To bolster the risk assessment process and improve overall audit quality, the AICPA Auditing Standards Board (ASB) issued Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The new standard becomes effective for audits of financial statements for periods ending on or after Dec. 15, 2023.
The revisions in SAS No. 145 do not change the key concepts underpinning audit risk. Rather, according to the Executive Summary of the standard, the standard "clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessment and, therefore, enhance audit quality." These enhancements include changes to certain of the defined concepts.
With an understanding of the revised definitions, you can strengthen your knowledge of the standard and ultimately strengthen your audits. The following highlights some of those changing foundational concepts.
The definition of assertions is the same as it was before SAS No. 145, but it has two notable additions.
The revised definition notes that assertions are representations "… with respect to the recognition, measurement, presentation, and disclosure of information in the financial statements, which are inherent in management, representing that the financial statements are prepared in accordance with the applicable financial reporting framework."
These assertions are used by the auditor to consider the different types of potential misstatements that may occur when "identifying, assessing, and responding to the risks of material misstatement."
The extant definition defines a "relevant assertion" as a financial statement assertion having a reasonable possibility of containing misstatements that would cause a material misstatement of the financial statements. The revised definition states that a relevant assertion is "an assertion about a class of transactions, account balance, or disclosure [that] is relevant when it has an identified risk of material misstatement."
Additionally, the new guidance introduces the concept of assessing the likelihood and magnitude of a misstatement collectively. "Likelihood" represents the possibility of a misstatement while "magnitude" represents the possibility of the misstatement being material.
This revised definition also clarifies that the root of a relevant assertion is based upon inherent risk. Although both the extant and the revised definitions make it clear that the determination of whether an assertion is relevant is made before consideration of related controls, the revised definition underscores the importance of the point by adding the clarification that "the determination is based on inherent risk."
Inherent risk and inherent risk factors
The definition of inherent risk, as provided in AU-C Section 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance With Generally Accepted Auditing Standards, remains unchanged, but SAS No. 145 introduces the definition of inherent risk factors and, within that concept, the spectrum of inherent risk.
As the standard states, "inherent risk factors" are qualitative or quantitative "characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls." Further, "depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk."
As specified in SAS No. 145, the "spectrum of inherent risk" represents "the degree to which the level of inherent risk varies."
Although similar to the low/medium/high or numerical scales that many firms now implement, the spectrum of inherent risk is designed to be a continuum.
The standard states that "[t]he auditor uses the significance of the combination of the likelihood and magnitude of a possible misstatement in determining where on the spectrum of inherent risk (that is, the range) inherent risk is assessed." Further, "the higher the combination of likelihood and magnitude, the higher the assessment of inherent risk; the lower the combination of likelihood and magnitude, the lower the assessment of inherent risk."
Current guidance defines a significant risk as "an identified and assessed risk of material misstatement that, in the auditor's professional judgment, requires special audit consideration."
To promote a more consistent approach to determining a significant risk, SAS No. 145 revises the definition to incorporate the spectrum of inherent risk and to note that a "significant risk" is an identified risk "for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk." Also included are risks that are to be treated as significant by other AU-C sections. Unchanged is the need for professional judgment.
Significant class of transactions, account balance, or disclosure
Although the term "significant class of transactions, account balance, or disclosure" has been used within generally accepted auditing standards (GAAS) — particularly within AU-C Section 940, An Audit of Internal Control Over Financial Reporting That Is Integrated With an Audit of Financial Statements — it was not explicitly defined in GAAS.
SAS No. 145 now explicitly defines a significant class of transactions, account balance, or disclosure as one "for which there is one or more relevant assertions."
System of internal control
The meaning of controls is similar under both the current and revised guidance. However, under SAS No. 145, the term "controls" is now explicitly defined as "policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance."
Both SAS No. 145 and the present guidance require the auditor to perform procedures addressing the entity's internal control. Under SAS No. 145, however, the term "internal control" has been replaced with "system of internal control," and the updated definition comprises five interrelated components of the COSO Internal Control — Integrated Framework.
Information technology-related considerations
SAS No. 145 now provides explicit definitions for the terms general information technology (IT) controls, IT environment, and information-processing controls. In addition, as IT utilization brings additional risk, the new guidance expressly defines risks arising from the use of IT.
The term "IT environment" includes IT applications ("a program or a set of programs that is used in the initiation, processing, recording, and reporting of transactions or information"); infrastructure ("the network, operating systems, and databases, and their related hardware and software"); processes ("processes to manage access to the IT environment, manage program changes or changes to the IT environment, and manage IT operations"); and personnel.
The term "general IT controls" is defined as "[c]ontrols over the entity's IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information-processing controls and the integrity of information in the entity's information system." The term "information-processing controls" refers to "[c]ontrols relating to the processing of information in IT applications or manual information processes in the entity's information system that directly address risks to the integrity of information."
The term "risks arising from the use of IT" is defined as the "[s]usceptibility of information-processing controls to ineffective design or operation, or risks to the integrity of information in the entity's information system, due to ineffective design or operation of controls in the entity's IT processes."
These are some of the changes to the foundational concepts in SAS No. 145, but this list is not exhaustive. Before the new standard takes effect, make sure to read through SAS No. 145 to understand all the changes, enhancements, and new definitions.
— Dave Arman, CPA, MBA, is senior manager–Audit Quality at the Association of International Certified Professional Accountants, representing AICPA & CIMA. To comment on this article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.