(Editors' note: All quoted material in this article comes from SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, as codified in AU-C Section 315.)
Revised risk assessment guidance will require auditors to apply new concepts for calendar year 2023 audits. The concept of inherent risk will remain a critical piece of your risk assessment process, and Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, has brought a number of changes to enhance clarity and audit effectiveness.
Risk assessment continues to be the foundation upon which an efficient and effective audit is built. Identified risks are the basis for your further audit procedures, and the process of identifying those risks is critical.
SAS No. 145 introduces inherent risk factors and new requirements to consider those factors, to help you in the risk assessment process. Inherent risk factors are intended to steer the auditor toward the factors that affect an assertion's susceptibility to misstatement, resulting in a more focused identification of risks of material misstatement.
Inherent risk basics
Inherent risks represent a key input to the calculation of the risk of material misstatement and are described as "the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls."
There is a lot to unpack here. First, inherent risk is related to a management assertion, and management's assertion relates to a class of transaction, account balance, or a disclosure that appears in the financial statements. Second, inherent risk is the likelihood that the assertion could be materially misstated on its own or could combine with other misstatements to be material. Lastly, and just as important, is the concept that inherent risk is to be assessed before the consideration of any related control.
Be careful in your assessment that you are truly considering the inherent risk on its own when making a determination that an assertion is susceptible to a misstatement that individually or in combination could be material. Reviews performed on audit procedures note that many times auditors base their inherent risk assessment on incorrect conclusions. For example, an assertion that is easy to audit — think "cash exists" — does not necessarily have a low risk. Many times auditors will note: "The existence of cash has a low inherent risk because it is kept in the bank" or "because we count it at the end of every day."
Both of these assessments are based on the risk after the consideration of a control, not on the inherent risk alone. Both safeguarding cash in the bank and accounting for it daily are safeguarding controls that can lower the overall risk of material misstatement but should not be considered as a mitigating factor in an inherent risk assessment. In essence, inherent risk comes from the nature of the transaction.
New tools for assessing inherent risk
SAS No. 145 defines a new term, inherent risk factors, as "characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls."
Auditors should already be familiar with the term fraud risk factors, as those risk factors are discussed in AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, and include considerations such as incentives and pressures, opportunities, and attitudes and rationalizations. Taking into account the degree to which the inherent risk factors affect susceptibility to misstatement assists in the assessment of inherent risk.
Inherent risk factors may be qualitative and include "complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias" (discussed below) and may include the more familiar fraud risk factors insofar as they affect inherent risk.
Inherent risk factors may also be quantitative. For example, the quantitative significance of the class of transactions or account balance can be a factor, or "the volume or a lack of uniformity in the composition of the items to be processed" can be considered.
Qualitative inherent risk factor illustrations
Increased complexity as a risk factor involves the type of information or its preparation. For example, you may see increased complexity in derivatives, warranty reserves, or other areas where the concept is more complex or where difficult estimates occur.
Increased subjectivity is often also seen in estimates or in areas that are judgment-based. This risk factor "arises from inherent limitations in the ability to prepare required information in an objective manner, due to limitations in the availability of knowledge or information, such that management may need to make an election or subjective judgment about the appropriate approach to take and about the resulting information to include in the financial statements."
Change "results from events or conditions that, over time, affect the entity's business or the economic, accounting, regulatory, industry, or other aspects of the environment in which it operates, when the effects of those events or conditions are reflected in the required information." These events may include disruptions like the COVID-19 pandemic, heightened inflation, or the potential onset of a recession.
Uncertainty comes "when the required information cannot be prepared based only on sufficiently precise and comprehensive data that is verifiable through direct observation." Uncertainty might be found in estimates of potential legal action against an entity. The likelihood of a negative judgment may be high, but the amount of monetary loss may be highly uncertain.
"Susceptibility to management bias results from conditions that create susceptibility to intentional or unintentional failure by management to maintain neutrality in preparing the information," for instance pressure to achieve a desired result that could lead to a misstatement in the financial statements, which if intentional may result in fraud.
How will auditors be impacted?
SAS No. 145 requires inherent risk factors to be considered during audit procedures to understand the entity and its environment and the applicable financial reporting framework. Paragraph .19 requires that auditors "obtain an understanding of … how inherent risk factors affect the susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial statements." These procedures are based on the results of the auditor's gathered understanding of the entity and its environment.
Further, SAS No. 145 requires inherent risk factors to be considered in assessing risks of material misstatement at the assertion level. Paragraph .35 requires that the auditor "take into account how, and the degree to which inherent risk factors affect the susceptibility of relevant assertions to misstatement."
Inherent risk factors are also a great topic to discuss when the engagement team gathers to hold discussions about the application of the applicable financial reporting framework and the susceptibility of the entity's financial statements to material misstatement.
Risk assessment remains fundamental to effective audits. The changes in SAS No. 145 are meant to enhance auditors' performance. Properly assessing inherent risk, through the consideration of the newly included inherent risk factors, will allow the auditor to more effectively and efficiently perform further audit procedures and improve overall audit quality.
Learn how to overcome the challenges commonly faced when conducting risk assessment in conjunction with SAS No. 145. Attend the Risk Assessment Under SAS No. 145 webcast offered now through January.
— Dave Arman, CPA, MBA, is the senior manager–Audit Quality at the Association of International Certified Professional Accountants, representing AICPA & CIMA. To comment on this article or the suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.