Because the term materiality arose within the context of financial reporting and statement assurance, internal auditors have been challenged in adapting or creating a definition that is relevant for themselves and their stakeholders. In the context of financial reporting, materiality is relevant to three stakeholder groups: 1) preparers of financial statements, 2) auditors, and 3) users of financial statements. Although materiality decisions are made by only two of these three groups — preparers and auditors — most internal auditors’ conception of materiality likely has a user orientation. The auditor might ask, “How would a reasonably prudent investor react to the magnitude of misstatement (under- or over-reported amounts) or omission of a specific financial statement item in terms of its presentation and disclosure?”
Given this backdrop, the term materiality can be a significant cause of confusion in determining what to audit, how much to audit, what to correspondingly report, and for what matters it is necessary to gain consensus regarding management action. In many situations, stakeholders come to the table with their own concept of materiality — sometimes vaguely defined — that can be at odds with internal audit’s definition. Sometimes managers attempt to mitigate or downplay an issue and internal audit’s proposed recommendation because it reflects poorly on their performance in their respective areas of responsibility. In such instances, supposed lack of materiality can be used as the basis for an argument to convince internal audit that the issue under discussion has no real merit.
If internal auditors are not well-prepared to articulate and defend what they believe to be the relevant concept of materiality, the discussion of audit issues can easily become contentious or seriously impaired. It is therefore imperative that internal auditors fully understand the meaning and contexts of the term materiality so they are prepared to use it authoritatively and appropriately.
The Old Rule of Thumb
Historically, many stakeholders, and even many internal auditors who began their careers as certified public accountants or chartered accountants, were introduced to the materiality concept from a financial reporting and external audit standpoint. Here, the term referred to the significance of an item to the users of a set of financial statements, and the probability that its omission or misstatement would influence or change a decision by them. Although professional standards never defined the threshold for materiality as a fixed percentage of revenue, equity, or other financial statement value, and it is clear that qualitative factors play an equally important role as quantitative considerations, a widely used rule of thumb was that materiality was reached when a misstatement or omission was at least 5 percent of a given factor — such as net income or net assets. Accordingly, anything less than 5 percent often was considered immaterial for audit scoping or adjustment proposal purposes.
In 1999, the U.S. Securities and Exchange Commission’s (SEC’s) Staff Accounting Bulletin 99 (SAB 99) rejected the blanket concept that a misstatement or omission of less than 5 percent of a given factor is immaterial. The SEC had no objection to the rule of thumb as a starting point in assessing materiality, but quantifying in percentage terms the magnitude of a financial reporting misstatement was only the beginning of an analysis of materiality.
SAB 99 requires that a determination of materiality for financial reporting consider the quantitative and qualitative aspects of the matter under analysis as part of a full examination of all relevant considerations. Qualitative factors to consider in the materiality evaluation for financial reporting may include reaching budget or other projections, triggering or increasing executive compensation, masking a change in financial results or other trends, and achieving compliance with debt and other covenants. Combining quantitative and qualitative factors can make the materiality determination much more complex. The result of the SEC’s pronouncement was to make the old rule of thumb outdated even for financial reporting.
Before the U.S. Sarbanes-Oxley Act of 2002, materiality also was used in identifying serious weakness in internal control over the financial reporting process. The American Institute of Certified Public Accountants defined material weakness as a condition where the internal control components do not reduce to a relatively low level the risk that:
- Misstatements caused by errors or fraud in amounts that could be material in relation to the financial statements may occur.
- Misstatements are not detected timely by employees in the normal course of performing their assigned functions.
In an attempt to establish more consistent and clearer guidance for Section 404 of Sarbanes-Oxley, the U.S. Public Company Accounting Oversight Board (PCAOB) defined a material weakness differently, and effectively developed three categories of financial reporting controls weaknesses (see “Categories of Financial Reporting Controls Weakness” at right). Under PCAOB Auditing Standard (AS) 5 (now codified as AS 2201), “The severity of a deficiency depends on:
- Whether there is a reasonable possibility that the company’s controls will fail to prevent or detect a misstatement of an account balance or disclosure.
- The magnitude of the potential misstatement resulting from the deficiency or deficiencies.”
Consistent with the SEC’s approach, the PCAOB in its standards avoids suggesting quantitative guidelines. The PCAOB says that materiality should not be based on a numerical formula because the facts and circumstances need to be professionally evaluated and considered for each situation.
Not surprisingly, when performing their Sarbanes-Oxley Section 404 assessments, many organizations find it difficult to differentiate between significant control deficiencies and material weaknesses. The organizations and their external auditors often still resort to quantifiable measures of specific impact to the financial statement to help establish a distinction.
Internal Auditing and Materiality
Unfortunately, quantifiable rules for materiality continue to be applied even to situations other than the fairness of the financial statements. However, for internal auditors the argument against using any materiality rule of thumb is amplified by the inherent and substantial differences between the roles of internal auditors and external auditors. In summary, very different assurances are provided by these different services. Internal auditors review and test controls at a significantly lower level of materiality than do external auditors, and routinely review a much broader range of risks than those for financial reporting. External audits are designed to report on historical data, whereas internal audits are generally focused on the efficiency, effectiveness, and compliance of current and future operations (see “Internal Audit Compared to External Audit” below right).
Dealing With the Issue
Internal auditors need means of measuring, assessing, or judging the performance of a broad swath of matters that are subject to audit. In the most general sense, the standards used for this purpose are referred to as audit criteria. Audit criteria are reasonable and attainable standards of performance and control against which compliance, the adequacy of systems and practices, and the efficiency and cost-effectiveness of staffing activities can be evaluated and assessed. To be realistic and useful, these criteria must be relevant, reliable, neutral, understandable, and complete. The aggregate of the internal auditor’s findings measured against the criteria, along with the exercise of professional judgment, permits the audit team to form a justifiable and defensible conclusion about each audit objective. An important threshold factor is the concept of materiality.
At times, internal auditors may be inclined to avoid dealing with complex concepts of materiality and significance. They may be tempted to throw up their hands and let someone else — senior management or the audit committee — make the call on the importance of identified issues and the need for corrective action. In this scenario, all issues would be delivered in an unfiltered and unprioritized fashion, with internal audit merely performing the role of information gatherer and reporter.
Many reasons exist as to why this approach would represent a sort of professional malpractice, and would likely lead to dissatisfaction with internal audit’s performance by its key stakeholders.
While internal auditors may frequently be confronted with issues that defy simple categorization and prioritization, they need to recognize their responsibility to provide an assessment of significance. Internal auditors are the experts on internal controls and that, by necessity, includes determining the impact that the quality of controls has on their organization’s activities.
The International Standards for the Professional Practice of Internal Auditing require internal auditors to add value and help improve the organization’s operations. They shortchange the value proposition if they do not demonstrate how their work product can directly meet these requirements. By sorting through the information they have gathered in their internal audit assignments, which necessitates the explication of internal auditors’ materiality judgments, they can move forward with the important and leave behind the unimportant.
Granted, this is not always an easy task. There is no mechanical application of a framework that will provide simple, indisputable answers. Because of the need to apply professional judgment and to consider and weigh many factors, different individuals evaluating similar facts and circumstances may reach different conclusions in certain situations. When this happens, internal auditors have to deal with the gray areas of the issue.
The Standards allow internal auditors to permit senior management to accept a level of residual risk, if they do not believe it is unacceptable to the organization. However, as stated in Standard 2600: Communicating the Acceptance of Risks, if internal auditors believe it is “unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.”
Any other difficult issues may also require further attention to move them to consensus. This could involve the engagement of specialists, internally or externally, who provide subject matter expertise. Also, these very limited, infrequent, and contentious issues could be just the ones that are significant enough that involvement by senior management or the audit committee may be needed to reach resolution.
Issues that advance to this level should meet criteria that are established and understood in advance by internal audit, senior management, and the audit committee with an agreed-upon reporting protocol. Stakeholders typically express interest in categories of topics and issues, such as fraud and significant regulatory noncompliance, about which they want to be made aware and involved, regardless of materiality. To cover the other possibilities that require some assessment of importance, it is necessary to have a working definition of materiality for internal auditors and their stakeholders.
Guidelines for Materiality
Definition of Materiality for Internal Auditing
Materiality for internal auditing was defined in a 1994 IIA research report, The Internal Auditor’s Role in Management Reporting on Internal Control, as “any condition that has caused, or is likely to cause, errors, omissions, fraud, or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.”
This definition is particularly relevant because of its general management perspective, not just a financial perspective. It also is risk based, enterprisewide, and action-oriented in dealing with risks.
While the revised and updated International Professional Practices Framework does not define the term materiality, the Glossary does contain the following definition for the term significance: “The relative importance of a matter within the context in which it is being considered, including quantitative and qualitative factors, such as magnitude, nature, effect, relevance, and impact. Professional judgment assists internal auditors when evaluating the significance of matters within the context of the relevant objectives.”
When evaluating the significance of the issues that audit work identifies, some guidelines can supplement the definition (see “Definition of Materiality for Internal Auditing” at right), help frame the evaluation, and determine significance. These guidelines help with the application of materiality in practice.
Materiality for External Auditors May Not Be Relevant. Do not base materiality for matters of operational efficiency and effectiveness, safeguarding assets, and compliance with laws and regulations on the materiality concepts and levels considered by the external auditors for purposes of the examination of the financial statements or the Sarbanes-Oxley Section 404 internal control assessment. Very different assurance is being provided.
Incorporate Contextual Considerations. Materiality should never be used as a sole or significant measure for prioritization and investigation in cases of suspected or illegal behavior or fraud. Put another way, zero tolerance or allowable error of zero should be established when considering illegal acts.
Consider Qualitative Factors. The qualitative dimensions of an issue may be more important than the quantitative aspects. Customer service, public perception, cycle time, quality outcomes, and employee morale are examples of important considerations that are resistant to quantification efforts.
Context Matters. Remember that not all quantifiable areas are the same. For example, the significance of errors and misstatements will be different for suspense accounts and related-party transactions because they involve greater risk than most other accounts or activities with similar balances.
Is It Pervasive or Isolated? Understand the root cause of the issue. The fact that it has or can easily recur makes it more of a concern than an isolated, explainable, one-time matter.
Improve Performance. Lost opportunities to quantifiably enhance revenues and reduce and avoid costs, while not technically material or relevant to the current financial statements, can be materially important, and have a cumulative effect, in improving performance in future periods.
Build a Foundation
A foundation of dialogue with stakeholders can help internal auditors determine a mutually agreed upon framework based on quantitative and qualitative factors. Providing meaningful context to their reporting of issues can enhance internal auditors’ value to their organizations and assist stakeholders in establishing priorities, determining remediation, and escalating issues when necessary.