Calendar year 2023 audits will require auditors to follow revised risk assessment guidance. Changes to the concept of significant risk may impact how you perform risk assessment procedures and how you design further audit procedures to address identified risks.
Understanding the changes to significant risk is critical as you undertake audits under SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Remember, proper risk assessment forms the foundation of your audit. With new guidance becoming effective, you need to know and be able to apply that guidance. All quoted material in this article comes directly from SAS No. 145, except where noted.
Significant risk revised: Definition changes under SAS No. 145
Understanding which risks qualify as "significant" is important, in part because auditors should enhance their responses to those risks. For example, SAS No. 145 requires auditors to identify controls that address significant risks and to evaluate whether the controls have been designed effectively and implemented. Further, AU-C Section 330, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained, includes special audit considerations in the form of specific requirements related to significant risks because of the nature of the risk and the likelihood and potential magnitude of misstatement related to the risk.
Paragraph .12 of SAS No. 145 defines "significant risk" as "an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections."
Historically, auditors thought of a significant risk as one that required special audit consideration. In other words, an auditor's planned response to a risk determined whether it was considered significant. In practice, the AICPA Auditing Standards Board (ASB) noted "a lack of consistency with which significant risks are determined," as highlighted by inspection findings. The ASB believed "one of the main reasons for this inconsistency lies in the definition of significant risk" and believes that the revised definition will address this issue (quoting from Exposure Draft: Proposed Statement on Auditing Standards, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement).
Going forward, your assessment of inherent risk determines whether a risk of material misstatement qualifies as a significant risk. This does not mean that significant risks don't require special consideration. Significant risks are just that, significant. You must still respond to them appropriately and apply the requirements of AU-C Section 330.
The revised definition also considers where the risk falls on the "spectrum of inherent risk." To identify significant risks under SAS No. 145, the auditor needs to first understand this spectrum.
Spectrum of inherent risk and risk factors
The "spectrum of inherent risk" is a new concept in SAS No. 145. What is it?
Auditors consider the inventory of inherent risk factors identified, such as complexity, subjectivity, or uncertainty, from all risk assessment processes performed, including the auditor's required understanding of the entity. Paragraph .12 of SAS No. 145 tells us inherent risk factors represent "characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls" [emphasis added].
Based on their understanding of inherent risk factors, auditors can assess the likelihood ("the possibility that a misstatement may occur" [emphasis added]) and magnitude of a misstatement ("the qualitative and quantitative aspects of the possible misstatement" [emphasis added]).
Note that it is the combination of likelihood and magnitude that matters. The "intersection [emphasis added] of the magnitude and likelihood of the material misstatement on the spectrum of inherent risk" ultimately determines risk levels, including whether a risk should be deemed significant.
Applying the spectrum of inherent risk
Today, some firms use a low/medium/high scale, while others may use a numeric scale. This feature of a firm's methodology remains applicable because the spectrum of inherent risk is itself a scale. How an inherent risk potentially affects misstatement indicates where that risk belongs on the spectrum.
Under SAS No. 145, you have a significant risk if your inherent risk is, per the definition provided, "close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur."
By focusing your attention on auditing those areas with higher risks of being materially misstated, which includes those identified significant risks, you set yourself up to perform an effective and efficient audit.
Are certain risks always significant?
When applicable, significant risks also include those that are to be treated as a significant risk in accordance with the requirements of other AU-C sections.
Although determining which assessed risks of material misstatement fall close to the upper end of the spectrum of inherent risk and, therefore, are significant risks involves professional judgment, guidance in other AU-C sections includes further requirements. For example, AU-C Section 240, Consideration of Fraud in a Financial Statement Audit, provides additional requirements in relation to the identification and assessment of the risks of material misstatement due to fraud. AU-C Section 550, Related Parties, does the same with respect to related-party transactions that are also significant unusual transactions.
The release of SAS No. 145 provides improved guidance for identifying and assessing the risks of material misstatement. Understanding the revised concept of significant risk and related elements has implications for effective audit responses. As part of the audit process, comprehending the changes in significant risk aids auditors in managing their efforts from day one and, ultimately, enacting appropriate responses to identified risks.
— Dave Arman, CPA, MBA, is the senior manager–Audit Quality at the Association of International Certified Professional Accountants, representing AICPA & CIMA. To comment on this article or to suggest an idea for another article, contact Courtney Vien at Courtney.Vien@aicpa-cima.com.