The new auditing standard Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, streamlines the audit process and addresses compliance issues. Additionally, embracing a top-down approach to how risks of material misstatement and relevant management assertions are addressed could lead to more efficient audits.
SAS No. 145 does not change the fundamental audit risk concepts. Instead, as auditors identify and assess risks of material misstatement, they’ll have additional clarity and guidance from SAS No. 145 that will lead to more effective risk assessments and enhance overall audit quality.
The standard at a glance
The AICPA® Auditing Standards Board (ASB) issued the robust standard — 211 pages — and here are some revisions you can expect:
New requirement: Separate assessments of inherent risk and control risk
Changes in the definition of significant risk
New application guidance when controls are relevant to information technology
Updated guidance on scalability for less complex entities
Revised definition of “relevant assertions”
Introduction of a “stand-back” requirement where auditors evaluate their completed identification of the levels of risk for transactions, account balances and disclosures
The introduction of SAS No. 145 amends various AU-C sections in AICPA Professional Standards and will supersede SAS No. 122, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Generally Accepted Auditing Standards. SAS No. 145 is effective for audits of financial statements ending on or after Dec. 15, 2023. This includes calendar year audits beginning in January.
Additionally, while SAS No. 145 is a rewrite of AU-C section 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, Tom Groskopf, CPA, and director at Cincinnati-based Barnes Dennig clarified that “it doesn’t fundamentally change the overarching concepts of identifying, assessing and responding to those risks.”
Groskopf, who is also the technical director of the AICPA® Center for Plain English Accounting understands that SAS No. 145 presents a lot of information on its pages. “Take the time to read it, digest it, learn about it and ask questions about it.” The challenge for everyone is to break old habits.
Early implementation of the standard is encouraged to ensure auditors have adequate time to prepare and become familiar with the concepts.
A top-down approach
At a high level, said Groskopf, the top-down approach helps the auditor identify and address risks of material misstatement and the relevant assertions.
Embracing a top-down approach to addressing risks of material misstatement “aligns well with the new stand-back requirement in SAS No. 145 as well as the new guidance on scalability,” Groskopf said. SAS No. 145, as codified in AU-C section 315, does not contain the term “top down,” and, as a result, there is no explicit requirement to use a top-down approach. However, organizations that use a top-down approach may find their audits become more effective and efficient.
The environment in which audit firms operate is complicated with the compounding factors of economic, technological, and regulatory aspects, the complexities of auditing standards and challenges to internal control structures.
“For that reason, it really encourages the auditor to think more broadly about what risks of material misstatement are present in the financial statement and less prescriptively,” Groskopf added. “[A top-down approach] fundamentally shifts the focus to risk of material misstatement as opposed to what could be perceived as a back-end, form-driven compliance exercise.”
SAS No. 145 is scalable for engagements of all sizes
Smaller entities, Groskopf said, often perceived risk assessment as too difficult, given their resources. The scalability provisions within SAS No. 145 address these concerns and make quality risk assessments more attainable.
Additionally, early this winter, the AICPA will release an updated risk assessment guide to provide more clarity and relevant guidance on how firms can scale their risk assessments for a wide range of engagements.
“[SAS No. 145] makes it certainly clearer that lengthy risk assessments are not necessarily required for less complex entities,” Groskopf said, referring to a 20-page example in the previous risk assessment guide that may have led to this perception. Every risk assessment does not necessarily need pages upon pages of data and information.
Untangle a complex business landscape
By directing the focus of the auditors and ensuring they emphasize the most pressing concerns, SAS No. 145 will lead to more effective audits, Groskopf said.
“The business environment has become so complex,” Groskopf said. “It’s the risk assessment that tells you where to pivot and to focus. Otherwise, how do you know what to draw your attention to in the audit?”