Introduction

The implementation of Statement on Auditing Standards (SAS) 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, marked a significant update to AU-C 315. Effective for audits of periods ending on or after December 15, 2023, the standard reshaped how auditors approach risk assessment and documentation.

As the first wave of 2023 audits enters peer review, early Matters for Further Consideration (MFCs) have emerged. These initial observations offer valuable insights into how firms are adapting to SAS 145 and where challenges remain. Six firms were cited in the preliminary report, with half of the cases resulting in nonconforming engagements.

Common Compliance Issues Identified

Across firms, peer reviewers highlighted recurring themes of noncompliance and documentation gaps:

• Significant Risk Designations: Inconsistent diligence in determining what qualifies as a significant risk.
• Inherent Risk Assessments: Improper reliance on controls when assessing inherent risk, despite SAS 145’s clarification that inherent risk factors must be evaluated before considering controls.
• Internal Controls Over Journal Entries: Insufficient work in evaluating design and implementation of controls related to journal entries and other adjustments.
• Control Risk Assessments: Control risk assessed below maximum without testing operating effectiveness.
• Risk of Material Misstatement (RMM): Failure to align RMM with inherent risk when control risk was set at maximum, as required by AU-C 315.38.

Firm-Level Observations

Firm A – Inherent Risk Assessment Issues

• Inherent risk was not set to high for assertions tied to significant risks.
• Improper revenue recognition was flagged as a fraud risk across all assertions, but the resulting RMM was less than high.
• Controls were implicitly relied on without testing their effectiveness.
• Engagements were deemed nonconforming.

Firm B – Low Inherent Risk for a Significant Risk Assertion

• A significant risk was documented, yet the inherent risk for the related assertion was assessed as low.
• The inconsistency led to a nonconforming engagement.

Firm C – Control Risk Below Maximum Without Testing Controls

• Control risk was rated low or moderate without testing operating effectiveness, contrary to AU-C 315.38.
• Substantive testing was performed, but the approach did not meet SAS 145 requirements.

Firm D – Lack of Documentation of Controls Over Journal Entries

• Firms performed substantive tests but did not document design and implementation work for journal entry controls, such as access or approval controls.
• Reviewers flagged this as a repeated issue across engagements.

Firm E – Overuse of Significant Risk Designations

• Excessive risks were designated as “significant,” including areas (e.g., straight-line rent in REIT audits) that reviewers deemed immaterial or not industry-appropriate.
• Over-identification led to incomplete responses to significant risks and insufficient substantive testing.
• Engagements were classified as nonconforming.

Firm F – Misaligned Risk Assessments

• Inherent risk was assessed low, while control risk was assessed high without control testing.
• RMM was recorded as moderate instead of aligning with inherent risk, violating AU-C 315.38.
• Inherent risk documentation also improperly referenced controls.

What These Findings Signal

These preliminary peer review results provide the profession with early warning signs about SAS 145 implementation. The most frequent shortcomings were tied to:

• Misapplication of the standard’s clarified definitions of significant and inherent risks.
• Documentation weaknesses around control testing and journal entry processes.
• Residual reliance on pre-SAS 145 practices or outdated third-party aids that are no longer consistent with AU-C 315.38.

While these early MFCs are drawn from a narrow sample, they suggest that similar issues may become widespread as more engagements are reviewed.

Conclusion

The rollout of SAS 145 has brought new rigor to risk assessment, but early peer review findings highlight that firms are still adapting to its demands. Nonconforming engagements often stemmed from insufficient documentation, incorrect designation of risks, and inconsistencies in applying control risk assessments.

As adoption continues, firms should monitor these focus areas closely, update their practice aids, and invest in staff training to ensure compliance. Peer reviewers are expected to scrutinize these areas in the coming review cycles, making them critical priorities for firms seeking to align with the new standard.

Share via