MenuClose
 Log Out
Cart 0 items
Site Search
Course Search

What’s new with SAS No. 145?

New standard increases audit profession’s focus on risk-based auditing.
June 14, 2022
  1. Home
  2. What’s new with SAS No. 145?

By Tamara Greear, CPA

Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, supersedes SAS 122, as amended, Section 315, of the same title, and amends various AU-C sections in AICPA Professional Standards.

The American Institute of CPAs (AICPA) Accounting Standards Board (ASB) issued SAS 145 as a response to common issues related to auditor’s risk assessment identified through practice monitoring programs not only in the United States, but worldwide. Given the results of peer reviews conducted in the United States in 2020 that indicated AU-C Section 315 was the leading source of matters for further consideration (MFCs), the ASB determined issuing SAS 145 would provide relevant guidance to the ever-changing audit environment. 

Per the standard itself, “SAS No. 145 does not fundamentally change the key concepts underpinning audit risk, which is a function of the risks of material misstatement and detection risk. Rather, SAS No. 145 clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”

If SAS 145 doesn’t “fundamentally change key concepts,” what does it change? To say that the standard is voluminous in content is probably an understatement, and therefore covering its changes, even in minimal detail, is not feasible in the span of this article, so I will highlight a few key points. SAS 145’s overarching premise is to enhance the following:

  • Requirements and guidance related to the auditor’s risk assessment, in particular, obtaining an understanding of the entity’s system of internal control and assessing control risk.
  • Guidance that addresses the economic, technological and regulatory aspects of the markets environment in which entities and audit firms operate.

In addition to these broader enhancements, the SAS includes the following:

  • Revisions to requirements for evaluating the design of certain controls, including IT controls, within the control activities component and whether the controls have been implemented.
  • Requirement for the separate assessment of inherit risk and control risk.
  • Requirement for control risk to be assessed at the maximum level. So, if the auditor does not plan to test the operating effectiveness of controls, the assessment of the risk of material misstatement is the same as the assessment of inherent risk.
  • Revision to the definition of significant risk.
  • Guidance on scalability.
  • Guidance on maintaining professional skepticism.
  • New “stand-back” requirement designed to cause the auditor to evaluate the completeness of their identification of significant classes of transactions, account balances and disclosures.
  • Revisions to requirements for audit documentation.
  • Conforming amendment for performance of substantive procedures for each relevant assertion of each significant class of transactions, account balance and disclosure regardless of the assessed level of control risk.

All of this seems very simple and straight forward, right? Let’s take a brief look at just a few of the points to try and make the broader terms a little clearer for those of us who may think this sounds anything but simple on first glance.

Separate assessment of inherent and control risk

While some existing software auditing tools focus many practitioners toward separately assessing inherent risk and control risk, this has never been a requirement of the standards. SAS 145 now requires separate assessment of these two risks at the assertion level. The standard, however, does not require documentation of a combined inherent and control risk. 

Definition of significant risk

The newly revised definition of significant risk focuses on the risk itself, and more specifically as an identified risk of material misstatement. Previously, significant risk was about the response to the risk itself as to whether it required special audit consideration. The new definition indicates the following:

“A significant risk is an identified risk of material misstatement for which the assessment of inherit risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherit risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential of the misstatement should that misstatement occur.”

SAS 145’s new definition uses the terms “likelihood” and “magnitude” in conjunction with inherent risk while not referencing control risk. It no longer requires a determination of whether a financial statement risk is a significant risk, but indicates an identified risk of material misstatement at the financial statement level may have impact on assessment of significant risks at the assertion level.

Scalability

As practitioners are already aware, size does not always correlate to complexity. Smaller entities cannot just have the assumption of less complexity. Correspondingly, larger entities are not always complex. Per SAS 145, complexity, not the entity’s size, determines how to apply the standard. It recognizes that an entity may have a less formalized system of internal control while indicating that system may still be functioning given the complexity of the particular entity. Even if the entity has a less formal internal control system, SAS 145 still allows for methodology for the auditor to perform risk assessment procedures. Auditors should use professional judgment in evaluating risk procedures within the standard in relation to the determination of the complexity of each unique entity.

Effective date of SAS 145

The elements discussed here are only a small part of the overall content of SAS 145, and review of the full content of the standard is recommended for successful implementation and application.

SAS 145 is effective for audits of financial statements for periods ending on or after Dec. 15, 2023.  

While change is not always easy or enjoyable, if the results of peer reviews are any indication, perhaps it’s time for that change as it relates to audit risk assessment — if for no other reason than a fresh perspective of existing processes.
Henry Ford once said, “If you always do what you’ve always done, you’ll always get what you’ve always got.”  

Tamara Greear, CPA, is partner at Rodefer Moss & Co., PLLC, in Norton. She is currently chair of the VSCPA Accounting & Auditing Advisory Committee, which she has served on since 2016.