A user recently raised the question of the whether the use of CMA (or Monetary Unit) sampling within the transaction testing areas in our compliance engagements is appropriate.
Compliance engagements such as trust account audits typically involve the need to assess whether large amounts of documents (say receipts) have been completed according to applicable regulations.
In these cases the amount of the transaction recorded is not so much the issue but whether the specified procedures have been followed. Any breach of a regulation in this case is material.
This raises the questions of what is material in a compliance engagement and if we are using qualitative rather than quantitative methods to determine materiality then what is an appropriate way to select a sample for testing? Another question arising from this discussion is how does our assessment of control effectiveness influence our sample size?
I asked a couple of people who know a lot about these things for their thoughts. I summarise their comments below with my own commentary about how this applies within Audit Assistant.
What is material in a compliance engagement?
Any non-compliance is potentially material, and I would frame the planning documentation in that way. If, say, a real estate agent has taken even $5 from the trust account outside the provisions of the regulations that has to be reported to the REAA. So it is material. There could be situations where some non-compliance is immaterial, but I cannot picture them and I would not design standard documentation on any basis other than non-compliance = material.
Compliance engagements are often about qualitative information, not quantitative, although they may have a quantitative element. In the context of non-financial information, I find the Institute of Chartered Accountants in England and Wales (ICAEW) publication Materiality in Assuring Narrative Reporting is useful in determining what is material. It suggests that each of the following circumstances could be materially misleading:
· Omission of facts: could the omission of significant facts relevant to a claim result in a misleading position being represented?
· Misstatement of facts: could the misstatement of significant facts relevant to a claim result in a misleading position being represented?
· Misrepresentation of trends: are management making claims that do not represent the facts available?
· Bias in description of position or facts: are management focusing reporting on the positive and excluding negative matters?
· Unsubstantiated claims: are management making claims that would be regarded as important to, and be relied upon by, users, but that are not substantiated by facts?
I don’t think any issue of non-compliance will be material in all cases. Perhaps you can draw on the new NOCLAR provisions in the Code of Ethics (section 225) in this regard? For example - if it’s “clearly inconsequential” it is out. If it “may be fundamental to the business and operations, or to avoid material penalties” then it’s in, it’s obviously judgement on between.
SAE 3100 A25 says that:
The assurance practitioner should consider materiality in the context of quantitative and qualitative factors such as:
• the relative magnitude of instances of detected or suspected non-compliance with the applicable requirements;
• the nature and extent of the effect of these factors on the evaluation of compliance with the applicable requirements; and
• the interests of the intended users.
The assessment of materiality and the relative importance of quantitative and qualitative factors in a particular engagement are matters for the assurance practitioner’s professional judgement.
Elaborating on what qualitative factors include, ISAE (NZ) 3000 (revised) A96 includes examples such as:
• The interaction between, and relative importance of, various components of the subject matter information when it is made up of multiple components, such as a report that includes numerous performance indicators.
• The wording chosen with respect to subject matter information that is expressed in narrative form.
• The characteristics of the presentation adopted for the subject matter information when the applicable criteria allow for variations in that presentation.
• The nature of a misstatement, for example, the nature of observed deviations from a control when the subject matter information is a statement that the control is effective.
• Whether a misstatement affects compliance with law or regulation.
• Whether a misstatement is the result of an intentional act or is unintentional.
• When the subject matter information relates to a conclusion on compliance with law or regulation, the seriousness of the consequences of non-compliance.
It seems that comment 1 above is addressing a clearcut situation where we are reporting on compliance with a set of regulations, for example a Real Estate trust account job. In this case our materiality might well be "all breaches of the Regulations are considered material".
In contrast comment 2 is addressing what could fall in the wider net of Compliance Engagements. There might be an instance of where, taken in the context of the users expectations and the way that the regulations or contract is framed, some parts are much more significant than others.
ISAE (NZ) 3000 (revised) A100 gives an example of this kind of situation:
In a compliance engagement, the entity may have complied with nine provisions of the relevant law or regulation, but did not comply with one provision. Professional judgement is needed to conclude whether the entity complied with the relevant law or regulation as a whole. For example, the assurance practitioner may consider the significance of the provision with which the entity did not comply, as well as the relationship of that provision to the remaining provisions of the relevant law or regulation.
There may also be instances where qualitative as well as quantitative factors impact on materiality, so the auditor should consider both. Materiality could perhaps be stated as: "Any breach of the contract which significantly affects the users perception of compliance, and in terms of any item of expenditure under the contract if a misstatement exceeds $xxxx."
Application in Audit Assistant
Our Compliance Engagement standard Materiality page feeds quantitative data from the Trial Balance page and suggests some materiality ranges. In the case of an engagement which is all about compliance with regulations it is unlikely that the auditor will have uploaded any monetary data anyway. In this case a text based answer should be added such as suggested above: "all breaches of the Regulations are considered material". Performance materiality and trivial level will be similarly completed with perhaps an "as above" comment.
For a compliance engagement that does include quantitative data (such as whether an entity has complied with the terms of a grant contract say) the materiality calculator may be useful, and the materiality could use the second comment "Any breach of the contract which significantly affects the users perception of compliance, and in terms of any item of expenditure under the contract if a misstatement exceeds $xxxx." Performance materiality may then be applied to the $ amount and a trivial assessment is probably also relevant.
See following article discussing sample sizes and type of selection methods.