SAS 145 and IT General Controls: What Organizations Need to Know

January 13, 2025 at 2:30 PM

The release of SAS 145 (Statement on Auditing Standards No. 145) represents a significant shift in how auditors evaluate and respond to the risks of material misstatements, particularly in complex IT environments. As IT General Controls (ITGCs) underpin key financial processes and reporting systems, understanding and aligning with SAS 145’s updates is crucial for organizations preparing for audits, especially SOC 1 and SOC 2 engagements.

What is SAS 145?

SAS 145, titled Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, enhances and modernizes the auditor’s approach to risk assessment. Effective for audits of financial statements for periods ending on or after December 15, 2023, SAS 145 emphasizes:

  • A Deeper Understanding of Controls: Expands the requirement to understand an entity’s control environment and risk assessment processes, with a specific focus on IT systems.
  • Risk Spectrum Clarification: Introduces concepts like the inherent risk spectrum and a more granular evaluation of risks of material misstatements.
  • Enhanced Communication: Requires better documentation and articulation of control evaluations, including IT-related risks.

For IT-intensive environments, SAS 145 amplifies the importance of evaluating ITGCs and how they support financial reporting and mitigate risks.

Key ITGC Updates in SAS 145

Emphasis on IT-Dependent Controls

  • SAS 145 requires a deeper analysis of controls embedded in IT systems, including automated controls and system interfaces.
  • Auditors must assess how IT systems and related controls contribute to identifying, preventing, or detecting material misstatements.

ITGC Areas of Focus

The standard underscores the need to evaluate ITGCs in the following areas:

  • Access Management: Ensuring only authorized users have access to financial systems.
  • Change Management: Managing modifications to IT systems to prevent unauthorized or erroneous changes.
  • Data Integrity: Verifying the reliability of data flows and interfaces between systems.
  • System Operations: Assessing the effectiveness of backups, recovery processes, and IT infrastructure reliability.

Documentation and Evidence

  • SAS 145 places greater importance on documenting the understanding of IT environments and their role in mitigating risks.
  • Auditors must demonstrate how ITGCs influence their risk assessment and audit procedures.

How SAS 145 Impacts SOC 1 and SOC 2 Audits

SOC 1 and SOC 2 audits frequently involve the evaluation of ITGCs, as these controls are integral to ensuring the reliability of financial reporting (SOC 1) and the security, availability, processing integrity, confidentiality, and privacy of systems (SOC 2). SAS 145’s updates reinforce this connection:

For SOC 1 Audits:

  • Emphasizes the critical role of IT systems in processing financial transactions and generating accurate financial reports.
  • Increases scrutiny on IT controls supporting financial reporting processes.

For SOC 2 Audits:

  • Aligns with the Trust Service Criteria by requiring detailed evaluation of IT systems that impact security, availability, and other criteria.
  • Enhances the focus on continuous monitoring and dynamic risk assessment within IT environments.

Challenges Organizations Face with SAS 145

Increased Complexity in IT Evaluations

Organizations often struggle to understand the interplay between IT systems and financial reporting risks. SAS 145’s heightened focus on ITGCs adds complexity, requiring:

  • Thorough documentation of IT systems and processes.
  • Clear mapping of IT controls related to financial reporting risks.

Documentation Burden

The standard’s emphasis on detailed documentation places a significant burden on companies with limited internal resources or expertise.

Communication with Auditors

Auditors’ enhanced responsibilities under SAS 145 may lead to increased requests for information and clarifications, requiring organizations to:

  • Provide comprehensive and accurate responses.
  • Collaborate effectively to ensure audit timelines and objectives are met.

How Compass Can Help with SAS 145

At Compass, we specialize in simplifying compliance and audit preparation for organizations navigating SAS 145’s requirements. Here’s how we can support your team:

ITGC Assessment and Enhancement

We help organizations identify and strengthen ITGCs to meet the enhanced expectations of SAS 145:

  • Access Management: Ensure user access controls align with best practices to protect critical financial systems.
  • Change Management: Develop and implement robust procedures for managing system changes.
  • Data Integrity: Evaluate and validate the accuracy of data flows and system interfaces.
  • System Operations: Assess the effectiveness of IT infrastructure and disaster recovery plans.

Risk Assessment Mapping

We provide:

  • A clear mapping of IT systems and controls to financial reporting risks.
  • Tailored risk assessments that address SAS 145’s inherent risk spectrum.

Documentation Support

Our team ensures your documentation meets SAS 145’s stringent requirements:

  • Comprehensive narratives of IT environments and controls.
  • Detailed evidence of ITGC effectiveness.
  • Tailored reports to support auditor inquiries and enhance transparency.

Training and Awareness

We provide training programs for your team to:

  • Understand SAS 145’s requirements and their implications for IT.
  • Build internal capabilities for ongoing ITGC evaluation and improvement.

Collaboration with Auditors

Our experts act as liaisons between your organization and external auditors, ensuring:

  • Efficient communication and alignment on expectations.
  • Timely resolution of auditor questions or concerns.

Benefits of Partnering with Compass for SAS 145

Expertise in ITGCs and Audits

With decades of experience in IT auditing and compliance, our team brings unparalleled expertise to ensure your ITGCs meet and exceed SAS 145’s requirements.

Tailored Solutions

We understand that every organization is unique. Our approach is customized to address your specific IT environment, risks, and objectives.

Reduced Audit Burden

By streamlining your preparation efforts, we minimize the time and resources needed to achieve compliance.

Long-Term Value

Our services not only address immediate SAS 145 challenges but also enhance your IT control environment for sustained compliance and operational efficiency.

Closing Thoughts

SAS 145 marks a new era in audit risk assessment, particularly for IT-intensive environments. Its focus on ITGCs underscores the importance of robust controls in safeguarding financial reporting and achieving compliance. At Compass, we are committed to guiding organizations through these changes with expertise, precision, and a client-centric approach. By partnering with us, you can confidently navigate SAS 145’s requirements, strengthen your IT control environment, and build a foundation for long-term success. Contact us today to learn how we can support your organization's compliance and risk management needs.
