Audits: Materiality, Risks, and Internal Controls

The audit process is a set of eight sections, including materiality, risks, and internal controls. Auditors determine with reasonable certainty that financial statements are free from material misstatements.

The only way auditors can complete this task is by determining the level of misstatements during audit planning, starting with preliminary judgments, and ending at using materiality when evaluating the audit findings. Auditors must consider various risks associated with planning and completing an audit: risks that could affect the completion of the audit, along with the chance of legal repercussions.

The overarching theme of planning and conducting an audit is the level of internal controls within the business, which includes its policies and procedures. Auditors are responsible for auditing their client’s financial statements, following the Generally Accepted Auditing Standards (GAAS), while looking for material misstatements so they can obtain reasonable assurance that the financial statements are free from material misstatements.

One of the objectives of an auditor is to establish that the financial statements are free from material misstatements. Arens, Elder, & Beasley (2014) define materiality as “the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it probable that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement” (p. 248). Determining the appropriate audit report to issue is part of planning the audit and designing the audit approach. Materiality is fundamental to that planning, as well as a significant factor when considering which report to issue.

Investors rely on the data found in the financial statements to make decisions regarding investments, so if management intentionally or accidentally omitted pertinent information from those statements, investors could make the wrong decision. Due to the power materiality holds over investor decisions, auditors must use their professional judgment regarding the level of misstatements allowed in the financial statements, based on sufficient evidence. According to Mautz & Sharaf (1961), “a combination of all or several of the various types of audit evidence adds to the probability that the auditor’s decision that the proposition is valid” (p. 105). When determining the level of material misstatements, the auditor must consider three factors that affect the materiality threshold during preliminary judgment. The first of those factors is relativity. While planning the audit, the auditor must consider the size of the company they are auditing because that will determine the materiality threshold. Relativity is all about perspective.

To a large corporation, a small error would be nothing, but to a small company, it could be detrimental. Georgiades (2018) stated, “judgments about materiality are made within the context of surrounding circumstances. The nature or size of a misstatement, or both, affects judgments made about materiality.” Materiality is relative, so auditors must set benchmarks by selecting critical accounts containing information users of the financial statements need. Benchmarks include net sales, gross profit, total or net assets, and net income before taxes. Once auditors have selected the appropriate benchmark, they must determine if material misstatements could affect other accounts, like total assets. The income statements and balance sheets are affected the most, so the auditor must consider this when determining the materiality level. The auditor is required to document their preliminary judgment in addition to how they determined that level. In other words, they document the limit of material misstatements they will allow, which account they used as their primary benchmark, and the qualitative factors that defined the limit. When looking at financial statements, the level of materiality will be different for each individual account. The difference is due to the potential of specific accounts having a higher chance of material misstatements. Accounts that have a higher interaction rate make it easier for management to accidentally classify transactions incorrectly, as well as to potentially hide an intentional error.

There are two categories of misstatements, known and likely. Known misstatements are those transactions placed in the wrong account or recorded incorrectly. Likely misstatements are the more serious of the two. If an auditor disagrees with the recorded account balance or the manager’s level of misstatements based on audit sampling, the auditor would determine a percentage amount which is then multiplied by the account balance to get an estimated error. Errors do occur, which is why having an auditor review the financial statements for material misstatements helps both the business and any potential investors. Materiality is an essential factor in auditing. Not only can materiality affect investors’ decisions, but the level of materiality also determines the level of audit risk.

Auditors face many risks while planning the audit and looking for material misstatements. Tuovila (2019) defines audit risk as “the risk that financial statements are materially incorrect, even though the audit opinion states that the financial reports are free of any material misstatements.” Essentially, the auditor runs the risk of giving an unqualified opinion because they were not able to find any material misstatements. There are five types of risks auditors face when looking for incorrect data, four of which compose the formula in the audit risk model. The four types of risk included in the formula are planned detection risk, acceptable audit risk, inherent risk, and control risk. The audit risk model, according to Botez (2015), “estimates the degree of assurance required for important tests when it takes into account the level of audit risk and the assessment of both inherent and control risks.” The best thing about the audit risk model is that it forces the auditor to examine each component of the formula closely. The first type of risk is the planned detection risk (PDR). This risk is reliant on the other three in the risk model, so when one factor changes, the planned detection risk changes. The planned detection risk is the risk that the gathered evidence will fail to find misstatements above performance materiality. This risk helps auditors determine the level of substantive evidence to gather in relation to the planned detection risk.

The formula to determine the planned detection risk is acceptable audit risk divided by the product of inherent risk and control risk: PDR = AAR ÷ (IR × CR). The second type of risk is the inherent risk (IR), which uses the auditor’s assessment about the financial statements while ignoring internal controls. Internal controls are ignored when assessing inherent risk because they are part of control risk. If there is a high chance of misstatements, then the inherent risk is high. Because of the chance of high inherent risk, the CPA firm conducting the audit should have an experienced member of their staff conducting the audit. The third factor in the audit risk model formula is control risk (CR). The control risk is the risk that a business’s internal controls would not be able to find or stop misstatements. To test this risk, the auditor assigns a high-risk factor to control risk. The better a business’s internal controls are, the lower the risk factor assigned to control risk would be. According to Jenner (2012), the combination of “inherent and control risk is the risk of material misstatement, and they are considered the ‘client’s risk’ which the auditor is faced with when performing the audit.” AU-C § 315.03 details the objective of the auditor to identify and assess the risk of material misstatements, whether it is due to fraud or simple errors.

The last factor in the audit risk model, determined during audit planning, is the acceptable audit risk (AAR). This risk is the maximum numerical percentage an auditor is willing to take that they would provide the wrong audit opinion. A lower percentage of risk means the auditor wants a higher level of certainty, while a higher percentage of risk means the auditor would accept a lower level of certainty that they provide the correct audit opinion. At times, auditors prefer the term audit assurance rather than acceptable audit risk. Audit assurance is the counterpart of acceptable audit risk. For example, if an acceptable audit risk were 5%, then the audit assurance would be 95%. The audit risk model is another subjective component, based on assumptions and estimates, so there will be times the auditor will have to change the data when they receive new information or results.

While it is plausible the audit risk model will have to be changed, it should happen sparingly. The last type of risk auditors must consider is engagement risk. Arens et al. (2014) define engagement risk as “the risk that the auditor or audit firm will suffer harm after the audit is finished, even though the audit report was correct” (p. 261). Even after the audit is complete, the auditor and CPA firm still have to worry about the client and investor. If the client or investor feels as if the audit caused them harm, then they would sue the audit firm. One factor that could affect engagement risk is the degree of users’ reliance on the financial statements, which can result in a lowered acceptable audit risk. If investors rely heavily on the financial statements when making an investment decision, and if the business fails due to an audit failure, more harm would befall the audit firm. At any time, the investor can choose to sue an audit firm, whether it is justified or not, and unfortunately, there is nothing the audit firm can do to prevent it. Auditors are susceptible to numerous levels of risk when they are planning and performing an audit. With the knowledge that those risks could occur, auditors can better understand their environment and client’s financial statements, allowing them a better opportunity to find material misstatements.

Internal controls are essential for any business to maintain. The level of internal controls depends on management and how well they are maintaining the company’s policies and procedures. Investopedia (2019) defines internal controls as the “mechanisms, rules, and procedures implemented by a company to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud.” Management is responsible for setting the internal controls of the business, and without proper internal controls, there would be a breakdown between employees and management, which affects profits and the ability to remain in business. When designing those internal controls, management tries to meet three objectives: reliable financial reporting, effective operations, and compliance with laws and regulations. Section 404 of the Sarbanes-Oxley Act, which passed after the WorldCom scandal, requires management to report on the effectiveness of the company’s internal control over financial reporting. Flostoiu (2012) claims that “the internal control is a dynamic process, permanently adapting its tools and techniques to a cultural change of the institution which is determined by the level of the competence of managers.” Internal controls are important because they can prevent errors which would have previously led to misstatements.

While managers determine the internal controls the business uses, it is up to the auditor to test the internal controls to verify they are strong enough to prevent material misstatements. Try as they might, internal controls will never be 100% effective, no matter what management does, so reasonable assurance is the best they can do. AU-C § 319.02 (n.d.) stated that “the auditor should obtain an understanding of internal control sufficient to plan the audit by performing procedures to understand the design of controls relevant to an audit of financial statements and determining whether they have been placed in operation.” There are five components to the internal control framework: control environment, risk assessment, control activities, information and communication, and monitoring. The first of those components, control environment, is important to the other components because if there is not an operational control environment, the other components would likely not result in effective internal controls. According to Arens et al. (2014), “the control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors, and owners of an entity about internal control and its importance to the entity” (p. 293).

Since management determines the internal controls for their corporation, if the auditor is not able to trust in their ethics or integrity, then they would additionally not be able to trust the effectiveness of those internal controls. An additional aspect of ethics and integrity lies with managers hiring competent employees because if the employees are not competent, then the auditor cannot expect the internal controls to be efficient. The second component of the internal control framework is risk assessment. Managers use the risk assessment when considering competition, product technologies becoming obsolete, and shortages of materials due to droughts or other factors. It is up to management to consider any and all risks that could affect their company, and then make any necessary changes to their internal controls to combat those risks. The third component of the internal control framework is control activities. Control activities include policies and procedures used by management to guarantee the required actions address risks before meeting their objectives. Managers need control over business functions to ensure there is no crossover between controls. For example, an employee who oversees receiving assets should not have access to the journal entries. By separating these two positions, the manager is reducing the risk of embezzlement, thereby increasing their internal controls.

The next element in the framework is information and communication. Information and communication include a set procedure from initiation to reporting of an accounting transaction, which helps to maintain accountability. When testing a company’s internal controls, the auditor looks at their accounting system to help understand the major types of transactions and how those transactions went from start to finish. The last component in the internal control framework is monitoring. Monitoring is very important for management and their internal controls because it requires management to assess the quality and performance of the internal controls periodically. By assessing the quality and performance, they can determine if the controls are functioning accurately.

While management is responsible for creating and maintaining internal controls, the auditor is also responsible for evaluating them and then reporting their findings to the audit committee. Wilkins and Haun (2014) state that “CPAs can use the framework and its underlying directions on operational, reporting, and compliance objectives to advise small and entrepreneurial organizations on how they can improve both their business operations and bottom line.” Internal controls are essential to any business to ensure an accurate and fair audit opinion, which is why it is imperative for upper management to test their controls constantly.


AICPA. (n.d.). Section 404(b) of Sarbanes-Oxley Act of 2002. Retrieved June 20, 2019, from AICPA:
Arens, A. A., Elder, R. J., & Beasley, M. S. (2014). Auditing & Assurance Services: An Integrated Approach (15th ed.). Upper Saddle River, New Jersey: Pearson.
Botez, D. (2015). Study Regarding the Need to Develop an Audit Risk Model. Audit Financiar, 13(125), 69-74. Retrieved June 20, 2019, from,url,cookie,uid&db=bth&AN=102356140
Flostoiu, S. (2012, May 1). Internal/Managerial Control-Subject of the Public Internal Audit. Scientific Research & Education in the Air Force-AFASES, 1, 87-94. Retrieved June 20, 2019, from,url,cookie,uid&db=mth&AN=82405327
Georgiades, G. (2018, September 30). A Refresher on Materiality in Conducting an Audit: AU-C Section 320, Materiality in Planning and Performing an Audit. GAAS Update Service, 18(18), 1-7. Retrieved June 19, 2019, from,url,cookie,uid&db=bth&AN=132185440
Jenner, N. (2012, September 1). Where’s the Risk in Risk-Based Auditing? New Jersey CPA, (35), 20-21. Retrieved June 19, 2019, from,url,cookie,uid&db=bth&AN=79462165
Kenton, W. (2019, May 1). Internal Controls. Retrieved June 21, 2019, from Investopedia:
Mautz, R. K., & Sharaf, H. A. (1961). The Philosophy of Auditing. American Accounting Association. Retrieved June 18, 2019, from
PCAOB. (2010, December 15). AU Section 319: Consideration of Internal Control in a Financial Statement Audit. Retrieved June 20, 2019, from PCAOB:
PCAOB. (2018). AU Section 312: Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. Retrieved June 20, 2019, from PCAOB:
Shaffer, D. (2018, October 1). The Secret to a Clean Opinion: Strong Internal Control. Armed Forces Comptroller, 63(4), 16-18. Retrieved June 21, 2019, from,url,cookie,uid&db=mth&AN=133402945
Tuovila, A. (2019, May 23). Audit Risk. Retrieved June 20, 2019, from Investopedia:
Wilkins, A. M., & Haun, A. L. (2014, October 1). Reframing the Discussion on Internal Control. CPA Journal, 84(10), 48-51. Retrieved June 21, 2019, from,url,cookie,uid&db=bth&AN=98865148


Cite this page

Audits: Materiality, Risks, and Internal Controls. (2020, Sep 18). Retrieved from