# The External Audit and Materiality
In 2018, General Electric disclosed that the SEC and DOJ were investigating a $22 billion goodwill impairment in its power business and a $15 billion insurance reserve shortfall. What made the story sting for finance professionals was not the numbers alone—it was that KPMG had audited GE for 109 consecutive years and signed clean opinions the whole way down. The lesson embedded in that saga is the one most CFOs learn too late: an unqualified audit opinion is not a certificate of business health, and it is not a shield. It is a narrow, technical statement that the financials are free of *material* misstatement. Understanding exactly what that word "material" carries—and what the audit actually tests—is the difference between a CFO who runs the audit and one who is run by it.
Most executives imagine auditors recomputing every transaction. They don't. Modern external audit is a risk-based assurance exercise, not a recount. The auditor's job is to reduce audit risk—the risk of issuing a clean opinion on materially misstated financials—to an acceptably low level. That risk decomposes into a formula every CFO should internalize:
Audit Risk = Inherent Risk × Control Risk × Detection Risk
Inherent risk and control risk belong to *your* business and *your* control environment; the auditor can only assess them. Detection risk is the only lever the auditor directly controls, through the nature, timing, and extent of testing. This matters enormously for you: the stronger your controls, the less substantive testing the auditor must perform. A company with weak controls forces the auditor toward exhaustive substantive procedures—more sampling, more confirmations, more late nights, and a bigger fee. Control quality is not a compliance cost; it is an audit-efficiency asset.
Auditors organize their work around
The testing toolkit is narrower than folklore suggests:
The critical CFO insight: auditors focus disproportionately on estimates and judgments, not on high-volume routine transactions. Goodwill impairment, loan loss allowances, revenue recognition on long-term contracts, pension assumptions, deferred tax valuation allowances—these are where opinions are won and lost, because they require management judgment and are therefore where misstatement (intentional or not) hides. GE's downfall lived entirely in estimates: goodwill and insurance reserves. When you prepare for an audit, spend your energy where the auditor will: on the schedules that depend on *your* assumptions.
Materiality is the most misunderstood concept in the audit relationship, and the one where a sharp CFO gains the most leverage. The governing definition, from the accounting standards, is that information is material if omitting or misstating it could reasonably be expected to influence the decisions of the primary users of the financial statements. It is fundamentally about the *user*, not the *auditor's* convenience.
In practice, the auditor computes materiality in three layers, and you should understand all three.
The auditor selects a benchmark and applies a percentage. Common conventions:
The benchmark choice is a judgment call, and it drives everything downstream. A company hovering near breakeven creates a materiality problem: 5% of a tiny pre-tax income produces an absurdly low threshold, so auditors switch to a revenue or asset benchmark. As a CFO, you want to understand and, where appropriate, *discuss* the benchmark rationale early—because it sets the sensitivity of the entire audit. This is not manipulation; it is ensuring the auditor's model reflects the economic reality of your business rather than a mechanical default.
Here is the number that actually governs your audit workload. Performance materiality is set *below* overall materiality—typically 50%–75% of it—to create a buffer for the aggregation of undetected misstatements. If overall materiality is $10 million, performance materiality might be $6.5 million, and that lower figure determines how granularly the auditor tests. A weak control environment or a history of adjustments pushes performance materiality toward the low end (more testing); a clean track record moves it higher (less testing). Your audit history directly prices your current audit.
Below this line (often 5% of overall materiality), misstatements are not even accumulated. Above it, they go on the Summary of Uncorrected Misstatements—the schedule of audit differences you either book or explain away.
The subtlety every senior finance executive must grasp: materiality is not purely quantitative. A misstatement below the numerical threshold can still be material by nature. Examples that turn a $50,000 error into a material one:
The classic case is the company that "just makes" consensus EPS quarter after quarter by exactly a penny. Statistically improbable, and any competent auditor treats a small adjustment that flips the miss-to-beat as material regardless of dollar size. If you find yourself managing to a threshold, assume your auditor sees the same pattern the SEC would.
The audit is a project you manage, not an event that happens to you. Drama in an audit is almost always a symptom of poor process, not bad luck. Four disciplines separate the smooth audits from the death marches.
1. Front-load the judgment conversations. The most expensive fights happen in the final weeks over a revenue-recognition position or an impairment trigger that could have been socialized in planning. Bring your hardest technical calls to the auditor *early*—ideally in an interim or planning meeting—with a written position paper: the facts, the applicable standard, your analysis, and your conclusion. You are not asking permission; you are documenting that you reached a defensible judgment *before* the number was struck. Auditors reward preparation and punish surprises.
2. Own the PBC (Prepared By Client) list like a program plan. The PBC list is the auditor's request for schedules and evidence. Late, sloppy, or reconciled-on-the-fly deliverables are the single largest driver of audit friction and fee overruns. Assign owners, set internal deadlines ahead of the auditor's, and quality-check every schedule so it ties to the trial balance *before* it leaves your building. A clean PBC process signals a clean control environment, which in turn lowers the auditor's assessed control risk—a virtuous cycle.
3. Manage the audit differences schedule proactively. When the auditor proposes an adjustment, you have three moves: book it, support your original position with evidence, or argue it's immaterial and pass it. The mistake is treating every passed adjustment as a win. Uncorrected misstatements accumulate, and a stack of "immaterial" items that all push earnings the same direction is itself a red flag—it looks like directional bias, which auditors are trained to challenge. Correct the errors that are genuinely errors; reserve the immateriality argument for items where your judgment is genuinely defensible.
4. Prepare the audit committee, not just the auditor. Under modern standards the auditor communicates directly with the audit committee about Critical Audit Matters (CAMs) or Key Audit Matters (KAMs)—the areas of highest judgment, now disclosed in the audit report itself. A CFO caught unaware when the auditor raises a CAM with the committee has lost control of the narrative. Know what your CAMs will be (they mapmapUsing software to automate repetitive marketing tasks and campaigns, enabling personalisation at scale across channels like email, web, and social.View full definition → to your significant estimates), and walk the committee through your reasoning *before* the auditor does.
Knowledge check
1. What does an unqualified (clean) audit opinion actually communicate about a company?
2. In the formula Audit Risk = Inherent Risk × Control Risk × Detection Risk, why does the distinction between these components matter to a CFO?
3. Why is strong internal control quality described as an 'audit-efficiency asset' rather than merely a compliance cost?
4. Select ALL correct answers about the nature of a modern external audit.
Select all the correct answers.
5. Select ALL correct answers about how a CFO can influence the audit through the risk model.
Select all the correct answers.
The GE-KPMG story raises the uncomfortable question underneath every long audit relationship: is the auditor still independent after 109 years? Independence is the asset that makes the opinion worth anything, and it is fragile in ways CFOs routinely underestimate.
Independence has two dimensions. Independence in fact is the auditor's actual objectivity. Independence in appearance is whether a reasonable observer would perceive a conflict. Regulators enforce both, because appearance erosion destroys trust even when actual objectivity survives.
The practical minefields for a CFO:
The counterintuitive CFO stance: a healthy audit relationship contains productive tension. An auditor who never pushes back is not doing you a favor—they are increasing the odds you are the next restatement. Protect independence not because compliance demands it, but because the auditor's skepticism is a free, expert stress test of your most consequential judgments. The moment you treat the auditor as a vendor to be managed into compliance, you have converted your best early-warning system into a liability.
1. Invest in controls to buy audit efficiency. Strong controls lower assessed control risk, shrink substantive testing, reduce fees, and shorten the audit. Weak controls do the opposite—control quality is priced directly into your audit.
2. Aim your preparation at estimates and judgments, not routine transactions. Auditors concentrate on impairments, reserves, revenue recognition, and other assumption-driven balances. Bring written position papers on your hardest calls to the *planning* meeting, not the final weeks.
3. Understand all three materiality layers—and remember materiality is qualitative too. Know your benchmark rationale, your performance materiality, and your trivial threshold. A sub-threshold error that flips a loss to a profit, hits a covenant, or lets you meet consensus is material regardless of size.
4. Run the PBC list and the audit-differences schedule as managed processes. Owners, internal deadlines, tie-outs before delivery. Don't hoard passed adjustments—an accumulation biased one direction is itself a red flag.
5. Protect auditor independence as a strategic asset, not a compliance chore. Route all non-audit services through audit-committee pre-approval, respect cooling-off and rotation rules, and treat auditor skepticism as a free stress test of the judgments that could end your career.