Enhanced Auditor Guidance for Identifying and Assessing the Risk of Material Misstatement


By: Josh McGowan, DBA, CPA, and Steve Grice, Ph.D., CPA

The Auditing Standards Board (ASB) issued SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, in 2021. SAS 145 updates AU-C 315 by enhancing the guidance related to understanding an entity and assessing risks of material misstatement. In recent years, deficiencies in auditors' risk assessment procedures have been identified as a major issue during peer reviews. Examples of these deficiencies include failure to assess risk at the assertion level, no linkage of procedures performed to the risk assessment, and no documentation of specific responses to the risk assessment. The issuance of SAS 145 by the ASB attempts to address these issues and achieve the goal of aligning the United States’ Statements on Auditing Standards (SAS) with the International Standards on Auditing (ISA). The ASB utilized ISA 315 as the foundation for SAS 145 to strengthen auditing standards and elevate audit quality.

SAS 145 doesn't alter the core concepts of audit risk; it provides enhanced guidance and clarification for auditors to identify and assess risks of material misstatement. The new guidance continues to recognize that audit risk is a function of the risk of material misstatement and detection risk. Also, the risk of material misstatement continues to be the product of inherent risk and control risk. The ASB anticipates that SAS 145 will result in improved risk assessments and, ultimately, improved audit quality. SAS 145 also includes guidance on modernizing risk assessment as it pertains to an entity's utilization of information technology (IT). In addition, SAS 145 updates guidance related to assessing control risk and inherent risk separately, assessing control risk at a maximum level when internal controls are not tested for effectiveness, professional skepticism and scalability.

Auditors will note that many of the requirements within SAS 145 have been conducted in practice for multiple years. While this is correct, it is important to note that SAS 145 turns many audit “best practices” into explicit requirements. The major topics related to SAS 145 are described below. SAS 145 is effective for audits of financial statements for periods ending on or after Dec. 15, 2023.

System of Internal Control

To begin, SAS 145 introduces the term "system of internal control" to replace "internal controls," reflecting the ASB's perspective that an entity's internal control system comprises five interconnected components. These components include the control environment, risk assessment process, the process to monitor the system of internal control, information system and communication, and control activities. The control environment, the entity's risk assessment process and the entity's process to monitor the system of internal control are typically considered indirect controls. The entity's information system and communication typically consist of direct and indirect controls. Lastly, an entity's control activities are almost always direct controls. The five components of the internal control system are outlined below:

Control Environment

SAS 145 transforms much of the existing application guidance of AU-C 315 into explicit requirements. Through risk assessment procedures, the auditor is now required to understand the following about the control environment:

• The set of controls, processes and structures that address:
o Management's role in promoting a strong company culture, integrity, and ethical values;
o The distinction between governance and management, and the independent oversight of internal controls;
o The distribution of authority and responsibility within the entity;
o The entity's strategies for attracting, developing, and retaining skilled personnel;
o The methods employed to ensure individual accountability in pursuing internal control objectives.

Utilizing this understanding, the auditor will evaluate whether:

• management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior;
• the control environment provides an appropriate foundation for the other components of the entity’s system of internal control considering the nature and complexity of the entity; and
• control deficiencies identified in the control environment undermine the other components of the entity’s system of internal control.

Entity’s Process for Risk Assessment and Monitoring the System of Internal Control

SAS 145 does not include significant changes to the auditor's responsibility for understanding the entity's risk assessment process or the entity's process for monitoring the system of internal control. It does include a minor revision that requires the auditor to understand how the entity evaluates the effectiveness of its monitoring of internal controls.

Information System and Communication

Auditor responsibilities related to understanding the entity's information system and communication will also not change significantly under SAS 145. Auditors are reminded that understanding an entity's information system is essential. An entity's information system includes the financial reporting process used to prepare the entity's financial statements, including disclosures. SAS 145 introduces a minor requirement for auditors to understand how an entity communicates significant matters internally. For instance, auditors should understand how the CFO communicates the controller's roles and responsibilities within the organization.

Control Activities

SAS 145 substantially enhances the auditor's obligations in understanding an entity's control activities and specifically draws attention to IT-related controls. For each of the control activities discussed below, the auditor is still required to evaluate whether the control is designed effectively and to determine whether it has been implemented. The updated requirements related to control activities are quoted below, each followed by commentary.

The auditor must identify the following controls that address risks of material misstatement at the assertion level (see AU-C 315, paragraph 27):

a. Controls that address a risk determined to be a significant risk.

SAS 145 requires the auditor to identify controls that address a significant risk. The updated definition of “significant risk” is shown below.

Significant risk - An identified risk of material misstatement:
1. for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or
2. that is to be treated as a significant risk in accordance with the requirements of other AU-C sections. For example, AU-C 240, Consideration of Fraud in a Financial Statement Audit, requires the auditor to treat the risk of material misstatement due to fraud as a significant risk.

As noted previously, SAS 145 has an enhanced focus on inherent risk. Inherent risk factors and assessing inherent risk are discussed later in this article. Although the identification of significant risks is similar to pre-SAS 145, auditors are now explicitly required to understand the control activities implemented by management to reduce these risks. This understanding is required, regardless of whether the auditor intends to evaluate the operating effectiveness of the controls. By identifying these controls, auditors can gain insight into management's strategy for addressing significant risks. Moreover, this understanding can assist auditors in creating substantive procedures associated with significant risks, as stipulated by AU-C section 330.

b. Controls over journal entries and other adjustments as required by AU-C section 240.

This requirement is similar to the pre-SAS 145 guidance.

c. Controls for which the auditor plans to test operating effectiveness in determining the nature, timing, and extent of substantive procedures, which should include controls that address risks for which substantive procedures alone do not provide sufficient appropriate audit evidence.

The auditor is not required to test the operating effectiveness, but if testing is planned, the auditor is first required to identify and understand these control activities.

d. Other controls that, based on the auditor’s professional judgment, the auditor considers are appropriate to enable the auditor to meet the objectives of risk assessment procedures in respect to risks at the assertion level.

The auditor must use the knowledge obtained from the abovementioned requirements to determine whether extra attention to other controls is necessary. Some other controls the auditor might consider include:

• Controls related to accounting estimates (refer to SAS 143, Auditing Accounting Estimates and Related Disclosures).
• Controls related to reconciling records to the general ledger.

Based on controls identified in the paragraphs above, the auditor should identify the IT applications and the other aspects of the entity’s IT environment that are subject to risks arising from the use of IT.

For the IT applications and other aspects of the IT environment identified in the guidance above, the auditor should identify the following:

a. The related risks arising from the use of IT.
b. The entity’s general IT controls that address such risks.

The guidance related to understanding IT controls has been significantly enhanced. Auditors will be required to identify risks arising from the use of IT and the corresponding general IT controls established to address them. The first step of this process is identifying the IT applications and other aspects of the entity's IT environment that are subject to those risks. SAS 145 includes an appendix of application guidance, "Considerations for Understanding IT," which features a section on identifying IT applications subject to risks arising from the use of IT. A summary of the key points in that appendix is provided below:

• Comprehend the entity's IT environment, including the nature and extent of information-processing controls.
• Identify IT applications that the entity depends on for accurate processing and maintaining financial information integrity.
• Evaluate the significance of automated controls within the identified IT applications.

  • If the entity relies on automated controls or automated calculations within an IT application, it may be more likely that the IT application is subject to risks arising from the use of IT.

• Determine if the entity has access to source code and the extent of program or configuration changes.

  • If the entity can change the source code and make program changes, this could represent that the IT application is subject to a higher level of risk.

• Understand the risk of inappropriate access or changes to data.
• Identify system-generated reports that may be used as audit evidence (e.g., the AR aging report or the inventory valuation report).

  • If the auditor plans to rely on these reports for audit evidence, the IT application is most likely subject to risks arising from the use of IT.

• Identify the data sources used by IT applications, such as databases or data warehouses.

  • Data warehouses could be IT applications subject to elevated risk.
  • Other aspects of an IT environment to be considered are the operating system and the network.

• Identify IT applications associated with highly automated and paperless transaction processing.
• Determine the IT applications involved in processing that are subject to risks arising from the use of IT.

Exhibit 1 lists considerations provided in Appendix E of SAS 145 that could also help an auditor decide whether an IT application is subject to risks related to the use of IT.

Once the IT applications and other aspects of the IT environment have been identified, the auditor is tasked with identifying the risks related to the use of IT and the general IT controls that address these risks. These controls will most likely be related to one of the following aspects of an entity’s IT environment.

Exhibit 1: considerations from Appendix E of SAS 145 for deciding whether an IT application is subject to risks arising from the use of IT (table not reproduced)

Applications: Controls will depend on the application’s functionality and access paths. For example, more complex controls might be needed for highly integrated applications with complex security options compared to applications supporting account balances with transaction-only access.

Database: Controls will address risks related to unauthorized changes to financial reporting information. These risks may be related to direct database access or access to the database through the execution of a script.

Operating System: Controls may be related to unauthorized access. Unauthorized access could result in adding unauthorized users, installing non-approved software, installing malware or several other unauthorized actions.

Network: Controls might address risks arising from network segmentation, remote access and authentication. Network controls could be relevant when an entity has a significant need for remote access.
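The database point above, controls over direct database access or access through the execution of a script, as an added illustration that is not part of the article or of SAS 145's appendices: a small monitoring control that reviews a database audit log for data changes to financial reporting tables that did not come from the application's own service account through its expected program. The log format (timestamp|db_user|client_program|statement), the account, program and table names, and the sample log lines are all constructed for the example.

```python
"""Flag direct changes to financial reporting tables in a database audit log.

Added illustration for this article, not part of SAS 145 or its appendices.
The log format (timestamp|db_user|client_program|statement), the account and
program names, and the table names are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Tables whose contents feed the financial statements (assumed names).
FINANCIAL_TABLES = {"gl_journal", "gl_balance", "ar_aging", "inventory_valuation"}

# Accounts permitted to write to those tables, each tied to the program it is
# expected to connect from (assumed). A write from any other account, or from
# an authorized account via a different client (an ad hoc psql session, a
# one-off script), bypasses the application's controlled path.
AUTHORIZED_WRITERS = {"gl_app_svc": "erp-ledger-service"}

# Data-changing statements and the table they target (first identifier after
# the keyword). Reads are ignored: they cannot alter reported amounts.
_DML = re.compile(
    r"^\s*(?:INSERT\s+INTO|UPDATE|DELETE\s+FROM|MERGE\s+INTO"
    r"|TRUNCATE(?:\s+TABLE)?|ALTER\s+TABLE)\s+([A-Za-z_][\w.]*)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    db_user: str
    program: str
    table: str
    reason: str
    statement: str


def find_direct_changes(log_text: str) -> list[Finding]:
    """Return one Finding per data change to a financial table that did not
    come from an authorized account using its expected application."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, user, program, statement = line.split("|", 3)
        m = _DML.match(statement)
        if not m:
            continue  # not a data-changing statement
        table = m.group(1).split(".")[-1].lower()  # drop any schema qualifier
        if table not in FINANCIAL_TABLES:
            continue
        expected = AUTHORIZED_WRITERS.get(user)
        if expected is None:
            reason = "account not authorized to write financial tables"
        elif program != expected:
            reason = f"authorized account used outside {expected}"
        else:
            continue  # the normal application path; nothing to report
        findings.append(Finding(timestamp, user, program, table, reason, statement))
    return findings


# Constructed sample log (not real data). Lines 3, 6 and 7 are the exceptions.
SAMPLE_LOG = """\
2023-10-02T09:14:05Z|gl_app_svc|erp-ledger-service|INSERT INTO gl_journal (je_id, amount) VALUES (4470, 9800.00)
2023-10-02T09:15:11Z|gl_app_svc|erp-ledger-service|UPDATE gl_balance SET amount = amount + 9800.00 WHERE acct = '4000'
2023-10-02T22:41:37Z|dba_jsmith|psql|UPDATE fin.gl_journal SET amount = 125000 WHERE je_id = 4471
2023-10-03T03:02:00Z|batch_etl|nightly_load.sql|INSERT INTO dw_sales_fact SELECT * FROM staging_sales
2023-10-03T11:20:45Z|dba_jsmith|psql|SELECT count(*) FROM gl_journal
2023-10-03T11:22:09Z|dev_alee|script:fix_ar.py|DELETE FROM ar_aging WHERE customer_id = 88
2023-10-03T14:05:30Z|gl_app_svc|psql|UPDATE gl_balance SET amount = 0 WHERE acct = '1200'
"""

if __name__ == "__main__":
    for f in find_direct_changes(SAMPLE_LOG):
        print(f"{f.timestamp} {f.db_user}@{f.program} -> {f.table}: {f.reason}")
```

When evaluating the design and implementation of a control like this, the questions an auditor would ask are whether the list of financial tables and authorized writers is complete and maintained, whether the exceptions it produces are actually reviewed and resolved, and whether the audit log itself is protected from the same privileged accounts, since a detective control over direct database access is only as good as the integrity of the log it reads.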

Appendix F of the SAS 145 application guidance contains examples of general IT controls. These examples are shown in Exhibit 2.

Exhibit 2: examples of general IT controls from Appendix F of SAS 145 (table not reproduced)

For each control identified, the auditor:

a. evaluates whether the control is designed effectively to address the risk of material misstatement at the assertion level or effectively designed to support the operation of other controls.

b. determines whether the control has been implemented by performing procedures in addition to inquiry of the entity’s personnel.

Evaluating control designs and determining their implementation is not a new concept in the updated AU-C 315 guidance. However, SAS 145 expands the scope of controls to be examined, particularly in the realm of IT controls. This change aligns with the ASB’s objective of enhancing the auditor’s focus on an entity’s IT environment and associated IT controls. Auditors can no longer simply bypass an entity’s IT system; rather, it becomes a central aspect of the risk assessment process under SAS 145.

Because an auditor is likely to spend more time evaluating IT controls under SAS 145, the guidance provides some relief for automated controls. Evaluating the design and determining the implementation of a control is not, in general, sufficient to test its operating effectiveness. For automated controls within the IT environment, however, the auditor may use the results of those procedures as a test of operating effectiveness, provided the auditor has obtained evidence that the general IT controls (such as those over program changes and access) support the consistent operation of the automated control.

Inherent Risk and Control Risk

SAS 145 now explicitly requires the auditor to use the understanding obtained of the entity, its environment and the applicable financial reporting framework to identify the entity's inherent risk factors. Inherent risk factors may affect the susceptibility of assertions about classes of transactions, account balances or disclosures to misstatement, and may influence either the likelihood of a misstatement occurring or its magnitude. The application guidance lists the following inherent risk factors relating to the preparation of information required by the applicable financial reporting framework:

• Complexity – Arises from the nature of the information or from the way the information is prepared.
• Subjectivity – Arises from inherent limitations in the ability to prepare required information in an objective manner, due to limitations in the availability of knowledge or information, such that management may need to make an election or subjective judgment about the appropriate approach to take and about the resulting information to include in the financial statements.
• Change – Results from events or conditions that, over time, affect the entity’s business or the economic, accounting, regulatory, industry or other aspects of the environment in which it operates, when the effects of those events or conditions are reflected in the required information.
• Uncertainty – Arises when the required information cannot be prepared based only on sufficiently precise and comprehensive data that is verifiable through direct observation.
• Susceptibility to misstatement due to management bias or other fraud risk factors – Results from conditions that create susceptibility to intentional or unintentional failure by management to maintain neutrality in preparing the information. Management bias is often associated with certain conditions that have the potential to give rise to management not maintaining neutrality in exercising judgment (indicators of potential management bias), which could lead to a material misstatement of the information that would be fraudulent if intentional.

Exhibit 3 provides examples of events and conditions (grouped by the relevant inherent risk factor) discussed in Appendix B of SAS 145 that could indicate the existence of risks of material misstatement at the assertion level.

Exhibit 3: examples of events and conditions, grouped by inherent risk factor, from Appendix B of SAS 145 (table not reproduced)

SAS 145 explicitly requires auditors to identify inherent risk factors through their understanding of the entity, its environment, the applicable financial reporting framework and the entity's accounting policies. This understanding supports the separate assessment of inherent risk that SAS 145 now mandates. As introduced in SAS 143, auditors should view inherent risk on a spectrum. Although assessing inherent risk has long been common practice, the separate assessment of inherent risk and control risk is now a requirement rather than a best practice.

Auditors should think of inherent risk on a spectrum and assess it on a scale ranging from low to high or from 1 to 10. When evaluating inherent risk, auditors should consider the intersection of the likelihood and magnitude of material misstatement. The likelihood of a misstatement is based on the chance of it occurring, while the magnitude of a misstatement is based on its qualitative and quantitative aspects. High inherent risk results from high likelihood and magnitude of a potential misstatement. However, various combinations, such as a lower likelihood with a very high magnitude, determine the risk’s position on the inherent risk spectrum. It is also essential to consider the risks of material misstatement at the financial statement level that could influence the assessment of inherent risk for risks of material misstatement at the assertion level. For example, management’s evaluation of going concern issues could lead the auditor to determine that there is a significant risk with the related financial statement disclosures.

The guidance does not prescribe a specific method for the separate assessment of inherent risk and control risk, leaving the approach to the auditor's professional judgment. However, the guidance does state that if an auditor opts not to test the operating effectiveness of controls, control risk must be assessed at the maximum level, which means that the assessment of the risk of material misstatement equals the assessment of inherent risk. For example, if control risk is assessed at 100% (the maximum level) and inherent risk at 75%, the risk of material misstatement is 75% (0.75 × 1.00), since the risk of material misstatement is the product of inherent risk and control risk. Consequently, testing the operating effectiveness of controls becomes necessary if the auditor aims to support a control risk assessment below the maximum level.
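As an added worked example (not from the article or from SAS 145), the standard audit risk model carried through with the figures above. The 5% acceptable audit risk and the 50% control risk supported by testing are assumed for illustration; the point is what the control risk assessment does to the detection risk the auditor must achieve through substantive procedures.

$$AR = RMM \times DR = IR \times CR \times DR$$

Controls not tested, so control risk is at the maximum:

$$RMM = IR \times CR = 0.75 \times 1.00 = 0.75, \qquad DR = \frac{AR}{RMM} = \frac{0.05}{0.75} \approx 0.067$$

Controls tested and found effective, supporting a control risk of 50%:

$$RMM = 0.75 \times 0.50 = 0.375, \qquad DR = \frac{0.05}{0.375} \approx 0.133$$

With control risk at the maximum, the auditor can accept only about a 6.7% detection risk instead of about 13.3%, so the nature, timing and extent of substantive procedures must deliver correspondingly more assurance. Testing operating effectiveness is what earns the right to the lower control risk assessment and the higher acceptable detection risk.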

Professional Skepticism

Throughout SAS 145, professional skepticism receives significant emphasis. Auditors should always plan and perform audits with a professionally skeptical mindset. The AICPA defines professional skepticism as an attitude that encompasses a questioning mind and critical evaluation of audit evidence. The auditor uses their understanding of the entity, its environment and the applicable framework as a foundation for maintaining professional skepticism during the audit. A few examples of how professional skepticism is applied are noted below:

• Consider all information that may serve as audit evidence.
• Be aware of information that contradicts previous findings and investigate further.
• Evaluate the accuracy and reliability of information provided by management and those responsible for governance.
• Stay alert for indicators suggesting the possibility of misstatement due to fraud or errors.
• Review the audit evidence gathered to determine whether it supports the assessment of the risks of material misstatement given the entity's nature and circumstances.

Scalability

AU-C 315 currently includes application sections labeled “Considerations Specific to Smaller Entities.” SAS 145 eliminates these sections; however, much of the content remains with appropriate revisions. By removing these sections, the ASB recognizes that a smaller entity does not necessarily mean a less complex entity. Therefore, the revised application guidance is referred to as “scalability considerations.” SAS 145 contains application guidance specific to both less- and more-complex entities. Although this guidance is helpful to auditors, it should be remembered that the requirements of SAS 145 apply to all entities, regardless of their complexity.

Stand-back Requirement

Finally, SAS 145 introduces a new “stand-back” requirement related to the evaluation of the completeness of the auditor’s identification of significant classes of transactions, account balances and disclosures. The new guidance is shown below.

For material classes of transactions, account balances, or disclosures that have not been determined to be significant classes of transactions, account balances or disclosures, the auditor should evaluate whether their determination remains appropriate.

The new guidance will require an auditor to revisit material classes of transactions, account balances and disclosures once they have an understanding of the entity and its accounting policies. The auditor will determine if the decision not to consider certain material items as significant is still appropriate.

** Note: Sections of this article were prepared under contract with Surgent Accounting and Financial Education. They are repurposed for this article with permission from Surgent.

About the Authors

Steve Grice, Ph.D., CPA, is a Scholar-in-residence at Troy University School of Accountancy. He can be reached at sgrice@troy.edu.

Josh McGowan, DBA, CPA, is an Associate Director of the School of Accountancy at Troy University. He can be reached at jmcgowan@troy.edu.

This article was originally published in the July/August 2023 Tennessee CPA Journal.
