Embed Size (px)
Citation preview
Audit Materiality (G6)
JALAL HAFIDI
BIJAN BARIKBIN
CAITLYN E CARNEY
MEGAN A STEPHENS
Background: Material Weakness
What is a material weakness?• Controls are _____ and/or controls are _____
and or/controls are _____.
Background: S12 Audit Materiality
When Determining the Nature, Timing and Extent…Audit materiality and its relationship to audit risk
Potential weakness/absence of controls
Cumulative effect of deficiencies or weaknesses and absence of controls
• Disclose ineffective controls or absence of controls and the significance of the control deficiencies and possibility of resulting in material weakness.
Identify
Consider
Report
Need for Guideline: IS vs. Financial Audits
Financial IS
• Monetary • Physical access controls
• Quality control• Personnel
management• Password generation
Planning: Assessing Materiality
Professional judgment
IS auditors should consider: Level of error acceptable Potential to become material
Planning: Assessing Materiality
When should a financial auditor’s measure of materiality be considered in an IS audit?
Meeting Audit Objectives: Identify relevant control objectives & material control Determine what to examine based on risk tolerance rate
Planning: Assessing Materiality
What types of “information assets” should be verified in the assessment of materiality?
Classification of Information Assets: Confidentiality, Integrity, Availability (CIA) Access Control Rules Criticality & Risk Exposure
Materiality of Deficiencies: IT General Controls Application Controls
Planning: Assessing Materiality
Consider how deficiencies effect an application, and how it will act when aggregated against all of the other control deficiencies.
They all can effect the organization, individually and as a whole!
Planning: Assessing Materiality
Why should the auditor obtain sign-offs from stakeholders?
Are there any reasons an auditor should not have stakeholders sign off?
By not fixing a control’s deficiency, it could become material to the audit and to the organization.
Not only should stakeholders discuss known material weaknesses, but the auditor should have them sign off on acknowledging them.
Factors in Materiality
• Effectiveness of countermeasures.
• Number of accesses per period– Transactions/inquiries/etc.
• Reporting & files maintained– Nature/timing/extent
• Materials handled– Nature/quantity
• SLAs and costs of penalties• Penalties for lack of compliance
– Legal, regulatory, contractual, public health, and safety
• Critical for business processes supported by system/operation
• Number and type of application• Number of users• Number of managers/directors
(based on privileges)• Criticality of the network
communications.• Cost of system• Potential cost of errors.• Cost of loss of information
– In terms of time and money to reproduce
What do you think is the most important factor?
Why?
Reporting
What should be reported ?
The materiality of any errors found Control weaknesses (potential materiality)
In order to obtain a statement of assurance regarding IS controls (unqualified opinion):
The controls should be placed according to the standards and they meet their objectives Free of material weakness
Reporting Cont’d
If the controls don’t meet their objectives, the IS auditor should issue qualified or adverse opinion
The IS auditor should consider reporting to management weaknesses that are not material
Who has the final decision about what should be reported?
IS Auditor NOT the management
Conclusion
Who do external auditors report to?A. ManagersB. EmployeesC. Board of directorsD. Audit Committee
How can small errors or weaknesses become material over time?
Thank you
Questions
