Uncategorized

SAS 145: Understanding the Entity and Assessing Risks of Material Misstatement

SAS 145 is the AICPA standard that reshaped how non-issuer auditors understand a company and assess where its financial statements could be materially wrong. Issued by the Auditing Standards Board in October 2021 and effective for audits of periods ending on or after December 15, 2023, it replaced the old risk-assessment standard and recodified the requirements in AU-C 315. The headline change is conceptual: it forces auditors to separate inherent risk from control risk and to assess inherent risk along a spectrum rather than as a single bucket.

Key takeaways

  • SAS 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, is codified as AU-C 315 and is effective for audits of financial statements for periods ending on or after December 15, 2023 (AICPA SAS No. 145; AU-C 315).
  • It requires the auditor to assess inherent risk and control risk separately, rather than as a combined risk of material misstatement, so the auditor must consciously decide whether to test the operating effectiveness of controls (AU-C 315.34).
  • It introduces the spectrum of inherent risk, assessed by combining the likelihood and magnitude of a possible misstatement, with significant risks identified at the upper end of the spectrum (AU-C 315.28, .31, .32).
  • It expands the requirements for understanding the entity’s information technology, including identifying IT applications and other aspects of the IT environment subject to risks from the use of IT, and the related general IT controls (AU-C 315.26).
  • It adds a stand-back provision requiring the auditor to evaluate the completeness of the identified classes of transactions, account balances, and disclosures, including material items not otherwise identified as significant (AU-C 315.36).

What is SAS 145?

SAS 145 is Statement on Auditing Standards No. 145, the AICPA Auditing Standards Board’s revision of the risk-assessment standard for audits of non-issuers. It carries the title Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, and it supersedes the prior SAS No. 122 version of AU-C 315. The standard is codified as AU-C Section 315 in the AICPA Professional Standards.

Risk assessment is the foundation of the audit. An auditor cannot test everything, so the work is concentrated where the financial statements are most likely to be materially misstated. AU-C 315 is the standard that tells the auditor how to find those areas. It requires obtaining an understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control, and then using that understanding to identify and assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances, and disclosures.

SAS 145 did not change the fundamental purpose. It sharpened the mechanics. The Auditing Standards Board converged the standard with the equivalent international standard, ISA 315 as revised, and in doing so addressed long-standing criticism that auditors were defaulting to a combined risk assessment and a fully substantive approach without ever consciously deciding whether controls were worth testing.

Why SAS 145 matters

SAS 145 matters because risk assessment failures are the root cause of most audit deficiencies. When peer reviewers and regulators inspect deficient audits, the problem usually traces back to a risk assessment that was too coarse to direct the work where it needed to go. By requiring a separate assessment of inherent risk and control risk, and by spreading inherent risk across a spectrum, SAS 145 makes it harder for an auditor to wave a hand at risk and move on.

The separation of inherent risk and control risk has a direct practical consequence. Under the combined model, an auditor could land on a single risk of material misstatement without ever articulating why. Under SAS 145 the auditor must first assess inherent risk on its own, then decide whether to rely on the operating effectiveness of controls. If the auditor does not test controls, control risk is assessed at maximum and the auditor’s substantive procedures must address the full assessed inherent risk. That is a more honest and more auditable chain of reasoning, and it ties directly to how firms approach internal controls testing.

The expanded IT requirements matter because almost every modern entity processes its transactions through software. SAS 145 requires the auditor to identify the IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT, and to identify the general IT controls that address those risks. An auditor who plans to rely on automated controls or system-generated reports has to understand the general IT controls, such as access security and change management, that keep those automated controls and reports reliable. This is the same control discipline that underlies a SOC 2 audit, viewed from the financial statement auditor’s side.

How SAS 145 works (the requirements)

AU-C 315 walks the auditor through obtaining an understanding, identifying risks, and assessing them. The steps build on one another.

Understand the entity and its environment

The auditor obtains an understanding of the entity’s organizational structure, ownership, business model, industry, regulatory factors, and the applicable financial reporting framework (AU-C 315.19). This understanding is the lens through which the auditor identifies what could go wrong in the financial statements. The standard treats this understanding as a basis for identifying risks, not as an end in itself.

Understand the system of internal control

The auditor obtains an understanding of each component of the entity’s system of internal control: the control environment, the entity’s risk assessment process, the process to monitor the system of internal control, the information system and communication, and control activities (AU-C 315.21 through .27). For the components other than control activities, the auditor evaluates whether the controls are appropriately designed and have been implemented. For control activities, the auditor identifies the controls that address risks of material misstatement at the assertion level, including those over significant risks and those over journal entries.

Understand the IT environment (AU-C 315.26)

The auditor identifies the IT applications and other aspects of the IT environment that are subject to risks arising from the use of IT. For those, the auditor identifies the related general IT controls. This is the codified version of what auditors used to do informally. SAS 145 makes the IT understanding an explicit, structured requirement rather than an optional add-on.

Identify and assess the risks of material misstatement

The auditor identifies risks of material misstatement at the financial statement level and at the assertion level (AU-C 315.28). At the assertion level, the auditor assesses inherent risk separately by considering the likelihood and magnitude of a possible misstatement, and assesses control risk separately based on whether the auditor plans to rely on the operating effectiveness of controls (AU-C 315.34). If the auditor does not plan to test controls, control risk is set at maximum.

The spectrum of inherent risk and significant risks

Inherent risk is assessed along a spectrum. The higher the combination of likelihood and magnitude, the higher on the spectrum the risk sits (AU-C 315.31). A significant risk is one assessed close to the upper end of the spectrum of inherent risk, or one required to be treated as a significant risk by other standards (AU-C 315.32). Significant risks receive specific audit responses and cannot be addressed solely by relying on controls without testing them.

The stand-back provision (AU-C 315.36)

After identifying significant classes of transactions, account balances, and disclosures, the auditor stands back and evaluates whether that identification is complete. The auditor considers material classes, balances, and disclosures that were not identified as significant and confirms they were appropriately excluded from heightened attention. The provision is a check against tunnel vision.

Combined risk model versus the SAS 145 separate model

Element Prior approach (combined risk) SAS 145 (separate inherent and control risk)
Risk of material misstatement Could be assessed as a single combined risk at the assertion level. Inherent risk and control risk assessed separately at the assertion level (AU-C 315.34).
Inherent risk granularity Often a binary or three-point classification (low, moderate, high). Assessed on a spectrum by combining likelihood and magnitude of a possible misstatement (AU-C 315.31).
Significant risk definition Defined by a list of factors without explicit positioning on a spectrum. A risk assessed at or near the upper end of the spectrum of inherent risk (AU-C 315.32).
Control risk when controls are not tested Could be implicit in a combined assessment. Assessed at maximum, and substantive procedures must respond to the full inherent risk (AU-C 315.34).
IT understanding Required but less structured. Explicit identification of IT applications, IT environment risks, and related general IT controls (AU-C 315.26).
Completeness check No formal stand-back step. Stand-back provision evaluating completeness of identified classes, balances, and disclosures (AU-C 315.36).

The change is not that auditors must now test controls. It is that the decision about whether to test controls must be explicit. An auditor can still run a fully substantive audit, but under SAS 145 that choice means control risk is at maximum and the substantive work must carry the full assessed inherent risk. The comparison with assurance levels in our audit vs review vs compilation guide is useful here, because the depth of risk assessment is one of the things that separates an audit from lesser engagements.

Worked example: assessing inventory risk under SAS 145

Assume an auditor is planning the audit of Northgate Manufacturing for the year ending December 31, 2025. Inventory is material and includes work in process valued using a standard cost system that runs through the company’s ERP. Here is how the assessment runs under AU-C 315.

Understanding. The auditor learns that inventory turns slowly, that standard costs were last updated 18 months ago, and that the ERP automatically applies overhead absorption rates to work in process. The auditor identifies the ERP inventory module as an IT application subject to risks from the use of IT (AU-C 315.26).

Inherent risk on the spectrum. For the valuation assertion, the auditor considers likelihood and magnitude. The likelihood of misstatement is elevated because standard costs are stale and overhead rates may no longer reflect actual costs. The magnitude is large because inventory is material. The auditor places valuation high on the inherent risk spectrum and treats it as a significant risk (AU-C 315.31, .32).

Control risk decision. The auditor evaluates whether to rely on the company’s control that requires a quarterly review and update of standard costs. If the auditor plans to rely on it, the auditor must test its operating effectiveness and must also understand the general IT controls over the ERP that keep the overhead calculation reliable (AU-C 315.26, .34). If the auditor decides not to test controls, control risk for valuation is set at maximum and substantive procedures must address the full inherent risk.

Response. Because valuation is a significant risk, the auditor designs specific substantive procedures: recomputing standard costs against recent actual costs, testing the overhead absorption rate, and evaluating lower-of-cost-or-net-realizable-value writedowns on slow-moving stock. A significant risk cannot be addressed by control reliance alone without testing those controls.

Stand-back. After identifying inventory valuation, existence, and other significant areas, the auditor stands back and confirms that other material balances, such as accrued warranty and capitalized tooling, were appropriately evaluated for whether they too warranted significant-risk treatment (AU-C 315.36).

The result is a risk assessment that is explicit at every junction: inherent risk positioned on a spectrum, a conscious control-reliance decision, structured IT understanding, and a completeness check.

Recent changes (effective dates, superseding standards)

SAS 145 is itself the recent change. It was issued in October 2021 and is effective for audits of financial statements for periods ending on or after December 15, 2023. For calendar-year audits that meant the December 31, 2023 audits performed in early 2024 were the first under the new standard.

Common pitfalls under this standard

Frequently asked questions

When does SAS 145 take effect?
SAS 145 is effective for audits of financial statements for periods ending on or after December 15, 2023. For a calendar-year entity, the December 31, 2023 audit was the first one performed under the standard.
What is the biggest change in SAS 145?
The requirement to assess inherent risk and control risk separately rather than as a combined risk of material misstatement, and to assess inherent risk along a spectrum based on the likelihood and magnitude of a possible misstatement (AU-C 315.34, .31).
Does SAS 145 require auditors to test controls?
No. An auditor can still take a fully substantive approach. But if the auditor does not test the operating effectiveness of controls, control risk is assessed at maximum and the substantive procedures must respond to the full assessed inherent risk (AU-C 315.34).
What is the spectrum of inherent risk?
It is the range across which inherent risk is assessed by combining the likelihood and the magnitude of a possible misstatement. Risks toward the upper end of the spectrum may be significant risks requiring specific audit responses (AU-C 315.31, .32).
What is the stand-back provision?
It is the requirement in AU-C 315.36 to evaluate whether the identification of significant classes of transactions, account balances, and disclosures is complete, including consideration of material items that were not identified as significant. It is a completeness check on the risk assessment.
How does SAS 145 change the IT requirements?
It requires the auditor to explicitly identify the IT applications and other aspects of the IT environment subject to risks arising from the use of IT, and to identify the related general IT controls that address those risks (AU-C 315.26). Reliance on automated controls or system reports depends on understanding those general IT controls.
Does SAS 145 apply to audits of public companies?
No. SAS 145 is an AICPA standard for audits of non-issuers, codified as AU-C 315. Audits of issuers follow PCAOB standards, primarily AS 2110 for risk assessment, which is separate literature.
How does SAS 145 interact with the auditor’s response standard?
It feeds directly into AU-C 330. The separate assessments of inherent and control risk under AU-C 315 drive the nature, timing, and extent of further audit procedures the auditor designs under AU-C 330. A higher assessed inherent risk with control risk at maximum calls for more persuasive substantive evidence.

Bottom line

SAS 145 revised AU-C 315 to make risk assessment more explicit and more disciplined for non-issuer audits effective for periods ending on or after December 15, 2023. It separates inherent risk from control risk, spreads inherent risk across a spectrum of likelihood and magnitude, structures the understanding of IT, and adds a stand-back completeness check. The practical effect is that the auditor must consciously decide whether controls are worth testing and document why the audit is focused where it is.

Sources and methodology

AICPA Statement on Auditing Standards No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, codified as AU-C Section 315, including AU-C 315.19 (understanding the entity), .21 through .27 (system of internal control), .26 (IT applications and general IT controls), .28 (identifying risks), .31 (spectrum of inherent risk), .32 (significant risks), .34 (separate assessment of inherent and control risk), and .36 (stand-back provision). Companion standard AU-C 330, Performing Audit Procedures in Response to Assessed Risks. Effective for audits of financial statements for periods ending on or after December 15, 2023. Converged with IAASB ISA 315 (Revised 2019). PCAOB AS 2110 is the separate issuer risk-assessment standard. See also our learn hub, the internal controls testing guide, the audit vs review vs compilation explainer, and the SOC 2 audit guide.