In order to understand the concept of materiality and risk it is necessary to appreciate the objective of an Audit. An Audit is an evaluation of a person, organisation or a system. They are performed to determine the validity and the reliability of the information provided and also provides an assessment of the systems internal control. The objective of an audit of financial statements is to enable the auditor to express an opinion on whether the financial statements are prepared in compliance with an identified financial reporting framework such as Generally Accepted Accounting Principles (GAAP). Due to practical constraints, the auditor is satisfied with only reasonable assurance that the information is free from material error or emissions, hence why statistical sampling is often used in audits. If the financial information is free from material misstatements, then the information is said to give a true and fair view to the user.
When planning an audit, two factors need to be assessed; materiality and risk. Materiality is a concept within auditing which relates to the importance or the significance of an amount or a transaction, both qualitative and quantitative information. It can be defined by the International Standards of Auditors (ISA) 320. (See appendix A)
Calculated judgments are made by auditors to assess the significance of an error or omission. The item is considered material if it influences the user in their economic decision. However, the size of the item is important because if it's not large and not significant then the item in question will not be classed as material, but the auditor must be aware of creeping materiality where many small insignificant items build up to become material. Therefore designing an audit plan initially establishes an acceptable materiality level for both the amount (quantity) and nature (quality) of misstatements.
Common examples of materiality misstatements are inventories, trade receivables, and sales where the numbers can easily be manipulated. The calculation of materiality can be related to risk where the materiality levels can be more closely monitored. According to "Porter et al Principles of External Auditing 2008" certain materiality levels have been stated as an indication. For example Arriva's turnover in 2008 was £3042.2m and the estimated materiality level would be between 0.5% - 1.0%. The calculation is not a set amount and varies with different auditor judgments and there isn't a correct or incorrect answer. However, using this percentage, the materiality level turnover for 2008 would be up to £30.4m. This means there is a standard deviation of £30.4m meaning if the turnover is between £3072.6m and £3011.8m then the auditor will class it as immaterial and nothing risky. Anything outside of this materiality threshold would be classed as being material, although the auditor may use their own professional judgment to increase or decrease the materiality percentage accordingly.
Cash & cash equivalent shown on Arriva's balance sheet for 2008 is £147.7m. A vague materiality level is given of 2%; hence movement between £150.7m and £144.7 is classed as immaterial. Cash needs to be assessed carefully as it is very liquid and at the time of auditing the figures can be different due to constant income & expenditures.
Bench marks assist auditors to assess financial information by providing an acceptable level of materiality. There is no rule of thumb to calculate materiality, it is upon the auditors professional judgment and set before the plan stage of an audit. For example, if the auditor determines that the bench mark for acceptable materiality is too low during the audit, the audit risk is increased. The auditor can compensate for this in one of two ways; either reduce the level of control risk if possible, backing this by carrying out extended or additional tests of control; or by reducing detection risk by changing the nature, timing and extent of planned substantive procedures. This is where the relationship between materiality and audit risk occurs, as the higher the materiality level, the lower the audit risk and vice versa. This relationship is also considered when determining the nature, timing and extent of the audit procedure.
In relation to materiality, there are two types of risk factors involved; Audit risk and Business risk.
Audit risk is the risk of the auditor giving the wrong opinion and contains three main elements; Inherent Risk, Detection Risk & Control Risk.
Inherent Risk is when the account or section being audited is materially misstated without bearing in mind the internal controls due to error or fraud. It is something that cannot be removed and controls for risky areas may need to be assessed. An example of inherent risk relating to Arriva is most their transactions are cash based and there may be a large risk that the cash is not being recorded or the cash is going into the drivers pocket and isn't being shown on the company's financial records. Areas as such need to be controlled and the use of receipts or top-up card systems may reduce these risks. Analysis of previous years or a comparison of competitor's accounts may give the auditor a good indication of any fraudulent or risky activities. Key factors to look at when analysing inherent risk include the nature of the business, integrity of directors and management, objectives & strategies etc.
Control risk is the auditor's judgment that the entity's financial statements contain a likelihood that certain assertions are materially misstated which will not be detected by the entity's internal control system. An example of control risk is if an entity has competent and able valuers valuing a high priced item which is inherently high risk then the control risk will be low compared to an entity without the skilled and able valuers. The result of inherent risk & control risk is known as the risk of material misstatement (RMM) and represents the risk that the auditor effectively has to respond to when auditing.
Detection risk is the chances that the material misstatement will not be found by the auditor's substantive testing. The detection risk shows what the acceptable rate is of the auditor given that the audit risk and the auditor's assessment of inherent and control risk is accepted. This means that if the detection risk is high, the auditor will do less substantive testing compared to where the detection risk is lower. Detection risk can be altered at the auditor's professional judgment whereas inherent risk and control risk are independent of the audit.
Therefore in whole, audit risk is:
Audit risk = Inherent Risk x Detection Risk x Control Risk.
Business risk relates mainly to the entity's goals and objectives. It is essentially the potential cost incurred if the business does not achieve its strategic plans. The assessment and management of business risk has evolved into formalised enterprise risk management (ERM) in many entities. Examples of risks which may fail the business to meet its objectives include major changes in the working environment, new personnel, rapid growth etc. When assessing the business risk, the auditor must consider the going concern concept; this is when you assume that the entity will normally continue trading into the foreseeable future (normally within 12 months.) This is a risk because if a loan is taken out by the entity, for example which needs to be repaid after 4 years then the company may not be trading at that time and therefore will not be able to repay. From an audit perspective; if the business has a going concern risk, the company may not be able to pay the auditors in the future. This then gives the auditor an indication as whether or not to accept the client. The auditor should also have clear knowledge and understanding of the economy and business that they are working in, so that they can provide a tailor made approach and design the audit work specifically for the client so all risks are acknowledged.
Examples of risks according to Arriva's annual report 2008 are:
Market Risk; a large amount of Arriva's income comes from the national public transports budgets and consequently if the budget amount varies, it can have a positive or negative effect on the entity's prospects. The group constantly monitors the national public transport budgetary policies to ensure that they are aware and understand the possible changes so that there are no unexpected changes to the group which directly affect them.
Interest rate and fuel price risk; Derivative instruments are used to manage the group's exposure to changes in cash flows arising from movements in interest rates and fuel prices. The derivatives are designated as cash flow hedges, and hedge accounting is used where it has been shown that the hedge relationship is highly effective. This also relates to the commercial risk where there can be uncertainties over the current economic situation and volatility levels. For example Arriva has £797m worth of loans which aren't fixed according to note 17 in the financial statement. If the interest rates increase just 1% then it could incur additional charges of up to nearly £8m. This is classed as a business risk.
The international standard on auditing 315 (appendix B) involves the auditor to recognise any material misstatement within the company but should also bear in mind the business's environment, for example the industry, nature, objectives of the entity. Objectives and strategy are an important factor to look at as the entity's aim may be to make a loss for a few years, in which case the objectives has been achieved.
"Including the entity's internal control."
For example when looking at the internal control, if someone needs to authorise a payment of £500k but signs for £1m, then the entity's internal control would be classed as weak and therefore the risks increase.
When assessing the material misstatement the auditor must assess whether it was due to fraud or error. The investigation needs to question whether it was done deliberately or not. If yes, then it was fraud, if no then it may well be an error.
If any materially misstated items need to be further investigated, then ISA 315 Para 7 (appendix C) should be considered. An auditor should ask questions and enquire within the entity to any persons in any department, analyse trends and relationships and just generally monitor day to day running or the entity. In accordance to Para 12, if the auditor intends to use prior material, any changes that have occurred have to be taken into consideration e.g. management buy outs, bonus variances etc. Also external information may be a good source of information, for example contacting banks for actual balances.
ISA 330 is the auditor's responses to the assessed risks. This standard is interlinked with the ISA 315 where the risk, if any is assessed and identified. ISA 330 states what the auditor should do in response to the findings of any material misstatements (Appendix D)
If any potential risk is detected by the Auditor, then the auditor should enquire further into the risk. For example, the auditor can check the bank balance, request any external confirmations of contracts, terms, transactions or agreements from any other entity or other third parties. An instance of this occurring in an entity like Arriva is, if the manager is under pressure to meet earnings expectations, there will be a risk that the management could manipulate sales. Managers may improperly recognise revenue by invoicing sales before they occur. In such cases, auditors need to design external confirmation procedures to confirm amounts, terms of sale, dates etc.
In some cases the ability or the willingness of the party which the auditor needs confirmation from may not be there. Therefore to overcome this problem the auditor must select a sample of parties of whom to ask confirmation from and if a few parties refuse to respond then the auditor still has valid information from similar parties. The party may refuse to comment due to one of the following reasons; may not accept responsibility for responding, may consider it too costly or time consuming, may consider the potential legal liabilities resulting from responding etc.
In conclusion, there is an inverse relationship between risk and materiality; the higher the materiality level, the lower the audit risk and vice versa. This relationship is taken into account when determining the nature, timing and extent of the audit procedures. If after planning, the auditor explores that the acceptable materiality level is lower than planned, then the audit risk is increased. For example, low risk is given to the risk that relates to a particular assertion in an account balance which is misstated by an extremely large amount, but the risk that the figures could be misstated by an extremely small amount may be high. An auditor will consider these concepts before, during and after the audit. ISA 315/320/330 all assist auditors to align to the auditing requirements to ensure that the financial statements present a true and fair view. This brings consistency and makes comparability easier from one set of accounts to another.
Word Count - 2163
Appendices
Appendix A
ISA 320:
"Information is material if its omission or misstatement could influence the economic decisions of users taken on the basis of the financial statements. Materiality depends on the size of the item or error judged in the particular circumstances of its omission or misstatement. Thus, materiality provides a threshold or cut-off point rather than being a primary qualitative characteristic which information must have if it is to be useful."
Appendix B
ISA 315:
"Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment"- effective date 15/12/09
Appendix C
ISA 315 Para 7:
"The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity.
(b) Analytical procedures.
(c) Observation and inspection."
Appendix D
ISA 330:
"The auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures."
