Include materiality levels in the audit terms.

CONTROL ID
01238
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms., CC ID: 01239
  • Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms., CC ID: 01240

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Selecting locations or business units for assessment should be based on degree of materiality of sales or other factors. For significant locations or business units that cannot be included in the assessment, the organization must disclose this in an addendum to the Internal Control Report. (Practice Standard § II.2(2)[1], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization is required to receive a certificate from the auditor(s) specifying where the organization is in corporate governance compliance and where the organization is not in corporate governance compliance. A copy of the certificate must be attached to the directors' report, which is sent a… (§ VII, Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • States that "assessment of what is material is a matter of professional judgment" on the part of the auditor. While general guidance isn't as specific in their categories as public company or banking and finance guidance, there are rough definitions of planning materiality, design materiality, and t… (§ 2.1.1 thru 2.1.5, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009)
  • Management considers materiality in financial statement presentation. (§ 3 Principle 6 Points of Focus: External Financial Reporting Objectives - Considers Materiality, COSO Internal Control - Integrated Framework (2013))
  • The amount of information needed for each entity to develop an enterprise-wide audit plan and to support individual auditing will vary. The enterprise-wide audit plan may require summary-level information only, and the individual audit level will require more detailed information in order to identif… (§ 5 (Support to Individual Auditing) ¶ 2, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Management considers materiality in financial statement presentation. (CC3.1 ¶ 5 Bullet 2 Considers Materiality, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The service auditor should evaluate materiality with respect to the fair presentation of the system description. (¶ 2.23(a), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should evaluate materiality with respect to the suitability of the design of the controls. (¶ 2.23(b), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should evaluate materiality with respect to the control's operating effectiveness for a type 2 engagement. (¶ 2.23(c), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should evaluate materiality with respect to the organization's compliance with its privacy practices statement, for type 2 engagements that address the privacy principle. (¶ 2.23(d), Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should consider materiality when evaluating if the controls are operating effectively to meet the applicable trust services criteria. (¶ 3.49, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • When establishing the overall strategy for and planning the examination, paragraph .16 of AT-C section 205 requires the service auditor to consider both qualitative and quantitative materiality factors. Due to the vast number of controls within even a small system, the service auditor needs to consi… (¶ 2.104, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service auditor becomes aware, during the conduct of the examination, of information that would have caused the service auditor to have initially determined a different materiality, paragraph .17 of AT-C section 205 requires the service auditor to reconsider materiality. Chapter 3 of this gui… (¶ 2.109, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When considering materiality regarding the suitability of design and operating effectiveness of controls, the service auditor should consider both qualitative and quantitative factors, as discussed beginning in paragraph 3.161. (¶ 3.08, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .17 of AT-C section 205 indicates the service auditor should reconsider materiality if the service auditor becomes aware of information during the examination that would have caused him or her to have initially determined a different materiality. (¶ 3.165, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Effect of a control deficiency on third parties. A deficiency in controls may relate to the relationship between the service organization and its user entities or business partners. A deficiency in controls at the service organization that could also result in a deficiency in controls at a user enti… (¶ 3.163 Bullet 11, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.92) (¶ 2.30 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor should consider both qualitative and quantitative factors when evaluating the suitability of design of controls. Qualitative factors the service auditor considers include the following: (¶ 3.163, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assessment of the risks of material misstatement is affected by many factors, including materiality considerations (see paragraph 3.05) and the service auditor's understanding of the effectiveness of the control environment or other components of internal control related to the service provided to u… (¶ 3.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • After performing the procedures and considering the guidance in paragraphs 3.79–3.105, the service auditor should accumulate instances in which controls were not suitably designed or were not properly implemented, which are considered deficiencies in the SOC 2® examination. As part of the evaluat… (¶ 3.104, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .17 of AT-C section 205 indicates that the service auditor should reconsider materiality if the service auditor becomes aware of information during the engagement that would have caused the service auditor to have initially determined a different materiality. (¶ 3.78, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Intentional acts. A deficiency or deviation may be the result of an intentional or an unintentional act. An intentional act, particularly one perpetrated by service organization management or senior management, is likely to be considered more material than an unintentional act. (¶ 3.163 Bullet 10, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In a SOC 2® examination, the service auditor needs to consider materiality during risk assessment and when determining the nature, timing, and extent of procedures to perform during the SOC 2® examination. Adoption of an appropriate materiality for each of the subject matters in the SOC 2® examin… (¶ 3.06, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor's consideration of materiality is a matter of professional judgment and is affected by the service auditor's perception of the common information needs of the broad range of report users as a group. In this context, it is reasonable for the service auditor to assume that report u… (¶ 2.107, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Paragraph .A15 of AT-C section 205 indicates that the service auditor should consider the concept of materiality in the context of qualitative factors (as discussed in the next paragraph) and quantitative factors (for example, when service organization management elects to disclose the percentage of… (¶ 3.74, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The concept of materiality is not applied when reporting the results of tests of controls for which deviations have been identified because the service auditor does not have the ability to determine whether a deviation will have significance to an individual report user, beyond whether it prevents a… (¶ 4.16, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 2.147, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The extent of the service auditor's testing refers to the size of the sample tested or the number of observations of a control activity. The extent of testing is based on the service auditor's professional judgment after considering the tolerable rate of deviation, the expected rate of deviation, th… (¶ 3.134, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 3.169, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatement of one or more aspects of … (¶ 3.190, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Interactions with third parties. Materiality considerations are based on factors such as the likelihood and magnitude of risks arising from interactions with user entities, business partners, subservice organizations, vendors, or others (referred to collectively as third parties) with access to the … (¶ 3.163 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When considering materiality regarding the description, the service auditor considers whether misstatements or omissions in the description, individually or in the aggregate, could reasonably be expected to influence decisions of specified parties to the SOC 2® report. For example, in a SOC 2® exa… (¶ 3.73, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Relevance to compliance with laws and regulations. If the service organization is subject to requirements specified by laws or regulations related to security and the other trust services categories included within the scope of the SOC 2® examination, identified deficiencies and deviations related … (¶ 3.163 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Establishing an overall strategy for the examination that sets the scope, timing, and direction of the engagement and guides the development of the engagement plan, including the consideration of materiality and the identification of the risks of material misstatement (see paragraph 2.97) (¶ 2.36 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .17 of AT-C section 205, the service auditor should consider materiality when establishing the overall engagement strategy. Because of the vast number of controls within a system, even at a small service organization, the service auditor needs to consider materiality dur… (¶ 2.135, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .A19 of AT-C section 205 states that materiality in an attestation engagement is considered in the context of qualitative factors and, when applicable, quantitative factors. The relative importance of each of those factors when considering materiality in a particular engagement is a matter… (¶ 2.136, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service auditor becomes aware, during the conduct of the examination, of information that would have caused the service auditor to have initially determined a different materiality, paragraph .18 of AT-C section 205 states that the service auditor should reconsider materiality. Chapter 3 of t… (¶ 2.138, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Developing a materiality threshold for evaluating control deviations (Although there is no requirement in the attestation standards to develop a threshold below which deviations would be considered immaterial, doing so may assist a service auditor in the development of appropriate procedures and in … (¶ 2.142 e., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In accordance with paragraph .17 of AT-C section 205, the service auditor should consider materiality both during risk assessment and when determining the nature, timing, and extent of procedures to perform during the SOC 2 examination. Adoption of an appropriate materiality for each of the subject … (¶ 3.07, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .A19 of AT-C section 205 states that materiality in an attestation engagement is considered in the context of qualitative factors and, when applicable, quantitative factors. The relative importance of each of those factors when considering materiality in a particular engagement is a matter… (¶ 3.08, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When considering materiality regarding the suitability of design and operating effectiveness of controls, the service auditor should consider both qualitative and quantitative factors, as discussed beginning in paragraph 3.85. (¶ 3.10, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .A19 of AT-C section 205 indicates that the service auditor should consider the concept of materiality in the context of qualitative factors (as discussed in the next paragraph) and quantitative factors (for example, when service organization management elects to disclose the percentage of… (¶ 3.85, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .18 of AT-C section 205 indicates that the service auditor should reconsider materiality if the service auditor becomes aware of information during the engagement that would have caused the service auditor to have initially determined a different materiality. (¶ 3.90, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When identifying such deficiencies, the service auditor considers whether the controls have the ability, as designed, to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria if they operate… (¶ 3.117, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The nature and materiality of misstatements that the control is intended to prevent, or detect and correct (¶ 3.126 Bullet 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, the service auditor has a responsibility to consider known or suspected incidents of fraud and noncompliance with laws or regulations relevant to the examination. Such incidents may include, for example, the intentional bypassing of controls and the intentional misstatemen… (¶ 3.221, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The materiality of a control deficiency is considered in the context of qualitative factors and, when applicable, quantitative factors. Qualitative factors the service auditor considers include the following: (¶ 3.190, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Paragraph .18 of AT-C section 205 indicates that the service auditor should reconsider materiality if the service auditor becomes aware of information during the examination that would have caused a different materiality to have been determined initially. (¶ 3.192, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Because the service auditor does not have the ability to determine whether a deviation will have significance to an individual report user, the concept of materiality would generally not be applied when determining whether a testing exception is a deviation to be reported in the results of tests of … (¶ 4.19, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor considers materiality when evaluating whether the effects of identified control deficiencies, individually or in the aggregate, are material with respect to the opinion on control effectiveness. As discussed in chapter 1, "Introduction and Background," the service auditor does th… (¶ 3.187, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will assume the control is material for the purposes of the SOC 2 examin… (¶ 3.190 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should evaluate materiality to determine if management's description of the system is fairly presented. (¶ .17, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The service auditor should evaluate materiality with respect to the suitability of control designs to meet its objectives. (¶ .17, SSAE No. 16 Reporting on Controls at a Service Organization)
  • For type 2 reports, the service auditor should evaluate materiality with respect to the operating effectiveness of the controls. (¶ .17, SSAE No. 16 Reporting on Controls at a Service Organization)
  • When establishing the overall engagement strategy, the practitioner should consider materiality for the subject matter. (AT-C Section 205.16, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should reconsider materiality for the subject matter if the practitioner becomes aware of information during the engagement that would have caused the practitioner to have initially determined a different materiality. (AT-C Section 205.17, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When applicable, the practitioner agrees to apply any materiality limits established by the specified parties for reporting purposes. (AT-C Section 215.10 e., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Agreed-upon materiality limits specified by the specified parties, if applicable (AT-C Section 215.14 l., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The practitioner should report all findings from application of the agreed-upon procedures. Any agreed-upon materiality limits should be described in the practitioner's report. (AT-C Section 215.26, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The nature and materiality of the information to the prospective financial information taken as a whole (AT-C Section 305.20 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When applicable, a description of any agreed-upon materiality limits. (AT-C Section 215.35 i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • When applicable, a description of any agreed-upon materiality limits. (AT-C Section 315.26 i., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Management considers materiality in financial statement presentation. (CC3.1 Considers Materiality, Trust Services Criteria)
  • Management considers materiality in financial statement presentation. (CC3.1 ¶ 5 Bullet 2 Considers Materiality, Trust Services Criteria, (includes March 2020 updates))
  • Bank Secrecy Act (BSA) violations that are detected during an examination should be documented. (Pg 39, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The internal audit manager and the external auditor should work together to decide which findings are significant and should be reported to senior management and the Board of Directors. (Pg 23, FFIEC IT Examination Handbook - Audit, August 2003)
  • Materiality in the definitions found within US federal security guidance, whether financial or otherwise, is based on the concept that items of little importance, which do not affect the judgment or conduct of a reasonable person, do not require auditor investigation. Materiality has both quantitati… (§ VI.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • § 230.02 points out that even though quantitatively immaterial, certain types of misstatements could have a material impact on or warrant disclosure in the financial statements for qualitative reasons. But what defines the threshold for materiality? According to the regulatory guidelines followed b… (§ 230.02, § 230.05, § 230.08, § 230.11, § 230.12, GAO/PCIE Financial Audit Manual (FAM))
  • The concept of materiality should be used in audits of internal control over financial reporting in determining if deficiencies are significant deficiencies or material weaknesses. (¶ 22, PCAOB Auditing Standard No. 2)