Thursday, April 12, 2012

Corporate governance and auditing

Corporate governance


The meaning of corporate governance


A company is governed by its directors on behalf of the shareholders. Arguably, the directors also govern on behalf of other ‘stakeholders’ in the company, such as its employees. Corporate governance is the system by which a company is directed and controlled.

In many countries, rules or guidelines on ‘best practice’ in corporate governance have been developed. These are either applied on a voluntary basis or imposed by law.

An important aspect of corporate governance is the relationship between the owners of a company (its equity shareholders) and its governors (the board of directors). The strength of the relationship between owners and governors depends largely on the quality of the communication between them. The most important method of communication is the annual financial statements and accompanying reports (the ‘report and accounts’).

To promote good corporate governance, the financial statements should be reliable. This means that the directors should present reliable and relevant information in the financial statements, and those financial statements should be subject to independent audit to provide assurance to the shareholders.

The responsibility of directors for the management of risks

Another issue in corporate governance is the management of risks. Companies face many different risks, but most risks can be divided into two categories:
  • Business risks or ‘enterprise risks’. These are the risks associated with investing in products and services, and competing in markets.
  • Governance risks. These are the risks that errors (deliberate or accidental) may occur due to weaknesses in existing ‘internal’ controls. For example, there may be excessive risks that financial transactions will be recorded incorrectly in the accounting system, or there may be an unacceptable risk that fraud could occur and remain undetected. There may be risks of failure to comply with regulations or laws. There may also be risks of operational errors in day-to-day operating activities, due to human error, machine breakdowns or poor supervision by management.
It is the responsibility of executive management to put in place a suitable system of internal controls to manage the risks of the company.

In the UK, internal controls are divided into three categories for the purpose of corporate governance:
  • financial controls
  • compliance controls (to ensure compliance with laws and regulations)
  • operational controls.
Examples of financial controls are:
  • controls that safeguard the assets of the company
  • controls that ensure that adequate accounting records are maintained
  • controls over the preparation and delivery of the annual financial statements.
Although it is the responsibility of management to design and implement internal controls, it is the responsibility of the company’s governors (directors) to satisfy themselves that the system of internal control is adequate and that it functions properly.

The main issues in corporate governance

Corporate governance has attracted a large amount of attention in recent years, although measures to promote good corporate governance vary substantially between different countries.

The initial demand for better corporate governance occurred as a result of several ‘corporate scandals’, with major companies either collapsing or coming close to collapse. In the UK, several corporate failures in the 1980s (such as Maxwell Communications Corporation and Polly Peck International) were subsequently blamed on poor governance. In the US, corporate governance legislation was introduced in 2002 following the spectacular collapse of Enron and WorldCom, and other corporate scandals. There have also been major cases in Continental Europe, such as Ahold (the Netherlands) and Parmalat (Italy). Still more recently the collapse of several commercial and investment banks, notably Lehman Brothers in the US in 2008, raised questions about the adequacy of corporate governance, particularly risk management, in banks.

There are several key issues in corporate governance, although their perceived importance varies between different countries:

  1. There should be an effective board of directors. The directors should be independent-minded and should collectively have a wide range of skills, knowledge and experience. The board of directors should not be under the control or influence of an ‘all-powerful’ chairman and/or chief executive officer, who is able to dictate the board’s decisions.
  2. The board of directors should have clearly-defined responsibilities that it must not delegate, and it should carry out these responsibilities properly.
  3. The directors should govern the company in the best interests of its shareholders (and possibly also other stakeholders); they should not run the company in their own self-interest.
  4. The financial statements of the company should be reliable. (In many cases of corporate collapse, the financial statements were proved to have been misleading and unreliable.)
  5. Risks should be controlled, and the directors should provide assurance to the shareholders about the systems of controls and risk management.
  6. The remuneration of directors should be fair. Directors should not fix their own remuneration, and their remuneration package should provide them with incentives to achieve the objectives of the company that are in the best interests of the shareholders. Directors should not be rewarded for failure. 
  7. There should be active, open and constructive dialogue between the company’s directors and its shareholders, in particular its major shareholders.
As far as audit and assurance are concerned, the main relevant aspects of corporate governance are items (4) and (5) above.

 The role of the auditor in corporate governance

 The external auditor

The external auditor is part of the corporate governance system.
  • He provides an independent check on the integrity of the financial information prepared by the directors for the use of shareholders and other stakeholders 
  • He may have a responsibility for forming an opinion on the extent to which the directors have complied with specific corporate governance regulations (accepted voluntarily or imposed on them by law).
In order to fulfil these roles, the external auditor will examine the company’s systems and controls. However, he is not responsible for those systems or controls. Responsibility remains with the directors and executive management.

The external auditor is also required by ISA 260 Communication of audit matters to those charged with governance to provide management periodically with observations arising from the audit that are significant and relevant to management’s responsibility to oversee the financial reporting process. These observations might include:
  • weaknesses in internal control found by the auditor, or
  • accounting policies adopted by the entity which the auditor considers inappropriate.

In addition, all good corporate governance systems have procedures and arrangements designed to maintain the independence of the external auditor. For example:
  • the external auditor may be required to report to an audit committee, as well as to work with the chief executive officer and finance director
  • the nature and extent of non-audit services provided by the audit firm may be kept under review, to make sure that the auditor:
      − has not become excessively dependent on the company and its executive management for fee income, and
      − is not in danger of becoming too familiar with the company’s management and systems of operation
  • suitable procedures may be established for the discussion of contentious issues where the auditors and the finance director/chief executive officer have strong differences of opinion.

The internal auditor

Senior management is responsible for putting in place a system of internal controls that will prevent or detect errors and fraud. An internal audit function may be used by management as a means of monitoring these systems of internal control.

An internal audit function can therefore be used to obtain assurance that the system of internal controls is adequate and that it is functioning properly.

Companies are not required by law to have an internal audit function. However, in the UK, listed companies are required to set up an audit committee which is required each year to:
  • monitor and review the effectiveness of internal audit activities, or
  • where there is no internal audit function, to consider the need for an internal audit function and make a recommendation to the board. (The reasons for not having an internal audit function should also be explained in the annual report and accounts.)
Other companies and entities may also choose to have an internal audit function, because of the assurance it should provide about the adequacy of internal controls.

Systems of corporate governance

A voluntary or statutory approach

Many countries now have minimum corporate governance requirements. Typically, they are imposed only on listed companies, although smaller companies are also encouraged to comply. (Listed companies are companies whose shares are officially ‘listed’ by the financial markets regulator and traded on a major stock market.) In addition, some public sector organisations are also showing an increased emphasis on corporate governance matters.

In many countries, corporate governance guidelines are based on a voluntary code of practice rather than statutory regulation.

This is largely the case in the UK, where the Combined Code on Corporate Governance is applied to listed companies. Although this Code does not have any statutory force, the Listing Rules of the Financial Services Authority Stock Exchange require listed companies to comply with every aspect of the Code or to explain their reasons for any non-compliance. This is known as ‘comply or explain’. There are also some statutory requirements relating to corporate governance in the UK, such as the statutory requirement for an annual audit and a requirement for an annual ‘directors’ remuneration report’ on which the shareholders must be invited to vote.

A statutory approach to the regulation of corporate governance has been taken in the United States, in the form of the Sarbanes-Oxley Act (2002). This was introduced primarily as a result of the corporate failures in 2001 and 2002, including Enron and WorldCom. (One of the requirements of the Sarbanes-Oxley Act is for the chief executive and chief financial officer of each stock market corporation to submit an annual report to the Securities and Exchange Commission about the adequacy of their internal control system. This report must be supported by a formal statement from the external auditors.)

The detailed provisions of corporate governance regulations vary from country to country. The examiner has made it clear that you are not required to have a detailed knowledge of the regulations in any particular country. However, you should be aware of general principles underlying the regulation and application of best practice in corporate governance.

General principles of corporate governance

The five principles set out below were developed by the Organisation for Economic Co-operation and Development (OECD). They are intended to provide a general model of a good corporate governance system.

The OECD Principles state that a corporate governance framework should achieve the following objectives:
  1. Protect shareholders’ rights, such as voting rights and the right to transfer ownership in shares.
  2. Ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for any violation of their rights.
  3. Recognise the rights of stakeholders as established by law and encourage active co-operation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially secure enterprises.
  4. Ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company.
  5. Ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and the shareholders. This includes ensuring:
      − the integrity of the corporation’s accounting and financial reporting systems, including the independent audit
      − that appropriate systems of control are in place, in particular, systems for monitoring risk, financial control, and compliance with the law.

Items (4) and (5) above have the greatest relevance to audit and assurance.

Example of a corporate governance system

Although, as stated above, you are not required to have a detailed knowledge of the regulations in any particular country, it is useful to see how the above principles are reflected in a specific corporate governance system. The main principles of the UK’s Combined Code are therefore set out below by way of an example of a current corporate governance system. The principles have been expanded upon where they are of particular relevance to external auditors.

Directors

  1. Every company should be headed by an effective board, which is collectively responsible for the success of the company
  2. There should be a clear division of responsibilities between the running of the board (the chairman) and the running of the company’s business (the chief executive)
  3. The board should include a balance of executive and non-executive directors. 
  4. There should be a formal procedure for appointing new directors to the board.
  5. The board should be provided with timely information to enable it to discharge its duties.
  6. The board should undertake a formal annual evaluation of its own performance and that of its committees and individual directors.
  7. All directors should be submitted for re-election at regular intervals, subject to continued satisfactory performance.

Remuneration

  1. Levels of remuneration should be sufficient to attract, retain and motivate directors, but should not be more than is necessary.
  2. There should be a formal procedure for fixing directors’ remuneration. No director should be involved in deciding their own remuneration.

Accountability and audit

  1. The board should present a balanced assessment of the company’s position and prospects.
  2. The board should maintain a sound system of internal control to safeguard the company’s assets.
  3. The board should maintain an appropriate relationship with the company’s auditors.

Relations with shareholders

  1. There should be a dialogue with shareholders based on the mutual understanding of objectives.
  2. The board should use the AGM to communicate with investors and encourage their participation.

Example

Mrs Smith is both Chief Executive Officer (CEO) and Chairman of your client. The board of directors consists of five executive and two non-executive directors. Board salaries are set by Mrs Smith based on her assessment of all the board members, including herself, and not their actual performance.

Required

Explain why your client does not meet international codes of corporate governance, why this may cause a problem for the company, and recommend changes.

Answer

Chief Executive Officer (CEO) and Chairman

Why codes are not met: Mrs Smith is both CEO and Chairman of the company. Good principles of corporate governance state that the person responsible for running the company (the CEO) and the person responsible for controlling the board (the chairman) should be different people.

Why a problem: This is to ensure that no one individual has unrestricted powers of decision.

Recommendation: That Mrs Smith is either the CEO or the Chairman and that a second individual is appointed to the other post to ensure that Mrs Smith does not have too much power.

Composition of board

Why codes are not met: The current board ratio of executive to non-executive directors is 5:2.

Why a problem: This means that the executive directors can dominate the board proceedings. Corporate governance codes suggest that there should be a balance of executive and non-executive directors so this cannot happen.

Recommendation: That the number of executive and non-executive directors is equal to help ensure no one group dominates the board. This will mean appointing more non-executive directors.

Board remuneration

Why codes are not met: Board remuneration is set by Mrs Smith.

Why a problem: This process breaches principles of good governance because the remuneration structure is not transparent and Mrs Smith sets her own pay. Mrs Smith could easily be setting remuneration levels based on her own judgements without any objective criteria. Remuneration should also be linked to performance, to encourage a high standard of work.

Recommendation: That a remuneration committee is established comprising three non-executive directors. This committee would set remuneration levels for the board, taking into account current salary levels and the performance of board members.

The use of audit committees


An audit committee is a sub-committee of the board of directors. The role of the audit committee is to carry out some delegated functions in connection with the external audit and internal audit, and to report and make recommendations to the main board of directors.

The requirement for an audit committee varies between countries. In the European Union, all listed companies are required to establish an audit committee.

In the UK’s Combined Code, these arrangements are fulfilled by establishing an audit committee consisting entirely of independent non-executive directors. The audit committee provides a counter-balance to the working relationship between the external auditors and the executive management of the company.

By having a requirement for the external auditor to have certain dealings with the audit committee, it should be possible to:
  • reduce the dependence of the auditors on the executive management (in particular the chief executive officer and finance director) 
  • monitor the independence of the auditors
  • provide assurance to the board that the auditors are performing their tasks to a suitable standard.

Functions of an audit committee


The functions of an audit committee may include the following tasks and responsibilities:
  • To monitor the integrity of the financial statements, and to review any significant financial reporting judgements that have been used in the preparation of the statements.
  • To review the adequacy of the company’s internal financial controls, and possibly also its other internal controls (compliance controls and operational controls).
  • To monitor the effectiveness of the internal audit function in the company. 
  • To make recommendations to the board about the appointment, re-appointment or removal of the external auditors, for submission to a vote by the shareholders. 
  • To approve the remuneration and terms of engagement of the external auditors. 
  • To monitor the independence and objectivity of the external auditors and the effectiveness of the audit process.
  • To review and implement a policy on the employment of the external auditors to provide non-audit services to the company, so that the policy maintains the objectivity and independence of the auditors in their audit work.

The audit committee does not remove the need for the executive management to work directly with the external auditors. However, it provides an important extra channel of communication with the external auditors, to ensure that they fulfil their responsibilities properly.

Benefits and disadvantages of an audit committee 

The existence of an audit committee should:
  • increase user confidence in the credibility of financial information published by the company
  • assist directors in meeting their responsibilities
  • strengthen the independence of the external auditors by providing a point of liaison for them
  • lead to better communication between the external auditors and the board of directors.
However, there are disadvantages, such as:
  • the additional cost (and time) involved in having an audit committee
  • the creation of a ‘two-tier’ board of directors: those directors closely involved in the preparation of the financial statements and the annual audit, and those who are not involved
  • fear amongst executive directors that the aim of the audit committee is to ‘catch them out’
  • placing an excessive burden on those non-executive directors who are members of the audit committee.


The meaning of Audit and Assurance


The meaning of audit


Definition and objective of audit

An audit is an official examination of the accounts (or accounting systems) of an entity (by an auditor).
 
When an auditor examines the accounts of an entity, what is he looking for?
 
The main objective of an audit is to enable an auditor to convey an opinion as to whether or not the financial statements of an entity are prepared according to an applicable financial framework.
The applicable financial reporting framework is decided by:
  • legislation within each individual country, and
  • accounting standards (for example, International Accounting Standards/ International Financial Reporting Standards).
The auditor seeks to express an opinion as the result of the audit work that he does. The type of work carried out by an auditor in order to reach his opinion is described in later chapters.

Concepts of accountability, stewardship and agency

An audit of a company’s accounts is needed because in companies, the owners of the business are often not the same persons as the individuals who manage and control that business.
  • The shareholders own the company.
  • The company is managed and controlled by its directors.
The directors have a stewardship role. They look after the assets of the company and manage them on behalf of the shareholders. In small companies the shareholders may be the same people as the directors. However, in most large companies, the two groups are different.
The relationship between the shareholders of a company and the board of directors is also an application of the general legal principle of agency. The concept of agency applies whenever one person or group of individuals acts as an agent on behalf of someone else (the principal). The agent has a legal duty to act in the best interests of the principal, and should be accountable to the principal for everything that he does as agent.

As agents for the shareholders, the board of directors should be accountable to the shareholders. In order for the directors to show their accountability to the shareholders, it is a general principle of company law that the directors are required to prepare annual financial statements, which are presented to the shareholders for their approval.

The audit report: independence, materiality and true and fair

Audit has a very long history. The concept of an audit goes back to the times of the Egyptian and Roman empires. In medieval times, independent auditors were employed by the feudal barons to ensure that the returns from their stewards and their tenants were accurate.

Over time, the annual audit was developed as a way of adding credibility to the financial statements produced by management. The statutory audit is now a key feature of company law throughout the world.

An auditor reports to the shareholders on the financial statements produced by a company’s management.

The key features of the audit report are as follows:
  • The auditors producing the report are independent from the directors producing the financial statements
  • The report gives an opinion on whether the financial statements “give a true and fair view”, or “present fairly” the position and results of the entity.
  • The report considers whether the financial statements give a true and fair view in all material respects. The concept of materiality is applied in reaching an audit opinion.

Independence of the auditor

The external auditor must be independent from the directors; otherwise his report will have little value. If he is not independent, his opinion is likely to be influenced by the directors.

In contrast to external auditors, internal auditors may not be fully independent from the directors, although they may be able to achieve a sufficient degree of independence. The work and status of internal auditors is covered in a later chapter.

The concept of independence of the auditor is considered in more detail in a later chapter.

True and fair view (fair presentation)

The auditor reports on whether (or not) the financial statements give a true and fair view, or present fairly, the position of the entity as at the end of the financial period and the performance of the entity during the period. The auditor does not certify or guarantee that the financial statements are correct.

Although the phrase ‘true and fair view’ has no legal definition, the term ‘true’ implies free from error, and ‘fair’ implies that there is no undue bias in the financial statements or the way in which they have been presented.

In preparing the financial statements, a large amount of judgement is exercised by the directors. Similarly, judgement is exercised by the auditor in reaching his opinion. The phrases ‘true and fair view’ and ‘present fairly’ indicate that a judgement is being given that the financial statements can be relied upon and have been properly prepared in accordance with an appropriate financial reporting framework.

Materiality concept

The auditor reports in accordance with the concept of materiality. He gives an opinion on whether the financial statements present fairly in all material respects the financial position and performance of the entity.

Information is material if, on the basis of the financial statements, it could influence the economic decisions of users should it be omitted or misstated.

For example, the shareholders of a company with assets of $1 million will not be interested if petty cash was miscounted with the result that the amount of petty cash is overstated by $10. This is immaterial. However, they will be interested if there are receivables in the statement of financial position of $200,000 which are not in fact recoverable and which should therefore have been written off as a bad debt.

Applying the concept of materiality means that the auditor will not aim to examine every number in the financial statements. He will concentrate his efforts on the more significant items in the financial statements, either:
  • because of their (high) value, or
  • because there is a greater risk that they could be stated incorrectly.

The statutory requirement for audit

Most countries impose a statutory requirement for an annual (external) audit to be carried out on the financial statements of most companies.

However, in many countries, smaller companies are exempt from this requirement for an audit. Other entities, such as sole traders, partnerships, clubs and societies are usually not subject to a statutory audit requirement. Small companies and these other entities may decide to have a voluntary audit, even though this is not required by law.

The meaning of assurance

Definition of assurance

‘Assurance’ means confidence. In an assurance engagement, an ‘assurance firm’ is engaged by one party to give an opinion on a piece of information that has been prepared by another party. The opinion is an expression of assurance about the information that has been reviewed. It gives assurance to the party that hired the assurance firm that the information can be relied on.

Assurance can be provided by:
  • audit: this may be external audit, internal audit or a combination of the two
  • review.
A statutory audit is one form of assurance. Without assurance from the auditors, the shareholders may not accept that the information provided by the financial statements is sufficiently accurate and reliable. The statutory audit provides assurance as to the quality of the information.

The provision of this assurance should add credibility to the information in the financial statements, making the information more reliable and therefore more useful to the user.

However, there are differing levels or degrees of assurance. Some assurances are more reliable than others.

Levels of assurance

The degree of assurance that can be provided about the reliability of the financial statements of a company will depend on:
  • the amount of work performed in carrying out the assurance process, and
  • the results of that work.

Assurance provided by audit

An audit provides a high, but not absolute, level of assurance that the audited information is free from any material misstatement. This is often referred to as reasonable assurance.
The assurance of an audit may be provided by external auditors or internal auditors. 
  • An external audit is performed by an appropriately qualified auditor, appointed by the shareholders and independent of the company.
  • Internal audit is a function or department set up within an entity to provide an appraisal or monitoring process, as a service to other functions or to senior management within the entity. Typically, internal auditors are employees of the entity. However, it is also common for entities to ‘outsource’ their internal audit function, and internal audit work is sometimes carried out by firms of external auditors.

Many of the practical auditing procedures that will be described in later chapters are the same for both internal and external audit work.

Assurance provided by review

A review is a ‘voluntary’ investigation. In contrast to the ‘reasonable’ level of assurance provided by an audit, a review into an aspect of the financial statements would provide only a moderate level of assurance that the information under review is free of material misstatement. The resulting opinion is usually (although not always) expressed in the form of negative assurance.

Negative assurance is an opinion that nothing is obviously wrong: in other words, ‘nothing has come to our attention to suggest that the information is misstated’.

A review does not provide the same amount of assurance as an audit. An external audit provides positive assurance that, in the opinion of the auditors, the financial statements do present fairly the financial position and performance of the company.

The higher level of assurance provided by an audit will enhance the credibility provided by the assurance process, but the audit work is likely to be:
  • more time-consuming than a review, and so
  • more costly than a review.
Negative assurance is necessary in situations where the accountant/auditor cannot obtain sufficient evidence to provide positive assurance. For example, the management of a client entity may ask the audit firm to carry out a review of a cash flow forecast. A forecast relates to the future and is based on many assumptions, and an auditor therefore cannot provide positive assurance that the forecast is accurate. However, he may be able to provide negative assurance that there is nothing he is aware of to suggest that the forecast contains material errors.