The AICPA Auditing Standards Board issued a new Statement on Auditing Standards (SAS) that is intended to clarify its views on how auditors should determine which areas pose the most risks of material misstatement in an audit engagement.
Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is designed to help external auditors determine which areas pose the greatest risks of material misstatement in an audit engagement and spend more of their time performing procedures in those areas. When it takes effect, it will supersede SAS No. 122, as amended, section 315 of the same title, as well as various sections in AICPA Professional Standards.
While the standard applies to external audits, it is also of interest to internal auditors who can expect to see more scrutiny of financial reporting areas impacted by the new standard.
“The auditor’s risk assessment drives almost every part of the audit. As a result, the evaluation of risks sits at the core of audit quality,” said AICPA Chief Auditor Jennifer Burns, CPA. “SAS No. 145 supports the performance of quality audits by providing additional clarity and guidance in identifying and evaluating risks of material misstatement, while considering the evolving nature of business.”
SAS No. 145 addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements. The SAS enhances the requirements and guidance on identifying and assessing the risks of material misstatement, in particular the areas of understanding the entity’s system of internal control and assessing control risk. The SAS revises the definition of significant risk, includes new guidance on maintaining professional skepticism, and includes a new “stand-back” requirement intended to drive an evaluation of the completeness of the identification of significant classes of transactions, account balances, and disclosures by the auditor. The SAS also includes extensive guidance regarding the use of information technology (IT) and the consideration of IT general controls.
Included in the Revised Standard
In addition, the SAS includes, among other things, the following:
- Revised requirements to evaluate the design of certain controls within the control activities component, including general IT controls, and to determine whether such controls have been implemented.
- New requirement to separately assess inherent risk and control risk.
- New requirement to assess control risk at the maximum level such that, if the auditor does not plan to test the operating effectiveness of controls, the assessment of the risk of material misstatement is the same as the assessment of inherent risk.
- New guidance on scalability.
- Revised requirements relating to audit documentation.
- A conforming amendment to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance, and disclosure, regardless of the assessed level of control risk (rather than for all relevant assertions related to each material class of transactions, account balance, and disclosure, irrespective of the assessed risks of material misstatement, as previously required).
SAS No. 145 becomes effective for audits of financial statements for periods ending on or after December 15, 2023.