SAS 145: A roadmap towards risk-based auditing
The AICPA Auditing Standards Board (ASB) has recently issued an update to the risk assessment standards, SAS 145, Understanding the Entity and Its Environment and Assessing the Risk of Material Misstatement. This standard was developed to address gaps in risk assessment procedures identified by practice monitoring programs worldwide, and is intended to help auditors focus their time on the areas of greatest risk of material misstatement in an audit engagement.
In line with the ASB’s strategic objective of converging with the International Standards on Auditing (ISA), SAS 145 used ISA 315 (revised 2019), Identifying and Assessing the Risks of Material Misstatement, as a starting point.
SAS 145 will likely require firms to take a more data-driven approach to risk assessment and, when coupled with SAS 142, enable firms to rely less on substantive tests of detail and more on analytics. While SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023, the standard presents such a fundamental shift in methodology that firms are thinking about their strategy now ahead of the 2022 busy season.
Roadmap of activities
Due to the lead time of understanding SAS 145 and the required change management processes to update existing audit methodology, we suggest firms consider the following timeline for implementation:
SAS 145 implementation timeline
The executive summary of the standard outlines several of the substantive changes, but here are the three areas that we believe firms will struggle with from a procedural perspective.
The standard itself explains the key areas of enhancement:
- “Requirements and guidance related to the auditor’s risk assessment, in particular, obtaining an understanding of the entity’s system of internal control and assessing control risk”
- “Guidance that addresses the economic, technological, and regulatory aspects of the markets and environment in which entities and audit firms operate”
It’s important to note that SAS 145 does not alter the fundamental concepts of audit risk. Rather, the document provides clarification of certain aspects of risk identification and the assessment of material misstatement to improve overall audit quality.
The spectrum of inherent risk
SAS 145 takes a more granular approach to inherent risk and introduces new concepts to assist auditors in understanding the new requirements. This includes inherent risk factors (events or conditions that influence the susceptibility to misstatement of an assertion, such as fraud or error) and the spectrum of inherent risk:
“Depending on the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement, the level of inherent risk varies on a scale that is referred to as the spectrum of inherent risk. The spectrum of inherent risk provides a frame of reference in determining the significance of the combination of the likelihood and magnitude of a misstatement.” – SAS 145, page 12
The risk factors require the auditor to look at complexity, subjectivity, change, uncertainty, susceptibility to misstatement due to bias or fraud, qualitative or quantitative significance, and volume or lack of uniformity (ref. SAS 145, paragraphs A10-11). Then, the likelihood and magnitude of a possible misstatement should be assessed to determine where on the spectrum of inherent risk it falls. The higher the combination of likelihood and magnitude, the higher on the spectrum it falls; the lower the combination, the lower it falls.
According to paragraph A245, these assessments should be done at the assertion level. Firms will need to evolve their methodology to incorporate a fuller assessment of inherent risk that triggers items such as significant risks and appropriate audit responses.
Enhanced requirements regarding IT general controls
“The auditor should, through performing risk assessment procedures, obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements.” – SAS 145, paragraph 25
The standard puts an increased focus on understanding and evaluating IT General Controls (ITGC) as they pertain to financial statement generation. The auditor must take the following steps:
- Identifying IT applications and other aspects of the environment that are subject to risks arising from the use of IT (ref. SAS 145, paragraph 28)
- Identifying the related risks arising from the use of IT and the controls to address them (ref. SAS 145, paragraph 29)
- Evaluating the effectiveness of controls in addressing risks of material misstatement (ref. SAS 145, paragraph 30)
- Determining whether such controls have been implemented (ref. SAS 145, paragraph 30)
As an ITGC example, many firms have long used data tools to mechanically validate the completeness of their general ledger (GL) and assess their GL platform by comparing the results with their trial balances. As these use cases and complexities grow, validation of data at the beginning of the audit engagement will become critically important in the testing and documentation of a client’s IT environment.
New stand-back provision
The standard has a new provision that supports the evaluation of completeness, referred to as the “stand-back provision”. This provision requires the auditor to evaluate whether their determination of material classes of transactions, account balances, or disclosures as not significant (i.e., no relevant assertions identified) remains appropriate.
While there aren’t any documentation provisions cited specifically for this section, we anticipate firms needing to create procedures and documentation around the stand-back provision.
How MindBridge is helping firms to comply
For the three areas identified above, here’s how MindBridge’s audit data analytics features help firms adapt to SAS 145:
- Spectrum of inherent risk – Key to this new requirement is identifying, understanding, and evaluating different risk factors. MindBridge control points are designed to compare client data against pre-defined areas of risk, providing visualizations and reports to understand levels of risk (risk scores), identify unusual transactions, and drill down into the details.
- IT general controls – The MindBridge data ingestion process (or extract, transform, and load) includes a series of checks and validation steps that verify the client’s data sets and automatically identify areas that require further information or pose areas of risk.
- Stand-back provision – As MindBridge analyzes 100% of the client’s transaction data, assessments and data exploration can be performed on any data subset at any time, including the modification of analysis criteria. This multi-faceted approach means you can re-evaluate prior assessments and adapt to new information quickly.
With the release of SAS 145, firms should plan and implement their strategy now to be compliant by December 15, 2023. The timeline defined here offers a progressive approach to SAS 145 implementation and, combined with the risk assessment capabilities of MindBridge, positions firms towards a stronger audit approach and value for clients.