Auditors will begin applying the new risk assessment standards in audits of 2023 calendar year-end governmental clients, periods ending on or after December 15, 2023. SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides the new guidance.
So, how does SAS No. 145 change your audit processes? We will answer this question in two newsletter articles. This is Part I. Part II will be published next month.
Auditors will continue to focus on the potential for material misstatements. So, conceptually, you will continue to use similar processes, asking yourself, “Where are material misstatements most likely to occur?” Then, plan your audit tests accordingly.
Key Changes Summary
Key changes in the risk assessment standards addressed in Part I of this article include the following:
- Separate assessments of inherent risk and control risk
- New definition of significant risk
- Focus on inherent risk factors and the spectrum of risk
As you read the remainder of this article, pay particular attention to the definitions in SAS No. 145 as they relate to these key changes. Also, notice the emphasis on inherent risk. We’ll explore additional key changes in Part II of this article next month.
Inherent Risk and Control Risk Assessments
SAS No. 145 requires separate assessments of inherent risk and control risk. You may think, “We’ve done this for years,” and you are correct if you have been using our audit guidance. Our risk assessment forms address both inherent and control risk. However, the prior risk assessment standards did not require these separate assessments. Therefore, this change in the standards may not feel like a change.
One noticeable change, however, is in the definition of significant risk. Formerly, the response to risk (an area needing special audit consideration) was the determinant of significant risk. Now, SAS No. 145 defines significant risk in terms of its intrinsic makeup. In other words, the nature of the account or disclosure characterizes significant risk, not the response.
Significant Risk
SAS No. 145 defines significant risk in the following manner:
A significant risk is an identified risk of material misstatement for which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur.
Notice the definition focuses on two factors:
- Likelihood of misstatement
- Magnitude of misstatement
So, as you define significant risks in your governmental engagements, consider classes of transactions, account balances, and disclosures with high inherent risks—those close to the upper end of the risk spectrum. Additionally, consider those areas where high-magnitude misstatements might occur. For example, a material complex estimate might be a significant risk. Why? Because of its inherent risk factors.
Inherent Risk Factors and the Spectrum of Risk
SAS No. 145 defines inherent risk factors as follows:
Characteristics of events or conditions that affect the susceptibility to misstatement, whether due to fraud or error, of an assertion about a class of transactions, account balance, or disclosure, before consideration of controls. Such factors may be qualitative or quantitative and include complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors insofar as they affect inherent risk.
An estimate might be complex, subjective, and susceptible to fraudulent manipulation. Such factors cause the inherent risk to be extremely high—or, as SAS No. 145 says, “close to the upper end of the spectrum of inherent risk.” If the estimate is material and has these characteristics, it’s probably a significant risk.
SAS No. 145 does not define “close to the upper end of the spectrum of inherent risk” in terms of low, moderate, or high. Nor does the standard suggest a numerical expression. But it might help to think of inherent risk on a scale of 1 to 10, with a 9 or 10 as “close to the upper end.” You can still document the risk as low, moderate, or high.
For instance, suppose an inmate sues a county government for a significant amount. In this example, it is probable the government will lose the case, but the dollar exposure is unknown. As auditors consider the liability’s valuation assertion, they might assess the inherent risk as “close to the upper end of the spectrum of inherent risk” due to the subjectivity of the amount. If a significant risk is present, valuation is a relevant assertion. We’ll define what a relevant assertion is next month in Part II of this article.
Part II Topics
Part II of this article will address the following topics:
- Relevant assertion definition
- Focus on significant classes of transactions, account balances, and disclosures
- Standback requirement
- Emphasis on information technology controls
© 2024 Thomson Reuters/PPC. All rights reserved.