Auditing Standards: Key Changes Introduced with SAS 143 and SAS 145

The release of Statement on Auditing Standards (SAS) No. 143, Auditing Accounting Estimates and Related Disclosures (SAS 143), and SAS No. 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (SAS 145), marks an evolution in auditing standards. The standards provide auditors with comprehensive guidance on testing accounting estimates and related disclosures, including fair value accounting estimates, and set requirements related to obtaining an understanding of the entity’s system of internal controls in an increasingly complex economic, technological and regulatory accounting landscape.

SAS 143 Auditing Accounting Estimates and Related Disclosures

Effective for audits of financial statements for periods ending on or after Dec. 15, 2023, this new standard requires auditors to delve deeper into the uncertainties surrounding accounting estimates and identify any potential management bias. This requires a more thorough evaluation of the assumptions and methodologies used in making accounting estimates, particularly those involving significant judgment such as fair value measurements. 

SAS 143 requires a more detailed risk assessment process, specifically tailored to address the complexities involved in identifying and auditing accounting estimates, including fair value estimates. The standard provides detailed guidance on designing audit procedures that are responsive to the assessed risks of material misstatement associated with accounting for estimates. This includes assessing the suitability of the valuation models used and the integrity of the underlying data for fair value estimates.

SAS 143 now necessitates a more defined auditing process for the documentation and assessment of fair value estimates, demanding greater transparency and accountability in the estimation process. It aims to improve the quality and reliability of fair value estimates, thereby enhancing the trust of investors and other stakeholders in financial statements.

What Are the Key Changes to SAS 143?

With its adoption, SAS 143 introduces the following key changes to the auditing standards. The standard:

  • Emphasizes the need for auditors to focus on factors that contribute to estimation uncertainty and exercise professional skepticism when evaluating the assumptions and methodologies used to develop fair value estimates
  • Mandates a more detailed risk assessment process, specifically tailored to address the complexities involved in auditing accounting estimates, including fair value estimates
  • Requires auditors to evaluate whether the accounting estimate and related disclosures are reasonable within the context of the applicable financial reporting framework, including the determination as to whether the methods, assumptions and data used are permitted

Potential Impact and Audit Procedures Relative to SAS 143

For private equity and venture capital firms, a significant portion of the audit process is dedicated to the evaluation of estimates, including fair value estimates. With the adoption of SAS 143, the auditor’s focus will now shift more heavily to obtaining an understanding of the factors and assumptions used in developing the estimate and, in turn, will require greater transparency and accountability from management in the estimation process. The auditor may perform the following steps when evaluating accounting estimates:

  • Method: Assess whether the method used by management aligns with the applicable financial reporting framework and whether the method is appropriate under the circumstances and consistent over periods. If the method is not consistent, the auditor will determine whether the change in the method indicates management bias.
  • Significant Assumptions: Determine whether the assumptions and judgments used by management in the accounting estimate are suitable within the context of the applicable financial reporting framework, whether they consider both positive and negative potential outcomes, and whether they are consistent with prior periods and other business activities. The auditor will also assess whether the assumptions and judgments made by management indicate bias. In doing so, the auditor will consider management's intent and capability to act on specific courses.
  • Data: The auditor is also required to evaluate the reliability of the data used in determining the accounting estimate, whether the data was developed by management or obtained from independent sources. This requirement may result in the need for the auditor to better understand the sources of the data used in the accounting estimate. In addition to an evaluation of reliability, SAS 143 also emphasizes the requirement to determine whether the source of data used in the accounting estimate is consistent with prior periods and whether that determination indicates management bias. Finally, SAS 143 emphasizes the auditor’s responsibility for determining whether the data is relevant in the context of the selected method and assumptions used in developing the estimate.
  • Management's Point Estimate and Disclosures: When management chooses a precise value (referred to as a point estimate) instead of a range, SAS 143 mandates that the auditor scrutinize alternative outcomes and assumptions. It also requires evaluation of whether management's judgment could be biased.

In conclusion, SAS 143 significantly enhances the auditing standards in ways that will affect audits of private equity and venture capital firms, particularly in the assessment of fair value accounting estimates.

SAS 145 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Like SAS 143 above, SAS 145 is effective for all audits of financial statements for periods ending on or after Dec. 15, 2023. SAS 145 revised several aspects of the risk assessment process, including the requirements specific to the auditor’s responsibilities with regard to obtaining an understanding of an entity's system of internal control. In particular, SAS 145 revised the auditor’s requirements related to the evaluation of design and implementation of certain controls, including information technology general controls (ITGC). This standard does not change the fundamental concepts of audit risk; however, it mandates a more detailed risk assessment process and enhances certain aspects of the identification of risk factors.

An entity’s IT environment plays an increasingly important role in its system of internal control, given the reliance on technology, applications and cloud providers in initiating and recording many transactions. While the auditor has always been required to obtain an understanding of key IT applications used by the entity, SAS 145 has revised and enhanced the requirements of the auditor in understanding and evaluating the design and implementation of the entity’s IT environment and internal controls.

Specifically, under SAS 145, the auditor is required to identify ITGCs that address the risks arising from the use of IT and to evaluate their design and determine whether they have been implemented by the entity. The auditor will first determine which IT applications are in scope based, in part, on the risk assessment of the financial statement accounts supported by IT applications.

ITGCs are grouped into one of four domains, which cover different aspects of IT systems and processes to ensure the integrity, confidentiality and availability of information and the effectiveness of related controls.

The four domains are as follows:

  • Security and Access – controls that allow users to access the information necessary for their job responsibilities, which facilitates appropriate segregation of duties, and controls to recertify or evaluate user access for ongoing authorization over the granting and revoking of access to IT applications, cloud providers and financial folders
  • Systems Change – controls over the process to design, program, test and migrate changes (patches, upgrades, workflows and report changes) into a production environment, and controls that segregate access to make changes from access to migrate changes to a production environment
  • System Development – controls over initial IT application acquisition, development or implementation, or in relation to other aspects of the IT environment, and controls over the conversion of data from a prior system to a new system, the development and implementation of a new system, and the creation of new reports for the new system
  • Computer Operations – controls to monitor financial reporting programs for successful execution (job schedules and batch jobs), and controls to ensure backups of financial reporting data occur as planned and that such data is available and able to be accessed for timely recovery in the event of an outage or cyberattack

Not all domains may be applicable in a given year for each IT application identified; however, for those that do apply, the relevant ITGCs within the applicable domain will be evaluated for design and implementation.

Next Steps

If you have any questions or need guidance regarding these auditing standards, please connect with us.

Published on February 19, 2024