Define materiality levels in IT compliance audits.

UCF ID: 01238
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

This control has the following supporting controls:

    Define material change within information processes, information systems, and IT assets that could affect IT audits. [UCF Control ID 01239]
    Define material weaknesses, failures, and errors within information processes, information systems, and IT assets that could affect IT audits. [UCF Control ID 01240]

Authority documents complied with:

PCAOB Auditing Standard No. 2, ¶ 22; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 39; FFIEC IT Examination Handbook – Audit, August 2003, Pg 23; Federal Information System Controls Audit Manual (FISCAM), February 2009, § VI.2; GAO/PCIE Financial Audit Manual (FAM), § 230.02, § 230.05, § 230.08, § 230.11, § 230.12; ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009, § 2.1.1 thru 2.1.5; Corporate Governance in listed Companies – Clause 49 of the Listing Agreement, § VII

Sarbanes Oxley Guidance

The concept of materiality should be used in audits of internal control over financial reporting in determining if deficiencies are significant deficiencies or material weaknesses. [¶ 22, PCAOB Auditing Standard No. 2]

Banking and Finance Guidance

Bank Secrecy Act (BSA) violations that are detected during an examination should be documented. [Pg 39, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

The internal audit manager and the external auditor should work together to decide which findings are significant and should be reported to senior management and the Board of Directors. [Pg 23, FFIEC IT Examination Handbook – Audit, August 2003]

US Federal Security Guidance

Materiality, as defined in US federal guidance (financial or otherwise), rests on the concept that items of little importance, which would not affect the judgment or conduct of a reasonable person, do not require auditor investigation. Materiality has both quantitative and qualitative aspects. [§ VI.2, Federal Information System Controls Audit Manual (FISCAM), February 2009]

§ 230.02 points out that, even when quantitatively immaterial, certain types of misstatement can have a material impact on, or warrant disclosure in, the financial statements for qualitative reasons.

But what defines the threshold for materiality? According to the guidance followed by Sarbanes-Oxley auditors, it is the judgment of the auditor: “consideration of materiality is a matter of professional judgment and is influenced by [the auditor’s] perception of the needs of a reasonable person who will rely on the financial statements” (§ AU 312.10).

To develop materiality thresholds, the project team should consider materiality concepts when developing a strategy and approach for documenting and evaluating an overarching control framework and the control objectives within it.

§ 230.05 of the GAO’s audit manual goes on to describe three classifications of materiality for planning and performing an audit (which can also be used when deciding an organization’s overall control framework):

Planning materiality is a preliminary estimate of materiality, in relation to the financial statements taken as a whole, used to determine the nature, timing, and extent of substantive audit procedures and to identify significant laws and regulations for compliance testing. § 230.08 states that the “auditor should estimate planning materiality in relation to the element of the financial statements that is most significant to the primary users of the statements (the materiality base).” § 230.11 adds that planning materiality “generally should be 3 percent of the materiality base”.

Design materiality is the portion of planning materiality that has been allocated to line items, accounts, or classes of transactions (such as disbursements). This amount will be the same for all line items or accounts. § 230.12 sets design materiality at one third of planning materiality “to allow for the precision of audit procedures.”

Test materiality is the materiality actually used by the auditor in testing a specific line item, account, or class of transactions. Based on the auditor's judgment, test materiality can be equal to or less than design materiality, never more. Test materiality may be different for different line items or accounts. [§ 230.02, § 230.05, § 230.08, § 230.11, § 230.12, GAO/PCIE Financial Audit Manual (FAM)]
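The three FAM thresholds above, applied to a constructed set of audit findings, as an added worked example (this is not code from the UCF page or from the GAO/PCIE manual). The 3 percent planning rate and the one-third design fraction come from § 230.11 and § 230.12; the 10,000,000 materiality base, the account names, the findings and the tighter Payroll test materiality are all made up for illustration, and aggregating small errors per account before comparing to test materiality, with a qualitative override for § 230.02 cases, is the editor's assumed way of combining the cumulative-effect and qualitative points, not FAM text.

```python
# Added worked example (not from the UCF page or the GAO/PCIE FAM).
# Applies the FAM §230 materiality thresholds to a constructed set of findings.
from dataclasses import dataclass
from typing import Dict, List, Optional

PLANNING_RATE = 0.03   # §230.11: planning materiality is generally 3% of the materiality base
DESIGN_DIVISOR = 3     # §230.12: design materiality is one third of planning materiality


@dataclass
class Finding:
    account: str                # line item, account, or class of transactions
    amount: float               # size of the error or misstatement, in statement currency
    qualitative: bool = False   # True when the error matters regardless of size (§230.02)
    note: str = ""


def planning_materiality(base: float) -> float:
    """Preliminary estimate for the statements as a whole (§230.05, §230.08, §230.11)."""
    return base * PLANNING_RATE


def design_materiality(base: float) -> float:
    """Portion of planning materiality allocated to each account; same for every account (§230.12)."""
    return planning_materiality(base) / DESIGN_DIVISOR


def evaluate(base: float, findings: List[Finding],
             test_materiality: Optional[Dict[str, float]] = None) -> dict:
    """Aggregate findings per account and compare each total to that account's test materiality.

    test_materiality maps account -> threshold chosen by the auditor; accounts without an
    entry use design materiality. Test materiality may equal or be below design materiality,
    never above it (§230.05). Summing small errors per account is an assumption made here to
    show the cumulative effect of individually immaterial errors; it is not FAM text.
    """
    design = design_materiality(base)
    test_materiality = test_materiality or {}
    aggregate: Dict[str, float] = {}
    qualitative = set()
    for f in findings:
        aggregate[f.account] = aggregate.get(f.account, 0.0) + abs(f.amount)
        if f.qualitative:
            qualitative.add(f.account)

    report = {}
    for account, total in aggregate.items():
        threshold = test_materiality.get(account, design)
        if threshold > design:
            raise ValueError(
                f"test materiality for {account} ({threshold:.2f}) exceeds design materiality ({design:.2f})")
        report[account] = {
            "aggregate": total,
            "threshold": threshold,
            # quantitatively material, or material for qualitative reasons whatever the amount (§230.02)
            "material": total >= threshold or account in qualitative,
        }
    return report


def demo() -> dict:
    """Constructed sample: a 10,000,000 materiality base and four hypothetical findings."""
    base = 10_000_000.0
    findings = [
        Finding("Disbursements", 60_000, note="duplicate vendor payment"),
        Finding("Disbursements", 55_000, note="payment without supporting invoice"),
        Finding("Payroll", 20_000, note="overtime miscalculation"),
        Finding("Receivables", 5_000, qualitative=True, note="undisclosed related-party balance"),
    ]
    # The auditor chose a tighter test materiality for Payroll; other accounts use design materiality.
    return evaluate(base, findings, test_materiality={"Payroll": 50_000.0})


if __name__ == "__main__":
    for account, row in demo().items():
        flag = "MATERIAL" if row["material"] else "below threshold"
        print(f"{account:14} aggregate {row['aggregate']:>10,.0f}"
              f"  threshold {row['threshold']:>10,.0f}  {flag}")
```

With the constructed base, planning materiality is 300,000 and design materiality 100,000. Neither Disbursements finding is material on its own, but together they exceed the account's test materiality; the Receivables balance is far below any threshold and is still flagged because of its qualitative nature; Payroll stays below even its tightened threshold. A test materiality larger than design materiality is rejected rather than silently accepted, since § 230.05 does not allow it.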

General Guidance

ISACA states that “assessment of what is material is a matter of professional judgment” on the part of the auditor. While this general guidance is not as specific in its categories as the public-company or banking and finance guidance, it contains rough equivalents of planning materiality, design materiality, and test materiality.

Within the world of IT, ISACA defines planning materiality as the “aggregate level of error acceptable to management.”

The ISACA definition that most closely fits design materiality is the “potential for the cumulative effect of small errors or weaknesses to become material.”

The ISACA equivalent of test materiality is defining the relevant control objectives and determining, based on design materiality, which controls to examine. In ISACA’s definition, “a material control is a control or group of controls without which control procedures do not provide reasonable assurance that the control objective will be met.” ISACA then lists several measures that should be considered when assessing materiality:
• Criticality of the business processes supported by the system or operation
• Cost of the system or operation (hardware, software, staff, third-party services, overheads, or a combination of these)
• Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
• Number of accesses/transactions/inquiries processed per period
• Nature, timing and extent of reports prepared and files maintained
• Nature and quantities of materials handled (e.g. where inventory movements are recorded without values)
• Service level agreement requirements and cost of potential penalties
• Penalties for failure to comply with legal and contractual requirements
• Penalties for failure to comply with public health and safety requirements
• Consequences to shareholders, organization or management of irregularities going unresolved
[§ 2.1.1 thru 2.1.5, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009]

Asia and Pacific Rim Guidance

The organization is required to receive a certificate from the auditor(s) specifying where the organization is in corporate governance compliance and where the organization is not in corporate governance compliance. A copy of the certificate must be attached to the directors' report, which is sent annually to all shareholders. [§ VII, Corporate Governance in listed Companies – Clause 49 of the Listing Agreement]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of information security requirements from applicable laws and regulations that are included in the internal/external audit program and schedule. [UCF Control ID 02069]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.