AU312: Defining Audit Risk and Materiality

AU 312, “Audit Risk and Materiality in Conducting an Audit,” was an auditing standard issued by the American Institute of Certified Public Accountants (AICPA). It provided guidance for auditors on two core concepts in auditing. This standard has been superseded and is no longer in effect, but the principles it established have been integrated into current auditing literature.

For audits of non-public companies, the concepts are now in AU-C Section 320, “Materiality in Planning and Performing an Audit.” For public company audits, governed by the Public Company Accounting Oversight Board (PCAOB), the relevant standard is AS 2105, “Consideration of Materiality in Planning and Performing an Audit.” This article explains the concepts of audit risk and materiality that remain central to modern financial statement audits.

The Concept of Audit Risk

Audit risk is the risk that an auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. In simpler terms, it is the chance that an auditor gives a “clean” opinion on financial statements that contain significant errors. Auditors cannot obtain absolute assurance, only reasonable assurance, because of the nature of financial reporting, audit procedures, and the need for an audit to be conducted within a reasonable time and at a reasonable cost. To manage this, auditors break audit risk down into three components.

• Inherent Risk (IR): The susceptibility of a financial statement assertion to a misstatement that could be material, before considering any related internal controls. This risk is inherent to a business’s operations and environment. For instance, valuing complex financial instruments has a higher inherent risk than valuing a simple bank account because it involves more judgment. An auditor assesses inherent risk but cannot change it.
• Control Risk (CR): The risk that a material misstatement will not be prevented, or detected and corrected, on a timely basis by the company’s internal controls. This risk is a function of the effectiveness of the entity’s internal control system. If a company has weak controls over its revenue recognition process, the control risk for revenue-related assertions is higher.
• Detection Risk (DR): The risk that the procedures performed by the auditor will not detect a material misstatement that exists. This is the only component of audit risk that the auditor can directly influence. The level of detection risk is managed by adjusting the nature, timing, and extent of audit procedures.

These three components are linked in the audit risk model: Audit Risk = Inherent Risk x Control Risk x Detection Risk. This model is not a rigid mathematical formula but a framework auditors use to understand the relationship between the risks and to plan their audit approach.

The Concept of Materiality

Materiality is a concept of relative significance. Information is considered material if its omission or misstatement could reasonably be expected to influence the economic decisions of users of the financial statements. A fact is considered material if there is a substantial likelihood that it would be viewed by a reasonable investor as having significantly altered the total mix of available information. This judgment involves both quantitative and qualitative considerations.

When determining materiality, auditors consider quantitative factors by establishing a benchmark as a starting point, such as a percentage of a key financial figure. Common benchmarks include pre-tax income, total revenues, or total assets. For example, an auditor might use 5% of pre-tax income as an initial quantitative threshold, choosing the benchmark most relevant to the company’s financial statement users.

Materiality is not solely a numerical exercise, as qualitative factors can render a quantitatively small misstatement material. A misstatement might be qualitatively material if it:

• Changes a net loss into net income.
• Helps the company meet analysts’ earnings expectations.
• Allows it to avoid violating a debt covenant.
• Relates to fraud or an illegal act, as even a small amount could have significant repercussions.

Auditors use different levels of materiality. The first is materiality for the financial statements as a whole, or planning materiality, which is the overall threshold. From this, the auditor determines performance materiality, set at a lower amount, often in the range of 50% to 75% of overall materiality. Performance materiality is used when designing audit procedures for individual accounts to reduce the probability that the sum of all uncorrected and undetected misstatements exceeds the overall materiality level.

Relating Risk and Materiality in Audit Planning

The concepts of audit risk and materiality are linked and form the basis of the audit plan. This involves a dynamic relationship between the auditor’s assessment of risk and the determination of materiality. The two have an inverse relationship that shapes the amount and type of audit work performed to reduce overall audit risk to an acceptably low level.

The auditor first assesses the Risk of Material Misstatement (RMM), which is the combination of inherent and control risk, based on their understanding of the company and its internal controls. The audit risk model shows that for a given level of audit risk, the acceptable level of detection risk is inversely related to the assessed RMM. If an auditor determines that the RMM is high, they must set a lower acceptable level of detection risk to keep overall audit risk low.

A lower detection risk requires the auditor to obtain more persuasive audit evidence by modifying the nature, timing, and extent of planned audit procedures. For nature, the auditor might shift from less persuasive procedures like inquiry to more persuasive ones like direct inspection or re-performance. For timing, procedures might be moved from an interim date to year-end. For extent, the auditor would increase sample sizes for tests of details or analytical procedures.

The level of materiality also influences the plan. A lower materiality threshold means that smaller misstatements are considered important, requiring the auditor to gather more evidence to detect them. Consequently, a lower materiality level, much like a higher assessed RMM, leads to an increase in the scope and extent of audit testing.

Evaluating Audit Findings

The final stage involves using materiality to evaluate the results of the audit work, a process distinct from planning. The auditor must accumulate all misstatements found, except for those that are “clearly trivial.” This accumulation includes both known misstatements and likely misstatements.

Known misstatements are factual errors with no doubt, such as a mistake in applying an accounting principle. Likely misstatements are the auditor’s best estimate of misstatements in a population, often derived from projecting errors found in an audit sample to the entire account balance. For example, a 2% error rate in a sample of accounts receivable would be projected to the entire balance to estimate the likely misstatement.

The auditor aggregates these misstatements and compares the total to the overall materiality level from planning. This evaluation is not just a numerical comparison; the auditor must also consider the size and nature of the misstatements, individually and in aggregate, in relation to specific accounts and the financial statements as a whole.

If the aggregate of uncorrected misstatements approaches or exceeds the materiality level, the auditor will request that management correct the misstatements. If management refuses, the auditor must consider the implications for the audit opinion. An amount of uncorrected misstatement that is material will require the auditor to issue a modified audit report, such as a qualified or an adverse opinion, indicating that the financial statements are not fairly presented.