ACCA P1 Governance, Risk and Ethics - 2011 - Study text - Emile Woolf Publishing
Подождите немного. Документ загружается.
Paper P1: Governance, risk and ethics
194 © Emile Woolf Publishing Limited
In commenting on a similar problem, the Smith Report concluded that lots depends
on the audit committee members’ personal qualities. They need to be strong, well-
informed and independent of mind. However, we should be reasonable in our
expectations. The job is very hard and some committees will find it difficult to meet
the highest standards.
2.3 The audit committee and the external auditors
The audit committee should be responsible for monitoring the company’s relations
with its external auditors, including their appointment and remuneration. The
operational relationship between a company and its external auditors is the
responsibility of management, but the audit committee needs to ensure that:
the auditors remain independent, so that they can provide independent views to
the company, and also
the auditors do their job properly.
Appointment of external auditors
The Smith Report stated that the audit committee should have the main
responsibility for making a recommendation to appoint, re-appoint or remove the
external auditors.
The recommendation should be made to the board of directors.
If the board does not agree with the recommendation of the audit committee, the
committee should make a statement in the directors’ report to shareholders,
explaining its recommendations and why the board as a whole has disagreed.
In many countries, the board makes a recommendation about the appointment
or re-appointment of the auditors to the shareholders. The final decision is taken
by the shareholders, although they almost always agree with the
recommendation of the board.
The Smith Report also recommended that each year the audit committee should
assess the qualifications, expertise resources and independence of the external
auditors, to satisfy itself that these remain adequate.
Terms of appointment and remuneration
When the external auditors are appointed or re-appointed each year, the company’s
management and the auditors discuss the terms of engagement for the auditors for
the next annual audit cycle.
The Smith Report recommended that the audit committee should review and agree
these terms of engagement at the start of each audit. The scope of the audit should
be discussed by the committee with the auditor, and if the committee is not satisfied
that the audit work is adequate, it should ask for additional work to be undertaken.
The audit fee is negotiated between management and the auditors. The audit
committee should satisfy itself that this fee is appropriate, and that an effective
audit can be performed for such a fee.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 195
2.4 Monitoring the independence of the external auditors
It is essential that the external auditors should be independent of the company and
its management. They provide a report to the shareholders of the company, and the
shareholders rely on the professional independence of the auditors, to confirm that
the financial statements present a true and fair view. (Otherwise the auditors can be
relied on to give a qualified audit report.) Confidence in the financial reporting
system depends on shareholder or investor confidence in the independence of the
audit opinion in the auditor’s report.
Threats to auditor independence
There are several ways in which the independence of an auditor’s opinion may be
threatened.
Familiarity threat. An auditor who carries out the audit for the same company
for many years may become very familiar with the company and its
management, and may even become friendly with some senior managers or
directors. When the auditor becomes familiar with the company’s management,
he may be less inclined to doubt what they are telling him. After several years of
providing ‘clean’ audit reports, he may think that there will never be any reason
to write a qualified audit report, because nothing materially ‘wrong’ will ever
happen with the client’s accounts. When this happens, his judgement will no
longer be independent and so cannot be trusted.
Self-interest threat. An audit firm may avoid asking ‘awkward questions’ and
challenging the company’s management when they think that by annoying the
client, they will lose audit work (and non-audit work) in the future. The auditor
may therefore decide to accept what management tells him, and avoid asking
too many questions, in order to obtain more work from the client.
Intimidation threat. The management of a client company may threaten to move
the audit (and non-audit work) to another firm of accountants, unless the
auditors are less challenging with their questions and get on with completing the
audit as quickly as possible.
Self-review threat. A firm of auditors may be engaged to check the work that
has been done by other employees of the audit firm. This would happen, for
example, if an audit firm is engaged to provide its staff to do book-keeping and
accounts work for the client, or to act in a managerial capacity in the client’s
accounts department. If this happens, the auditors would have to review the
work done by the firm itself, when it comes to doing the annual audit. The
auditors may believe that the accounts work does not need to be investigated in
depth, since it has been done by the firm’s own staff. This would seriously
undermine the independence of the auditors (and is the reason why professional
accountancy bodies do not permit members or member firms to carry out certain
types of non-audit work for clients).
Advocacy threat. A threat to an auditor’s independence would also occur if the
audit firm is engaged to defend the company’s position in a legal dispute. The
auditor should provide a fair and independent opinion. If he is engaged to take
the side of the client in a dispute, he could not possibly be independent.
The audit committee is responsible for monitoring the independence of the external
auditors, and ensuring that the external auditors are independent of the company
Paper P1: Governance, risk and ethics
196 © Emile Woolf Publishing Limited
and its management. If evidence of a loss of independence has occurred, or is
suspected, the audit committee may recommend a change of auditor.
An assessment of the auditors’ independence should take into consideration the
non-audit work performed for the company by the audit firm, as well as the audit
work. The annual assessment by the audit committee should take into consideration
any ethical standards or guidelines issued by the professional accounting
body/bodies.
Assessing auditor independence
The independence of the external auditors should be assessed in several ways.
When auditors are appointed for the first time, the audit committee should ask
for a statement from the audit firm that the auditors and their staff have no
family, financial, employment, investment or business relationship with the
company, other than in the normal course of business.
Each year the audit committee should obtain information from the audit firm
about the policies and processes that it uses for ensuring the continued
independence of the auditors. This should include information about any
requirements or regulations relating to the rotation of audit partners and staff.
(For example, if it is accepted practice that a senior audit partner should not be
responsible for the audit of a client company for more than five years, the audit
firm should state that it is complying with this requirement; it might also
indicate how it intends to provide for the ‘succession’ of a new audit partner for
the company at the appropriate time in the future.)
The audit committee should agree with the board the company’s policy on the
appointment to its full-time staff of individuals who were previously a part of
the audit team and are now moving directly from the audit firm to the company.
Recruiting former auditors could affect the relationship of the company with the
audit firm, and damage the independence of the auditors. This policy on
recruitment should take account of ethical guidelines to auditors from the
accountancy bodies.
The audit committee should check periodically that the policy on the
recruitment of former auditors is complied with by the company.
The audit committee should check that the audit firm complies with ethical
guidelines issued by the accountancy bodies and regulatory issues, such as:
- the rotation of audit partners
- the amount of fee income that the audit firm receives from the company, in
relation to the overall fee income of (1) the audit firm or (2) a regional office
of the audit firm, or (3) an individual audit partner.
The risk that the external auditors might lose their independence from a company is
sometimes called the hazards of auditor capture.
Example
Audit firm Arthur Andersen, one of the five largest audit firms in the world,
collapsed in 2002 due to a big loss of audit clients. The loss of clients happened as a
consequence of the collapse of energy company Enron, an audit client of Arthur
Andersen.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 197
A reason given to explain the failure of the audit firm to identify financial
irregularities in Enron was the lack of independence of the audit firm, and in
particular its office in Houston, Texas (where Enron had its headquarters).
The Houston office had grown too dependent on Enron as a source of fee income,
and had lost its willingness to ask searching questions to Enron’s management.
Example
The annual audit of GFH plc, a UK public limited company, has been conducted by
the same firm of auditors for ten years. The company has recently appointed a
member of the audit team to be its new head of internal control. During the year, the
chief accountant of GFH plc married a senior partner in the audit firm.
In its annual assessment of the independence of the audit firm, how should the
audit committee respond to these developments?
Answer
The audit committee should have agreed a policy with the board of directors about
the appointment of audit team members to management positions in the company.
The policy may set limits on the number of former auditors who should be
employed, and the status in the management hierarchy to which they should be
appointed. The audit committee should check the company’s policy to find out
whether the appointment of the new head of internal audit breaches the policy rules.
The chief accountant holds a senior position within the accounting department at
GFH and the marriage of the chief accountant to a senior partner in the audit firm
could have a serious effect on the independence of the audit firm. The audit team
might be unwilling (or less inclined) to question statements made to them during
the audit by the chief accountant.
The audit committee should consider whether this development means that it
would be appropriate for the company to consider a change of audit firm.
Auditor independence and non-audit work
The independence of the external auditors might be affected by non-audit work that
the firm performs for the company. There are two main reasons why independence
might be affected.
The total fee income for the audit firm from the company, from audit work and
non-audit work, might be a large proportion of the firm’s total annual income.
When this situation occurs, the audit firm might be reluctant to annoy the
company’s management, because it does not want to lose any work – and
income – from the company.
The audit team might be required to audit the (non-audit) work done by other
employees of the firm. The audit team might be reluctant to question or criticise
Paper P1: Governance, risk and ethics
198 © Emile Woolf Publishing Limited
their colleagues, because this might damage the reputation of the audit firm in
the opinion of the company’s management.
The Smith Report recommended that the audit committee should be responsible for
developing and recommending to the board the company’s policy on giving non-
audit work to its external audit firm. The chosen policy should ensure that by giving
non-audit work to the auditor, the auditor’s independence will not be affected.
A part of this policy should specify three categories of non-audit work, and allocate
each type of non-audit work to one of these categories:
Non-audit work that should not be given to the audit firm. The general principle
should be that the audit firm should not be given any non-audit work where:
- employees of the audit firm have to make management decisions for the
company, or
- employees of the audit firm have to act as advocates for the company, or
- the audit team will have to audit the work done by other employees of the
audit firm (for example, book-keeping services).
Non-audit work that can be given to the audit firm without the need to refer the
matter to the audit committee.
Non-audit work where a case-by-case decision is necessary, and the matter
should be referred to the audit committee for a decision.
The UK Combined Code states that it is a responsibility of the board to ensure
auditor independence and ‘the annual report should explain to shareholders how, if
the auditor provides non-audit services, auditor objectivity and independence is
safeguarded.’
2.4 The audit committee and the external audit process
The audit committee should review the audit plans and audit work of the external
auditor, to make sure that these are satisfactory.
Audit plan
At the start of the annual audit cycle, the audit committee should ensure that an
appropriate audit plan has been prepared. It should also check whether the
resources that the audit firm proposes to use for the audit are sufficient, and that the
audit team will have the required seniority, experience and expertise.
Review of the findings of the auditors
At the end of the audit, the audit committee should carry out a review. As a part of
this review, the audit committee should:
discuss with the auditors any major issues that arose during the audit. These
may be issues that have been resolved with management, or issues that still
remain unresolved
review the key accounting judgements and audit judgements that have been
made
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 199
review the level of errors identified by the auditors, and should obtain from
management an explanation of why any of these errors remain unadjusted
review the response of management to the recommendations made by the
auditors (in the auditors’ management letter).
Assess the effectiveness of the audit
Each year, the audit committee should assess the effectiveness of the audit, and
assess whether the auditors did their work to a satisfactory standard. The committee
should:
review whether the auditor met the requirements of the agreed audit plan (and
if there were any changes in the plan, the reasons for the changes)
consider how ‘robust’ the auditors were in discussing accounting and audit
issues with management, and how perceptive the auditors appear to have been
in making their judgements
obtain feedback about the conduct of the audit from key people inside the
company, such as the finance director and the head of internal audit
review the contents of the auditors’ management letter (to management), in
order to:
- assess whether the recommendations in the letter are based on a good
understanding of the company and its business, and
- establish whether management has acted upon the recommendations of the
auditors, and if not the reasons why management has taken no action.
Paper P1: Governance, risk and ethics
200 © Emile Woolf Publishing Limited
Evaluating the effectiveness of internal control
Requirement for annual review of internal control
Responsibilities for the review of internal control effectiveness
The review process
3 Evaluating the effectiveness of internal control
3.1 Requirement for annual review of internal control
The board of directors is responsible for the effectiveness of the system of internal
control and risk management, and there should be regular reviews of internal
control and risk management.
The UK Combined Code states that the board of directors, at least once each
year, should conduct a review of the effectiveness of the company’s system of
internal controls.
The Singapore Code of Corporate Governance states that the audit committee
should ensure that a review of the effectiveness of the company’s internal
controls should be conducted at least annually. It adds that the review can be
conducted by either internal accountants or public accountants.
The requirements of the Sarbanes-Oxley Act in the US, which are stricter, have
been described earlier.
When the requirement for a review of the effectiveness of internal control was
introduced by the UK Combined Code in 1998, there was uncertainty about what
this meant in practice. How should a review of the effectiveness of internal control
be conducted?
3.2 Responsibilities for the review of internal control effectiveness
The responsibility for the annual review of the effectiveness of the internal control
system should be clearly identified.
In Singapore, the audit committee has the responsibility, although the audit
committee reports to the board of directors.
In the US, management have the responsibility. Management includes the chief
executive officer and chief finance officer.
In the UK, the Turnbull Report (or Turnbull Guidelines, as they are also called)
states that:
- The board of directors has the responsibility for reviewing the effectiveness
of internal control.
- Management is responsible for monitoring the system of internal control and
reporting to the board on this work.
- The board should decide whether its own review process should be carried
out by the board as a whole, or by a committee of the board (the audit
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 201
committee, or a risk committee). If the review process is delegated to a
committee, the committee must report to the board on its review.
3.3 The review process
The Turnbull Report (Turnbull Guidance) provides useful guidance to directors
about the process for reviewing effectiveness. The nature of the board’s review will
depend on the nature of the company, such as its size and the nature and
complexity of its operations.
There should be a monitoring process within the system of internal control. For
example, the company might have an internal audit department which regularly
monitors internal controls and risk management processes. However, the board
cannot rely entirely on ‘embedded monitoring processes’.
The board should receive and review regular reports from management on
internal control.
In addition, for the purpose of reporting to the shareholders on internal control
in the annual report, the board should assess each year whether it has
considered all significant aspects of internal control.
The board should specify the process that it will use to conduct its review of the
effectiveness of internal control. This process should cover:
the frequency and content of the reports it should receive from management on
internal control, and
the method it will use to make its annual assessment of the effectiveness of
internal control.
The board must be able to justify any statements on internal control and risk
management that it makes to the shareholders. The review process should therefore
ensure that the board is provided with documentary evidence to support the
statements on internal control that it makes.
Management reports to the board on internal control
Reports from management to the board on internal control should ‘provide a
balanced assessment of the significant risks and the effectiveness of the system of
internal control in managing those risks’ (Turnbull Guidance). The reports should:
discuss any significant weaknesses or failings in internal control that
management have identified
the effect that these have had, and
the actions taken by management to deal with the problem.
There must be open and honest communication between management and the
board on these matters, so that the board is given reliable information. A culture of
‘blame’ for weaknesses in controls should be avoided. If managers are criticised for
weaknesses they report, they will probably choose not to report weaknesses and
leave the board members in ignorance about what is actually happening.
Paper P1: Governance, risk and ethics
202 © Emile Woolf Publishing Limited
The board should use the management reports on internal control to make an
assessment of the effectiveness of the internal control system and risk management
system. It should:
consider the significant risks that are reported to them, and assess how they
have been identified, evaluated and managed
assess the effectiveness of the related internal controls for managing the
significant risks, particularly when significant weaknesses in internal control are
reported
consider whether management have taken the appropriate measures to deal
with the weaknesses in internal control that they have reported
consider whether there is a need for more extensive monitoring of the system of
internal control (for example, consider whether the internal audit department
should be increased in size).
Annual assessment of the effectiveness of internal control
In addition to conducting reviews on the basis of management reports, the board
should make an assessment each year, for the purpose of making its annual report
to shareholders on internal control.
This annual assessment should be based on the management reports it has reviewed
during the year together with any other relevant information it considers necessary
for the assessment. The Turnbull Guidance suggests that the annual assessment
should consider:
changes since the board’s previous annual assessment in the nature and size of
the significant risks faced by the company
the company’s ability to respond to changes in its business and in its external
environment
the scope and quality of the system of monitoring risks by management and of
the internal control system: this should include where appropriate an
assessment of the scope and quality of the work of the internal auditors
the scope and frequency of reports by management to the board on internal
control and risk management, and the extent to which the board is able to use its
reviews of these reports to cumulatively assess the state of control and
effectiveness of risk management in the company.
the significant weaknesses in control that have been identified and the failings in
control that have occurred at any time during the year, and their impact on the
financial performance and financial position of the company.
Whenever the board becomes aware of a significant weakness or failing in internal
control, it should:
find out the reason why the weakness or failure occurred, and
re-assess the effectiveness of the processes used by management for designing,
operating and monitoring the system of internal control.
Chapter 9: Internal control, audit and compliance
© Emile Woolf Publishing Limited 203
The annual assessment by the board should consider all aspects of the internal
control and risk management system. This should include an assessment of the
control environment, risk identification and assessment, internal controls,
information and communication and monitoring systems. The table below indicates
the issues that the board might consider.
Control environment
1 Is there an appropriate control environment? Do codes of conduct, human resource policies
and performance reward systems support the company’s risk management system and
internal control system?
2 Is there a clear definition of management responsibilities and accountability for control and
risk management?
3 Does the company communicate to its employees their responsibilities for risk management
and control?
4 Do the managers and other employees (and providers of outsourced services) have the
knowledge, skills and resources to support the achievement of the company’s objectives and
to manage risks effectively?
Risk assessment
1 Does the company have clear objectives about risk? Have these objectives been
communicated clearly to employees?
2 Are significant operational, financial, compliance and other risks (both internal and external to
the company) identified and assessed? Are there established processes for risk assessment
and evaluation?
3 Do management understand clearly what level of risks is acceptable to the board?
Control activities
1 How are processes and controls adjusted when new risks occur or when risks change in
significance?
2 How are processes and controls adjusted when weaknesses or failings in processes and
controls are discovered?
Information and communication
1. Does management receive timely, relevant and reliable reports on performance in relation to
business objectives and the related risks? These reports might include performance reports
and qualitative information on issues such as customer satisfaction and employee attitudes.
2 Does the board receive timely, relevant and reliable reports on the same issues from
management?
3 Are information needs and related information systems re-assessed as objectives and related
risks change, or as deficiencies in reporting are identified?
4 Are there established channels of communication for employees (as whistle blowers) to
report suspected breaches in the law or regulations, or other improper activities?
Monitoring
1 Are there processes, embedded in the company’s operating systems, for monitoring the
effective application of processes, policies and activities relating to internal control and risk
management?
2 Do these processes monitor the company’s ability to re-assess risks and adjust controls in
response to changes in the company’s objectives, its business and its external environment?
3 Are there effective processes and procedures for making changes to controls when
weaknesses or failings in the control system are identified?