New Auditing Standard Reflects Changing Risk Environment

Organizations and companies have been exposed to new and different types of risks over the past several months. Many have tested internal controls like never before, and in some cases, demonstrate the need for a more comprehensive strategy. Recognizing the need for financial statement audits to adapt to this reality, AICPA’s Auditing Standards Board has issued SAS 145. These new auditing standards go into effect for financial reporting periods starting next year and signal a shift in the financial statement audit’s role in risk assessment. It also represents a more data-driven, analytical approach to audits in a changing risk landscape. The goal is to improve audit quality and thus help entities lower and manage their unique risk profiles. To help clients, prospects, and others, Klatzkin has provided a summary of the key details below.

Introducing SAS 145

SAS 145 replaces SAS 122. It’s a response to common deficiencies in the auditor’s risk assessment identified in peer reviews. Out of matters for further consideration (MFC) in peer reviews, auditor’s risk assessment procedures made up 25 percent. SAS 145 doesn’t fundamentally change the auditing process, nor does it change underlying audit risk concepts.

Rather, the expanded definitions are meant to provide auditors with more nuanced guidance in an evolving, risk-based audit environment. At a high level, SAS 145 requires auditors to gain a more comprehensive understanding of an entity’s internal control systems and control risk. What’s also notable about the new standards is its focus on external aspects that could affect the risk assessment, like economic, technological, and regulatory impacts.

The standard has also been modernized related to IT considerations and to help auditors better determine risks of material misstatements.

SAS 145 will bring U.S. auditing standards more in line with international standards. Many fundamental parts of the new standards build on existing definitions, so much of the new content isn’t totally new and different – just adapted to a different risk environment.

Assertions and Risk Factors

The definition of assertions has been expanded to include context and to introduce the likelihood (the possibility of a misstatement) and magnitude (the potential for a misstatement to rise to a material level). A relevant assertion concerns “a class of transactions, account balance, or disclosure [that] is relevant when it has an identified risk of material misstatement.”

Under SAS 145, a relevant assertion is based on inherent risk. Inherent risk on its own is still unchanged, but the risk factors behind it are new. These are qualitative or quantitative “characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls.”

Risk factors involve:

• complexity,
• subjectivity,
• change,
• uncertainty,
• susceptibility to misstatement due to bias or fraud,
• qualitative or quantitative significance, and
• volume or lack of uniformity.

Significant risks would fall on the higher end of the continuum.

Risk Assessment

Unlike previous guidance, auditors will now be required to assess inherent risk and control risk separately.

Significant risk is now defined according to an identified risk of material misstatement, rather than response to the risk itself. Auditors no longer need to determine whether a financial statement risk is significant, only that identifying it could have an impact on assessing significant risks. Control risk isn’t mentioned.

SAS 145 does not require documentation of combined inherent and control risk.

Significant Class of Transactions, Account Balance, or Disclosure

This wasn’t specifically defined in generally accepted auditing standards until SAS 145, though the term is familiar.

A class of transactions, account balance, or disclosure “is considered significant when it has an identified risk of material misstatement at the assertion level [one or more relevant assertions]. … determination is made before consideration of any related controls.”

An example of a significant class would be if accounts payable has a relevant assertion or an identified risk of material misstatement.

Auditors will be required to focus first on significant classes of transactions, account balances, disclosures and other material amounts second. This is referred to as the stand-back provision, and it’s new.

Technology Controls

Recognizing the additional risk that comes with entities’ increased use of information technology (IT), SAS 145 defines new terms and provides extra context for risks associated with IT processes and controls.

General controls don’t need to be identified for every IT process, the standard states; rather, the auditor will identify risks associated with using IT services through evaluating IT applications and the entire IT environment.

The IT environment includes applications, infrastructure, processes, and personnel. IT risks are lower if an entity uses stand-alone applications, has a low transaction volume, and/or transactions have hard-copy backups. Automated applications increase the risk level.

What Does SAS 145 Mean for Organizations?

SAS 145 is an auditing standard, which means most of the legwork naturally falls on the auditor. Entities still need to understand the new framework and what it means for internal controls and risk profiles.

Clients may need to do a more thorough job over the coming months of identifying, mapping, and evaluating their own risk factors and potential control gaps. Risk varies according to internal and external factors, as SAS 145 emphasizes, so entities will have unique data points to document and benchmark.

It will also be important to better understand the role of IT processes and applications on overall risk. Entities may want to start by understanding SAS 145’s definition of IT controls and the IT environment to accurately analyze potential risks.

A more comprehensive, forward-looking risk management program translates to a more resilient organization. Based on findings from PwC’s 2022 Global Risk Survey, entities can consider five sets of actions to improve their risk management.

• Engage early with agile, iterative risk management capabilities.
• Take a wide view of risk, like using key performance indicators to measure performance and profitability metrics.
• Determine individual risk profiles to get a better return in terms of opportunities and growth.
• Enable consistent risk management capabilities across systems and processes.
• Pay more attention to the highest priority risks.

A better risk management program has been associated with better business outcomes and higher revenue, not to mention an easier financial statement audit.

Contact Us

The new standards update reflects the importance that IT processes play in managing risk. It also ensures these processes are properly tested to ensure an organization is protected. If you have questions about the information outlined above or need assistance with audit or accounting needs, Klatzkin can help. For additional information call 609-890-9189 or click here to contact us. We look forward to speaking with you soon.

©2022 Klatzkin & Company LLP. The above represents our best understanding and interpretation of the material covered as of this post’s date and should not be construed as accounting, tax, or financial advice. Please consult your tax advisor concerning your specific situation.