Practice Brief: SAS 145 Risk Assessment — What to Do Now
Bottom line: SAS No. 145 is already effective for periods ending on or after December 15, 2023 — if your workpapers, IT questionnaires, and risk matrices haven't been updated yet, they must be corrected before your next engagement closes.
🔴 Action Required
- Update risk assessment workpaper templates to reflect the spectrum of inherent risk (complexity, subjectivity, change, uncertainty, fraud susceptibility) replacing the old binary significant-risk approach. — AU-C § 315.15, SAS No. 145
- Develop or update IT questionnaires to capture IT general controls (program change, access, computer operations, program development) for every relevant engagement — failure to document ITGCs is a top deficiency risk. — AU-C § 315.42, SAS No. 145
- Ensure all three required risk assessment procedures (inquiries, analytical procedures, observation/inspection) are documented for every engagement, including inquiries directed specifically at IT personnel and those recording complex transactions. — AU-C § 315.13, SAS No. 145
- Document the five-component internal control understanding (Control Environment, Risk Assessment, Information System, Control Activities, Monitoring) for each engagement — boilerplate documentation is insufficient. — AU-C § 315.25–.74, SAS No. 145
- For any identified significant risks, confirm that tests of details are planned — substantive analytical procedures alone are not permitted. — AU-C § 330.21, SAS No. 145
🟡 Monitor
- The AICPA issued implementation guidance and practice aids to assist firms transitioning to SAS No. 145 — confirm your firm has incorporated these into its methodology.
- For engagements where automated or IT-dependent manual controls will be relied upon, operating effectiveness testing of ITGCs will be required under AU-C § 330. — AU-C § 330, SAS No. 145
🟢 FYI
- For practitioners auditing SEC registrants (issuers): risk assessment is governed by PCAOB AS 2110, not SAS No. 145, and PCAOB AS 2201 additionally requires testing and opining on operating effectiveness of ICFR — a requirement that does not exist under SAS No. 145. — PCAOB AS 2110; AS 2201