assurance
‘Materiality’ gets less material
assurancenews
BY chris schellman
These documents typically provide only
cursory descriptions of the similarities and
differences between the standards. One of
the differences most commonly cited is the
“materiality” concept introduced by SSAE 16.
Without a detailed explanation, one might
assume that materiality means new leeway
and discretion in terms of disclosures within
SSAE 16 reports, especially as it relates to testing exceptions, but that assumption would
be very wrong.
Before going any further, let’s examine the
single paragraph of SSAE 16 that introduces
the materiality concept: “While planning and
performing the engagement, the service au-
ditor should evaluate materiality with respect
to the fair presentation of management’s de-
scription of the service organization’s sys-
tem, the suitability of the design of controls to
achieve the related control objectives stated
in the description and, in the case of a Type
2 report, the operating effectiveness of the
controls to achieve the related control objec-
tives stated in the description.”
The concept is self-explanatory. Service
auditors are directed to use materiality when
forming the basis for their opinion. This is
good information to know, but does this
mean that materiality can also be applied
when disclosing testing exceptions?
For that answer, we look to paragraph .A27
of the SSAE 16 explanatory material, which
states: “The concept of materiality is not ap-
plied when disclosing, in the description of
the tests of controls, the results of those tests
when deviations have been identified. This is
because, in the particular circumstances of a
specific user entity or user auditor, a devia-
tion may have significance beyond whether
or not, in the opinion of the service auditor, it
prevents a control from operating effectively.
For example, the control to which the devia-
tion relates may be particularly significant in
preventing a certain type of error that may be
material in the particular circumstances of a
user entity’s financial statements.”
So the answer to the question is a resounding no. The otherwise innocuous sentence
highlighted above is actually a very important
change from the SAS 70 standard because it
closes a loophole, of sorts. The word “mate-
as we prepare for the replacement of sas 70 by ssae 16,
articles and vendor whitepapers are flooding the landscape.
The switch from SAS 70 to SSAE 16 changes some concepts
Auditors will
no longer be
permitted to
hypothesize
about what
may or may
not be
relevant.
Chris Schellman is the president and
founder of service audit provider SAS 70
Solutions Inc. He has led over 600 SAS 70
audits over the past decade.
riality” only appears twice in the SAS 70 audit
standard, and neither occurrence is pertinent
to this discussion. But as anyone familiar
with Type 2 SAS 70 audit reports knows, the
auditor’s test results are normally stated as,
“No relevant exceptions noted” when there
are no testing deviations. And therein lies the
issue — relevance.
Relevance is a matter of opinion, and when
it comes to CPAs, opinions vary widely. I
would like to believe that every service audi-
tor discloses all testing deviations, thus avoid-
ing the need to speculate about the relevance
of test results. However, we know that some
CPA firms use relevance as a mechanism for
withholding certain testing exceptions that
they deem to be irrelevant. Although this is a
legitimate act when reporting under the SAS
70 standard, it prevents user entities and
user auditors from having the opportunity
to make their own decisions regarding the
relevance and materiality of testing devia-
tions. This practice also has the inherent risk
that the CPA could erroneously conclude that
a testing deviation is irrelevant when it would
otherwise be deemed critically relevant by
one or more report users.
AUDIT FIRMS OFFER ADVICE
ON NEW CLIENTS
NEW YORK — Asking the right questions
when considering accepting new audit
clients, or continuing a relationship with
an existing client, is the key to establishing a quality relationship, according to
a new paper issued by a group of audit
firm networks.
Client Acceptance and Continuance
summarizes the current practices in
several of the large networks of international accounting firms and examines
how asking the right questions can help
ensure that only those entities that meet
the same standards of quality as the audit
firm be accepted or continued.
The document was issued by the
Transnational Auditors Committee, the
executive committee of the Forum of
Firms, an association of networks of international accounting firms that perform
transnational audits. The committee is
also part of the International Federation
of Accountants.
“Any business wishing to establish
quality relationships with quality clients
needs robust processes in place,” said
Forum of Firms chair Robert Dohrer. “Un-
derstanding the best practices in this area
will hopefully contribute to all accounting
firms being able to strengthen their ap-
proach and create more mutually benefi-
cial auditor-client relationships — which
ultimately will contribute to improved
public confidence in the industry.”
The paper focuses on how the large
networks of international accounting
firms have implemented the require-
ments of International Standard on
Quality Control 1, Quality Control for
Firms that Perform Audits and Reviews of
Financial Statements, and Other Assur-
ance and Related Services Engagements,
in their client acceptance and continu-
ance policies and procedures. The paper
also discusses related tools and devices
that firms have employed to strengthen
their client acceptance and continuance
decision-making processes.
Client Acceptance and Continuance
can be downloaded free of charge from
the Forum of Firms section of the IFAC
Publications & Resources site at http://
web.ifac.org/publications.
