A&A Focus recap: A deep dive into SAS 145

The latest AICPA A&A Focus webcast, held on Aug. 7, provided valuable insights on key accounting and auditing topics for practitioners. Hosted by Bob Durak, director–A&A Technical Services, and Andrew Merryman, senior manager–A&A Technical Services, the one-hour program covered risk assessment procedures, specifically the requirement to evaluate the design of identified controls and determine where the control has been implemented. Further, the broadcast provided peer review updates, more on using technology in audits, and an overview of the AICPA Financial Reporting Framework for Small- and Medium-Sized Entities (FRF for SMEs).

Evaluating the design and implementation of controls under SAS 145

Diane Hardesty, CPA, managing director at EY and a member of the AICPA Auditing Standards Board (ASB), opened the subject matter expert portion of the broadcast with a deep dive into the requirements of Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, regarding evaluating the design and implementation of internal controls.

Hardesty explained that the ASB, in drafting SAS No. 145, aimed to clarify and enhance certain aspects of the risk assessment process to drive better risk assessments, rather than fundamentally changing how auditors identify and assess risks. A key goal was to make it clear when auditors are required to identify controls and evaluate their design and implementation.

Specifically, SAS No. 145 requires auditors to understand the design and implementation of:

1. Controls that address risks determined to be significant risks;
2. Controls over journal entries and other adjustments;
3. Controls where the auditor plans to test operating effectiveness; and
4. Other controls that the auditor considers appropriate based on professional judgment.

Hardesty emphasized that SAS No. 145 does not require identification and evaluation of controls for all components of internal control — only the control activities component. For other components like control environment and risk assessment process, auditors need only to obtain an understanding.

She also clarified that SAS No. 145 does not require evaluating the design and implementation of all controls related to each significant class of transaction, account balance, or disclosure. This addresses confusion that existed under the previous standard.

Regarding efficiency opportunities, Hardesty encouraged practitioners to consider testing operating effectiveness of controls where appropriate, as doing so can allow for changes in the nature, timing, and extent of substantive procedures. However, she cautioned against “wearing a belt and suspenders” by testing controls but not reducing substantive work accordingly.

Peer review matters

Jim Brackens, CPA, vice president–Ethics and Firm Quality at the AICPA, joined the broadcast and addressed concerns about a perceived shortage of peer reviewers. He explained that while the number of peer reviewers has declined, the number of firms requiring peer review has declined even more rapidly. The real issue is firms waiting too long to schedule their peer reviews.

Brackens encouraged firms to schedule peer reviews early, ideally six months in advance. He noted the AICPA has enhanced communications reminding firms to schedule early. Additionally, the AICPA Peer Review Board issued an exposure draft designed to permanently allow fully remote peer reviews, expanding the pool of available reviewers.

To help address the aging population of peer reviewers (average age of 69), the AICPA Peer Review Board is proposing allowing retired team captains to serve as team members for 18–24 months to mentor new team captains.

Brackens noted that the AICPA is also actively recruiting new peer reviewers through targeted campaigns. He highlighted benefits of being a peer reviewer, including serving the profession, improving audit quality, and enhancing one’s own skills and knowledge.

For firms struggling to find reviewers, Brackens recommended using the reviewer search function on the AICPA website. A new feature of the function allows firms to see which reviewers are willing to take on new clients. Firms can also email prpsupport@aicpa.com or call 919-402-4502 for assistance.

Using technology in your risk assessment procedures

Sara Watson, CPA, a director at Forvis Mazars and member of the ASB’s technology working group, returned to the broadcast, previously highlighting two other audit technology solutions, and discussed how practitioners can leverage technology to enhance risk assessment procedures. She highlighted the AICPA practice aid, Use of Automated Tools and Techniques in the Auditor’s Risk Assessment,  developed by the working group, that provides examples of using technology in risk assessment.

Watson explained there are two elements of technology maturity to consider: the maturity of the audited entity’s technology and the auditor’s use of technology. The practice aid provides examples across this spectrum.

For instance, even with limited client data, auditors can use tools to analyze the full general ledger and identify higher-risk areas. Watson gave the example of separating revenue streams and assigning risk scores, allowing for more targeted testing of higher-risk areas.

With more granular data access, auditors can perform even more sophisticated analyses. Watson referenced an example from the AICPA Audit Guide Guide to Audit Data Analytics, which examines the flow of transactions from purchase order to invoice, flagging issues like unauthorized pricing adjustments or unusual year-end activity by specific employees.

Watson emphasized that using technology allows auditors to be more efficient and focus on higher-risk areas, rather than taking a blanket approach to areas like revenue testing. This aligns with the risk-based approach encouraged by SAS No. 145.

For smaller firms looking to acquire technology tools, Watson recommended starting with analytics capabilities offered by existing software providers like Thomson Reuters or CCH. She also noted that tools like Excel and Power BI can be leveraged for data analysis.

An overview of the AICPA FRF for SMEs

Julie Killian, CPA, principal at Rehmann and chair of the AICPA Private Companies Practice Section Technical Issues Committee, provided an overview of the AICPA FRF for SMEs. This AICPA-developed framework offers an alternative to GAAP for certain private companies.

Introduced in 2013, the FRF for SMEs blends traditional accounting methods with some accrual income tax concepts. It is targeted at less complex entities that do not have regulatory requirements mandating GAAP financials.

Key characteristics of entities that may benefit from the framework include:

• Closely held, for-profit businesses;
• Controlling ownership that runs the company;
• Key financial statement users have direct access to management;
• Not operating in highly specialized industries;
• Not engaged in overly complex transactions; and
• No extensive foreign operations.

Killian outlined several advantages of the framework compared to GAAP:

• Uses historical cost measurement basis;
• Simplified consolidation model (no VIE considerations);
• Disclosure-only treatment for derivatives and stock compensation;
• Traditional revenue recognition approach;
• Simplified accounting for PP&E, goodwill, leases, and income taxes; and
• No concepts of other comprehensive income.

Killian noted that the framework saw increased adoption because it offered a simple alternative when the new revenue recognition standard came out under GAAP.

For companies considering adoption, Killian emphasized the importance of education — both for the company and for its financial statement users, such as banks. Her firm found success in creating mock FRF for SMEs financials to show side-by-side comparisons with GAAP statements. This helped demonstrate that key information was still available, often in a more straightforward presentation.

Killian also stressed that financial statements prepared under the FRF for SMEs can still be audited, reviewed, or compiled. This was an important point in gaining acceptance from banks and other users accustomed to requiring “audited financial statements.”

In other matters

In addition to the featured topical segments, the A&A Focus Series webcast provided updates across several timely emerging issues: 

• FASB issued a new chapter of its Conceptual Framework related to the measurement of items recognized in financial statements. Chapter 6 of FASB Statement of Financial Accounting Concepts No. 8, Conceptual Framework for Financial Reporting, represents the completion of FASB’s Conceptual Framework.

• FASB published a proposed Accounting Standards Update (ASU) aimed at easing some of the challenges related to the scope of financial reporting on a couple fronts. The ASU, according to a FASB news release, addresses stakeholder feedback by proposing:
  • Scope refinements to FASB ASC Topic 815, Derivatives and Hedging, specifically related to the application of derivative accounting to contracts with features based on the operations or activities of one of the parties to the contract; and
  • Scope clarification to Topic 606, Revenue From Contracts With Customers, specifically related to the diversity in accounting for a share-based payment from a customer that is consideration for the transfer of goods or services. 
• The International Auditing and Assurance Standards Board (IAASB) released new supplemental guidance on auditor reporting as it relates to the International Standard on Auditing (ISA) for audits of financial statements of less complex entities, known as the ISA for LCE, a news release said.
• As part of its ongoing effort to align implementation guidance with existing standards, the Federal Accounting Standards Advisory Board (FASAB) issued Technical Release (TR) 23, Omnibus Technical Release Amendments 2024: Conforming Amendments to Technical Releases 10, 16, 20, and 21.
  • FASAB news release
• The AICPA Employee Benefit Plan Audit Quality Center (EBPAQC), established by the AICPA to support firms that audit EBPs in accordance with the Employee Retirement Income Security Act of 1974 (ERISA), published a letter that describes a growing issue related to nondisclosure agreements (NDAs) and other agreements. The document recommends actions that auditors and firms can take to combat the unintended but unfortunate consequences of a technology-driven process.
  • JofA, “Warning for EBP Audit Firms: Service Agreements Can Create Headaches“
• Grant Thornton’s Q2 2024 CFO survey found that 58% of CFOs expressed optimism about the domestic economy — the highest percentage since the third quarter of 2021. Plus, a record 63% of finance leaders are confident in their organization’s ability to meet increased demand.
  • JofA, “CFO Optimism Reaches Highest Level in 3 Years, New Survey Shows“
• In the 15th annual edition of 2024 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, the AICPA and the North Carolina State University (NCSU) Poole College of Management have obtained expert insights from business leaders on the state of enterprise risk management practices and trends across industries of varying sizes doing business within the United States. This study provides an overview of risk oversight practices by delivering key data from 377 U.S.-based organizations.

The webcast concluded with a preview of next month’s A&A Focus, live on Sep. 4, which will feature discussions on required income tax disclosures, a recap of the August ASB meeting, more discussion of accounting for revenue, and more. Throughout 2024, the AICPA plans to leverage the A&A Focus Series as a vital channel to keep members apprised of new accounting, auditing, and reporting developments impacting their work across all industries and domains of practice. Members can access archives of past sessions at the A&A Focus Series webpage.

— Dave Arman, CPA, MBA, is senior manager–Audit Quality at AICPA & CIMA, together as the Association of International Certified Professional Accountants. To comment on this article or to suggest an idea for another article, contact Jeff Drew at Jeff.Drew@aicpa-cima.com.