
U2

AUDITING
Governance and the Auditor

[Figure: Unit 2 concept map, with nodes Shareholders, Operational audit, Internal auditors, Corporate governance, Auditor, Audit committee and Board]


This map represents the core concepts that we'll be covering
in this unit, and the relationships between them.

Unit 2: Auditing: Governance and the Auditor


Study organiser
Before you begin this unit, please check through your study organiser. It shows
the topics that we'll be covering, the skills you need to acquire (the learning
outcomes) and the activities you'll do to help you acquire these skills.

Topic: 2.1 What's governance?
Learning outcome: Describe the nature of governance

Topic: 2.2 The auditor and governance
Learning outcome: Appreciate the role of the auditor in governance

Topic: 2.3 Issues in governance
Learning outcome: Discuss the issues of internal control, risks and operational
audits in the governance processes

Topic: 2.4 Internal and operational auditing in the governance process
Learning outcome: Acknowledge the roles of internal and operational audits in
the governance processes

Topic: 2.5 Enhancing accountability through the audit committee
Learning outcome: Consider the significance of the role of the audit committee
in governance

Topic: 2.6 Governance in the public sector
Learning outcome: Describe the nature of governance and type of audits in the
public sector

Activities
Activity 2.1: Review Question 2.11, Page 85
Activity 2.2: Review Question 2.12, Page 85
Activity 2.3: Review Question 2.15, Page 85
Activity 2.4: Professional Application Question 2.33, Page 86
Activity 2.5: Review Question 2.20, Page 85

Study time
It should take you 10-12 hours to complete this topic.


Introduction
This chapter introduces you to the concept of governance which is applicable to
all entities. The complexity of governing an enterprise involves applying the
concept to an environment where there is a range of expectations and competing
interests among different stakeholders. The governing body must find an
appropriate balance between business performance and management controls.
The following section explains the broad nature of governance, with an
appreciation of business performance and accountability.

Reference
Textbook:
Chapter Two
Modern Auditing: Assurance Services, Leung, Coram, Cooper, Richardson, 5th
Edition, Wiley.
Most contents are paraphrased from the text. For a full understanding, you
must read Chapter Two of the text.

2.1 What is Governance?


Governance is the exercise of economic and administrative authority necessary to
run an entity's affairs. It is the means by which decisions are made in accordance
with the laws and other applicable regulations and company policies and
procedures. The concept of governance applies to all forms of organizations, both
private and public.
In the private sector, the essence of governance relates to the structure of
separation of ownership and management, referred to as the agency structure. In
the agency structure, members (or shareholders) of the company rely on the
management (agents). These agents are the board of directors and managers who
manage the company on behalf of the members. Corporate governance originated to
ensure that management accepts the accountability measures through which it
demonstrates the effectiveness of its performance.
The main pillars in corporate governance are accountability and transparency,
which are the methods by which companies are managed. The independent
auditor plays an important role within the corporate governance framework. The
independent auditor provides objective assurance on the fairness of an 'account'
that is prepared by the management, thus adding credibility to the conduct of the
agent and their performance.


Enterprise governance: a Framework


Enterprise governance integrates different aspects of accountability and helps
explain the role of auditing and assurance services.
Figure 2.1 on page 48 of the text shows that enterprise governance is premised on
the entire accountability framework of an organization and is mainly based on
corporate governance best practices.
The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below.
Read Section 2.1 of the Textbook Chapter 2.

2.2 The Auditor and Governance


The independent auditor acts as an external assurer of financial reports. There are
also internal governance practices such as the internal auditor and the audit
committee. This section deals with the governance role of the external and
internal auditor, the audit committee and those charged with these responsibilities
in the public sector.

Overall Objectives of the Auditor


In Unit 1 we discussed the types of audit and assurance services that are
performed by an auditor. In general an auditor is a qualified professional who
performs audits, reviews and assurance services in a competent and objective
manner in accordance with a set of criteria which include applicable laws,
professional pronouncements and other quality control procedures. ASA 200,
250, 260, 265, 315, and 330 provide comprehensive duties and responsibilities of
the external auditor and the nature of interactions with the management. Please
read pages 48-49.

The role of the auditor in enterprise governance


The audit function provides the assurance of verifiability, compliance and
accountability of the organization, a role that the external auditor performs.

The major role of the external auditor is to give an independent opinion on the truth
and fairness of the financial statements of the organization. Depending on the
jurisdiction in which the organization is based, the external auditor may also be
required to ensure that the organization and the board of directors have complied
with all relevant legislation and regulations. The auditor works closely with those
charged with the governance of the organization, in particular the audit
committee where one exists. There have been major changes to guidelines for
corporate governance practices in Australia (CLERP 9) and the USA
(Sarbanes-Oxley Act) in recent times.
Auditing and assurance services include those assurance services that deal with
historical financial information (financial reports).

Corporate governance (conformance) and the auditing function
Corporate governance is the framework of rules, relationships, systems and
processes within and by which authority is exercised and controlled in
corporations. It covers the structure, the systems and the relationships among
parties such as the board of directors, management, auditors, regulators,
shareholders and the public. It influences how the objectives of the company are
set and achieved, how risk is monitored and assessed, and how performance is
optimized. The principles of corporate governance are highlighted in the various
rules such as the listing requirements of stock exchanges and regulations such as
the Corporations Act. Read pages 50-51 on how the OECD revised its corporate
governance principles to strengthen three main areas.

Business governance (performance) and auditing and assurance services
The role of monitoring performance is largely the responsibility of the board.
However, the application of tools, techniques and practices directly involves the
accountant and some of the assurance services provided in assisting management
and the board.
The accountants and auditors play a significant role in strengthening both
corporate and business governance. For the detailed roles of accountants and
auditors please read page 52.


The audit trinity concept


The external audit, internal audit and the audit committee are the tripartite in the
governance process. The audit function is to perform some defined duties that
complement and interlock with those of the other members.
Audit committees have in recent times taken on a key role to oversee both the
internal audit and external audit functions, ensuring that their work is properly
coordinated; review the company's financial matters and the related governance
practices, including the code of conduct; monitor compliance; and address
internal control weaknesses, environmental issues and risk management. The
audit trinity concept is reproduced in Figure 2.2 on page 53.

The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below

Read Section 2.2 of the Textbook Chapter 2.

2.3 Issues in Governance


There are several issues of governance and accountability that have direct impact
on the auditor's work. We discuss this in the next section.

Internal Control and risk management


Internal controls and risk management have been very important to an effective
governance and accountability framework for many years. More recently new
regulations and rules have been enacted to place greater responsibility on
management and to also place importance on internal controls and risk
management. Corporations are also placing greater importance on employing
internal auditors. In the US, the Sarbanes-Oxley Act and the US Securities and
Exchange Commission, and in Australia the ASX corporate governance
principles, require chief executive officers and chief financial officers to 'certify'
the adequacy of internal control and risk management systems.

Risk management is referred to as the entire culture, process and system
established to manage opportunities and minimize or control adverse risks. Risk
management is regarded as an integral and dynamic part of management and
involves integrated processes to enhance overall decision making and monitoring.
A typical risk management system involves planning; understanding the
company's risk appetite and profile; identifying, ranking, monitoring, reducing
and reporting risks; implementing controls; and taking preventive and follow-up
actions. Figure 2.3 on page 55 shows a typical risk management system.
The Committee of Sponsoring Organizations of the Treadway Commission
(COSO), the body that established the framework of internal control,
introduced the Enterprise Risk Management - Integrated Framework. The framework
details the essential components of enterprise risk management (ERM) and the
context in which they are effectively implemented.
The eight interrelated components of ERM are listed on page 56; they are
derived from the way management runs a business.
Figure 2.4 on page 57 indicates that there is a direct relationship between
objectives, components and units. The auditor should use professional judgment
to assess audit risk and to design audit procedures to ensure risk is reduced to an
acceptably low level. Internal control evaluation is an important component of
audit risk assessment. Therefore the auditor should gain an understanding of
whether the internal control structure can ensure that the conduct of the business
is orderly, including the ability to prevent and detect fraud, error, noncompliance, and the misappropriation of assets. The auditor should gain an
understanding of the business and the company environment to appreciate risks
that might be embedded within the nature of the business and the approach
undertaken by the management in dealing with such risks. These are inherent
risks. Moreover, the auditor in planning the audit will spend time reviewing the
internal control of the company in order to assess the likelihood of control
failures which is referred to as control risk. Both inherent risks and control
risks are components of audit risk and we will discuss them in detail in Unit 8.
Table 2 on page 57 lists the objectives within the ERM framework that can
help auditors to assess inherent and control risks. The auditor's assessment of
inherent risk and control risk is linked with each of the eight components, where
each component is then viewed according to the risk objectives at strategic,
operational, reporting compliance and resource management levels. Table 2.1
suggests that some of the components can form the basis of the auditor's
determination of inherent risks, and others can be used to identify control risks.


Financial misstatements: earnings management


Earnings management is a major issue in the preparation of financial statements.
Earnings management is a deliberate act to produce financial statements that are
not true and fair. It is an attempt to influence people's perceptions of the
performance of the entity. Earnings management is an issue of judgment and may
result in the financial report not being true or fair. Earnings management can
sometimes amount to fraud, often referred to as financial statement fraud.
There are many incentives for management, and this may be motivated by political
considerations, executive remuneration, the ambiguity and inability of accounting
standards to deal with complex transactions, or situations including financial
distress or related party transactions. The capital market may also present
incentives where pressure comes from expected market performance, analysts'
forecasts, management transition and so on. Many earnings management
techniques involve accruals, revenue recognition, restructuring charges,
estimating of liabilities, delaying sales, and manipulating research and
development write-offs. Auditors need to be aware of the possible earnings
management methods and maintain professional skepticism toward management
judgment in the preparation of financial reports.
The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below

Read Section 2.3 of the Textbook Chapter 2.

2.4 Internal and Operational Auditing in the Governance Process
There are many other services that professional accountants may provide as other
audit and assurance services. This section describes some of the key audit roles
performed by professional accountants that may add value to the enterprise.

Internal Auditing
Internal auditing has been regarded as the key component of the governance
process in organizations. It involves a function that evaluates and improves an
organization's risk management, control and governance processes to improve
the efficiency and effectiveness of all phases in an organization. The Institute of
Internal Auditors (IIA) is the professional body that provides certification for
membership (CIA, Certified Internal Auditor).
The objective of internal auditing is to help members of an organization to
effectively discharge their responsibilities. Details of the scope of internal
auditors are provided on page 61. There is usually a close relationship between
internal auditors and an entity's outside independent auditors. External auditors
may use the work of internal audit to supplement, but not to substitute for, their
own work on the financial statement audit. One of the responsibilities of the chief
audit executive or the audit committee is to coordinate the work of internal
auditors with the work of the external auditor. Although they have a close working
relationship, internal and independent auditors have important differences, as
outlined in Table 2.2 on page 61.
Independent auditors provide audit services on contract at a fee and are
independent of the entity they audit. In contrast, internal auditors work in a staff
capacity, and most of the time are independent of the rest of the entity. They may
report to the board of directors, audit committees and sometimes chief financial
officers. Sometimes, the internal audit function is outsourced.
The degree of independence of the internal and external audits is one of
the primary differences. External auditors are expected to remain
completely independent of the management. External auditors' use of
the work of internal auditors in no way reduces the responsibility of the
external auditor to maintain independence.
The US Sarbanes-Oxley Act prohibits audit firms from providing internal audit
services to their audit clients in order to avoid the self-review threat. The
independent auditor focuses mainly on historical information when issuing an
opinion on an entity's financial statements. In contrast, there is no limit to the
scope of the work of an internal auditor, who is concerned with the economy,
efficiency and effectiveness of an entity's operational procedures and activities.
Independent auditors' reports have a standard format and audit opinions are
expressed in accordance with specified circumstances. They are also widely
distributed to members and third parties. In contrast, internal auditors' reports are
for internal consumption and distributed mainly to management, and their format
varies considerably, depending on the nature of the audit being undertaken.


Operational auditing
Operational auditing is a non-financial operations audit and is used to evaluate
management's performance, management's planning and quality control systems,
and specific operating activities and departments. Operational auditing is also
referred to as value-for-money or performance auditing or efficiency and
effectiveness audit.
An operational audit may include elements of a compliance audit, a financial
audit and an information systems audit. It involves establishing performance
indicators, agreeing the standards and criteria for measurement, and evaluating
actual performance against targeted performance.
Thus operational auditing focuses on the future, in direct contrast to a financial
statement audit, which has a historical focus. Unlike a financial statement audit,
an operational audit does not end with a report on the findings, but extends to
making recommendations. Operational audits are an important element of
internal auditing. Three approaches to operational audit have been suggested:
risk-based audit, value-for-money audit and process audit. Details are listed on
page 63.
Typically there are five phases to an operational audit and each phase must be
completed. These phases are (1) preliminary preparation, (2) field survey, (3)
program development, (4) audit application and (5) reporting and follow up.
Details of these phases are listed on pages 63 and 64.

The widening role of internal audit


Since the enactment of the US Sarbanes-Oxley Act, the role of internal auditors has
been enhanced. In the main, sections 404 and 302 of the Sarbanes-Oxley Act
translated into detailed auditing standards requirements. Many companies use
internal auditors to fulfill the Section 404 and 302 provisions.
The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below

Read Section 2.4 of the Textbook Chapter 2.


2.5 Enhancing Accountability through the Audit Committee
Since the large corporate collapses in early 2000, audit committees have been
mandated in the US. Audit committees are required to enhance effective internal
accountability within organizations, in both the private and public sectors.
An audit committee is a committee for the board and is established to
provide a forum where directors, management and auditors can discuss and
resolve issues relating to risk management and financial reporting obligations. In
most instances internal auditors or chief audit executives should work directly
under the audit committee in order to foster objectivity and organization-wide
support. In contrast, external auditors have a responsibility to report to
shareholders, but their objective views can be of value to the directors'
governance process through involvement by the audit committee.

The role and objectives of the audit committee


There are several objectives of an effective audit committee and these are listed
on page 66. In January 2003, following the US Sarbanes-Oxley Act, the US
Securities and Exchange Commission (SEC) proposed new rules requiring
national securities exchanges and associations to prohibit the listing of any
security whose issuer does not comply with the standards on audit committees
established by the Sarbanes-Oxley Act. There are several requirements under this
rule, including the requirement that audit committees be independent. These
requirements are summarized on page 66.
Neither the South Pacific Stock Exchange listing requirements nor any other
regulations require the establishment of an audit committee within the South Pacific
Region. However, many companies have voluntarily formed audit committees to
enhance corporate governance processes.

The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below

Read Section 2.5 of the Textbook Chapter 2.


2.6 Governance in the Public Sector


Auditing is a very important component of all government. While the theories
that apply to the private sector are applicable to the public sector, there are some
variations in the audit approach that are due mainly to the different environment
in which public sector entities operate.

The requirements of public accountability


Figure 2.6 on page 70 outlines a typical structure of a parliamentary system in a
democratic state. Not all countries have the same parliamentary system.
However knowledge of the parliamentary system is necessary for understanding
the process of accountability in the public sector.
In a typical parliamentary structure there is the legislature which comprises the
head of state and the two houses of Parliament - the upper house (the Senate) and
the lower house (the House of Representatives). To become law, a legislative Bill
has to be passed by both houses.
The government is formed by the winning party, with the losing party (or parties)
forming the opposition. The leader of the government is appointed as the Prime
Minister and he chooses his ministers who form the Cabinet. Government
services are provided through agencies (ministries), government authorities and
companies (state owned enterprises) or other controlled entities.
The accountability process starts with Parliament allocating resources to the
agencies, setting terms for the use of the resources and specifying the expected
outcomes of the programs. The process ends with these agencies reporting back
to Parliament on the use of allocated resources, and the results achieved. The
auditor-general is the independent auditor who is appointed by the Parliament.
The auditor-general undertakes the audit and reporting function, and provides
assurance to Parliament that public resources have been utilized as directed. The
auditor-general's report is debated in Parliament and the Public Accounts
Committee normally follows up on the audit report.

Parliamentary committees
Parliamentary committees are set up by Parliament or by statute for a specific
purpose. A purpose of the committee may be to review the expenditure of public
finances or to review agency budgets and may consist of representatives from
both houses of Parliament.


Audit mandates and the Office of the Auditor General
The Office of the Auditor General is established in the Constitution and the
appointment is done by Parliament. Appointment and reporting procedures may
differ in each country. Government auditors perform their duties in accordance
with audit mandates, which specify the type of audit required and what to audit.
Increasingly, most governments now require audits to conform to the applicable
accounting and auditing standards issued by the International Accounting
Standards Board (IASB). Audit mandates are usually embodied in legislation,
but in some cases they are determined by arrangement or contract.

Financial statement audits


The Auditor General is responsible for the audit of state owned entities (SOE). In
this role the Auditor General conducts independent financial statement audits of
public sector entities. The results of the audit are presented in an audit report,
which expresses the auditor's opinion on whether the financial statements as a
whole and the information contained therein fairly present each entity's financial
position and the results of its operations and cash flows.

Performance auditing
Performance audit is defined as:
An independent, objective and systematic assessment of public sector entities'
programs, resources, information systems, performance measures, monitoring
systems and legal and policy compliance. Performance audits play an important
role in improving the administration and management practices of public sector
entities. Performance audits involve the evaluation of the implementation of
specific government programs, policies, projects and activities. They also
examine how well administrative support systems operate. Performance audits
can include the consideration of:
- economy (minimizing cost)
- efficiency (maximizing the ratio of outputs to inputs)
- effectiveness (the extent to which intended outcomes were achieved)
- legislative and policy compliance.
Figure 2.7 on page 76 provides a brief cycle of performance audit that shows the
processes of planning, evidence gathering and reporting.
There are four types of performance audit:
1. audits of a program or activity in a single entity
2. protective security audits (examines security arrangements)
3. cross-entity audits (reviews the same activity in a number of entities or
   the administration of a program by a number of entities)
4. follow-up audits (reviews the implementation of recommendations from
   a previous audit).

Performance engagements
The aim of a performance engagement is to enable the assurance practitioner to
express a conclusion designed to enhance the degree of confidence of the
intended users other than the responsible party by reporting on assertions or
information obtained directly concerning the economy, efficiency or effectiveness
of an activity against identified criteria. There are two types of performance
engagements: (1) performance audit engagements which provide reasonable
assurance; and (2) performance review engagements which provide limited
assurance.

Objective of a Performance Engagement


The auditor, in concluding a performance opinion, uses professional
judgment. The performance of an activity is assessed against the identified
criteria and, as listed on page 78, whether:
- Performance is within the tolerances of materiality
- Performance is outside the tolerances of materiality
- Economy, efficiency or effectiveness:
  - in terms of management systems or an entity's management in
    order to contribute to improvements
  - of the operations of an entity or an activity of an entity
  - of the internal controls applied by an entity in relation to an
    activity
  - in the implementation of government policies or programs and
    the application of government grants
  - in terms of financial prudence in the application of public
    resources
  - of administrative arrangements.
- The validity and reliability of performance measurement systems
  and/or statements published by the responsible party in annual
  reports.
- Compliance with legislation and accompanying instruments and the
  identification of breaches.
- Intended and unintended impacts of the implementation of
  government policies or programs and the extent to which
  community needs and stated objectives of an activity or entity have
  been met.
- Probity processes and identification of weaknesses.


Ethical requirements
Ethical requirements include adherence to independence and application of the
appropriate code of ethics (the professional accounting body's code of ethics).
The assurance practitioner shall comply with the fundamental ethical
principles of integrity, objectivity, professional competence and due care,
confidentiality and professional behavior. Details of all ethical codes can
be found in the respective professional accounting body's ethical
pronouncements.

Quality control
There are many quality control procedures that assurance practitioners need to
implement for a proper quality control system. These are the same as the quality
control elements of an audit.

Initiation or acceptance
There are several factors that assurance practitioners must consider before
accepting an assurance engagement. Pages 78 and 79 outline these factors.

Matters to be agreed upon on the terms of engagement
In accepting an assurance engagement, terms of the engagement must be clearly
communicated and agreed upon. Any changes must be agreed in writing. The
terms and the changes must adhere to the relevant legislation.

Quantitative and Qualitative Factors


The list of quantitative and qualitative factors that assurance practitioners must
consider when assessing materiality and performance engagement risk is found
on page 79. Please refer to this list.

Assurance Report Content


The assurance report of a performance engagement shall contain the elements
listed on page 79. Please refer to this report.

Reporting Findings, Recommendations and Responsible Party Comments
Where reasonable assurance is provided, conclusions of the assurance practitioner
shall be expressed in positive form. In providing limited assurance, a negative
form is used. Where both positive and negative forms are expressed, the
practitioner shall clearly separate the two types of conclusions.
The assurance report may be expanded by the assurance practitioner to include
other information and explanations that are not intended to affect their
conclusions. Examples of other information include:
- Disclosure of materiality levels.
- Findings relating to particular aspects of the performance engagements.
- Recommendations.
- Comments received from the responsible party.

Modifications to the Assurance Report


When auditors are unable to express an unqualified conclusion, a
modified assurance report is issued with either:
(a) a qualified conclusion;
(b) an adverse conclusion; or
(c) a disclaimer of conclusion.

Qualified Conclusions, Adverse Conclusions and Disclaimers of Conclusion
When an auditor is unable to issue an unqualified conclusion because of some
matter that is material in nature, a qualified, adverse or disclaimer conclusion is
issued. An example of this would be where there is disagreement with
management over the application of an accounting standard and the effect of the
matter is or may be material. In this case an unqualified conclusion cannot be
issued. We discuss the types of audit report and the circumstances in which they
are issued in Unit 12 (Chapter 7).
The following reading provides more detailed explanation and examples of the
above matter.
Pause now and prepare to do the reading below

Read Section 2.6 of the Textbook Chapter 2.


SUMMARY
This unit has introduced you to the concept of governance and corporate
governance and the role that internal auditors, external auditors and audit
committees play within the governance framework. We also discussed auditing
within the public sector and the role of the auditor general and how this is linked
to accountability of public resources.

Activities
Turning now to your text book, look at the activities below and note your answers
down in your notebook.
These activities will be discussed in the tutorial sessions.

Activity 2.1
From Page 85, work on Review Question 2.11.

Activity 2.2
Again on Page 85, work on Review Question 2.12.

Activity 2.3
Work on Review Question 2.15 on Page 85.

Activity 2.4
Attempt the Professional Application Question 2.33 on Page 86.

Activity 2.5
Lastly attempt Review Question 2.20 found on Page 85.
