all significant classes of transactions and not just significant risk areas.
Under SAS 145, design and implementation work only has to be done in the following areas:
- Controls over significant risks;
- Controls over journal entries;
- Controls where operating effectiveness is being tested;
- General IT controls that address risks arising from the use of IT; and
- Other controls based on judgment to meet the objectives of paragraph 13 of the standard related to risk assessment.
LESSONS FROM IMPLEMENTING SAS 145
Brady Martz practitioners who implemented SAS 145 extolled the benefits of the following:
Better upfront planning
Nordquist found that it worked well to brainstorm as a group for certain industries with large concentrations of clients similar in nature. These meetings included all levels within the firm — firm industry leads, key shareholders and managers, and experienced staff — to learn from their different perspectives.
They talked about significant classes of transactions and risks common to groups of clients and developed a baseline risk assessment for some, she said. “We heavily emphasized to our staff that the intent of the templates was to reduce the amount of time they were spending populating audit areas and redocumenting the basics, so they could spend more time focusing on the aspects that were unique to each individual client and developing proper responses to these risks.”
This approach promoted great conversation and made the firm members more efficient and consistent where it made sense, according to Nordquist.
“They had more ability to think outside the box and came up with some great new ideas, rather than sticking with ways we had done things for many years,” she said. As a firm, they intend to do more of this where appropriate going forward.
IT controls documentation
As part of the SAS 145 implementation, the firm developed a more in-depth IT risk assessment workpaper that helps guide staff through conversations with clients about IT’s impact on their financial reporting processes, Holt said. “This assessment helps identify IT-related risks and missing IT controls related to those risks.”
Clients took note of how much time staff spent with their IT teams, he said.
Nordquist said there were thought-provoking conversations with clients when staff started asking them about the controls they had in place around remote access to systems. “If they were allowing their staff to work remotely, how did they know unauthorized third parties were not using the same mechanism to access their systems? What procedures did they have in place for disaster recovery or related to hacking incidents? We identified numerous significant deficiencies and material weaknesses related to IT and had a lot of conversations with clients about the need to modernize their IT systems and controls.”
Staff education and involvement
“One of the biggest challenges we noted was that the wording changes in the standard seemed very subtle, and the staff initially didn’t pick up on some of the changes or understand the opportunities for efficiencies that the changes provided,” Nordquist said. “As a peer reviewer, I also observed this same trend among other firms.”
As a result, her firm did a lot of direct staff training, some developed internally and some by bringing in external vendors.
Addressing documentation changes
A challenge the staff at Brady Martz faced was figuring out how to streamline the process of documenting the understanding of the design and implementation of identified controls while making sure they covered all the items required by SAS 145.
The firm created a workpaper template that helped guide staff members through the required considerations, conversations with clients, and documentation requirements.
“In looking at our legacy documentation, we felt we covered all of the requirements somewhere, but we didn’t like how many workpapers the documentation was spread across,” Nordquist said. The firm’s revised template “focused on the identified controls and provided linkage to the requirements of both SAS 145 and the significant risks noted in our risk assessment summary form.”
Additional efficiencies
In the area of revenue recognition, Nordquist, as a peer reviewer, has seen many firms that are not customizing the risks related to improper revenue recognition due to fraud that third-party practice aid providers include by default in their risk assessment forms. “The generic risk related to revenue recognition isn’t specific enough — it’s too open-ended and depending on your documentation can call into question whether you have done enough work related to revenue.”
Firms should also look for opportunities to rely on automated system controls that can be tested efficiently. This may allow them to perform fewer tests of details and more substantive analytics, especially in areas like revenue. “Going forward, with modernization of client IT systems, we are challenging our team to take a harder look at whether we can efficiently do more tests of automated system controls,” Nordquist said.
PEER REVIEW FINDINGS
Now that firms have gone through an audit cycle with SAS 145, they can determine whether changes are needed to fine-tune their risk assessment.
“If a firm had 2024 as a peer review year, they may likely get comments related to SAS 145 and will know what areas of improvement are,” Holt said. “If they have not yet had their peer review, they may not know what they did not do right.”
Nordquist noted a common issue in recent peer reviews has been firms missing the new requirement to understand controls around journal entries. “In some cases, firms missed the requirement altogether. In other cases, firms relied on existing procedures related to testing of journal entries under the fraud standard. Often the firms looked at support for the entries but failed to document the understanding of the controls, such as required reviews, approvals, and potentially restrictions on the financial reporting system rights to those functions.”
Holt agreed: “Firms did not document the client’s controls over journal entries. They knew what the controls were, including who could post or review and approve entries, but they did not include that documentation in their workpapers.”
Auditors can learn from peer review findings related to SAS 145 as they continue to refine their risk assessment process and improve audit quality.
About the author
Maria L. Murphy, CPA, is a senior content management analyst, accounting and auditing products, for Wolters Kluwer Tax & Accounting North America and a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.