When Is SAS 145 Effective and What Are the Key Changes?
Effective for 2023 year-end audits, SAS 145 promotes a more integrated and scalable approach to evaluating an entity's risk of material misstatement.
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) has issued Statement on Auditing Standards (SAS) No. 145 to advance the quality of audits. This standard modernizes the process for identifying and assessing the risks of material misstatement in a company’s financial statements. SAS 145 clarifies and builds upon existing principles of audit risk rather than overhauling them. The standard aims to drive more insightful risk assessments, which in turn leads to a more robust and effective audit.
The Effective Date and Early Adoption
Statement on Auditing Standards No. 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. For a company that operates on a standard calendar year, this means the standard applies to the audit of its December 31, 2023, financial statements. This effective date establishes a clear timeline for when audit firms must have their methodologies and practices updated to comply with the new requirements. The standard also permits early adoption, providing flexibility for firms that were prepared to implement the changes ahead of the mandatory deadline.
Key Revisions in Risk Assessment
SAS 145 introduces five specific inherent risk factors that auditors must consider:
- Subjectivity
- Complexity
- Uncertainty
- Change
- Susceptibility to misstatement due to management bias or other fraud risks
This framework moves the auditor away from a simple high, medium, or low assessment to a more nuanced evaluation, viewing risk along a spectrum. This approach is designed to lead to a more precise identification of potential issues within the financial statements.
The standard enhances the requirements for understanding a company’s system of internal control. Auditors must now perform more rigorous procedures to evaluate the design of key controls and confirm they have been implemented. There is a stronger emphasis on understanding and evaluating information technology (IT) general controls (ITGCs). This change recognizes the increasing reliance on IT systems, making it clear that auditors can no longer simply “audit around” an entity’s IT environment.
SAS 145 also revises the definition of a significant risk. A significant risk is now defined as an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk. This change requires the auditor to apply professional judgment to determine which risks warrant special audit consideration.
The “Stand-Back” Requirement Explained
SAS 145 includes the “stand-back” requirement, which introduces a new checkpoint into the audit process. This provision mandates that the auditor, toward the end of the audit, must pause and reconsider the audit evidence obtained. The objective is to perform a holistic evaluation of the evidence gathered for relevant assertions related to significant classes of transactions, account balances, and disclosures.
This requirement acts as a final review to ensure the auditor’s work is complete and the evidence is sufficient to support the initial risk assessments. If, during this “stand-back” evaluation, the auditor identifies areas where planned substantive procedures were not performed, they must assess if the original risk assessment remains appropriate.
Auditor and Entity Preparation
For Auditors
Audit firms must update their internal audit methodologies to align with the new requirements for risk assessment and control evaluation. Firms need to develop and deliver comprehensive training for their staff, with a particular focus on the new inherent risk factors, the deeper dive into IT general controls, and the application of the “stand-back” requirement. Revising audit documentation templates is also necessary to ensure that the new procedures and judgments are properly recorded.
For the Audited Entity
Management at companies undergoing an audit should anticipate a shift in the nature of auditor inquiries. They can expect more detailed questions about their business processes, data governance, and the specific design of internal controls. Auditors will likely probe deeper into the company’s IT environment, including systems, applications, and controls over data. Company personnel should be prepared to provide more in-depth explanations and documentation in these areas than may have been requested in prior audits.