Revisiting risk assessment

By Laura Hay, CPA, CAE, OSCPA executive vice president

Deficiencies in audit risk assessment procedures are the leading source of Matters for Further Consideration (MFCs) in the peer review program.

Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, enhances the requirements and guidance for the auditor’s risk assessment, particularly in obtaining an understanding of the entity’s system of internal control and assessing control risks.

A risk-focused audit approach prevents both the inefficiencies of over-auditing and the deficiencies that result from under-auditing.

Effective for audits of financial statements for periods ending on or after December 15, 2023, SAS No. 145 supersedes SAS No. 122, as amended, section 315 of the same title, and amends various AU-C sections in AICPA Professional Standards. Early implementation is permitted.

Significant changes

Significant changes introduced by SAS No. 145 include:

• New requirement to separately assess inherent risk and control risk

• Revised definition of “significant risk”

• Revised requirements to evaluate the design of internal controls within the control activities component, including general IT controls, and to determine whether such controls have been implemented

• New requirement to assess control risk at the maximum level such that, if the auditor does not plan to test the operating effectiveness of controls, the assessment of the risk of material misstatement is the same as the assessment of inherent risk.

• New guidance on scalability

• New guidance on maintaining professional skepticism

• New guidance on the evolving business environment, including economic, technological and regulatory aspects of markets and environments in which entities operate.

• New “stand-back” requirement to evaluate the completeness of the auditor’s identification of significant classes of transactions, account balances and disclosures

• A conforming amendment to perform substantive procedures for each relevant assertion of each significant (rather than material, as previously required) class of transactions, account balance and disclosure, regardless of the assessed level of control risk

• Revised documentation requirements

SAS No. 145 does not fundamentally change the key concepts underpinning audit risk, which is a function of the risks of material misstatement and detection risk. The standard seeks to clarify and enhance the auditor’s identification and assessment of the risks of material misstatement to drive better risk assessment and enhance audit quality.

Obtaining an understanding of the entity’s system of internal control

The term “internal control” has been changed to “system of internal control,” which includes five components:

1. The control environment

2. The entity’s risk assessment process

3. The entity’s process to monitor the system of internal control

4. The information system and communication

5. Control activities

Obtaining an understanding of the entity’s system of internal control is a requirement for the identification and assessment of the risks of material misstatement, regardless of the auditor’s planned controls reliance strategy. The standard clarifies that this overall understanding is achieved through performing procedures sufficient to gain an understanding of each of the five components of the system of internal control.

Inherent risk, control risk, and significant risk

Inherent risk factors, the spectrum of inherent risk, and the separate assessments of inherent risk and control risk were introduced in SAS No. 143, Auditing Accounting Estimates and Related Disclosures. SAS No. 145 elaborates that these concepts are applicable to all types of classes of transactions, account balances and disclosures, not just those involving accounting estimates.

Because of the close interaction between SAS No. 143 and SAS No. 145, their effective dates have been aligned.

The standard clarifies that it is important to consider inherent risk on its own when making the determination that an assertion is susceptible to material misstatement. The spectrum of inherent risk is based on the intersection of likelihood and magnitude of misstatement. If potential misstatement is material and the risk is higher on the spectrum, then there is “significant risk”.

Scalability

SAS No. 145 removes the “Consideration Specific to Smaller Entities” sections of the previous standards and incorporates scalability throughout the standard, recognizing that the size of an entity is not necessarily an indicator of its complexity, as some smaller entities may be complex, and some larger entities less complex.

The standard recognizes that some aspects of an entity’s system of internal control may be less formalized but still present and functioning, considering the nature and complexity of the entity. When the entity’s systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through a combination of inquiries and other procedures, such as observation or inspection of documents.

Professional skepticism

The standard clarifies that gaining an appropriate understanding of the entity and its environment is a necessary foundation for professional skepticism in the audit. The standard highlights the need for effective collaboration and communication among the audit team, and the exercise of professional skepticism when presented with contradictory evidence during risk assessment procedures.

Evolving business environment

SAS No. 145 includes a new explicit requirement to understand the entity’s IT environment, including IT applications and supporting IT infrastructure, which includes processes and personnel who support business operations and achievement of business strategies.

In addition to expanding the auditor’s understanding of the environment in which the client operates, the standard recognizes the ability of the auditor to use automated tools and techniques, including data analytics, when performing risk assessment procedures.

SAS No. 145 seeks to improve consistency in applying risk assessment procedures in the audit. Embracing the core principles of risk-based thinking, rather than a compliance culture, will assist the profession in enhancing audit quality and effectiveness.

Laura Hay, CPA, CAE, is the executive vice president of The Ohio Society of CPAs and the staff liaison to the Accounting, Auditing, Professional Ethics Committee and Peer Review Committee. She can be reached at Lhay@ohiocpa.com or 614.321.2241
