I’ve always liked the movie Groundhog Day, starring Bill Murray and Andie MacDowell. In the movie, Bill Murray plays a narcissistic, self-centered weatherman who is covering the annual Groundhog Day celebration in Punxsutawney, PA, although he’d rather be anywhere else. Fate sees him stuck in an endless time loop, repeating the same day, and the mistakes he makes, over, and over, and over again. This must be how PCAOB inspectors and peer reviewers feel when reviewing engagement teams’ testing (or lack thereof) of their clients’ internal controls. Based on AICPA peer review data, nearly half of the audits reviewed were nonconforming because engagement teams did not properly address their clients’ internal controls. To stop the endless loop of audit deficiencies regarding internal controls, SAS 145 Understanding the Entity and Its Environment and Assessing Risks of Material Misstatement (SAS 145) was issued, and this new guidance is effective NOW! Is your audit firm ready?
Before we get to our top 5 considerations regarding the new guidance, let’s review the issues noted by peer reviewers. According to the AICPA’s report Enhancing Audit Quality: 2019 Highlights and Progress, the most common missteps related to internal control are:
- Assuming some clients have no controls
- Not understanding which controls are relevant to the audit
- Failing to evaluate the design and implementation of relevant controls
- Inappropriately assessing control risk
- Failing to link further procedures to control-related risks
Understanding that accounting firms were encountering these issues and that SAS 145 was going to be a BIG DEAL for them, we recently released a four-course collection covering the essential requirements of auditing internal control (for both PCAOB and U.S. GAAS audits). You can learn more about the collection in this post. Also, if you’re one of our clients, we obviously covered SAS 145 in our 2-hour Audit Update and Hot Topics (2023) course, which is part of our annual A&A Update that we run for accounting firms of all sizes across the U.S.
However, going back through our blog posts, I realized that, aside from this post talking about the “stand-back” requirement of the new standard, we really didn’t have any other blogs specifically dedicated to SAS 145. Let’s fix that right now.
Here are the top 5 considerations that we believe engagement teams must address to ensure they’re in compliance with the new requirements of SAS 145:
Auditors must perform risk assessment procedures to obtain an understanding of the entity, its environment, the applicable financial reporting framework, and the components of the entity’s system of internal control, regardless of the auditor’s planned reliance on controls.
It’s that last point that, although required before, is probably the biggest consideration for engagement teams with respect to SAS 145. Think of the “COSO cube” and the following components of the system of internal control:
- The control environment
- The entity’s risk assessment process
- The entity’s process to monitor the system of internal control
- The information system and communication
- Control activities
You cannot just ignore internal controls. Engagement teams must gain an understanding of each component, which leads us to our next consideration.
It would be very hard to gain an understanding of an entity’s system of internal control without performing walkthroughs.
A walkthrough involves following a transaction from origination through the entity’s processes, including information systems, until it is reflected in the entity’s financial records, using the same documents and IT that entity personnel use. Walkthrough procedures usually include a combination of:
- Inspection of relevant documentation, and
- Reperformance of controls.
Walkthroughs are usually documented by the engagement team using flowcharts, process narratives, or both. Although not specifically required by the standards, most experienced auditors believe walkthroughs are necessary to ensure compliance with the new guidance.
The standard requires a separate assessment of inherent risk and control risk, and control risk cannot be assessed below the maximum without testing the operating effectiveness of internal controls.
A risk of material misstatement (RMM) exists when:
- there is a reasonable possibility of a misstatement occurring (that is, its likelihood), and
- if it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude).
RMM at the assertion level consists of inherent risk and control risk, and SAS 145 requires them to be assessed separately. In addition, SAS 145 revised the definition of significant risk as follows:
An identified risk of material misstatement
- For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or
- That is to be treated as a significant risk in accordance with the requirements of other AU-C sections (e.g., fraud and related party transactions).
The new standard specifically requires that auditors evaluate the design and determine implementation of identified controls.
In addition to gaining an understanding of control activities, for those identified controls, SAS 145 requires auditors to:
- Evaluate whether the control is designed effectively to address the risk of material misstatement at the assertion level or effectively designed to support the operation of other controls; and
- Determine whether the control has been implemented by performing procedures in addition to inquiry of the entity’s personnel.
The auditor should identify the following controls (hence the term “identified controls”) that address the risk of material misstatement at the assertion level:
- Controls that address a significant risk (see point #3),
- Controls over journal entries and other adjustments,
- Controls for which the auditor plans to test operating effectiveness in determining the nature, timing, and extent of substantive procedures,
- Other controls based on the auditor’s professional judgment, and
- General IT controls (GITCs) that address the risks arising from the use of IT.
Check out that last point. I certainly didn’t learn a lot about GITCs in college, which is why I’d probably get an IT expert to be part of the engagement team.
Don’t forget about the “stand-back” requirement and documenting that it, and other requirements of the standard, have been performed.
The “stand-back” requirement involves looking at all material transactions, accounts, and disclosures that have not been determined to be significant and evaluating if changes need to be made; in other words, whether an account should have been determined to be significant. Although it’s a requirement, it can also be used by auditors as a tool to ensure that material transactions, balances, and disclosures haven’t been overlooked. For more information about the “stand-back” requirement, check out the previously mentioned blog post here.
With respect to documentation, don’t forget that, in the eyes of reviewers and inspectors, “if you don’t document it, it wasn’t done!”
Want to learn more about these considerations and the impact of SAS 145 on your audit engagements? If so, we are offering a free, CPE-eligible webinar on Friday, February 2, 2024 at 12 noon ET. In this webinar, we’ll discuss:
- Performing risk assessment procedures
- Assessing inherent risk and control risk
- Determining relevant/key controls (i.e., identified controls)
- Evaluating design and implementation of identified controls
- And much more!
You can register for the webinar here. All members of your engagement team are welcome to attend. It’s free and, best of all, you’ll earn CPE!
Much like 6 more weeks of winter, audit deficiencies are less than ideal. I’m positive that our webinar will help ensure that your engagement team won’t see the shadow of repeat deficiencies. We hope to see you there!