September 25, 2022

What Is the Meaning of Significant Risk?

Risk in a financial statement takes on many forms. It can be a material misstatement or can manifest as an undefined intangible that’s highlighted in a footnote. Auditors spend the most time in financial statement audits on identifying and assessing material misstatements because of the impact on the company’s financial position. Yet, risk assessments made up 25 percent of audit deficiencies in 2020 peer reviews, so there’s clearly more work to do to shore up this aspect of financial reporting.

Understanding and documenting significant risks will take on heightened importance with the 2023 roll-out of SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.  Under the new guidance, there were several changes made designed to ensure the assessment and identification of risk factors occur more robustly. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.

Background: What Is Material Misstatement?

Most business owners aren’t accounting and corporate finance experts. That is why they bring in external advisors, yet it is still important to understand some of the basic concepts underpinning the financial statement.

Material misstatement doesn’t necessarily mean that there’s fraud. It does indicate that information is incorrect to the point of potentially impacting economic and financial decisions.  Several factors can cause material misstatements including weak internal controls and reporting, lack of oversight, or external factors like a bad economy or rapidly changing industry conditions.

Breaking that down further, the risk of material misstatement can also exist at the assertion level. In this regard, there are two types of risk to consider: inherent and control risk. Inherent risk refers to what the auditor views as a potentially higher risk, and control risk refers to potential failures in internal controls.

To assess audit risk, the financial statements are examined with the intent of understanding the company’s business environment and internal controls. This is where the risk assessment comes in.

The Client’s View of Risk Assessments

Each audit is different, but generally, with full-scope financial statement audits, risk assessment looks like this:

• Interview managers and other stakeholders familiar with the financial statements
• Conduct analytical procedures to test and review internal controls
• Observe transactions, test calculations, control processes, and investigate potential inconsistencies
• Discuss audit findings with management and ascertain management’s responsibility over the financial statements
• Perform other risk assessment procedures as needed

Throughout, the auditor will examine risk from several perspectives, including

• Fraud
• Economic, accounting, or other developmental factors
• Complex transactions
• Related party transactions
• Subjectivity
• Irregular transactions

These procedures form the basis of every financial statement audit and are often customized to suit specific industries and even clients. Because there’s no single formula or approach, risk assessment is often left to the auditor’s discretion.

What’s New in SAS 145?

Improving risk assessment standards is meant to also improve audit quality through a better understanding of a company’s internal controls, consideration for IT risks, and a heightened focus on material misstatements. SAS 145 was also developed closer in line with international financial reporting standards.

With that in mind, clients should be aware of the new risk assessment standards auditors will have in place next year. SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, imposes more stringent requirements for risk assessment and issues clarifying guidance on how to address the “economic, technological, and regulatory aspects of the markets and environment in which entities and audit firms operate.”

Among the more notable revisions and new requirements are:

• Assessment of risk in IT controls (revised)
• Assessment of inherent and control risk separately (new)
• Definition of significant risk (revised)
• Performance of substantive procedures for each significant class of transactions, account balance, and disclosure (revised)

Assessing inherent and control risks separately can be done in different ways.  There is no single prescribed way of doing this. More documentation will be required all around so that any auditor, even one without any previous knowledge, could form an understanding of risk assessment procedures.

Additionally, SAS 145 removes the “Considerations Specific to Smaller Entities” sections. In doing so, the standard aims to recognize that smaller entities can have complex audits and a pared-down version of risk assessment may not be in management’s best interest.  

Changing Definition of Risk

Due to historical inconsistencies with which significant risk was determined, SAS 145 specifically defines significant risk as:

“An identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or that is to be treated as a significant risk in accordance with the requirements of other AU-C sections.”

There are some risks that will always be considered significant.

Moving forward, SAS 145 will impose special audit requirements for significant risks. A key part of this process is understanding the spectrum of inherent risk and risk factors. The spectrum of risk depends on the possibility that a misstatement could occur and to what extent it matters both quantitatively and qualitatively.

This is a new concept and will bring more audits in line with the same risk assessment standard. Currently, auditors may use a numeric scale or a high/medium/low scale to evaluate risk.

Other Definitions

Other terms that will help clients gain a better understanding of SAS 145 include the following.

• Assertions are “representations, explicit or otherwise, with respect to the recognition, measurement, presentation, and disclosure of information in the financial statements, which are inherent in management, representing that the financial statements are prepared in accordance with the applicable financial reporting framework. Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing, and responding to the risks of material misstatement.”
• Inherent risk is “the susceptibility of an assertion about a class of transactions, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls.”
• Control risk is “the risk that a misstatement that could occur in an assertion about a class of transactions, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.”
• Direct controls are precise enough to address risks of material misstatement at the assertion level.
• Indirect controls support direct controls. Although indirect controls are not sufficiently precise to prevent or detect and correct, misstatements at the assertion level, they are foundational and may have an indirect effect on the likelihood that a misstatement will be prevented or detected on a timely basis.

Timeline and Other Considerations

SAS 145 will be effective for audits of financial statements for periods ending on or after December 15, 2023.

Auditors will still bring their own levels of experience, professional judgment, and methodology to the audit engagement. On the client side, there won’t appear to be much difference with the new auditing standard; however, clients should be prepared for a closer inspection of the internal control environment and more communication at the beginning of and during audit procedures.

Contact Us

The changes outlined in the recently issued SAS 145 guidance provide additional safeguards to ensure risk factors are properly identified. This will translate into a more effective audit for Georgia companies. If you have questions about the information outlined above or need assistance with your next audit, Wilson Lewis can help. For additional information call 770-476-1004 or click here to contact us. We look forward to speaking with you soon.