How can the determination of audit materiality and audit risk affect the audit job?

Materiality = quantity and quality

Both the amount (quantity) and nature (quality) of misstatements are relevant to deciding what is material.

How does materiality apply in an audit?

The objective of a financial statement audit is to enable the auditor to express an opinion as to whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. This is a separate responsibility and a separate decision from that made by the entity itself when preparing the financial statements.

In auditing, materiality means not just a quantified amount, but the effect that amount will have in various contexts.

During the audit planning process the auditor decides what the level of materiality will be, taking into account the entirety of the financial statements to be audited. Materiality relates to both the content of the financial statements and the level and type of testing to be done. The decision is based on judgements about the size, nature and particular circumstances of misstatements (or omissions) that could influence users of the financial reports. In addition, the decision is influenced by legislative and regulatory requirements and public expectations.

If, during the audit, the auditor acquires information that would have caused it to determine a different materiality level, it will revise the materiality level accordingly.

Determining materiality in an attestation audit can be challenging when the scope of the audit cannot be quantitatively measured. As stated in an AICPA Discussion Paper, “When providing assurance services, it’s important that practitioners understand what information will most significantly impact stakeholders’ decision-making process, which is central to a practitioner’s consideration of engagement materiality.” In this post, we will cover topics such as materiality in auditing, AICPA materiality considerations such as the risk for attestation engagements, and finally materiality responsibilities specific to SOC 1 and SOC 2 reports. For SOC reports we specifically will focus on materiality as it relates to the suitability of design, system description, and operating effectiveness of controls.

What is Meant by Materiality and How is Materiality Used in Auditing?

In attestation engagements, auditors are required to use their expertise to determine materiality when the scope does not include information that can be quantitatively measured. While there is no materiality calculation in SOC audits like there is in financial statement audits, auditors are still required to consider how materiality could result in a misstatement for each specific engagement. During the planning and completion of the audit, some of the factors to consider are as follows:

  • Whether factors, such as performance indicators, could impact the audit outcome.
  • Information provided by the client is missing key information or misleading to users of the report.
  • Assertions made by management that the operation of controls is effective when testing reveals that there are exceptions.
  • Noncompliance with laws or regulations that could cause a misstatement.
  • If a misstatement was the result of an intentional or unintentional event.
  • If a misstatement was the result of a relationship with a third party or engaging party.

Based on the sample considerations listed above, auditors can consider the materiality of misstatement while performing walkthroughs of internal controls and gathering evidence.


What is Audit Risk and Materiality?

The AICPA defines the risk of material misstatement as “the risk that the subject matter is not in accordance with (or based on) the criteria in all material respects or that the assertion is not fairly stated, in all material respects.”

As part of audit procedures, and as a way of mitigating audit risk and risk of material misstatement, the auditor is required to perform risk assessment procedures. Risk assessment procedures can include the following:

  • Characteristics of information being audited.
  • Depending on the service being examined, whether or not a specialist is required to assist with the audit.
  • Evaluating quantitative and qualitative materiality factors.
  • Determine the objectives of analytical procedures.
  • Determine the procedures needed to provide a reasonable opinion.

How Do You Plan Materiality?

While performing attestation audits, such as SOC 1 and SOC 2 examinations, the auditor considers audit risk and materiality when determining the nature, timing, and extent of audit procedures. Depending on the services provided, industry, or type of information being stored, risk factors can change. This also affects the nature, timing, and extent of testing. For example, if a client works in the health industry, the nature of testing may require a mix of inspection, observations, and inquiry tests.

Additionally, the timing is dependent on the complexity of the company. The more complex a company is, the more likely it is that testing ends up occurring on a more frequent basis. Finally, the extent of audit procedures determines whether the auditor will rely on automated testing or increase testing frequency to determine if controls are operating consistently.


Examination audits, such as SOC 1 and SOC 2, consider materiality in four main areas of the audit: suitability of design, system description, testing and operating effectiveness of controls, and reporting.

  1. Suitability of Design: During an examination, auditors are required to consider whether the design of controls is suitable for meeting either the objective of the control or the criteria. If controls are not designed properly, this can lead to a material misstatement if there are no other controls in place to meet the objective or criteria.
  2. System Description: Within all SOC reports, management is required to provide a description of the system and services being examined as part of the audit. If management provides information that is inaccurate or misleading, and will not make updates to correct the information, the auditor will be forced to notate a material misstatement. It is up to management to portray a system description that is accurate and clear for its users, and the auditor’s job to confirm this to be true during the examination.
  3. Testing and Operating Effectiveness of Controls: In addition to the design of controls, when it’s applicable, auditors also test to confirm the operating effectiveness of controls. During testing, auditors will consider whether exceptions identified during testing meet or exceed the tolerable rate of deviation or the maximum number of exceptions allowed. Or in some cases, the auditor may determine that controls only operated for a portion of the audit period. In both cases, it will be up to the auditor to determine whether the exceptions met or exceeded the threshold for a material misstatement.
  4. Reporting: Materiality and specifically a material misstatement based on exceptions is generally determined by the auditors as part of testing and operating effectiveness of controls as mentioned above. It is important to note that this concept is different from the reporting of an exception. Auditors DO NOT have the ability to determine whether a specific exception meets the threshold of materiality. As such, they are required to report ALL exceptions noted as part of an audit.

To sum up the information presented above, if there are exceptions that the auditor believes meet the threshold and are considered material, the result and specific reasoning can be found in the auditor’s opinion. In SOC 1 and SOC 2 reports, this deviation can be found in either section I or section II, depending on the layout of the report. On the other hand, if an exception is found but does not meet materiality, details of that exception can be found in testing of the controls, in section IV. Additionally, most reports will have an “Other Information” section which includes additional details around the exception and what the company is doing to mitigate the risk of an exception occurring in the future.

Materiality Summed Up

Determining materiality, especially in attestation audits, requires that the auditor consider those things that are not quantifiable so that report users are not misled by the opinions presented within the reports. If your company is thinking about or currently undergoing an audit, it is key for your organization to be transparent with the auditor. This will allow them to properly plan for possible misstatements and provide users of the report the information they are interested in understanding. Ultimately, this will help avoid a material misstatement by miscommunicating a control design or system description. And finally, having a consistent process in place that is trackable and clear will help avoid material misstatements that can come from testing and operational effectiveness of controls.



Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.


How does materiality affect the audit work performed by auditors?

Judgements about materiality are made in the light of surrounding circumstances. They are affected by auditors' perceptions of the financial information needs of users of the financial statements, and by the size or nature (or both) of a misstatement. The concept of materiality is therefore fundamental to the audit.

What is audit materiality and how does it relate to audit risk?

risk when conducting an audit. Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement.

How will materiality affect the audit process?

In auditing, materiality means not just a quantified amount, but the effect that amount will have in various contexts. During the audit planning process the auditor decides what the level of materiality will be, taking into account the entirety of the financial statements to be audited.

What impact did audit risk have on the materiality calculation?

Higher risk could cause an auditor to reduce tolerable misstatement at the financial statement level to 40% or 50% of planning materiality. Lower risk could cause an increase in the factor to 80% or 90%.