Determining materiality in an attestation audit can be challenging when the scope of the audit cannot be quantitatively measured. As stated in an AICPA Discussion Paper, “When providing assurance services, it’s important that practitioners understand what information will most significantly impact stakeholders’ decision-making process, which is central to a practitioner’s consideration of engagement materiality.” In this post, we will cover topics such as materiality in auditing, AICPA materiality considerations such as the risk for attestation engagements, and finally materiality responsibilities specific to SOC 1 and SOC 2 reports. For SOC reports we specifically will focus on materiality as it relates to the suitability of design, system description, and operating effectiveness of controls.
What is Meant by Materiality and How is Materiality Used in Auditing?
In attestation engagements, auditors are required to use their professional judgment when determining materiality if the scope does not include information that can be quantitatively measured. While there is no materiality calculation in SOC audits as there is in financial statement audits, auditors are still required to consider how materiality could result in a misstatement for each specific engagement. During the planning and completion of the audit, some of the factors considered include the following:
- Whether factors, such as performance indicators, could impact the audit outcome.
- Information provided by the client is missing key information or misleading to users of the report.
- Assertions made by management that the operation of controls is effective when testing reveals that there are exceptions.
- Noncompliance with laws or regulations that could cause a misstatement.
- If a misstatement was the result of an intentional or unintentional event.
- If a misstatement was the result of a relationship with a third party or engaging party.
Based on the list of sample considerations listed above, auditors can consider the materiality of misstatement while performing walkthroughs of internal controls and gathering evidence.
What is Audit Risk and Materiality?
The AICPA defines the risk of material misstatement as “the risk that the subject matter is not in accordance with (or based on) the criteria in all material respects or that the assertion is not fairly stated, in all material respects.”
As part of audit procedures, and as a way of mitigating audit risk and risk of material misstatement, the auditor is required to perform risk assessment procedures. Risk assessment procedures can include the following:
- Characteristics of the information being audited.
- Depending on the service being examined, whether or not a specialist is required to assist with the audit.
- Evaluating quantitative and qualitative materiality factors.
- Determining the objectives of analytical procedures.
- Determining the procedures needed to provide a reasonable opinion.
How Do You Plan Materiality?
While performing attestation audits, such as SOC 1 and SOC 2 examinations, the auditor considers audit risk and materiality when determining the nature, timing, and extent of audit procedures. Depending on the services provided, industry, or type of information being stored, risk factors can change. This also affects the nature, timing, and extent of testing. For example, if a client works in the health industry, the nature of testing may require a mix of inspection, observations, and inquiry tests.
Additionally, the timing of testing depends on the complexity of the company. The more complex a company is, the more likely the auditor will need to test on a more frequent basis. Finally, the extent of audit procedures determines whether the auditor will rely on automated testing or increase testing frequency to determine if controls are operating consistently.
How is Materiality Used in Auditing?
Examination audits, such as SOC 1 and SOC 2, consider materiality in four main areas of the audit: suitability of design, system description, testing and operating effectiveness of controls, and reporting.
- Suitability of Design: During an examination, auditors are required to consider whether the design of controls is suitable to meet either the control objective or the criteria. If controls are not designed properly, this can lead to a material misstatement if there are no other controls in place to meet the objective or criteria.
- System Description: Within all SOC reports, management is required to provide a description of the system and services being examined as part of the audit. If management provides information that is inaccurate or misleading, and will not make updates to correct the information, the auditor will be forced to notate a material misstatement. It is up to management to portray a system description that is accurate and clear for its users, and the auditor’s job to confirm this to be true during the examination.
- Testing and Operating Effectiveness of Controls: In addition to the design of controls, when it’s applicable, auditors also test to confirm the operating effectiveness of controls. During testing, auditors will consider whether exceptions identified during testing meet or exceed the tolerable rate of deviation or the maximum number of exceptions allowed. Or in some cases, the auditor may determine that controls only operated for a portion of the audit period. In both cases, it will be up to the auditor to determine whether the exceptions met or exceeded the threshold for a material misstatement.
- Reporting: Materiality and specifically a material misstatement based on exceptions is generally determined by the auditors as part of testing and operating effectiveness of controls as mentioned above. It is important to note that this concept is different from the reporting of an exception. Auditors DO NOT have the ability to determine whether a specific exception meets the threshold of materiality. As such, they are required to report ALL exceptions noted as part of an audit.
To sum up the information presented above, if there are exceptions that the auditor believes meet the threshold and are considered material, the result and specific reasoning can be found in the auditor’s opinion. In SOC 1 and SOC 2 reports, this deviation can be found in either section I or section II, depending on the layout of the report. On the other hand, if an exception is found but does not meet materiality, details of that exception can be found in the testing of controls, in section IV. Additionally, most reports will have an “Other Information” section which includes additional details around the exception and what the company is doing to mitigate the risk of the exception recurring in the future.
Materiality Summed Up
Determining materiality, especially in attestation audits, requires that the auditor consider those things that are not quantifiable so that report users are not misled by the opinions presented within the reports. If your company is thinking about or currently undergoing an audit, it is key for your organization to be transparent with the auditor. This will allow the auditor to properly plan for possible misstatements and provide users of the report with the information they are interested in understanding. Ultimately, this will help avoid a material misstatement caused by miscommunicating a control design or system description. And finally, having a consistent process in place that is trackable and clear will help avoid material misstatements that can arise from testing the operating effectiveness of controls.
Linford & Co offers a variety of services, including SOC 1 Audits, SOC 2 Audits, HITRUST Assessments, and more. Contact us if you would like to speak to an auditor about what we can do for you and your company.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.