Various auditing standards now require the outside auditor to evaluate the effectiveness of governance oversight and related performance. Historically, audit programs have been considered confidential. They are proprietary in nature, and, arguably, disclosing areas of inquiry could better allow the audited entity to avoid or hide the detection of financial misstatement and fraud.
But, what is, or what should be the intent of the old and new auditing standards that require auditor inquiry and evaluation regarding governance related matters? It seems to me that the intent is different from the historical intent of audit programs. With respect to governance, does the auditor have a concern that the audit committee, or the board, or even the CFO will become aware of the areas of inquiry and evaluation, and that as a result, any of those people will be able to circumvent the governance related auditing process? Instead, for example, if an audit committee knew what governance areas will be evaluated, and what questions would be asked, wouldn’t the audit committee work to ensure that those areas of governance are in accord with requirements that the auditor will be looking for? And, shouldn’t that be the intent of governance audit and evaluation--to better ensure that prudent or best practices are followed?
Of course, the audit committee, the board, or the CFO could misrepresent the truth of the sufficiency of governance, but they could do so even if they did not have prior knowledge of the areas of inquiry. In any event, regardless of the responses provided, the auditor may still want to independently confirm that the responses are in fact correct.
So, what are some of the possible governance areas in the auditing standards for which disclosure of auditing program inquiry areas and specific inquiries might be beneficial? The following are possible examples:
SAS 114, The Auditor's Communication with Those Charged with Governance, states in part that other planning matters that the auditor may consider discussing with those charged with governance include:
-The views of those charged with governance about the appropriate people in the entity’s governance structure with whom to communicate; the allocation of responsibilities between those charged with governance and management; the entity's objectives and strategies, and the related business risks that may result in material misstatements; matters those charged with governance consider warrant particular attention during the audit, and any areas where they request that additional procedures to be undertaken; significant communications with regulators; and other matters those charged with governance believe are relevant to the audit of the financial statements.
-The attitudes, awareness, and actions of those charged with governance concerning the entity's internal control and its importance, including how those charged with governance oversee the effectiveness of internal control, and the detection or possibility of fraud.
-The actions of those charged with governance in response to developments in financial reporting, laws, accounting standards, corporate governance practices, and other related matters.
-The actions of those charged with governance in response to previous communications with the auditor.
SAS 99, Consideration of Fraud in a Financial Statement, states that the auditor should inquire directly of the audit committee (or at least its chair) regarding the audit committee's views about the risks of fraud and whether the audit committee has knowledge of any fraud or suspected fraud affecting the entity. The auditor also should obtain an understanding of how the audit committee exercises oversight of the entity's assessment of the risks of fraud and the programs and controls the entity has established to mitigate those risks.
SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, provides that during the process of an audit, the outside auditor should obtain an understanding of the five components of internal control sufficient to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing and extent of further audit procedures.
Statement on Auditing Standards 109 describes control environment as setting the tone of the organization, and influencing the control consciousness of its people. The primary responsibility for the prevention and detection of fraud and error rests with those charged with governance and the management of the entity. In evaluating the design of the entity's control environment, the outside auditor is required to consider the entity's processes in the following areas:
-Communication and enforcement of integrity and ethical values;
-Commitment to competence;
-Participation of those charged with governance, including the audit committee and possibly the board of directors;
-Management's philosophy and operating style;
-Assignment of authority and responsibility; and
-Human resource policies and practices.
With respect to evaluation of the participation of those charged with governance, SAS 109 specifically identifies independence from management, the experience and stature of those charged with governance, the extent of their involvement in and scrutiny of activities, the information that those charged with governance are provided, the degree to which difficult questions are raised and pursued with management, the ability of those charged with governance to evaluate the actions of management, interaction with internal and outside auditors, communications between management and those charged with governance, and the ability of those charged with governance to understand the entity's business transactions and evaluate whether financial statements are presented fairly in conformity with generally accepted accounting principles.
SAS 112, Communicating Internal Control Related Matters Identified in an Audit Statement on Auditing Standards 112, provides in part that each of the following is an indicator of a control deficiency that should be regarded as at least a significant deficiency and a strong indicator of a material weakness in internal control:
-Ineffective oversight of the entity's financial reporting and internal control by those charged with governance;
-An ineffective internal audit function or risk assessment function for an entity for which those functions are important to the monitoring or risk assessment component of internal control; and
-An ineffective control environment.
What do you think?
Dave Tate, CPA, Esq.
* * * * *