Obtaining evidence to confirm the design and operating effectiveness of controls used to support business objectives are completed during the audit process. One objective of this process is to look at the rate of deviations in an effort to determine if there is risk of material misstatement. In this post, we will look at different components that influence the risk of material misstatement. This includes the definition of material misstatement, identifying material misstatements in auditing, and examples of material misstatements. Additionally, I will cover what is the result of a material misstatement finding, and how to reduce the risk of its occurrence.
What is the Risk of Material Misstatement in SOC Auditing?
According to the AICPA, the definition of risk of material misstatement is defined as “the risk that the description of the service organization’s system that was implemented and operated is not presented in accordance with the description criteria or that controls were not suitably designed or operating effectively to provide reasonable assurance that the service organization’s service commitments and system requirements would be achieved.”
In SOC examinations, management is required to present their services in what is known as the description of the system. The description of the system outlines the services they provide, controls used to support their business objectives required to meet examination criteria, and any other pertinent information that would be important to understand as a user of the service. If the auditor feels that the information included is inaccurate or incomplete and the service provider refuses to include additional information, then the report can be considered materially misstated.
How Does an Auditor Assess Risk of Material Misstatement?
Since SOC audits are generally performed on an annual cadence, addressing risk of material misstatement is done by considering known information about the industry and organization, past audit testing and results, changes to regulations, known risks (qualitative and quantitative), and any changes to the business and the services provided. These items are reviewed and considered multiple times through the audit process (i.e planning, performing, and reporting). You may find this additional AICPA source helpful.
If at any time it is thought that there are risk factors that suggest a heightened level of risk of material misstatement, the auditor can choose to change the nature, timing, or extent of audit procedures. Additionally, some other methods used to address the assessed risk of material misstatement are included below:
- Ensuring that the audit team maintains a healthy level of professional skepticism.
- Using audit team members who are more experienced or have a specific understanding of an industry and associated risks.
- Using audit methods that are different from the past or other elements of surprise to mix up audit testing.
- Changing the nature, timing, or extent of testing during the examination to obtain enough information to gain assurance that controls are designed properly and as application, operating effectively.
What are Examples of Material Misstatement?
If during the examination, the auditor identifies that the description provided by management is inconsistent with testing, it is possible that there could be grounds for a material misstatement. This would also be the case if the nature of a discrepancy could mislead users of the report.
For example, management states that only current employees with a certain role have access to the production environment but testing reveals that not only are there employees with different roles with access to the production environment, but there was also a terminated employee who had held an administrative role with access. This scenario would likely be considered a material misstatement. In the event this scenario was discovered, the auditor would perform additional testing to determine whether access controls were effective and if there were any detective or monitoring controls in place that would mitigate the risk of unauthorized access.
Another scenario of a material misstatement would be if during the examination it is discovered that pertinent information presented in the system description did not have evidence to support the assertion of the evidence created conflict. For example, let’s say a Data Center represented to its users that it had certain environmental controls in place that were meant to provide state of the art protection of server racks. However, during the on-site portion the organization would not allow the auditors to complete a walkthrough of the data center, and information regarding preventative maintenance of the systems did not exist. That could give an auditor pause and suspect the presence of a material misstatement.
What Happens if it is Determined that there are Material Misstatements?
If during the audit examination an auditor determines that there is a material misstatement the best course of action is to work with the auditor to update the information. This will ensure that it is presented in accordance with description criteria and does not mislead the users of the report. However, if management does not modify the description, it is likely that the auditor will either withdraw from the engagement or the opinion of the report will be modified. Below is a chart to illustrate how the opinion will be modified. The information within this table is from the AICPA.
|Scenario||Auditor’s Professional Judgement Based on Examination Findings|
|Material but Not Pervasive||Material and Pervasive|
|Material Misstatement due to the description being materially misstated.||Qualified Opinion||Adverse Opinion|
|Material Misstatement due to the controls not being suitably designed to meet the SOC criteria or objective.||Qualified Opinion||Adverse Opinion|
|Material Misstatement due to the controls not operating effectively and therefore do not meet the SOC criteria or objective.||Qualified Opinion||Adverse Opinion|
In addition to modifying the opinion, the auditor will include an additional paragraph to provide context to the qualified opinion. These paragraphs will include language to describe the following scenarios:
- Description Includes Controls that Have Not Been Implemented
- Description Includes Information That Cannot Be Objectively Evaluated
- Description Omits Relevant Changes to Controls
- Description Omits CUECs
- Description Omits CSOCs
- Description Does Not Disclose That Service Organization Uses a Subservice Organization Description Includes Information Not Relevant to the Trust Services Category Addressed by Management
- Description Omits Applicable Trust Services Criteria
- Other Information Provided by the Subservice Organization is Materially Inconsistent with Information in the Description of the Service Organization’s System
Depending on the reason that the auditor has identified the material misstatement, the auditor will utilize one of the scenarios listed above and add details about the specific reason they have come to the determination that there is a material misstatement.
How Can the Risk of Material Misstatement Be Mitigated or Reduced?
The best way to mitigate or reduce the risk of a material misstatement issue is to have a program in place to review the evidence used to support the design and operating effectiveness of controls that are going to be used by auditors to gain assurance of management assertions. The review should be ongoing and a key part of identifying and assessing risks of material misstatements.
Risk of Material Misstatement Summarized
Providing reports that are useful to its users is not only an auditor’s job but also a part of our professional responsibilities. To do so, auditors work with service organizations to provide their users with a report that gives assurance that the assertions made within the report are complete, accurate, and represented fairly.
As part of this process, they are required to consider the risk of material misstatements. The information provided in this post should provide a look into the assessment of material misstatement and what that can mean. Subservice organizations and their readers should understand the importance of this requirement and what it means if a report is received with a modification of opinion as a result of a material misstatement.
Linford & Co is an independent auditing firm that specializes in a number of services, including SOC 1, SOC 2, FedRAMP, HITRUST assessments, HIPAA compliance audits, and more. If you have any additional questions or are interested in retaining our services, please contact us.
Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.