Summary of Changes Under the Risk Assessment Standards SAS 145. We have highlighted what needs to change when documenting Risk in your workpapers
Assertions
The definition of assertions is the same as it was before SAS No. 145, but it has two notable additions:
-
- The revised definition notes that assertions are representations “… with respect to the recognition, measurement, presentation, and disclosure of information in the financial statements, which are inherent in management, representing that the financial statements are prepared in accordance with the applicable financial reporting framework.”
- These assertions are used by the auditor to consider the different types of potential misstatements that may occur when “identifying, assessing, and responding to the risks of material misstatement.”
Relevant assertion
The definition defines a “relevant assertion” as a financial statement assertion having a reasonable possibility of containing misstatements that would cause a material misstatement of the financial statements. The revised definition states that a relevant assertion is “an assertion about a class of transactions, account balance, or disclosure [that] is relevant when it has an identified risk of material misstatement.” So if there is no identified risk of material misstatement it is not relevant, move on.
What is new?
Additionally, the new guidance introduces the concept of assessing the likelihood and magnitude of a misstatement collectively. “Likelihood” represents the possibility of a misstatement while “magnitude” represents the possibility of the misstatement being material. We have updated our workpapers to document the likelihood and added the following words. clarification that “the determination is based on inherent risk.”
As specified in SAS No. 145, the “spectrum of inherent risk” represents “the degree to which the level of inherent risk varies.”
SAS No. 145 now explicitly defines a significant class of transactions, account balance, or disclosure as one “for which there is one or more relevant assertions. What does that mean, if you do not have inventory on your balance sheet then you do not have to assess risk.
System of internal control
The meaning of controls is similar under both the current and revised guidance. However, under SAS No. 145, the term “controls” is now explicitly defined as “policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance.”
Both SAS No. 145 and the present guidance require the auditor to perform procedures addressing the entity’s internal control. Under SAS No. 145, however, the term “internal control” has been replaced with “system of internal control,” and the updated definition comprises five interrelated components of the COSO Internal Control — Integrated Framework ADD the words system of internal control,
Information technology-related considerations
SAS No. 145 now provides explicit definitions for the terms general information technology (IT) controls, IT environment, and information-processing controls. In addition, as IT utilization brings additional risk, the new guidance expressly defines risks arising from the use of IT.