Auditing reimagined: SAS 145 and the rise of technology-enabled risk management

The introduction of Statement on Auditing Standards (SAS) No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (SAS 145)* in December of 2023 marked a significant shift in the financial statement auditing landscape. While the core objectives of our profession remain unchanged – delivering high-quality audits and ensuring the reliability of financial statements – SAS 145 provides auditors with a more refined and risk-centric approach and set of tools to achieving those goals.  

This article explores how this new standard changes the game for auditors, with topics including:

• Key changes to SAS 145
• How change to SAS 145 impact an auditor’s daily work
• How SAS 145 changes make risk assessments even more effective
• How auditors navigate the world of SAS 145 and artificial intelligence, data analytics, and other emerging technologies

*Link requires a subscription to CCH AnswerConnect.

Moving beyond the traditional: Embracing the risk-based mindset 

Previously, risk assessments relied heavily on understanding a client's internal controls (ICs) to determine control risk. A standardized approach was employed, often testing the existence and documentation of control procedures.  

While internal controls remain crucial, SAS 145 ushers in a new era of risk-based thinking. The focus has shifted to identifying and evaluating the specific risks that could lead to material misstatements at the assertion level. This creates a more tailored testing approach.  

Consider a manufacturing company with a history of significant inventory write-downs. Under the traditional approach, auditors might have simply verified the existence of documented procedures for cycle counts. However, under SAS 145, analysis is on the inherent risk of inventory misstatements. Factors like the complexity of the inventory (think high-value electronics vs. standard office supplies) or reliance on third-party logistics providers would influence our risk assessment.  

Next steps might include designing targeted procedures to assess the effectiveness of controls mitigating those specific risks. For example, observing physical inventory counts more closely, focusing more on high-risk inventory items, or performing additional testing of inventory valuation methods. 

A sharper focus on inherent risk

SAS 145 provides a clear definition of inherent risk as the susceptibility of an account balance, transaction type, or disclosure to a material misstatement, absent any controls. This concept empowers auditors to prioritize their audit efforts more effectively.  

For instance, a public company in the highly competitive tech industry might have a higher inherent risk for revenue recognition than a private company in a more stable industry. This would influence the nature, extent, and timing of our revenue audit procedures. This might mean performing more extensive analytical procedures on sales data, scrutinizing customer contracts for potential side agreements, or dedicating additional resources to testing the valuation of complex software licenses. 

Leveraging technology and data analytics

The rise of data analytics, AI, and other technologies presents exciting opportunities under SAS 145, providing the opportunity to gain deeper insights into potential risks by leveraging data mining techniques and continuous auditing tools. For example, analyzing trends in sales returns or customer complaints for a retail client might reveal areas with a higher inherent risk of fraudulent sales.  

Similarly, data visualization tools can help us identify unusual patterns in financial data, prompting further investigation. Imagine a sudden surge in accounts receivable aging for a company in a declining industry – this could be a red flag for potential bad debt. How AI, data analytics and other emerging technologies are likely to impact how auditors deal with the standard is examined standard in this article. 

Maintaining a healthy dose of professional skepticism 

Professional skepticism has always been a cornerstone of auditing, and SAS 145 underscores its importance. Auditors must constantly challenge management's explanations, critically analyze unusual trends, and be vigilant for potential red flags.  

Consider a scenario where a client reports a significant increase in investments during a period of declining profitability. This could be a sign of management attempting to manipulate financial ratios. Under SAS 145, auditors are expected to dig deeper, perform additional procedures to verify the existence and valuation of investments, and potentially consider bringing in a valuation specialist. 

The "stand-back" requirement: A holistic view of risk 

This new provision ensures a comprehensive risk assessment by requiring auditors to take a step back after completing the initial analysis. This involves critically assessing whether the auditor has identified all significant risks across the entire financial statement. This might necessitate brainstorming sessions with the audit team, consulting industry benchmarks, or reviewing recent news articles related to the client's specific industry. For example, overlooking the risk of a new environmental regulation impacting a client's waste disposal costs could lead to a significant deficiency in the audit.
 

Collaboration and communication: Key to successful implementation 

Successful implementation of SAS 145 hinges on effective collaboration and communication within the audit team. Sharing insights gleaned from inherent risk analysis, data analytics tools, and brainstorming sessions allows for a more comprehensive risk assessment. Furthermore, clear communication with clients regarding the identified risks fosters transparency and enables them to address any control weaknesses that may exist.

SAS 145 meets the future 

AI, data analytics, and other advanced technologies are poised to significantly impact how auditors deal with SAS 145, particularly in the following areas: 

Enhanced risk assessment 

Data mining can assist auditors in identifying inherent risks, something SAS 145 emphasizes, allowing auditors to analyze vast amounts of historical data and identify patterns and anomalies that might indicate areas of high inherent risk. 

Predictive analytics goes beyond historical analysis. It uses machine learning algorithms to predict potential risks based on current trends and industry forecasts.  

Streamlined audit procedures 

Continuous auditing. An approach encouraged by SAS 145, real-time data analytics can continuously monitor key financial metrics and transactions, allowing for more timely identification of potential issues compared to traditional periodic testing. 

Automated testing: AI-powered tools can automate routine audit procedures such as vouching transactions or performing analytical procedures on large datasets. This frees up auditor time for higher-level analysis and investigation of identified risks. 

Deeper insights and improved efficiency 

Data visualization tools can present complex data sets in a clear and visually compelling way, allowing auditors to quickly identify trends, outliers, and potential red flags. This can significantly enhance the effectiveness of the "stand-back" requirement in SAS 145, ensuring a comprehensive view of risks. 

Natural Language Processing (NLP) can be used to analyze vast amounts of unstructured data like emails, contracts, and board meeting minutes. This can help auditors uncover potential areas of concern or corroborate management's explanations. 

Challenges and considerations 

Explainability and transparency: While AI can identify risks, auditors must understand the "why" behind the identified risks. Overreliance on black-box AI models needs to be balanced with human judgment and professional skepticism. 

Data quality and security: The effectiveness of these technologies hinges on the quality and security of the underlying data. Auditors need to ensure data integrity and implement robust controls to mitigate cyber threats. 

Upskilling the workforce: As auditors' roles evolve, continuous learning and development opportunities will be essential. Auditors will need to develop skills in data analysis, technology integration, and critical thinking to leverage these tools effectively. 

Conclusion: A catalyst for enhanced audit quality

SAS 145 is not a wholesale overhaul of the auditing process. It is an evolution, equipping auditors with a more refined and risk-focused approach to identifying and evaluating material misstatements, enhanced further by AI and other technologies.  

By embracing the core principles of SAS 145, the audit profession elevates the quality of risk assessments, leading to more efficient and effective audits. This, in turn, fosters greater trust in the financial reporting process and protects the interests of investors and stakeholders. The journey of continuous improvement never ends, and SAS 145 empowers us to navigate the ever-changing auditing landscape with greater confidence and a sharper focus on delivering high-quality audits.