The New Importance of Materiality

CPAs can use this familiar concept to identify key control exceptions.

THE SARBANES-OXLEY REQUIREMENT FOR COMPANIES to develop key control processes has brought new attention to the well-known concept of materiality. CPAs need to be able to identify key control exceptions and apply materiality to determine their financial impact.

MATERIALITY IS BASED ON THE ASSUMPTION a reasonable investor would not be influenced in investment decisions by a fluctuation in net income less than or equal to 5%. This “5% rule” remains the fundamental basis for working materiality estimates.

WHEN REVIEWING THE MATERIALITY OF FINANCIAL statement misstatements that are uncorrected/unrecorded, an error can fall into three ranges—inconsequential, consequential and material. Companies must record errors that fall within the material misstatement range for the independent auditor to give an unqualified opinion.

COMPANIES SHOULD BASE WORKING MATERIALITY levels for control deficiencies on PCAOB Auditing Standard no. 2, which says consequential control deficiencies must be reported to the registrant’s audit committee under Sarbanes-Oxley section 302.

ACCOUNTING ESTIMATION PROCESSES GENERALLY do not result in control deficiencies or uncorrected/unrecorded misstatements if they are reasonable. If the estimation process is flawed, broken or unreasonable, then a related control deficiency exists.

JAMES BRADY VORHIES, CPA, CIA, CISA, is manager of risk monitoring and Sarbanes-Oxley compliance for a Fortune 500 company in Dallas. He is the author of Key Controls: The Solution for Sarbanes-Oxley Internal Control Compliance. His e-mail address is .

f you think you understand materiality and its uses, think again. The Sarbanes-Oxley Act of 2002 has put demands on management to detect and prevent material control weaknesses in a timely manner. To help management fulfill this responsibility, CPAs are creating monthly key control processes to assess and report on risk. When management finds a key control does not meet the required minimum quality standard, it must classify the result as a key control exception.

To develop the controls Sarbanes-Oxley requires, CPAs need to be able to identify key control exceptions. They also must correctly apply a familiar concept—materiality—to determine the financial impact of such exceptions. This article explains the four types of key control exceptions CPAs may encounter as well as how to apply materiality to evaluate each one.

For many years accountants have used quantitative estimates to help them identify potentially material transactions and events. Working materiality levels or quantitative estimates of materiality generally are based on the 5% rule, which holds that reasonable investors would not be influenced in their investment decisions by a fluctuation in net income of 5% or less. Nor would the investor be swayed by a fluctuation or series of fluctuations of less than 5% in income statement line items, as long as the net change was less than 5%. This theory has been and remains the fundamental concept behind working materiality estimates today.

Materiality is not a simple calculation. Because the qualitative analysis is very complex, almost everyone—including CPAs—uses quantitative estimates to identify potential materiality issues.

Materiality is not a simple calculation. Rather it is a determination of what will vs. what will not affect the decision of a knowledgeable investor given a specific set of circumstances related to the fair presentation of a company’s financial statements and disclosures concerning existing or future debt and equity instruments. However, because such a qualitative analysis is very complex, almost everyone—including CPAs—uses quantitative estimates to identify potential materiality issues.

But this approach does not provide the entire solution. The summary to Staff Accounting Bulletin no. 99, Materiality (available on the SEC Web site at ), said, “This bulletin expresses the views of the staff that exclusive reliance on certain quantitative benchmarks to assess materiality in preparing financial statements and performing audits of the financial statements is inappropriate; misstatements are not immaterial simply because they fall beneath a numerical threshold.”

The “normal” calculation of the 5% working materiality level takes an SEC registrant’s pretax net income from continuing operations and normalizies it by adjusting for unusual events not anticipated in the current year. CPAs then adjust the estimate for unusual events expected in the current year and use 5% of the year’s adjusted net income estimate as the basic working materiality threshold. Errors in the company’s books and records that are less than this amount are considered immaterial and do not require financial statement adjustments to obtain an unqualified audit opinion. Errors equal to or greater than this amount require adjustments.

To assist CPAs in helping management meet its responsibilities under Sarbanes-Oxley, there are four perspectives of working materiality, each with its own distinct quantitative calculations and limits. To know which materiality level to apply, CPAs must determine the type of financial statement effect or “exception” at hand. The first is familiar to most CPAs—the actual financial statement misstatement or error. It generally is a dollar error that can be calculated exactly. The second exception is an internal control deficiency caused by the failure in design or operation of a control. The third actually is not an exception at all; it is a large variance in an accounting estimate compared with the actual determined amount. The fourth exception is financial fraud by management or other employees to enhance a company’s reported financial position and operations results.

Under section 302 of Sarbanes-Oxley, companies must review their disclosure controls and procedures quarterly, identify all key control exceptions and

Determine which are internal control deficiencies.

Assess each deficiency’s impact on the fair presentation of their financial statements.

Identify and report significant control deficiencies or material weaknesses to the board of directors’ audit committee and to the company’s independent auditor.

Many CPAs call actual financial statement misstatements or errors uncorrected/unrecorded misstatements. Under the normal financial audit process, auditors accumulate and report these dollar errors on a similarly named schedule that usually lists two types of financial statement errors:

Incorrectly recorded financial statement amounts. These transactions generally were recorded incorrectly because they were in the wrong amount or the wrong account. The latter is tantamount to being improperly accounted for in accordance with GAAP.

Financial statement amounts that should have been recorded but were not. In almost all cases CPAs can calculate uncorrected/unrecorded misstatements to an exact dollar amount. If the error is based on a needed adjustment that was estimated, then generally it resulted from an internal control weakness or a control deficiency. The normal materiality evaluation process is to review each item individually and then all items in the aggregate based on the working materiality levels for each company to determine whether to adjust the financial statements.

Generally, the solution to uncorrected/unrecorded misstatements is very easy—management simply adjusts the financial statements. However, when these errors are discovered and whether the company can determine the correct accounting in a timely manner affect its ability to record these entries for the correct reporting period.

In determining working materiality levels for uncorrected/unrecorded misstatements, there are several generally used methods. Each is based on the 5% rule as a calculated percentage of that materiality limit. Any uncorrected/unrecorded misstatement that approaches 5% would, in theory, cause a “material misstatement” in the company’s financial statements. CPAs must undertake appropriate qualitative analysis to determine whether a material misstatement actually occurred. If so, the solution again is simple; management only needs to appropriately record the uncorrected/unrecorded misstatement for the financial statements to be considered fairly stated in all material respects.

In reviewing the materiality of uncorrected/unrecorded misstatements, errors can fall in one of three ranges—inconsequential, consequential or material misstatements. Very small uncorrected/unrecorded misstatements have no consequence on the financial statements and need not be identified or considered. This is based on the theory there are only a small number of these items. CPAs should accumulate a large number of like errors and consider them as a single error. Items that are singularly or in the aggregate small enough that they don’t need to be reported on the schedule of uncorrected/unrecorded misstatements may be “inconsequential” from a materiality perspective. As a general practice management should attempt to limit these mistakes and search for and record identified errors.

Since a company’s independent auditor usually accumulates uncorrected/unrecorded misstatements and presents them to management and the audit committee quarterly, these misstatements become consequential when the auditor includes them on this schedule and reports them to the committee. Having these errors and not adjusting the financial statement means the statements are misstated by the amount of the errors.

An error or aggregation of errors that reaches the 5% rule is a “material misstatement” of the financial statements and must be recorded in order for the independent auditor to give an unqualified audit opinion. CPAs usually record these amounts and many smaller consequential ones to adjust the financial statements and eliminate uncorrected/unrecorded misstatements.

The second perspective on working materiality levels, an internal control deficiency caused by the failure of a control, is required by sections 302 and 404. PCAOB Auditing Standard no. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, defines the materiality levels SEC registrants should use to determine the materiality of control deficiencies.

Any internal control failure could be a control deficiency. Such deficiencies usually are the result of a failure in control design or operation. A design failure results when management has not established a sufficient amount of internal control or control activities to achieve a control objective; an operation failure occurs when an adequately designed control does not operate properly. According to Auditing Standard no. 2, such failures can be significant deficiencies or material weaknesses if they result in a large enough impact on the financial statements.

CPAs should recommend companies base working materiality levels for control deficiencies on Standard no. 2, resulting in a three-part materiality range. Control deficiencies are considered consequential if they would result in “more than a remote likelihood that a misstatement of the company’s annual or interim financial statements that is more than inconsequential will not be prevented or detected.” Inconsequential control deficiencies obviously fall short of the consequential range, but consequential control deficiencies must be reported to the registrant’s audit committee under Sarbanes-Oxley section 302 paragraph 5(a).

When a significant deficiency causes a material misstatement—as defined again by the 5% rule—it becomes a material weakness. According to the PCAOB definition, “a material weakness is a significant deficiency or combination of significant deficiencies that result in more than a remote likelihood that a material misstatement of the annual or interim financial statements will not be prevented or detected.”

The working materiality ranges for both uncorrected/unrecorded misstatements and for control deficiencies thus range from inconsequential to consequential to material misstatements. However, the actual materiality levels for the ranges are different. What is material and considered a material misstatement or material weakness based on the 5% rule calculation is, of course, the same.

Uncorrected/unrecorded misstatements generally are related to control deficiencies. Whenever such a misstatement exists, CPAs must ask whether the actual dollar misstatement is the result of a control deficiency. However, the amount of the uncorrected/unrecorded misstatement is not necessarily the amount of the deficiency. For example, a trader may fail to record a trade and the error may go unnoticed for several reporting periods. While the amount of the uncorrected/unrecorded misstatement is exactly the amount of the unrecorded trade, the control deficiency is based on the dollar volume of trades that could have gone unrecorded before such an error was found, based on the mitigating controls that eventually would have discovered and prevented such mistakes. This emphasizes the importance of designing adequate mitigating controls in a company’s overall internal control plan. Any time a key control fails, management must have effective mitigating controls that will prevent the resulting potential financial statement error from becoming material.

CPAs must understand that control deficiencies can exist whenever there is an internal control failure or design deficiency—whether or not an actual financial statement misstatement occurred. The materiality of the control deficiency must be determined based on the potential financial statement misstatement that could have occurred, regardless of whether one actually happened and irrespective of the dollar error of any actual financial statement mistake.

Quantitative factors play a large role in determining the potential misstatement that could have resulted from an existing control deficiency. The PCAOB focused specifically on the likelihood of a misstatement occurring. For example, an employee may have committed a fraud by overriding an internal control and stealing an actual dollar amount. This amount would be the uncorrected/unrecorded misstatement. However, the control deficiency amount is based on how much could have been stolen because of the internal control weaknesses weighted by the likelihood of someone stealing this amount.

The third perspective on working materiality levels concerns variances from original estimates. Because estimation processes are evaluated based on their adequacy, an accounting estimation generally would not result in a control deficiency or an uncorrected/unrecorded misstatement if it was reasonable given

The available technology.

The process was “normal” for the industry.

The company’s independent auditor reviewed and approved it.

Estimating financial events and balances is a necessary evil, given management’s need to report on the income and state of assets at artificial points in time. As long as the estimation process is reasonable, CPAs can’t conclude a control deficiency exists when the actual amount is compared with the estimate, regardless of how large the variance given that a better estimate was not possible.

If the estimation process is flawed, broken or unreasonable, a control deficiency exists. An uncorrected/unrecorded misstatement also may exist—the difference between the estimate calculated and recorded in error vs. what the correct estimate should have been.

The fourth perspective on working materiality is financial fraud. Section 303(a), “Improper Influence on Conduct of Audits,” says it is unlawful for any officer or director of an issuer, or any other person acting under their direction, to “take any action to fraudulently influence, coerce, manipulate, or mislead any independent public or certified accountant engaged in the performance of an audit of the financial statements of that issuer for the purpose of rendering such financial statements materially misleading.”

Section 303(a) concerns fraud performed for the company by management or employees who intended to materially misrepresent the entity’s financial position and results of operations. How much of a misrepresentation is required to be material? The answer is twofold.

Fraud generally is not limited by amount but rather by intent. In other words, if the intent was to defraud someone by $1 or by $1 million it’s still fraud. It’s not the amount that makes it fraud. As Staff Accounting Bulletin no. 99 explains, a material misrepresentation is not tied to the amount of the misrepresentation but rather occurs whenever there was intent to misrepresent the registrant’s financial position and results of operations and such a misrepresentation occurred. Therefore, if somebody makes a $10,000 entry giving a company the one cent it needs to meet its earnings target and the entry was not based on GAAP but rather on management’s need to meet this target, the entry was a material misrepresentation. This explains why management’s intent always should be to fairly present in all material respects the results of operations and condition of assets when recording any accounting entries into the company’s books and records.

A fraud on the part of an employee(s) or management that is against the company follows the normal uncorrected/unrecorded misstatements and control deficiency materiality rules and levels. A fraud by management or employee(s) that is for the company falls under section 303(a).

For example, any fraud where employees attempt to help the company by artificially enhancing earnings for financial position would be a fraud for the company. On the other hand a fraud where someone attempts to harm the company by misusing or misappropriating its assets for their own benefit would be against the company.

CPAs must understand each of the four perspectives of materiality to be able to estimate the effect of key control exceptions on an SEC registrant’s fair presentation of its financial statements in compliance with sections 302 and 404. But it’s equally important to develop an ongoing key control risk reporting process that ensures the timely identification of these issues. The right processes will minimize key control exceptions and meet every accountant’s goal of providing fair and complete financial information.


Cybersecurity threats proliferating for midsize and smaller businesses

This report details how SMBs can properly protect private information from breaches, design and implement a cybersecurity policy, and create safeguards for training and education.


Test yourself on these often confused words

The spelling checker on your word processing program can do only so much to flag problems. Your best insurance is to learn the troublesome words that trip up writers and use them correctly by the standards of formal, written English.