IS Audit and Assurance Guideline 2204 Materiality 



The guideline is presented in the following sections:

  1. Guideline purpose and linkage to standards
  2. Guideline content
  3. Linkage to standards and COBIT 5 processes
  4. Terminology
  5. Effective date

1. Guideline Purpose and Linkage to Standards

1.0 Introduction

This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’

1.1 Purpose

1.1.1 The purpose of this guideline is to clearly define the concept ‘materiality’ for the IS audit and assurance professionals and make a clear distinction with the materiality concept used by financial audit and assurance professionals.
1.1.2 The guideline assists the IS audit and assurance professionals in assessing materiality of the subject matter and considering materiality in relationship to controls and reportable issues.
1.1.3 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.

1.2 Linkage to Standards

1.2.1 Standard 1201 Engagement Planning
1.2.2 Standard 1202 Risk Assessment in Planning
1.2.3 Standard 1204 Materiality
1.2.4 Standard 1207 Irregularity and Illegal Acts

1.3 Term Usage

1.3.1 Hereafter:
  • ‘IS audit and assurance function’ is referred to as ‘audit function’
  • ‘IS audit and assurance professionals’ are referred to as ‘professionals’

2. Guideline Content

2.0 Introduction

The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 IS vs. financial audit engagements
2.2 Assessing materiality of the subject matter
2.3 Materiality and controls
2.4 Materiality and reportable issues

2.1 IS vs. Financial Audit Engagements

2.1.1 IS professionals require a different yardstick to measure materiality, as compared to their colleagues working on financial audit engagements. Financial professionals normally measure materiality in monetary terms, because what they audit is also measured and reported in monetary terms. IS professionals normally perform audits of non-financial items, e.g., program development controls, program change controls, physical access controls, logical access controls and computer operation controls on a variety of systems. Therefore, IS professionals may need guidance on how materiality should be assessed to plan their audit engagements effectively, how to focus their efforts on high-risk areas and how to assess the severity of any errors or weaknesses found.

2.2 Assessing Materiality of the Subject Matter

2.2.1 The assessment of what is material is a matter of professional judgement. It includes consideration of the effect and/or the potential effect on the enterprise’s ability to meet its business objectives in the event of errors, omissions, irregularities and illegal acts that may arise as a result of control weaknesses in the area being audited. Where the IS audit objective relates to systems or operations that process financial transactions, the financial professional’s measure of materiality should be considered while conducting the IS audit.
2.2.2 To assess materiality, professionals should establish a classification of information assets in terms of:
  • Confidentiality, availability and integrity
  • Access control rules on privileges management
  • Degree of criticality and risk to the business
  • Compliance with laws and regulations
The assessment should include consideration of:
  • The nature of data and information processed and stored
  • IS hardware
  • IS architecture and software (applications and operating systems)
  • IS network infrastructure
  • IS operations
  • Production, development and test environments
  • Applicable laws and regulations
2.2.3 More detailed examples of factors that could be considered to assess materiality are:
  • Criticality of the business processes supported by the system or operation
  • Criticality of the information databases supported by the system or operation
  • Number and type of applications developed
  • Number of users who use the information system
  • Number of managers and directors who work with the information system classified by privileges
  • Criticality of the network communications supported by the system or operation
  • Cost of the system or operation (hardware, software, staff, third-party services, overhead or any combination of these)
  • Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
  • Cost of loss of critical and vital information in terms of money and time to reproduce, but also loss of reputation and image
  • Number of accesses/transactions/inquiries processed per period<
  • Nature, timing and extent of reports prepared and files maintained
  • Nature and quantities of materials handled (e.g., where inventory movements are recorded without values)
  • Service level agreement requirements and cost of potential penalties
  • Penalties for failure to comply with legal, regulatory and contractual requirements
  • Penalties for failure to comply with health, safety and environmental requirements
  • Specific definitions of, or considerations about, materiality provided by legislative or regulatory authorities
  • Transfer of IT operations to a third party, which causes a significant change in compliance regulatory requirements, e.g., data privacy and protection, trade control rules, financial requirements
2.2.4 The indication of higher importance subject areas should be used to reduce audit risk appropriately by either extending the test of controls (reduce control risk) and/or extending the substantive testing procedures (reduce detection risk).
2.2.5 Professionals should re-evaluate established materiality when changes in particular circumstances or additional information come to their attention that might influence materiality of systems or operations. The most common situations in which this could happen include:
  • Materiality was established initially on estimations or on preliminary information that differs significantly from the actual situation.
  • Events or changes in conditions since materiality was set have a significant impact on the ability of the enterprise to meet its business objectives.

2.3 Materiality and Controls

2.3.1 To meet the audit objectives, professionals should identify the relevant control objectives and, based on the risk tolerance level, determine what should be examined. With respect to a specific control objective, a control or group of controls is material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met.
2.3.2 Professionals should consider materiality when determining the nature, timing and extent of the audit procedures to be applied to test a control or group of controls. Material controls should be tested more thoroughly, frequently and extensively compared to non-material controls to reduce the audit risk.
2.3.3 While assessing materiality, professionals should consider:
  • The level of error acceptable to management, the professionals, appropriate regulatory agencies and other stakeholders
  • The potential for the cumulative effect of multiple small errors or weaknesses to become material
2.3.4 Before the start of the audit engagement field work, professionals should consider obtaining sign-off from appropriate stakeholders acknowledging that any existing material weakness that stakeholders are aware of in the enterprise has been disclosed.
2.3.5 When professionals discover control deficiencies, they should evaluate the effect on the overall audit opinion or conclusion. When evaluating the effect, professionals should take into account different aspects of the occurrence of the control deficiencies, including:
  • Size
  • Nature
  • Particular circumstances
2.3.6 When testing material controls, professionals should evaluate the effect of compensating controls in mitigating risk associated with a discovered control deficiency. The control deficiency should be classified as:
  • A material weakness, when the compensating controls are ineffective
  • A significant deficiency, when the compensating controls are partially effective
  • An inconsequential deficiency, when the compensating controls reduce the risk to an acceptable level
2.3.7 Multiple errors or control failures might cause a cumulative effect, which professionals should consider in determining the overall materiality of control deficiencies.
2.3.8 Professionals should determine whether any IT general control deficiency is material. The significance of such deficient IT general controls should be evaluated in relation to their effect on application controls, i.e., whether the associated application controls are also ineffective. If the application deficiency is caused by the IT general control, then it is material. For example, if an application-based tax calculation is materially wrong and was caused by poor change controls to tax tables, then the application-based control (calculation) and the general control (changes) are materially weak.
2.3.9 Professionals should evaluate an IT general control’s deficiency in relation to its effect on application controls and when aggregated against other control deficiencies. For example, a management decision not to correct an IT general control deficiency and its associated reflection on the control environment could become material when aggregated with other control deficiencies affecting the control environment.
2.3.10 Professionals should also note that failure to remediate a deficiency could become material, e.g., after management and those charged with governance have been alerted to the deficiency.
2.3.11 Control deficiencies are always material in areas where they have been overridden resulting in fraud or illegal acts.

2.4 Materiality and Reportable Issues

2.4.1 In determining the findings, conclusions and recommendations to be reported, professionals should consider both the materiality of any errors found and the materiality of errors that could arise as a result of control weaknesses.
2.4.2 Where the audit engagement is used by management to obtain a statement of assurance regarding IS controls, an unqualified opinion on the adequacy of controls should mean that the controls in place are in accordance with generally accepted control practices to meet the control objectives, devoid of any material control weakness.
2.4.3 A control weakness should be considered material and, therefore, reportable, if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. If the audit engagement work identifies material control weaknesses, professionals should consider issuing a qualified or adverse opinion on the audit objective.
2.4.4 Depending on the objectives of the audit engagement, professionals should consider reporting to management weaknesses that are not material, particularly when the cost of strengthening the controls is low. In addition, professionals could advise on resolutions for the weaknesses identified.

3. Linkage to Standards and COBIT 5 Processes

3.0 Introduction

This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance

3.1 Linkage to Standards

The table provides an overview of:
• The most relevant ISACA Standards that are directly supported by this guideline
• Those standard statements that are most relevant to this guideline

Note: Only those standard statements relevant to this guideline are listed.

Standard Title
Relevant Standard Statements
1201 Engagement Planning IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
  • Engagement nature, objectives, timeline and resource requirements
  • Timing and extent of audit procedures to complete the engagement
1202 Risk Assessment In Planning  IS audit and assurance professionals shall identify and assess risk relevant to the area under review when planning individual engagements.

IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
1204 Materiality IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.

IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.

IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.

IS audit and assurance professionals shall disclose the following in the report:
  • Absence of controls or ineffective controls
  • Significance of the control deficiencies
  • Likelihood of these weaknesses resulting in a significant deficiency or material weakness
1207 Irregularity and Illegal Acts IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.

IS audit and assurance professionals shall maintain an attitude of professional scepticism during the engagement.

IS audit and assurance professionals shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.

3.2 Linkage to COBIT 5 Processes

The table provides an overview of the most relevant:
  • COBIT 5 processes
  • COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
COBIT 5 Process
Process Purpose
EDM03 Ensure risk optimisation. Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.
MEA02 Monitor, evaluate and assess the system of internal control. Ensure that IT-related enterprise risk does not exceed risk appetite and risk tolerance, the impact of IT risk to enterprise value is identified and managed, and the potential for compliance failures is minimised.

3.3 Other Guidance

When implementing standards and guidelines, professionals are encouraged to seek other guidance, when considered necessary. This could be from IS audit and assurance:
  • Colleagues from within the organisation and/or outside the enterprise, e.g., through professional associations or professional social media groups
  • Management
  • Governance bodies within the organisation, e.g., audit committee
  • Other guidance (e.g., books, papers, other guidelines)

4. Terminology

Audit risk The risk of reaching an incorrect conclusion based upon audit findings. The three components of audit risk are:
  • Control risk
  • Detection risk
  • Inherent risk
Material weakness A deficiency or a combination of deficiencies in internal control, such that there is a reasonable possibility that a material misstatement, will not be prevented or detected on a timely basis.

Weakness in control is considered material if the absence of the control results in failure to provide reasonable assurance that the control objective will be met. A weakness classified as material implies that:
  • Controls are not in place and/or controls are not in use and/or controls are inadequate
  • Escalation is warranted
There is an inverse relationship between materiality and the level of audit risk acceptable to the IS audit or assurance professional, i.e., the higher the materiality level, the lower the acceptability of the audit risk, and vice versa.
Materiality An audit concept regarding the importance of an item of information with regard to its impact or effect on the subject matter being audited. An expression of the relative significance or importance of a particular matter in the context of the engagement or the enterprise as a whole.
Significant deficiency A deficiency or a combination of deficiencies, in internal control, that is less severe than a material weakness, yet important enough to merit attention by those responsible for oversight

Note: A material weakness is a significant deficiency or a combination of significant deficiencies that results in more than a remote likelihood of an undesirable event(s) not being prevented or detected.

5. Effective Date

5.1 Effective Date

This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.