November 9, 2022
FASB’s Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides revised guidance for the calendar year 2023 financial statement audits. The broad concept of improved risk assessment standards in SAS 145 will extend to other areas of an audit, like IT and material misstatements. These changes will result in a different audit process for most Atlanta companies. There will be a greater reliance on data and analytics, a new approach to risk assessment and a deeper analysis of information technology (IT) controls. Companies can prepare by gaining a better understanding of the revised risk concepts in SAS 145 and how controls will be assessed. To help clients, prospects, and others, Wilson Lewis has summarized the key details below.
The goal of SAS 145 is to provide more clarity surrounding audit risks and, ultimately, better audit quality. Many accounting firms fail to perform adequate risk assessments, resulting in a deficient audit for the company. Even without audit deficiencies, inaccurately evaluating risk can mask the company’s true financial position, knowingly or unknowingly. These updates will help to better define and contextualize risk for all financial statement users.
While SAS 145 doesn’t fundamentally change underlying risk concepts, it does clarify, revise, and add different audit requirements.
The following risk guidance is enhanced:
The following risk requirements are revised:
There are new requirements and guidance in SAS 145, too.
New concepts are introduced in SAS 145 to better frame the risk environment. Inherent risk, which is at the management assertion level, is defined as:
“the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.”
Inherent risk refers to an assertion that could lead to a material misstatement. SAS 145 addresses it first and places it on a risk spectrum. The risk spectrum considers the likelihood of a material misstatement occurring because of the risk and the magnitude of the potential misstatement. Just because a transaction or account balance is easy to review doesn’t necessarily mean it’s low risk. The inherent risk depends on the transaction or disclosure.
These factors are measured based on their potential for fraud or misstatement. Factors like incentives, pressure, opportunity, attitudes, and rationalization – elements in the fraud diamond model – are considered in the context of the potential likelihood of a material misstatement.
Both qualitative and quantitative factors frame inherent risk.
Private companies examining their system of internal controls should be looking not just at whether a particular control can mitigate risk but other factors that could directly or indirectly influence the risk environment.
These scenarios are examples of inherent risk factors that management may encounter.
Companies should also expect more documentation for these areas.
Along the same thread, significant risk arises when the inherent risk area is close to the upper end of the risk spectrum. This is a different approach from previous guidance.
Some risks will always be considered significant. The regulations state that:
“Areas of significant management judgment and unusual transactions may often be identified as significant risks. Significant risks are therefore often areas that require significant auditor attention.”
Since this is a revised approach, companies may not see the same scale for determining significant risks as in prior audits. The overall benefit is that, across the board, audits will be more in line with a consistent risk assessment standard.
Recognizing that the IT environment is changing and is a larger part of the overall risk assessment, SAS 145 spends a great deal of time addressing IT general controls. Private companies will see increased audit scrutiny related to controls for IT applications, risks arising from the use of IT, and whether, and how many, existing controls would mitigate the risk of material misstatement.
Companies don’t need specific controls for every IT process but should have processes that address the overall risks of using IT. Entities that only use commercial software and don’t have access to the source code can use a more streamlined audit process for general IT controls.
Moving Forward
Another revision in SAS 145 should help to scale the risk assessment approach regardless of entity size. The new regulations remove the sections specific to “Considerations Specific to Smaller Entities.” This means the same level of risk assessment will be performed for all entities.
Although SAS 145 shifts the focus from risk response to risk assessment, it’s still a good idea for companies to implement a risk management strategy. A risk management strategy is a continuous process that identifies risks in tools, processes, and applications, whether they present as inherent or significant and how likely they are to influence material misstatements. From there, companies can proactively develop and implement relevant controls.
It is important to remember that the new regulations are effective for periods ending on or after December 15, 2023.
Contact Us
Several changes are coming to the financial statement audit process soon. Atlanta businesses should become familiar with the new regulations to determine what changes will need to be made to the audit preparation process. If you have questions about the information outlined above or need assistance with an audit or accounting concern, Wilson Lewis can help. For additional information, call 770-476-1004 or click here to contact us. We look forward to speaking with you soon.