AUDITING
What’s new with SAS No. 145? New standard increases audit profession’s focus on risk-based auditing.
Statement on Auditing Standards No. 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, supersedes SAS 122, as amended, Section 315, of the same title, and amends various AU-C sections in AICPA Professional Standards. The American Institute of CPAs (AICPA) Accounting Standards Board (ASB) issued SAS 145 as a response to common issues related to auditor’s risk assessment identified through practice monitoring programs not only in the United States, but worldwide. Given the results of peer reviews conducted in the United States in 2020 that indicated AU-C Section 315 was the leading source of matters for further consideration (MFCs), the ASB determined issuing SAS 145 would provide relevant guidance to the ever-changing audit environment.
Tamara Greear, CPA
DISCLOSURES • SPRING 2022

Per the standard itself, “SAS No. 145 does not fundamentally change the key concepts underpinning audit risk, which is a function of the risks of material misstatement and detection risk. Rather, SAS No. 145 clarifies and enhances certain aspects of the identification and assessment of the risks of material misstatement to drive better risk assessments and, therefore, enhance audit quality.”

If SAS 145 doesn’t “fundamentally change key concepts,” what does it change? To say that the standard is voluminous in content is probably an understatement, and therefore covering its changes, even in minimal detail, is not feasible in the span of this article, so I will highlight a few key points.

SAS 145’s overarching premise is to enhance the following:
• Requirements and guidance related to the auditor’s risk assessment, in particular, obtaining an understanding of the entity’s system of internal control and assessing control risk.
• Guidance that addresses the economic, technological and regulatory aspects of the markets environment in which entities and audit firms operate.

In addition to these broader enhancements, the SAS includes the following:
• Revisions to requirements for evaluating the design of certain controls, including IT controls, within the control activities component and whether the controls have been implemented.
• Requirement for the separate assessment of inherent risk and control risk.
• Requirement for control risk to be assessed at the maximum level. So, if the auditor does not plan to test the operating effectiveness of controls, the assessment of the risk of material misstatement is the same as the assessment of inherent risk.
• Revision to the definition of significant risk.
• Guidance on scalability.
• Guidance on maintaining professional skepticism.
• New “stand-back” requirement designed to cause the auditor to evaluate the completeness of their identification of significant classes of transactions, account balances and disclosures.
• Revisions to requirements for audit documentation.
• Conforming amendment for performance of substantive procedures for each relevant assertion of each significant class of transactions, account balance and disclosure regardless of the assessed level of control risk.

All of this seems very simple and straightforward, right? Let’s take a brief look at just a few of the points to try and make the broader terms a little clearer u