Inherent Risk Assessment Documentation Requirements (and Myths) SAS 145 Peer Review MFCs -- Part II

Statement on Auditing Standards (SAS) 145, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, now requires the auditor to separately assess inherent risk at the assertion level (AU-C 315.35). As we have previously written, while this is a new requirement, many practitioners already had been separately assessing inherent risk as part of their audit methodology. In our previous report on the topic, Breaking Bad Habits on Inherent Risk, we stressed the importance of supporting inherent risk assessments without referencing internal controls or auditor procedures. In this report, in reaction to the initial Matters for Further Consideration (MFCs) citing the new requirements in SAS 145, we will outline the documentation requirements for inherent risk assessments and what we feel are best practices. We also will address the extent of documentation requirements. Based on review of the MFCs to date, it appears that some are asserting that these documentation requirements are more extensive than what AU-C 315 explicitly requires.