The new statement supersedes SAS No. 122, as amended, section 315 of the same title, and amends various AU-C sections in AICPA Professional Standards, provideing extensive guidance regarding the use of information technology and the consideration of IT general controls.
It addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, enhancing requirements and guidance on identifying and assessing risks of material misstatement, in areas of understanding an entity’s system of internal control and assessing control risk.
Among the changes are the following:
*Revised requirements for evaluating design of controls within the control activities component, including general IT controls, and determining whether these have been implemented; *A new requirement to separately assess inherent risk and control risk; *A new requirement to assess control risk at the maximum level so if the auditor does not test the operating effectiveness of controls, the assessment of risk of material misstatement is the same as the assessment of inherent risk; *New guidance on scalability; *Revised requirements relating to audit documentation. * *"A conforming amendment to perform substantive procedures for each relevant assertion of each significant class of transactions, account balance, and disclosure, regardless of the assessed level of control risk (rather than for all relevant assertions related to each material class of transactions, account balance, and disclosure, irrespective of the assessed risks of material misstatement, as previously required).”