
If you’re a finance leader, there’s a new auditing standard on your radar. SAS 145 marks the most significant update to audit risk assessment in over a decade. But it’s more than a list of new requirements—it’s a shift in how internal controls are evaluated, emphasizing both documented procedures and potential risks. And it calls for finance teams to take a more active role in prevention.
Let’s break down SAS 145, how it impacts accounts payable processes, and how AP teams can be a powerful ally in this new era of compliance.
Risk assessment goes deeper
For years, risk assessments in audits haven’t changed. Under AU-C 330 of the AICPA’s Auditing Standards, auditors traditionally evaluated internal controls—the policies and procedures that govern financial operations—to determine how well a business protected assets, stayed compliant, and maintained accurate records. If internal controls were well-documented and appeared to be working, that often checked the box.
But SAS 145 pushes for a deeper understanding of what could go wrong. Instead of starting with internal controls, auditors now start by identifying and evaluating specific risks that could lead to inaccuracies or misstatements in your financial reporting.
The question has changed from “Do you have controls?” to “Where are you exposed—and how are those exposures being actively managed?”
What’s changed in risk assessment
SAS 145 enhances audit risk assessment with a more structured, risk-focused approach: it emphasizes inherent risk and its factors, and it requires auditors to identify and evaluate IT controls. The focus is sharpest on identifying inherent risks, the risks of material misstatement that exist before internal controls are considered.
Key changes to risk assessment with SAS 145 include:
- Greater emphasis on inherent risk factors like complexity, subjectivity, and fraud susceptibility
- A refined definition and process for identifying significant risks
- Mandatory evaluation of IT general controls—auditors can no longer "audit around" them
- Scalability across both large enterprises and smaller organizations
- Increased focus on audit assertions such as accuracy, completeness, and classification
The standard raises the bar on transparency, documentation, and internal control. Auditors under SAS 145 now need to:
- Evaluate both manual and automated controls across the AP process
- Examine how exceptions are tracked and resolved
- Assess fraud risk with greater skepticism and scrutiny
- Determine whether controls are not just documented, but truly effective
What AP leaders need to know
Although SAS 145 is written for auditors, its impact extends deep into day-to-day AP operations, particularly in areas that have historically relied on manual processes or informal workflows.
For AP leaders, this means “business as usual” may no longer meet the threshold. You’ll need to show that you understand your biggest areas of risk—whether that’s unauthorized payments, duplicate invoices, or incomplete approvals—and that you have real mechanisms in place to prevent, detect, and resolve those risks in real time. Ad hoc approvals, disconnected systems, or undocumented workarounds may now raise red flags for auditors.
To be audit-ready in the age of SAS 145, AP teams need to shift from reactive to proactive control and oversight. That starts with three key focus areas:
1. Process clarity. Ensure your procure-to-pay workflows are clearly defined, documented, and consistently followed—especially around invoice intake, approvals, and payment authorization.
2. Control visibility. You should be able to show exactly who performed each step, when, and under what policy. This includes tracking how exceptions are managed and who has final authority on high-risk transactions.
3. Technology and manual oversight. Understand how your systems and people interact—where automation strengthens control, and where manual touchpoints introduce risk. Know where overrides can happen, and ensure they’re logged and reviewed.
Key Questions for AP and Finance Leaders to Ask
- Are our approval workflows fully traceable and tamper-proof?
- Can we clearly demonstrate how we prevent and detect duplicate payments, unauthorized approvals, or fraud?
- Are our AP systems secured, governed, and aligned with IT control expectations?
SAS 145 shifts the audit conversation from documentation to demonstration. AP leaders who invest in automation and control visibility now will be far better positioned to satisfy audit demands—and avoid last-minute compliance scrambles.
How AP Automation Supports SAS 145 Compliance
If your AP process still depends on spreadsheets, email approvals, or outdated legacy systems, SAS 145 is likely to spotlight your organization’s vulnerabilities. The standard places new emphasis on transparency, control precision, and risk mitigation—areas where manual workflows often fall short.
AP automation helps bridge that gap by embedding compliance, control, consistency, and visibility into every step of the process. From invoice intake to final payment, intelligent systems enforce internal controls, ensure policy adherence, and create a clear audit trail, all essential under SAS 145. That helps your team meet the higher expectations set by the standard and stay audit-ready year-round.
Automation addresses the key areas of the rule in the following ways:
Structured, documented workflows. Automation enforces standardized invoice intake, matching, and approval paths. Every transaction follows a repeatable, policy-driven process to reduce variability and strengthen internal control reliability.
Real-time audit trails. Every action within the AP system is automatically recorded, timestamped, and attributed—providing a clear, end-to-end history of approvals, exceptions, and changes. This makes responding to audit requests fast and straightforward.
Built-in compliance controls. Automated platforms are designed to align with regulatory standards. They enforce approval hierarchies, apply business rules consistently, and help maintain full documentation to support compliance with both internal policies and external regulations.
Centralized, searchable data. All AP activity is stored in a secure, centralized location—eliminating fragmented records across spreadsheets, emails, or filing cabinets. Auditors and internal teams can easily locate supporting documentation when needed.
Intelligent exception and fraud management. Automation flags anomalies, such as duplicate invoices, suspicious payment patterns, or unauthorized vendor changes, in real time. That means teams can detect and address risks before they become compliance issues or audit findings.
Strengthened IT and access controls. Role-based permissions, system logging, and data encryption are embedded into modern AP platforms, helping meet SAS 145’s increased focus on IT control environments.
Scalable oversight in complex environments. In high-volume or multi-entity organizations, automation simplifies complexity. It reduces manual errors, increases transparency, and ensures consistent policy enforcement across locations, departments, and business units.
Features like these help AP teams go beyond checking a compliance box to building a defensible, resilient process that leaves them audit-ready at all times.
Are you ready for the big risk reset?
SAS 145 is now in effect for audits of periods ending on or after December 15, 2023. Turn these new standards into an opportunity for stronger controls and reduced risk in your AP processes.