California practitioners—especially those in small and mid-sized firms—are navigating an environment where time is compressed, staffing is lean and client expectations continue to rise. Efficiency is essential.

At the same time, peer review findings continue to highlight recurring deficiencies in risk assessment and documentation. Planning is rushed. Relevant assertions are not clearly identified. Procedures performed do not clearly respond to assessed risks. Documentation reflects conclusions, but not always the thinking behind them.

SAS No. 145 did not fundamentally change audit risk. But it did clarify and elevate how deliberately California practitioners must identify, assess and document risk.

This isn’t about more paperwork. It’s about better planning.

The Question That Drives My Planning

When I begin planning an audit, I ask myself a simple question: If I only had eight hours to perform this audit, where would I focus?

That question forces discipline. It eliminates mechanical thinking. It pushes me to identify what truly drives risk in the entity.

• What assertions are susceptible to material misstatement?

• Where is complexity?

• Where is subjectivity?

• Where is change or uncertainty?

• Where could management bias influence outcomes?

SAS 145 reinforces this mindset by emphasizing inherent risk factors, including complexity, subjectivity, change, uncertainty and susceptibility to management bias.

Before we evaluate controls, before we determine whether we plan to test operating effectiveness, we must understand the nature of the risk itself.

And that is where many audits begin to lose clarity.

Inherent Risk Is Not ‘After Controls’

One of the most common misunderstandings in practice is the blending of inherent risk and control considerations. For example, “Cash has low inherent risk because it’s kept in the bank” or “Revenue has low inherent risk because management reviews it monthly.”

Those are control considerations. Inherent risk must be assessed before considering controls.

Inherent risk relates to the susceptibility of an assertion to misstatement based on its nature. Controls may reduce the overall risk of material misstatement, but they do not reduce inherent risk.

Under SAS 145, inherent risk and control risk must be assessed separately. If controls are not tested, control risk is assessed at maximum.

For smaller firms in particular, this distinction is critical. Familiarity with a client can unintentionally lead to blending inherent risk with comfort over existing processes. The standard challenges us to slow down and separate the two clearly.

Significant Does Not Mean Material

Another important clarification under SAS 145 is the concept of a “significant class of transactions, account balance or disclosure.”

A class is significant when there is at least one relevant assertion with an identified risk of material misstatement.

This shifts the focus from auditing material balances simply because they are material, to auditing areas where assertion-level risk truly exists.

SAS 145 also requires what many refer to as a “stand-back” evaluation—an intentional pause to consider whether all significant classes have been properly identified.

In peer review, a common issue arises when:

• A risk is identified in documentation,

• But the audit program does not reflect a tailored response, or

• Extensive procedures are performed in low-risk areas simply because they always have been.

Both situations suggest that planning did not drive the audit.

The standard strengthens the expectation that risk assessment must clearly link to the nature, timing and extent of procedures performed.

Documentation Is About Rationale—Not Volume

SAS 145 enhances documentation requirements, particularly around:

• The evaluation of the design of identified controls

• Determination of implementation

• The rationale for significant judgments made in assessing risks

This does not mean longer memos or more checklists. It means documenting why we concluded what we concluded.

• If inherent risk is assessed as moderate, why?

• If an area is not significant, what supports that conclusion?

• If extended procedures are performed, how do they directly respond to identified risks?

An experienced auditor reviewing the file should be able to understand the logic behind the audit strategy without verbal explanation.

When documentation simply states conclusions without explaining reasoning, defensibility weakens. Thoughtful documentation strengthens both quality and confidence.

IT: The Overlooked Risk Driver

Even small entities rely heavily on automated systems, cloud platforms and system-generated reports.

If we do not understand how transactions are initiated and processed; how data flows through the system; who has access and how access is controlled; and how changes to programs are managed, then we cannot reasonably conclude that information used in our procedures is reliable.

Substantive procedures built on unreliable system reports do not produce reliable audit evidence.

SAS 145 modernizes risk assessment by requiring a clearer understanding of risks arising from the use of IT and related general IT controls.

For smaller practitioners, this does not mean becoming IT specialists. It means asking better questions, understanding system dependencies and documenting that understanding clearly.

What Happens When Planning Is Mechanical

Most peer review deficiencies do not stem from lack of effort. They stem from rushed or mechanical planning.

When planning becomes a formality:

• Risk assessments become generic.

• Relevant assertions are unclear.

• Significant classes are not thoughtfully determined.

• Procedures do not clearly respond to risks.

The downstream impact includes:

• Over-auditing low-risk areas.

• Under-auditing higher-risk areas.

• Rework during review.

• Increased inspection exposure.

More importantly, the audit becomes a compliance exercise rather than a value-driven engagement.

The Advisory Opportunity

When risk assessment is done well, the audit changes. A thoughtful planning discussion leads to a deeper understanding of the entity’s business model; economic pressures; operational challenges; accounting estimates and judgments; and system dependencies.

Clients recognize the difference between an auditor who checks boxes and one who understands their business.

The value of an audit is not simply issuing financial statements. It is identifying areas where processes may be vulnerable, where internal controls can improve and where reporting risk can be reduced.

SAS 145 supports that advisory mindset—if we allow it to.

Practical Implementation Takeaways

For firms looking to strengthen implementation:

• Protect time for meaningful planning discussions.

• Deliberately assess inherent risk factors before considering controls.

• Separate inherent risk and control risk clearly in documentation.

• Ensure identified risks directly tie to procedures performed.

• Document rationale—not just conclusions.

• Understand the IT environment before relying on system-generated data.

• Perform a stand-back evaluation to confirm significant classes are complete.

• Ask yourself: If time were limited, where would risk truly reside?

Moving Forward

SAS 145 is not about compliance for compliance’s sake. It is about discipline.

It asks us to think more critically, document more intentionally and align procedures more precisely with risk.

For smaller practitioners, this is not a burden. It is an opportunity to strengthen audit quality, navigate peer review with confidence, elevate the audit from mechanical execution to professional judgment, and ultimately, an to serve clients better.