Audit Materiality (G6) JALAL HAFIDI BIJAN BARIKBIN CAITLYN E CARNEY MEGAN A STEPHENS

Background: Material Weakness What is a material weakness? Controls are _____ and/or controls are _____ and or/controls are _____.

Background: S12 Audit Materiality When Determining the Nature, Timing and Extent… Audit materiality and its relationship to audit risk Potential weakness/absence of controls Cumulative effect of deficiencies or weaknesses and absence of controls Disclose ineffective controls or absence of controls and the significance of the control deficiencies and possibility of resulting in material weakness. Identify Consider Report

Need for Guideline: IS vs. Financial Audits FinancialIS MonetaryPhysical access controls Quality control Personnel management Password generation

Planning: Assessing Materiality  Professional judgment  IS auditors should consider: Level of error acceptable Potential to become material

Planning: Assessing Materiality When should a financial auditor’s measure of materiality be considered in an IS audit?  Meeting Audit Objectives: Identify relevant control objectives & material control Determine what to examine based on risk tolerance rate

Planning: Assessing Materiality What types of “information assets” should be verified in the assessment of materiality?  Classification of Information Assets: Confidentiality, Integrity, Availability (CIA) Access Control Rules Criticality & Risk Exposure  Materiality of Deficiencies: IT General Controls Application Controls

Planning: Assessing Materiality  Consider how deficiencies effect an application, and how it will act when aggregated against all of the other control deficiencies.  They all can effect the organization, individually and as a whole!

Planning: Assessing Materiality Why should the auditor obtain sign-offs from stakeholders? Are there any reasons an auditor should not have stakeholders sign off?  By not fixing a control’s deficiency, it could become material to the audit and to the organization.  Not only should stakeholders discuss known material weaknesses, but the auditor should have them sign off on acknowledging them.

Factors in Materiality Effectiveness of countermeasures. Number of accesses per period –Transactions/inquiries/etc. Reporting & files maintained –Nature/timing/extent Materials handled –Nature/quantity SLAs and costs of penalties Penalties for lack of compliance –Legal, regulatory, contractual, public health, and safety Critical for business processes supported by system/operation Number and type of application Number of users Number of managers/directors (based on privileges) Criticality of the network communications. Cost of system Potential cost of errors. Cost of loss of information –In terms of time and money to reproduce What do you think is the most important factor? Why?

Reporting  What should be reported ? The materiality of any errors found Control weaknesses (potential materiality)  In order to obtain a statement of assurance regarding IS controls (unqualified opinion): The controls should be placed according to the standards and they meet their objectives Free of material weakness

Reporting Cont’d  If the controls don’t meet their objectives, the IS auditor should issue qualified or adverse opinion  The IS auditor should consider reporting to management weaknesses that are not material Who has the final decision about what should be reported? IS Auditor NOT the management

Conclusion Who do external auditors report to? A.Managers B.Employees C.Board of directors D.Audit Committee How can small errors or weaknesses become material over time?

Thank you Questions