Are You Ready for Risk Assessment Version 2.0?

Even though the guidance in AU-C 315A, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, has been a fundamental requirement in audits for approximately 15 years, its proper application by auditors has continued to be an issue, as identified by practice monitoring programs.

Issued in October 2021, Statement on Auditing Standards 145 (SAS 145), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, updates the risk assessment standards, superseding AU-C 315A and other risk assessment audit sections. These improvements give auditors greater power to accomplish their mission: to identify and assess risks of material misstatement and issue appropriate audit opinions. The standard is principles-based and neutral regarding audit methodology. So, audit methodologies may vary depending on the audit approaches and tools used. SAS 145 improves risk assessment processes and related documentation without changing key audit risk concepts.

Practical Consideration: SAS 145 is effective for audits of financial statements with periods ending on or after December 15, 2023.

In this article, we’ll provide insight into the more significant risk assessment changes in SAS 145 and how they will affect your future audits of nonprofit organizations.

What Is Risk Assessment?

In broad terms, risk assessment is a filtering process that allows you to focus on potential material misstatements. While a nonprofit organization might have numerous transactions, the auditor’s primary concern is whether material misstatements are present. Risk assessment draws our eyes to potential problem areas using concepts such as significant audit areas, relevant assertions, inherent risk, and control risk.

Separate Inherent and Control Risk Assessments

SAS 145 requires separate assessments of inherent risk and control risk by assertion. Previously, auditors were only required to assess the combined risk of material misstatement.

The PPC risk assessment summary form in the 2023 edition of PPC’s Guide to Audits of Nonprofit Organizations will continue to provide separate inherent risk and control risk columns, as it did before SAS 145. Interestingly, SAS 145 doesn’t require a combined assessment of the risk of material misstatement. Even so, PPC’s risk assessment summary form will continue to provide a combined risk of material misstatement assessment.

Defining Inherent and Control Risks

Inherent risk and control risk comprise the risk of material misstatement. Under SAS 145, inherent risk represents the susceptibility of an assertion about a class of transactions, account balance, or disclosure to misstatement that could be material, by itself or in combination with other misstatements. Inherent risk is determined before considering related controls. Control risk, on the other hand, is the risk that potential material misstatement in an assertion about a class of transactions, account balance, or disclosure, by itself or in combination, wouldn’t be timely prevented, or detected and corrected, by the system of internal control.

Inherent risk is risk due to the nature of the class of transactions, account balance, or disclosure. Control risk is high if a nonprofit organization’s controls are insufficient to prevent or detect and correct the errant information.

Assessing Control Risk at Maximum and Inherent Risk Considerations

Auditors can assess control risk as high even when controls are designed and implemented appropriately because they plan to use a fully substantive audit approach, meaning they won’t test controls for operating effectiveness. If the auditor assesses control risk below maximum, however, a test of controls for operating effectiveness is required. This is unchanged from the current standards. If, however, the auditor isn’t testing controls for operating effectiveness, SAS 145 requires the auditor to assess control risk at the maximum, and the risk of material misstatement is assessed at the same level as inherent risk. This is clarified in SAS 145. Consequently, the inherent risk assessment is vital in determining audit responses.

SAS 145 provides a list of inherent risk factors to assist the auditor in assessing inherent risk. Inherent risk factors are qualitative and quantitative characteristics of events or conditions that affect the susceptibility to misstatement (whether due to error or fraud) and include complexity, subjectivity, change, uncertainty, and susceptibility to management bias or other fraud. SAS 145 introduces the concept of the spectrum of inherent risk, which is the degree to which the inherent risk factors affect the susceptibility of an assertion to misstatement.

Practical Consideration: When using PPC’s Guide to Audits of Nonprofit Organizations, the auditor assesses inherent risk as low, moderate, or high. This approach remains unchanged upon implementation of SAS 145.

Significant Risks

SAS 145 modifies the definition of and requirements relating to significant risks. Significant risks represent an identified risk of material misstatement at the higher end of the spectrum of inherent risk, based on the degree of inherent risk factors impacting the likelihood and magnitude of potential misstatement. Significant risks also include certain other risks defined as such in the other sections of the auditing standards, such as fraud risks and related-party transactions that are also significant unusual transactions. Prior to SAS 145, a significant risk was defined as one requiring special audit consideration.

Under SAS 145, auditors are required to determine whether assessed risks of material misstatement are significant risks and to identify controls that address significant risks for testing design and implementation.

Relevant Assertions

Only certain assertions about a class of transactions, account balance, or disclosure are relevant or important enough to audit. A relevant assertion has an identified risk of material misstatement. A risk of material misstatement occurs when there is a reasonable possibility (i.e., more than remote) of a misstatement occurring and, if it does occur, a reasonable possibility of it being material. Relevant assertion determination only considers inherent risks; that is, before consideration of related control risk.

Significant Classes of Transactions, Account Balances, and Disclosures

Previously, auditing standards didn’t define the term significant class of transactions, account balance, or disclosure. SAS 145 clarifies this by indicating that a class of transactions, balance, or disclosure is significant if it contains one or more relevant assertions.

Practical Consideration: In PPC’s Guide to Audits of Nonprofit Organizations, the audit methodology calls classes of transactions, account balances, or disclosures “audit areas,” a term familiar to PPC users.

For significant audit areas, the auditor performs risk assessment procedures such as walkthroughs, assesses inherent and control risks, plans responses, and carries out those procedures.

A significant change in the conforming amendments to SAS 145 is that AU-C 330.18 now requires substantive procedures for each relevant assertion for each significant class of transactions, account balances, and disclosures (i.e., significant audit area). The new standard requires auditors to perform substantive procedures for each relevant assertion in a significant audit area, regardless of the assessed level of control risk. Before SAS 145, the auditor was required by AU-C 330.18 to perform substantive procedures for all relevant assertions for each material class of transactions, account balance, and disclosure, regardless of the assessed risk of material misstatement. SAS 145 adds a “stand back” requirement to AU-C 315 as a safeguard, requiring auditors to reconsider any material audit areas not deemed significant (i.e., no identified risk of material misstatement, and no substantive testing required) and evaluate whether that determination remains appropriate.

System of Internal Control, Identified Controls, and IT Controls

SAS 145 replaces the term internal control with system of internal control. SAS 145 notes that the system of internal control has five interrelated components. Most auditors are already familiar with these five components. The auditor is required to obtain an understanding of each internal control component to evaluate the system of internal control.

While SAS 145 requires an understanding of control activities to be obtained throughout the significant transaction classes, the auditor is also required to evaluate the design and determine implementation of certain controls, which will be referred to as identified controls in PPC terminology. For each identified control, the auditor also needs to consider risks arising from the entity’s use of information technology (IT) and identify general IT controls that address those risks.

We’ll take a deeper dive into the topics of the system of internal control, identified controls, and IT controls under SAS 145 in a future edition of this newsletter.

Increasing Complexity of Entities and Audit Firms

Businesses and auditors live in a brave new world of evolving economic, technological, and regulatory change. SAS 145 provides guidance to address such changes, including:

  •  The use of data analytics software and visualization techniques.
  •  Performance of risk assessment on large volumes of data using automated tools and techniques.

Scalability and Complexity

SAS 145 removes the Considerations Specific to Smaller Entities sections previously in AU-C 315A, but it includes scalability information elsewhere in the standard. Why? Because some small entities are complex, and some large entities are non-complex. Complexity drives the scale of the audit rather than the size of the entity. Scalability means an audit for a complex entity will look quite different than one for a non-complex entity. The higher the risk of material misstatement, regardless of the entity’s size, the greater the response (the nature and volume of procedures and documentation).

Professional Skepticism

SAS 145 enhances guidance on professional skepticism through several provisions, including an emphasis on the understanding of the entity and its environment as a basis for exercising professional skepticism during the audit. Among other things, the SAS also underscores the benefits of professional skepticism in the engagement team discussion.

Practical Consideration: The full text of SAS 145 is available on Checkpoint at checkpoint.riag.com or at aicpa-cima.com.

© 2023 Thomson Reuters/PPC. All rights reserved.