Articles on Internal Auditing

Materiality and Reportable Conditions
Compiled by Mark R. Simmons, CIA CFE

To form an opinion as to whether control systems provide managers with reasonable assurance that desired business outcomes will be achieved, the auditor has to consider the issue of materiality. No control system is perfect or one hundred percent effective. But an effective control system should always prevent, or detect and correct, "material" errors, omissions, fraud or other adversities that impact on achieving desired business outcomes. The problem we auditors face is defining what "materiality" means from the manager's perspective.

Internal Auditor's Role in Management Reporting on Internal Control, a research report published by the Research Foundation of the Institute of Internal Auditors, defines materiality as "any condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization".

According to the research report, the control processes for identifying material weaknesses are working if, during the course of routine operations, the control system successfully identifies and addresses:
non-persistent and non-pervasive weaknesses that have caused, or are likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.

Material weaknesses are persistent if the same problem appeared in prior periods; or the same problem has arisen elsewhere in the organization.

Material weaknesses are pervasive if the effects of the problem seriously imperil safeguarding of assets; or the effects of the problem seriously imperil the achievement of operating, reporting or compliance objectives.

A condition is "serious" if it has caused, or is likely to cause, errors, omissions, fraud or other adversities that increase business risk and possible consequent damages to the organization, but does not require senior managers to undertake immediate corrective actions to mitigate the associated impact on operations or outcomes.

The authors of the research report suggest that auditors have five decision options regarding a professional opinion about the system of controls:

  1. the system is well controlled - there are virtually no internal control weaknesses; (or)
  2. the system is highly satisfactory - there are opportunities for improvement, but no reportable conditions; (or)
  3. the system is marginally satisfactory - the audit identified a serious condition, but it has not caused, or is not likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization; (or)
  4. the system is unsatisfactory - the audit identified a serious condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.; (or)
  5. the system is unreliable - the audit identified a persistent or pervasive serious condition that has caused, or is likely to cause, errors, omissions, fraud or other adversities of such magnitude as to force senior managers to undertake immediate corrective actions to mitigate the associated business risk and possible consequent damages to the organization.

Items three through five above are "Reportable Conditions". A "reportable condition" means that:

  • the problem is serious, but not material; or
  • the problem is material but not persistent or pervasive; or
  • the problem is material and persistent or pervasive.

The report indicates that as long as the control process identifies and corrects the problem, or assesses the consequences of inaction, regarding reportable conditions and material weaknesses, then it is unlikely that the reportable condition will be material and pervasive or persistent. If this is the case, then the control system is working. However, if the reportable conditions and material weaknesses were detected by the audit, but not by the control system, then the auditor should evaluate the circumstances and consider issuing a qualified or adverse opinion in the report.

It is the auditor's professional judgement that determines what "serious" and "material" actually mean in the context of a given audit. How does the auditor determine this? There are several ways, depending on the specific circumstances. Some examples are:

  • Discussions with senior management, line managers and staff, and suppliers and customers of the audit client;
  • The auditor's experience and knowledge of control systems and related risks;
  • The requirements of laws and regulations;
  • The exposure to fraud, waste or abuse; and
  • The monetary value or impact of goods, services, transactions, events or outcomes.

The threshold for reportable conditions should be evaluated during the planning phase of the audit work; discussed with senior management; and discussed with the responsible manager at the entrance conference. Prior to initiating substantive audit work, the auditor should have a clear and agreed upon definition of what will constitute a reportable condition for the activity or function being reviewed.

The purpose of this article has been to provide an overview of concepts developed and presented in The Internal Auditor's Role in Management Reporting on Internal Control, published by the Research Foundation of the Institute of Internal Auditors. The interpretations presented here are those of the author. Readers are encouraged to refer to that publication for a full discussion of this topic in order to form their own opinions.

Copyright © 1995 Mark R. Simmons, All rights reserved

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com