
Top 5 Considerations for SAS 145

Posted on January 24, 2024 | Tags: Audit considerations, Risk assessment, SAS 145, U.S. GAAS

I’ve always liked the movie Groundhog Day, starring Bill Murray and Andie MacDowell. In the movie, Bill Murray plays a narcissistic, self-centered weatherman who is covering the annual Groundhog Day celebration in Punxsutawney, PA, although he’d rather be anywhere else. Fate sees him stuck in an endless time loop, repeating the same day, and the mistakes he makes, over, and over, and over again. This must be how PCAOB inspectors and peer reviewers feel when reviewing engagement teams’ testing (or lack thereof) of their clients’ internal controls!

Based on AICPA peer review data, nearly half of the audits reviewed were nonconforming because engagement teams did not properly address their clients’ internal controls. SAS 145, Understanding the Entity and Its Environment and Assessing Risks of Material Misstatement, was issued to stop this endless loop of audit deficiencies regarding internal controls.

SAS 145 background

SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023 (which is now!). Therefore, it is critical to be prepared for the new guidance.

According to the AICPA, the most common missteps related to internal control are:

  • Assuming some clients have no controls
  • Not understanding which controls are relevant to the audit
  • Failing to evaluate the design and implementation of relevant controls
  • Inappropriately assessing control risk
  • Failing to link further procedures to control-related risks

Understanding that accounting firms were encountering these issues and that SAS 145 was going to be a BIG DEAL for them, we recently released a four-course collection as it pertains to the essential requirements of auditing internal control (for both PCAOB and U.S. GAAS audits). We also covered SAS 145 in our annual A&A update and talked about the “stand-back” assessment in this post.

SAS 145: Top 5 considerations

Here are the top 5 considerations we believe engagement teams must address to ensure they’re in compliance with the requirements of SAS 145:

1. Auditors must perform risk assessment procedures to obtain an understanding of the entity, its environment, the applicable reporting framework, and the components of the entity’s system of internal control, regardless of the auditor’s planned reliance on controls.

It’s that last point that, although required before, probably is the biggest consideration for engagement teams with respect to SAS 145. Think the “COSO cube” and the following components of the system of internal control:

  • The control environment
  • The entity’s risk assessment process
  • The entity’s process to monitor the system of internal control
  • The information system and communication
  • Control activities

You cannot ignore internal controls. Engagement teams must gain an understanding of each component, which leads us to our next consideration.

2. It would be very hard to gain an understanding of an entity’s system of internal control without performing walkthroughs.

A walkthrough involves following a transaction from origination through the entity’s processes, including information systems, until it is reflected in the entity’s financial records, using the same documents and IT that entity personnel use. Walkthrough procedures usually include a combination of:

  • Inquiry,
  • Observation,
  • Inspection of relevant documentation, and
  • Reperformance of controls.

Walkthroughs are usually documented by the engagement team using flowcharts, process narratives, or both. Although not specifically required by the standards, most experienced auditors believe walkthroughs are necessary to ensure compliance with SAS 145.

3. SAS 145 requires a separate assessment of inherent risk and control risk, and control risk cannot be assessed below the maximum without testing the operating effectiveness of internal controls.

A risk of material misstatement (RMM) exists when:

  1. There is a reasonable possibility of a misstatement occurring (that is, its likelihood), and
  2. If it were to occur, there is a reasonable possibility of the misstatement being material (that is, its magnitude).

RMM at the assertion level consists of inherent risk and control risk, and SAS 145 requires them to be assessed separately. In addition, SAS 145 revised the definition of significant risk as follows:

An identified risk of material misstatement

  1. For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur, or
  2. That is to be treated as a significant risk in accordance with the requirements of other AU-C sections (e.g., fraud and related party transactions).

4. SAS 145 specifically requires that auditors evaluate the design and determine implementation of identified controls.

In addition to gaining an understanding of control activities, for those identified controls, SAS 145 requires auditors to:

  • Evaluate whether the control is designed effectively to address the risk of material misstatement at the assertion level or effectively designed to support the operation of other controls; and
  • Determine whether the control has been implemented by performing procedures in addition to inquiry of the entity’s personnel.

The auditor should identify the following controls (hence the term “identified controls”) that address the risk of material misstatement at the assertion level:

  • Controls that address a significant risk (see consideration #3),
  • Controls over journal entries and other adjustments,
  • Controls for which the auditor plans to test operating effectiveness in determining the nature, timing, and extent of substantive procedures,
  • Other controls based on the auditor’s professional judgment, and
  • General IT controls (GITCs) that address the risks arising from the use of IT.

Check out that last point. I certainly didn’t learn a lot about GITCs in college, which is why I’d probably get an IT expert to be part of the engagement team.

5. Don’t forget about the “stand-back” assessment requirement and documenting that the assessment (and other requirements) of SAS 145 have been performed.

The “stand-back” assessment involves looking at all material transactions, accounts, and disclosures that have not been determined to be significant and evaluating if changes need to be made (i.e., if an account should have been identified as significant). Although it’s a requirement, it can also be used by auditors as a tool to ensure that material transactions, balances, and disclosures haven’t been overlooked. For more information about the “stand-back” requirement, check out the previously mentioned blog post.

With respect to documentation, don’t forget that, in the eyes of reviewers and inspectors, “if you don’t document it, it wasn’t done!”


About GAAP Dynamics
We’re a DIFFERENT type of accounting training firm. We view training as an opportunity to empower professionals to make informed decisions at the right time. Whether it’s U.S. GAAP, IFRS, or audit training, we’ve trained thousands of professionals since 2001, including at some of the world’s largest firms. Our promise: Accurate, relevant, engaging, and fun training. Want to know how GAAP Dynamics can help you? Let’s talk!

Disclaimer
This post is for informational purposes only and should not be relied upon as official accounting guidance. While we’ve ensured accuracy as of the publishing date, standards evolve. Please consult a professional for specific advice.
