Chapter 3: Materiality and Risk Assessment

3. Introduction
International Standard on Auditing (ISA) deals with the auditor’s responsibility to apply the
concept of materiality in planning and performing an audit of financial statements. ISA 450
explains how materiality is applied in evaluating the effect of identified misstatements on the
audit of uncorrected misstatements, if any, on the financial statements and International Standard
on Auditing (ISA) also deals with the auditor’s responsibility to design and implement responses
to the risks of material misstatement identified and assessed by the auditor in accordance with
ISA 315 in an audit of financial statements.
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the
assessed risks of material misstatement, through designing and implementing appropriate
responses to those risks. For purposes of the ISAs 330, the following terms have the meanings
attributed below:
 Substantive procedure: An audit procedure designed to detect material misstatements at the
assertion level. Substantive procedures comprise: (i) Tests of details (of classes of
transactions, account balances, and disclosures); and (ii) Substantive analytical procedures.
 Test of controls: An audit procedure designed to evaluate the operating effectiveness of
controls in preventing, or detecting and correcting, material misstatements at the assertion
level. The auditor shall design and implement overall responses to address the assessed risks
of material misstatement at the financial statement level
3.1. Assessing audit risk
Audit risk means the risk that the auditor gives an inappropriate audit opinion when the
financial statement are materially misstated. Thus, it is the risk that the auditor may fail to
express an appropriate opinion in an audit assignment. Audit risk is a function of the risks of
material misstatement and detection risk
Audit Risk = Risk of Material Misstatement x Detection Risk
Risk of material misstatement may be defined as the risk that the financial statements are
materially misstated prior to audit. This consists of two components, described as follows at the
assertion level: Inherent risk: The susceptibility of an assertion about a class of transaction,
account balance or disclosure to a misstatement that could be material, either individually or

1|Page
when aggregated with other misstatements, before consideration of any related controls. Control
risk: The risk that a misstatement that could occur in an assertion about a class of transaction,
account balance or disclosure and that could be material, either individually or when aggregated
with other misstatements, will not be prevented, or detected and corrected, on a timely basis by
the entity’s internal control.
Misstatement refers to a difference between the amounts, classification, presentation, or
disclosure of a reported financial statement item and the amount, classification, presentation, or
disclosure that is required for the item to be in accordance with the applicable financial reporting
framework. Misstatements can arise from error or fraud.
3.1.1. Assessment of Risks - Matter of Professional Judgment
The assessment of risks is based on audit procedures to obtain information necessary for that
purpose and evidence obtained throughout the audit. The assessment of risks is a matter of
professional judgment, rather than a matter capable of precise measurement.
3.1.2. What is not included in Audit Risk?
(i) Audit risk does not include the risk that the auditor might express an opinion that the
financial statements are materially misstated when they are not. This risk is ordinarily
insignificant
(ii) Further, audit risk is a technical term related to the process of auditing; it does not refer
to the auditor’s business risks such as loss from litigation, adverse publicity, or other
events arising in connection with the audit of financial statements.
3.1.3. Risks of Material Misstatement at Two levels
The risks of material misstatement may exist at two levels:
I. The overall financial statement level- Risks of material misstatement at the overall
financial statement level refer to risks of material misstatement that relate pervasively to
the financial statements as a whole and potentially affect many assertions.
II. The assertion level for classes of transactions, account balances, and disclosures-
Risks of material misstatement at the assertion level are assessed in order to determine
the nature, timing, and extent of further audit procedures necessary to obtain sufficient
appropriate audit evidence. This evidence enables the auditor to express an opinion on
the financial statements at an acceptably low level of audit risk.

2|Page
3.1.4. Components of Risk of Material Misstatement
The risks of material misstatement at the assertion level consist of two components: (i) Inherent
risk and (ii) control risk. Inherent risk and control risk are the entity’s risks; they exist
independently of the audit of the financial statements.
Inherent risk is higher for some assertions and related classes of transactions, account balances,
and disclosures than for others. For example, it may be higher for complex calculations. External
circumstances giving rise to business risks may also influence inherent risk. For example,
technological developments might make a particular product obsolete. Inherent risk factors are
considered while designing tests of controls and substantive procedures. Category of auditor’s
assessment lower or higher, each category covers a range of degrees of inherent risk.
Example: A lack of sufficient working capital to continue operations or a declining industry
characterized by a large number of business failures.
Control risk is a function of the effectiveness of the design, implementation and maintenance of
internal control by management. However, internal control can only reduce but not eliminate
risks of material misstatement in the financial statements. This is because of the inherent
limitations of internal control.
Example: The possibility of human errors or mistakes, or of controls being circumvented by
collusion. Accordingly, some control risk will always exist. The ISAs provide the conditions
under which the auditor is required to test the operating effectiveness of controls in determining
the nature, timing and extent of substantive procedures to be performed.
Auditors assess control risk as Rely or not rely on Controls. When making control risk
assessments, consider: The control environment’s influence over internal control. A control
environment that supports the prevention, and detection and correction, of material
misstatements allows greater confidence in the reliability of internal control and audit evidence
generated within the entity. However it does not guarantee the effectiveness of specific controls.
We therefore, test the operating effectiveness of controls over significant class of transactions
(SCOTs) when we plan to take a controls reliance strategy.
Control risk assessment when control deficiencies are identified: When auditor identifies
deficiencies and report on internal controls, he determines the significant financial statement
assertions that are affected by the ineffective controls in order to evaluate the effect on control
risk assessments and strategy for the audit of the financial statements.

3|Page
3.1.5. Combined Assessment of the Risk of Material Misstatement
The ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a
combined assessment of the “risks of material misstatement”. However, the auditor may make
separate or combined assessments of inherent and control risk depending on preferred audit
techniques or methodologies and practical considerations. The assessment of the risks of
material misstatement may be expressed in quantitative terms, such as in percentages, or in
non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments
is more important than the different approaches by which they may be made. It can be concluded
from the above that
Risk of Material Misstatement= Inherent Risk x Control Risk
ISA 315 establishes requirements and provides guidance on identifying and assessing the risks of
material misstatement at the financial statement and assertion levels.
Detection risk: The risk that the procedures performed by the auditor to reduce audit risk to an
acceptably low level will not detect a misstatement that exists and that could be material, either
individually or when aggregated with other misstatements.
Illustration: XYZ Ltd is engaged in the business and running several stores dealing in variety of
items such as ready-made garments for all seasons, shoes, gift items, watches etc. There are
security tags on each and every item. Moreover, inventory records are physically verified on
monthly basis. Discuss the types of inherent, control and detection risks as perceived by the auditor.
SOLUTION
A. Inherent Risk: Because items may have been misappropriated by employees, therefore, risk
to the auditor is that inventory records would be inaccurate.
B. Control Risk: There is a security tag on each item displayed. Moreover, inventory records
are physically verified on monthly basis. Despite various controls being implemented at the
stores, still collusion among employees may be there and risk to auditor would again be that
inventory records would be inaccurate.
C. Detection Risk: Auditor checks the efficiency and effectiveness of various control systems
in place. He would do that by making observation, inspection, enquiry, etc. In addition to
these, the auditor would also employ sampling techniques to check few sales transactions
from beginning to end. However, despite all these procedures, the auditor may not detect the
items which have been stolen or misappropriated.

4|Page
3.1.6. Identifying and Assessing the Risks of Material Misstatement
Objective of Auditor as per ISA 315 “Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and its Environment”, the objective of the
auditor is to identify and assess the risks of material misstatement, whether due to fraud or
error, at the financial statement and assertion levels, through understanding the entity and its
environment, including the entity’s internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement. This will help the auditor
to reduce the risk of material misstatement to an acceptably low level.
3.1.7. Risk Assessment Procedures
The audit procedures performed to obtain an understanding of the entity and its environment,
including the entity’s internal control, to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels.
Risk assessment procedure - a basis for the identification and assessment of risks of material
misstatement at the financial statement and assertion levels The auditor shall perform risk
assessment procedures to provide a basis for the identification and assessment of risks of
material misstatement at the financial statement and assertion levels. Risk assessment
procedures by themselves, however, do not provide sufficient appropriate audit evidence on
which to base the audit opinion.
3.1.7.1.What is included in Risk Assessment Procedures?
The risk assessment procedures shall include the following:
A. Inquiries of management and of others within the entity that in the auditor’s judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.
B. Analytical procedures.
C. Observation and inspection
3.1.7.2.Types of Audit Risk:
Audit risk is the risk that auditors issued the incorrect audit opinion to the audited financial
statements. For example, auditors issued an unqualified opinion to the audited financial
statements even though the financial statements are materially misstated. In other words, the
material misstatements of financial statements fail to identify or detect by auditors.
Or the qualified opinion is issued as the result of immaterial misstatement found in financial
statements, which the correct opinion should be unqualified since the fact is financial statements

5|Page
are materially misstated. Audit risks come from two main different sources: Clients and
Auditors themselves.
The risks are classified into three different types: Inherent risks, Control Risks, and Detection Risks.
A. Inherent risk, which refers to the susceptibility of an assertion to a misstatement, due to
error or fraud, that could be material, individually or in combination with other
misstatements, before consideration of any related controls.
B. Control risk, which is the risk that a misstatement due to error or fraud that could occur in
an assertion and that could be material, individually or in combination with other misstatements, will
not be prevented or detected on a timely basis by the company's internal control. Control risk is a
function of the effectiveness of the design and operation of internal control.
Inherent risk and control risk are related to the company, its environment, and its internal
control, and the auditor assesses those risks based on evidence he or she obtains. The auditor
assesses inherent risk using information obtained from performing risk assessment
procedures and considering the characteristics of the accounts and disclosures in the
financial statements.
C. Detection Risk: In an audit of financial statements, detection risk is the risk that the
procedures performed by the auditor will not detect a misstatement that exists and that could
be material, individually or in combination with other misstatements. Detection risk is
affected by (1) the effectiveness of the substantive procedures and (2) their application by
the auditor, i.e., whether the procedures were performed with due professional care.
3.1.7.3.Audit Risks Model and Calculation:
The audit risks model can present audit risk as to the combination of inherent risks, control risks,
and detection risks. As mention above, inherent risks and control risks have come from clients,
whereas detection risks are control by auditors. All of these three risks are discussed below:
The audit risk model is an important planning innovation to help auditors consider the risk of the
audit, and the necessary amount of evidence to gather. The model is expressed as:
PDR = AAR
IR x CR
Where:
PDR = Planned detection risk
AAR = Acceptable audit risk.
IR = Inherent risk
CR = Control risk

6|Page
 For computational simplicity, the model can be expressed as:
Audit Risks = Inherent Risk X Control Risk X Deletion Risk
AAR = IR x CR x PDR
Or, expressed another way
AAR = IR X CR X PDR
Audit Risk an error Risk internal Risk the auditor
Risk will occur controls won't detect it won't detect it
It is important to be able to understand how changes in one factor affect (or do not affect) other
risk model factors.
PDR decreases --> Evidence increases
Changes in independent variables (AAR, IR, CR) affect PDR (but do not affect the other
independent variables). Evidence changes as a result of the change in PDR. In many cases, it is
more intuitive to think about the change in evidence, rather than the change in PDR
 AAR decreases - PDR decreases (evidence )
 IR decreases - PDR increases (evidence )
 CR decreases - PDR increases (evidence )
Logic:
 If you want to lower audit risk (more assurance), you must lower detection risk (more evidence).
 Less likelihood of errors, less evidence.
 More likely IC detects errors, less evidence
An extended version of the model also considers analytical procedures risk (risk of error given
results of analytical procedures). Fraud risk is generally assessed outside the risk model.
A. Planned detection risk - Is the risk that audit evidence for a segment will fail to detect a
material misstatement. Planned detection risk is the dependent variable that is solved for in
this equation, and determines the amount of evidence required. The other three factors
determine the auditor's detection risk, and the amount of evidence that must be gathered.
Detection risk is occurred because of the auditor part rather than the client part
There is an inverse relation between detection risk and evidence. Low detection risk implies
high evidence. Decrease in detection risk --> More evidence required
B. Acceptable audit risk - This is the probability that the auditor may unknowingly fail to
appropriately modify the opinion when the financial statements are materially misstated. The
lower the acceptable audit risk, the greater the evidence required (lower detection risk).

7|Page
 Some factors affecting acceptable audit risk, Distribution of ownership and debt, Likelihood of
business failure & Evaluation of management integrity
C. Inherent Risk - Estimate of the likelihood of material misstatements in a segment, before
considering effectiveness of the internal control structure. The greater the inherent risk, the
greater the amount of evidence required.
Some accounts are inherently more risky than others. Further, for a given account, certain
assertions/objectives are likely to be associated with higher inherent risk. For example, there is
more inherent risk with inventory than fixed assets.
D. Control Risk - This is the risk that the client's internal controls will not detect a material
misstatement. As control risk is lowered, less evidence is required (lower detection risk).
IR X CR combined is the risk (probability) that the account contains material error before
applying audit procedures and is referred to as the risk of material misstatement.
Example: Suppose that the auditor has determined that the planned audit risk for the accounts
receivable balance can be set at 0.05 based on the significance of the account to the financial
statements. By establishing such a low level of audit risk, the auditor is reducing the possibility
that the account may contain a material misstatement. Assume further that the auditor assesses
inherent risk for accounts receivable to be 0.80. After evaluating the internal control over the
revenue process, the auditor assesses control risk to be 0.60. Substituting the values for AR, IR
and CR into the equation indicates that the auditor should set detection risk at approximately
0.10 [DR = 0.05/(0.80 x 0.60)] for testing the accounts receivable balance. Thus, the auditor
establishes the scope of the audit for accounts receivable so that there is only a 10 percent
chance that a material misstatement, if present, is not detected.
An auditor may find it more appropriate to substitute qualitative terms to utilize the risk model.
For example, audit risk might be classified into three categories, very low, low and moderate. It
is unlikely that an audit planned in accordance with GAAS would consider a high level of audit
risk. The remaining component of the model may be classified into categories such as low,
moderate or high.
3.1.7.4.Why Do Auditors Need To Perform A Risk Assessment?
Auditors must perform risk assessments to ensure that all possible risks of misstatements that
might happen to the financial statements are identified. This is normally performed during and
after the audit plan. If certain risks are identified during the cause of the audit, the auditor should

8|Page
perform additional assessments to figure out the real size of the risks. The auditor should assess
audit risks before accepting the audit engagements by understanding the nature of its client’s
business and the complexity of financial reporting in that sector.
The auditor should also assess audit risks at the time they prepare the audit plan. Normally, this
is done by using a control framework to assess all angles of the business process. The auditor
might understand the client nature of the business, major internal control over financial
reporting, financial reporting system, and many more.
II. OTHER ASPECTS OF THE RISK MODEL
Assessment is done by segment/cycle, and often by objective within cycles. However, audit
risk is normally constant (a global judgment).
Audit risk: Auditor judgment that varies across clients, but is constant for the entire audit. Risk
the auditor is willing to assume based on use of financial statements and client's
financial condition.
Inherent risk: Assessed by the auditor based on client-specific factors. Some factors apply to
all cycles; some factors are specific to objectives within cycles.
Control risk: Assessed by the auditor, but determined by the client's controls. CR can't be
assessed as less than 100% (the maximum) unless the auditor tests controls.

3.2.Materiality
The concept of materiality is applied by the auditor in planning and performing the audit, and in
evaluating the effect of identified misstatements or non-compliance on audit conclusions.
FASB Concept Statement 2 defines materiality as: The magnitude of an omission or
misstatement of accounting information that, in the light of surrounding circumstances, makes it
probable that the judgment of a reasonable person relying on the information would have been
changed or influenced by the omission or misstatement.
Materiality is a fundamental concept in financial and compliance audit. It sets the level of
deviation that the auditor considers is likely to influence the decisions of the intended users. In
theory, deviations, or errors, are material if they, individually or aggregated with other errors,
would reasonably affect the underlying audit conclusions or the decisions of the addressees of
the audit report. The variety of users, determining materiality is a matter of professional judgment.
An item or group of items may be material due to their amount (quantitative materiality),
nature or the context in which the deviation occurs (qualitative materiality).There is a

9|Page
relationship between materiality and the level of audit risk. Furthermore, this threshold serves
as a determining factor both in the calculation of sample sizes for substantive testing and in the
interpretation of the audit results achieved.
Setting materiality limits helps the auditor to plan the audit so as to ensure that material
deviations are detected by audit tests and resources are employed economically, efficiently and
effectively. Auditing to a stricter (lower) materiality threshold requires more audit testing;
however, the auditor must avoid “over-auditing" in areas that do not merit extensive work.
Materiality is first and foremost a financial reporting, rather than auditing, concept. It isn’t
defined in ISA 320 Materiality in planning and performing an audit but the ISA highlights the
following key characteristics:
o Misstatements are considered to be material if they could influence the decisions of users of
the financial statements
o Judgments about materiality are based on surrounding circumstances, including the size and
nature of the misstatement
3.2.1. Why is materiality important?
As the basis for the auditor’s opinion, ISAs require auditors to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement. The concept of
materiality is therefore fundamental to the audit. It is applied by auditors at the planning stage,
and when performing the audit and evaluating the effect of identified misstatements on the audit
and of uncorrected misstatements, if any, on the financial statements.
3.2.2. Materiality in different phases of audit
Materiality should be considered by the auditor during:
 Planning, to help assess material risks and determine the nature, timing and extent of audit
procedures;
 Examination, when considering new information that may require planned procedures to be
revised, and evaluating the effect of deviations;
 Reporting, when reaching final conclusions and, where required, forming an audit opinion.
The auditor should document the materiality levels and changes made thereto during the audit.

10 | P a g e
3.2.3. Types of materiality
1. Quantitative materiality is determined by setting a numerical value. The numerical value
is achieved by taking a percentage of an appropriate base, which both reflect, in the auditor's
judgment, the measures that users of the information are most likely to consider important.
 When establishing the overall audit strategy, the auditor shall determine materiality for
the financial statements or the audited population as a whole (overall materiality).
 Performance materiality is established while performing audit procedures on certain
account balances and/or transactions and is deliberately settled lower than the overall
materiality so that overall misstatements are kept under the overall materiality level.
2. Qualitative materiality: Certain types of misstatements or non-compliance, while not
quantitatively material, may because of their nature or because of the context in which they
arise be qualitatively material and thus have an impact on the audit conclusion reached.
Qualitative materiality includes items that may be either:
 Material by nature: this is related to inherent characteristics and concerns issues where
there may be specific disclosure requirements or high political or public interest. It
includes any suspicion of serious mismanagement, fraud, illegality or irregularity or
intentional misstatement or misrepresentation of results or information;
 Material by context: this concerns items that are material by their circumstance, so that
they change the impression given to users. It includes instances where a minor error may
have a significant effect, e.g. misclassification of expenditure as income, so that an actual
deficit is reported as a surplus in financial statements. Issues that are material by nature
or context are to be disclosed; however, only in exceptional cases are they to be taken
into consideration in the audit opinion.
3.2.4. APPLYING MATERIALITY
There are five steps in this process. The first two involve the planning; the latter three concern
evaluating the results of tests.
1. Set preliminary judgment
2. Allocate materiality to segments
3. Estimate total misstatement in segment
4. Estimate combined misstatement
5. Compare combined misstatement to materiality estimate

11 | P a g e
1. Set Preliminary Judgment about materiality: This is the maximum amount you believe
the financial statements can be misstated and not affect the judgment of users. The two key
components of this estimate are the base and the percentage.
Base (function of client) X Percentage (function of audit risk)
= Preliminary estimate of materiality
Base: The base for the preliminary judgment is usually net income (or an estimate of net
income, if the estimate is used before year-end). However, in the final evaluation stage,
it is necessary to consider all relevant bases.
Other bases may be used if more appropriate. For example, if net income is unusually low,
you might use total assets, retained earnings, or average net income for the past several
years. Revenue may be an appropriate base for governments or non-profits.
Percentage: 3 to 6% is typical percentages of net income used to establish materiality for public
companies. Lower percentages are more likely to be used with larger bases, such as
total revenues or total assets.
The actual percentage would be based on the risk of the audit:
 Lower materiality (i.e., 3% of net income) for higher risk (low acceptable audit risk)
 Higher materiality(i.e., 6% of net income) for a low risk audit (high acceptable audit risk)
The above are quantitative factors affecting materiality. It is also important to consider
qualitative factors. What might be some qualitative factors than effect materiality?
Qualitative factors that may affect establishing and evaluating materiality include: Material
misstatements in prior years, Potential for fraud or illegal acts, Small amounts may violate
covenants in a loan agreement and Small amounts may affect the trend in earnings.
Total assets, total revenues, or some form of net income are frequently used by auditors when
establishing materiality. When net income before taxes is relatively stable, predictable and
representative of the entity’s size, a rule of thumb to determine overall financial statement
materiality that is commonly used in practice is three to five percent of net income before taxes.
In determining where in the range to establish materiality, the auditor would generally use a
percentage at the lower end of the range if any of the following factors are present:
The preliminary estimate is geared toward planning - how much evidence will we need. There
is a direct link between materiality and evidence:
Increase in materiality --> less evidence required

12 | P a g e
2. Allocate materiality to segments - The next step is to allocate the Preliminary Judgment
about Materiality to audit segments. That is, establish the Tolerable Misstatement (or
tolerable error) materiality level for each audit segment (account or group of accounts).
It is the amount of planning materiality that is allocated to an account or class of
transactions. An account balance represents an individual line item on the financial
statements, such as accounts receivable or inventory. A class of transactions refers to a type
of transaction processed by the client’s accounting system, such as revenue or purchase
transactions. The purpose of allocating a portion of the preliminary judgment about
materiality is to plan the scope of audit procedures for the individual account balance or class
of transactions.
Qualitative factors, common computational benchmarks used in practice to determine
tolerable misstatement are 2 to 15 percent of the account (but never greater than materiality)
or 25 to 75 percent of preliminary planning materiality. These approaches result in an
allocation of combined tolerable misstatement that is greater than materiality. There are a
number of reasons why allocating combined tolerable misstatement greater than materiality
makes sense from an audit planning perspective.
3. Estimate Total Misstatement in Segment - Use the errors found in the sample tested to
estimate the total errors in the population of items in each account.
The error must be projected to the population. The auditor should consider sampling risk,
especially when the direct projection is close to tolerable misstatement.
Example:

Balance in accounts receivable 1,000,000

Account receivable tested 250,000
Overstatement errors found 10,000
Projected error = (10,000/250,000) x 1,000,000 = 40,000 + allowance for sampling error
We project errors because sample errors are our best indicator of errors in the portion of the
population we did not test.
Sampling error - Whether a sample is evaluated statistically or non-statistically, adequate
consideration must be given to sampling risk. Although sampling risk must be considered, it
does not necessarily have to be quantified. Sampling risk is present whenever less than 100% of
the population is tested.
13 | P a g e
4. Estimate Combined Misstatement - If the errors in a segment exceed materiality, an
adjustment should be proposed. If the errors are less than materiality, they should be
combined with errors in other segments to assess whether the combined errors are material.
Note that even though a misstatement may not be material to net income, it may be material
in relation to some other base, including the individual account balance.
5. Compare Combined Estimated Total Misstatements from with the Revised Judgment
about Materiality. (Your preliminary estimate must be revised to consider the actual
financial numbers)
If estimated total combined errors are less than materiality, an unqualified opinion may be
issued. Options available to the auditor when combined errors exceed materiality:
 Record an audit adjustment
 Perform more testing (provides better estimate of size of error, and also lowers the
projected error by lowering sampling risk)
 Qualify the opinion, we are likely to record an adjustment and/or perform more
testing before we would qualify the opinion.
ACCEPTABLE AUDIT RISK AND MATERIALITY
We know these two concepts are linked because they both help us decide how much evidence to
gather. How can we operationalize this interrelation?
For high acceptable risk, we would tend to high range of materiality estimate (ex. 6% net
income). For low acceptable audit risk, we would tend toward low estimates of materiality (i.e.
3% net income).
High AAR = Higher materiality percentage => (low risk audit)
Low AAR = Lower materiality percentage => (high risk audit

14 | P a g e