The auditor should consider the materiality of the audit and its relationship to audit risk when determining the nature, timing and extent of the audit procedures. When planning the audit, the auditor should consider potential weakness or absence of controls and whether such weakness or absence of controls could result in a significant deficiency or a material weakness in the information system. The auditor should consider the cumulative effect of minor control deficiencies or weaknesses and the absence of controls to translate into a significant deficiency or material weakness in the information system. The auditor’s report must disclose ineffective controls or lack of controls, the meaning of control deficiencies and the possibility of weaknesses, resulting in a significant deficiency or material weakness. Audit risk is the risk that the auditor is about to arrive at an incorrect conclusion, based on audit findings. Auditors should also be aware of the three components of audit risk, that is,the inherent risk, the control risk and the detection risk . During audit planning and execution, the auditor should attempt to reduce the audit risk to an acceptably low level and meet the audit objectives. This is achieved through an appropriate assessment of the related controls. Weakness in control is considered “material” if the lack of control results in a lack of reasonable assurance that the objective of control will be achieved.
Weakness classified as material implies:
- The controls are not in effect and / or the controls are not in use and / or the controls are inadequate;
- It guarantees the harmony fragmentation of the control environment;
- A material weakness is a significant deficiency, or a combination of significant deficiencies, which results in more than a remote possibility that an unwanted event will not be prevented or detected.
There is an inverse relationship between materiality and the level of audit risk acceptable to the auditor, that is, the higher the level of materiality, the lower the acceptability of the audit risk and vice versa. This allows the auditor to determine the nature, timing and extent of the audit procedures. For example, when planning for a specific audit procedure, the auditor determines that materiality is less, thereby increasing the risk of auditing. In this way, the auditor wants to compensate, either for the extension of the control test (to reduce the control risk assessment), or for the extension of the substantive test procedures (to reduce the detection risk assessment).
