When Is SAS 145 Effective and How to Prepare for It

Statement on Auditing Standards (SAS) No. 145, issued by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA), enhances audit quality by improving the auditor’s risk assessment process. It revises and replaces previous standards related to understanding the entity and assessing risks of material misstatement, including AU-C Section 315A. SAS 145 clarifies and strengthens how auditors identify and evaluate potential misstatements in financial statements, leading to more effective risk assessment and higher quality audits.

When the Standard Becomes Applicable

SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. This means auditors must apply its provisions for any financial statements covering a period that concludes on or after this date. For example, an audit of a calendar year-end company for the period ending December 31, 2023, would fall under this new standard. Early adoption of SAS 145 was permitted, and some firms chose to implement it ahead of its mandatory effective date.

Core Principles of the Standard

SAS 145 introduces fundamental concepts and significant changes to the audit risk assessment process. The standard enhances requirements for auditors to gain a deeper understanding of the entity and its environment, including its system of internal control. This comprehensive understanding forms the basis for identifying and assessing risks of material misstatement.

The standard revises the definition of “significant risk.” Previously, it was defined as one requiring special audit consideration. Under SAS 145, a “significant risk” is an identified risk of material misstatement where the assessment of inherent risk is close to the upper end of the spectrum of inherent risk. This new definition emphasizes the likelihood and magnitude of potential misstatements before considering controls.

SAS 145 introduces inherent risk factors, which are characteristics of events or conditions affecting the susceptibility of an assertion to misstatement before considering controls. These factors include complexity, subjectivity, change, uncertainty, and susceptibility to misstatement due to management bias or other fraud risk factors. Auditors must consider these factors when assessing inherent risk at the assertion level.

The standard also emphasizes placing risks on a “spectrum of inherent risk.” This spectrum represents the degree to which the level of inherent risk varies based on the combination of likelihood and magnitude of a possible misstatement. A higher combination of likelihood and magnitude places the risk higher on the spectrum, indicating greater inherent risk. This framework helps auditors determine the nature, timing, and extent of further audit procedures.

SAS 145 significantly enhances requirements for understanding the entity’s system of internal control. The term “internal control” has been replaced with “system of internal control,” aligning with the five components of the COSO Internal Control—Integrated Framework. Auditors must identify general IT controls that address risks from IT use and evaluate their design and implementation. This includes understanding how IT systems and related controls contribute to preventing or detecting material misstatements.

A new provision in SAS 145 is the “stand-back” requirement. This mandates that auditors pause and evaluate the completeness of their identification of significant classes of transactions, account balances, and disclosures. It requires auditors to assess whether their risk assessment truly reflects all information obtained during the risk assessment procedures. This step ensures a comprehensive view of risks, preventing oversight of material audit areas.

SAS 145 also clarifies the definition of a “relevant assertion,” stating that an assertion is relevant when it has an identified risk of material misstatement. The determination of a relevant assertion is based on inherent risk, emphasizing that it is made before considering any related controls. This focus on inherent risk and the combination of likelihood and magnitude provides a clearer basis for identifying assertions that require audit attention.

Preparing for Compliance

Preparing for compliance with SAS 145 involves several practical steps for audit firms and individual auditors. A primary aspect of preparation is providing thorough training and education to audit teams on the revised concepts, definitions, and requirements of SAS 145. This training should cover the nuances of inherent risk factors, the spectrum of inherent risk, and the enhanced understanding of internal controls, including general IT controls.

Audit methodologies, templates, and workpapers require updates to align with the new risk assessment framework. This includes incorporating new documentation requirements for inherent risk factors and the spectrum of inherent risk. Firms need to ensure their audit programs are tailored to address identified risks, particularly those deemed significant.

Technology and audit tools may need to be updated or utilized differently to support the enhanced risk assessment and documentation requirements. Data analytics and AI-powered tools can assist in identifying inherent risks and streamlining audit procedures by analyzing large datasets for patterns and anomalies. This shift can lead to more data-driven risk assessments and potentially less reliance on extensive substantive testing.

Engagement planning will also need adjustments, focusing on obtaining a deeper understanding of the entity, its controls, and the specific assessment of inherent risks. The “stand-back” requirement, for instance, necessitates a deliberate evaluation of whether all significant risks have been appropriately identified. This can involve brainstorming sessions and a top-down approach to ensure comprehensive risk identification.

Quality control systems within audit firms should be reviewed and adjusted to ensure consistent application of the new standard across all engagements. This includes addressing new documentation requirements, such as the evaluation of the design and implementation of certain identified controls. Firms must ensure their procedures adapt to the standard’s requirements and maintain audit quality.