Bcu msc cg week 8 audit 290712

ASPECTS OF CONTROL : AUDIT

MSC ACCOUNTANCY & FINANCE :CORPORATE GOVERNANCE

& OPERATIONS RISK ANALYSIS AND CONTROL

Stephen Ong BSc(Hons) Econs (LSE),

MBA International Business(Bradford)

Visiting Fellow, Birmingham City UniversityVisiting Professor, Shenzhen University

• Discussion : Leadership & control system design

1

• Gatekeepers, Internal Audit, Audit Committee & External Auditors

2

• Case Presentation: Premier Oil3

Today’s Overview

Casestudy 3 : Premier Oil1. Read and prepare the Casestudy on

Premier Oil (Monks & Minow (2011)) for discussion next class. Identify the corporate governance issues faced.

2. You are required to:

– Analyse the scenario’s in the case study and plot the resulting risk analysis on an appropriate risk map.

– Map out the stakeholder power/interest issues, and propose the appropriate corporate actions.

Risk Map Action

High

Medium

Low

Low Medium High

SIGNIFICANCE

PROBABILITY

Requires close monitoring

Manage and monitor Significant focus and action

Accept but monitorManagement effort

worthwhile Manage and monitor

Accept risksAccept but

periodically reviewAccept but monitor

Stakeholder mapping: the power/interest matrix

Figure 4.4 Stakeholder mapping: the power/interest matrixSource: Adapted from A. Mendelow, Proceedings of the Second International Conference on Information Systems, Cambridge, MA, 1986

1. Open Discussion

• Abernethya, Margaret A. , Bouwensb, Jan and Laurence van Lent (2010) Leadership and control system design, Management Accounting Research No.21: pp. 2–16

2. CORPORATE GOVERNANCE GATEKEEPERS

&MANAGEMENT CONTROL

SYSTEMS :THE ROLE OF INTERNAL AUDIT

The Role of Gatekeepers in Corporate Governance

• While regulators are gradually reinforcing the importance of gatekeepers such as auditors and credit rating agencies to ensure that companies are well governed, the Enron scandal and the recent bank failures suggest that gatekeepers often lack the necessary degree of independence, judgment, competence and power to prevent corporate fraud and failure.

• We assess the role of gatekeepers in corporate governance. Such gatekeepers include among others stock-market listing authorities, auditors, credit-rating agencies and bank regulators.

• We also review the role of corporate governance in regulated industries, including the financial sector.

Learning Outcomes• By the end of this lecture, you should be able to:

1. Evaluate the role of gatekeepers in ensuring that companies are run in the interest of their shareholders and other stakeholders

2. Critically assess the independence of gatekeepers – such as auditors and credit-rating agencies – vis-à-vis their client firms

3. Gauge the effectiveness of gatekeepers in preventing corporate fraud

4. Evaluate the danger of capture of gatekeepers by the economic actors they are supposed to supervise

5. Judge the existing empirical evidence as to whether regulation acts a substitute or a complement for corporate governance.

Introduction

• Gatekeepers play an important role in corporate governance as they provide monitoring and certification services.

• However, the various tend to suffer from a lack of incentives or conflicts of interests.

• Hence, it is unlikely that investors will be able to rely on a single type of gatekeeper.

• This lecture will also look at industry regulation and whether it acts as substitute or complement for corporate governance.

The Role and Duties of Gatekeepers• John Coffee defines the role of gatekeepers

as “assess[ing] and vouch[ing] for the corporate client’s own statements about itself or a specific transaction”.

• Gatekeepers may be particularly important in corporate governance systems where there is a lack of shareholder monitoring.

• They may also play a role in corporate governance systems with large shareholders as there may be a need to monitor related-party transactions.

The Role and Duties of Gatekeepers (Continued)

• Gatekeepers include

–auditors,– investment banks,– lawyers,– financial analysts,– credit rating agencies,– corporate governance rating agencies,– commercial banks and other creditors,– insurers of directors’ and officers’ liability (D&O insurers)– stock markets, and – securities exchange regulators.

• Reinier Kraakman argues that gatekeepers should only be made liable if the primary sources of liability prove to be insufficient.

• Third-party liability is justified if the gatekeeper is connected in such a way with the firm that this connection creates some responsibility in case the firm fails.

• However, gatekeeper liability also raises three issues.


1. It may be very difficult for the gatekeeper to discharge the legal duties.

2. The gatekeeper may have insufficient incentives to fulfil its legal duties and may even be tempted to collude with the firm.

3. Enforcement of gatekeeper liability may be difficult as it depends

– not only on the type of gatekeeper and nature of its legal duties, but

– also on the degree of culpability.


• Hence, gatekeeper liability may be complex and difficult to enforce.

• The question arises as to whether there is a need to regulate gatekeepers given that they put their reputational capital at stake when dealing with clients.

• The spectacular failures of Enron and Worldcom in the USA have renewed in gatekeeper liability and in

particular auditor liability.

The Role and Duties of Gatekeepers …

• The risk of losing the gatekeepers’ losing their reputational capital has done little to prevent corporate failures and conflicts of interests.

• One of the main features of the Enron case was that its auditor, Arthur Andersen, ignored irregularities in the firm’s accounting practices to avoid the loss of lucrative consulting income.


• John Coffee blames the failure of Enron on– the commodification of

auditing services,– the auditor’s capture by its

client, and– the lack of competition

among auditors.

• Capture refers to the influence the client may have over its gatekeeper and may push the latter to serve the interests of the client rather than preventing malpractice.


• The lack of competition may reduce the risk of reputational damage caused by client failure, calling for regulation.

• Another type of gatekeeper that failed to police Enron were financial analysts that kept on issuing buy recommendations, fuelling stock price increases.

• Other countries such as the Netherlands and Italy have had their own Enron-style corporate failures.


€1.1 Billion FRAUD

• The Parmalat debacle in Italy can be blamed on its auditor and financial analysts, but also its creditors.

• The recent subprime mortgage crisis can be blamed on the failure of another gatekeeper, i.e. credit rating agencies.

• Regulators have responded by reinforcing the role and duties of gatekeepers.


€14.3 Billion FRAUD

The Ideal Attributes of a Gatekeeper• A gatekeeper should have the following seven

attributes1. It should be independent of the firms it is to

supervise2. It should have access to the information required

to carry out its duties3. It should not be subject to major conflicts of

interests4. It should have the necessary skills, in particular

the necessary judgment and competence, to perform its duties

5. It should also have the right incentives.

The Ideal Attributes of a Gatekeeper (Continued)

6. It should have enough power to force its supervisees to disclose any information it requires to fulfil its duties and to force them to put a stop to malpractice and wrong-doing. It should also have the power and authority to penalise supervisees that fail to meet its requests.

7. It should provide meaningful and reliable third-party certification to investors and other users.

Types of Gatekeepers and Limitationsto their Role

• Recent corporate governance reforms have put a lot of emphasis on auditors as gatekeepers.

• However, the efficiency of auditors may be severely limited for at least two reasons1. Auditors rely on the information they are

provided with by the company2. Auditors may suffer from conflicts of interests.

• However, auditors are likely to have the necessary power via e.g. the issue of qualified audit reports.

Types of Gatekeepers and Limitationsto their Role (Continued)

• Investments are also likely gatekeepers given– the close relationships they have with

companies, and– the information they collect via the provision of

services such as underwriting and consultancy.• Both the theoretical and empirical literature

suggest that they are third-party certifiers.• However, the subprime mortgage crisis

suggest at least two reasons why investment bankers may not be credible gatekeepers.

1. Investment banks may be subject to conflicts of interests because of client capture or because of internal conflicts of interests.

2. Investment banks are strong lobbying groups that have been successful in keeping regulation of their activities at bay.

Types of Gatekeepers and Limitations

to their Role (Continued)

• Lawyers come in two versions– in-house legal counsels, and– outside lawyers dealing with

particular or one-off transactions of the firm.

• In-house counsels are likely to be well informed about the firm’s processes and dealings.

• However, they may be too close to the firm and suffer from capture and behavioural biases.

• In contrast, outside lawyers may not have enough information on the firm to detect wrong-doing.


• Financial analysts study the firm’s fundamentals and the forecast these for the near future.

• They issue buy, sell or hold recommendations based on these forecasts.

• However, financial analysts may suffer from conflicts of interests as they may be part of the same investment that is also underwriting the firm’s new equity issue.

• They may also be suffer from behavioural biases.



• Credit rating agencies rate the credit worthiness of debt securities such as government and corporate bonds.

• However, credit rating agencies are paid by the issuers themselves and issuers may be shopping around for the highest possible rating.

• Credit rating agencies have also been accused of failing to predict the– Asian crisis of 1997, and– to be at least partly responsible for the subprime mortgage

crisis.



• Similar to the auditing industry, the credit rating industry is highly concentrated and some dispute as to whether there is any danger of reputational loss.

• Corporate governance ratings agencies are still a fairly recent phenomenon, but developing fast.

• Corporate governance ratings agencies include– Deminor,– Standard & Poor’s, and– Governance Metrics International (GMI).



• These ratings have some use for interest parties, but they also have their limitations.

• Typically, the indices are in the form of counters which are incremented by a value of one if a particular corporate governance device is present.

• Hence, there is no detailed assessment about the conflicts of interests that are likely to prevail in a given firm.



• Commercial banks and other creditors may also act as gatekeepers.

• Similar to (large) shareholders, it is in the interests of banks and other debtholders to monitor corporate managers.

• However, large debtholders, via their close relationship with the firm and the information they collect, may acquire a monopoly position.



• Information about the directors’ and officers’ liability (D&O) insurance taken out by the firm may act as a powerful signal.

• The insured amount as well as the reputation of the insurer may provide valuable information to the market as to the risk investors face.



• Stock markets are another important gatekeeper.• They impose entry requirements on firms seeking

a stock-market listing as well as ongoing obligations on already listed firms.

• For example, the London Stock Exchange (LSE) imposes the UK Corporate Governance Code on the firms that are listed on it.

• Stock markets are frequently organised into segments that enable investors to distinguish between safer, mature firms and riskier firms.



• Securities exchange regulators, such as the SEC in the USA, are likely to play an important role given the lack of independence and incentives as well as the conflicts of interests other gatekeepers may suffer from.

• James Fanto argues that the SEC should be the ultimate gatekeeper and perform much closer monitoring of corporations similar to the regulator in the banking industry.


• However, this would then require the securities exchange regulator to monitor all sorts of areas of corporate governance for which other gatekeepers may have greater competence.

• Another limitation to its role as ultimate gatekeeper is that typically the law provides judicial immunity to the regulator.



• Hence given all of the above lacks of desirable attributes, investors and other stakeholders may have to rely on a range of corporate gatekeepers rather than a single gatekeeper.



Is Industry Regulation a Substitute for Corporate Governance?

• David Becher and Melissa Frye argue that industry regulation as to the very least an indirect impact on corporate governance.

• However, a priori it is not clear whether regulation is a substitute or complement for corporate governance.

• On one hand, regulation may be a substitute given that the regulator monitors the firms.

• On the other hand, industry regulators frequently push for improvements in corporate governance.

Is Industry Regulation a Substitute for Corporate Governance? (Continued)

• The existing empirical evidence is also inconclusive• Studies on the effects of the 1980s and 1990s.

deregulation in the US banking industry suggest that – there was an increase in CEO stock ownership,– there was an increase in the importance of variable pay,– but the overall effect on executive compensation was

relatively small.• A likely reason for these changes was the increase in

competition caused by the deregulation.

• Paul Joskow et al. find that US CEOs earn significantly less in regulated industries.

• Pay is lowest in those industries where there is price regulation.

• Joskow et al. propose two reasons for this1. As a result of political pressure, regulation may

keep salaries low to prevent public outrage2. Regulation may have an indirect effect on

executive pay by reducing managerial discretion and the returns from good management.

Is Industry Regulation a Substitute for

Corporate Governance? (Continued)

• Joskow et al. also find that pay is lowest in those industries with a single state regulator rather than multiple regulators.

• They conclude that this is evidence that the first, direct effect of regulation on pay dominates.

• All of the above studies suggest that regulation is a substitute for corporate governance.

• Other studies suggest that regulation is a complement.



• For example, Charles Hadlock et al. find that CEO turnover in regulated industries is at least as sensitive to performance as in unregulated industries.

• Joel Houston and Christopher James argue that the reason why CEO stock holdings and option-based pay are lower in banks is the fewer investment opportunities rather than regulation.

• There is also consistent evidence that firms from regulated industries have higher proportions of independent directors.



The management conumdrum‘In this ever changing and volatile world, stakeholders need assurance that organisations are being operated in a risk controlled manner. Organisations are under increasing scrutiny to identify all the business, social, ethical and environmental risks they face, and to explain how they manage them to an acceptable level. Governance is the responsibility of the leaders of organisations who have to provide assurance that risks have been identified and are being effectively mitigated. They need to establish risk management

systems that help to provide this assurance – internal audit are key in this process since leaders cannot do it alone.’

Institute of Internal Auditors UK and Ireland (2009)

Environmental influences

Figure 3.1 Environmental influences on the organisationSource: Adapted from Dobson et al.(2004).

General environment

Figure 3.3 Identifying environmental influences – PESTEL analysisSource: Adapted from Johnson and Scholes (2002), p. 102.

Institute of Internal Auditors

INTERNAL AUDIT

• is an independent, objective assurance and consulting activity designed to add value and improve an organisations operations.

• It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach

• to evaluate and improve the effectiveness of risk management, control and governance processes.

The advancement of internal audit

1970 1980

19902000

Expectations of internal audit• Since 2000 - Focus on Risk Based Internal Audit in top performers - Focus on what really matters - Acceptance of wider assurance role - Controls Assurance Frameworks - Head of Internal Audit opinion - Corporate Governance Statement of Internal Control - Annual Report and Accounts - Increasing reliance on Internal Audit

Increasing recognition of professional standards• Turnbull guidance on Role of Non Executives

and Audit Committeess• IIA Inc – Global Codes of Internal Audit Practice

2004 and 2009• In UK 2009 version adopted by HM Treasury as

Government Internal Audit Standard• APB recognition• IPPF and Code of Ethics• IIA UK and Ireland achieves Chartered status• 2009 King 111 in South Africa

Set Business & Department objectives

Business Plan

Consider Risk and performance Targets

Agree Assurance Framework

Internal Audit Planning

Feedback and follow up

Assurance Cycle

Assurance Cycle Overview

Overview of audit needs assessment process• Know the client• Understand the industry• Recognise the business culture• Identify the expectations of internal audit• Planning – identify the audit universe• Consultation regarding risk exposure• Use of audit experience• Reporting recommendations• Approval of plan and resource allocation

Needs to identify

Internal- Existing risk exposures- New systems

developments- Reorganisation- Changes in key staff- Policy changes- Concerns

External - New regulation or

legislation- Industry initiatives- Customer complaints- Legal actions in progress- Competitors- Media focus

Critical research• Business Plan• Risk register• Previous Internal Audit Reports• External Audit Management letter• Any third party reports• Board and Audit Committee minutes• Staff handbooks• Management Accounts and Financial reports• Web site

Meetings• Chair of Board• Chair of Audit Committee• Other Non Executive Directors• Chief Executive• Other members of Senior Management Team• Relevant Managers

- IT, Human Resources, Estates, Finance, Health and Safety, selected Operational Service area managers.

Planning• Internal Audit Strategy (IAS)

– initial proposals based on ANA– developed through research of clients business and

through discussions with management– refined in consultation with Executive Team, or– draft agreed with management– approved by Audit Committee prior to start of work

• Three year view linked to business plan and risk register

• Reviewed annually to focus on key risks and key control risk that business objectives are dependent on.

Risk based methodology

• Recognise real issues within in organisation

• Focuses attention• Delivers value added

product• Need to recognise

relationship with External Audit

• Relevance to Statement of Internal Control in Annual Report

High

Medium

Low

Low Medium High

SIGNIFICANCE

PROBABILITY

Requires close

monitoring

Manage and monitor

Significant focus and

action

Accept but monitor

Management effort

worthwhileManage

and monitor

Accept risksAccept but periodically review

Accept but monitor

Internal audit engagement• Allocation of work• Auditee

considerations• Standard

methodology• Evaluation• Exit meeting as

routine• Effective reporting • Assurance• Follow up

Allocation of Internal Audit from agreed plan

Allocation of Internal Audit from agreed plan

Define SCOs Define SCOs

Document SystemDocument System

Walkthrough TestsWalkthrough Tests

Compliance testingCompliance testing

Control EnhancementControl Enhancement

Recommended Risk Mitigation Plan

Recommended Risk Mitigation Plan

EvaluateControls

EvaluateControls

AssuranceReport

AssuranceReport

< Poor Controls< Good Controls< Satisfactory > Unsatisfactory

Follow UpFollow Up

In conclusion:

• Management define business objectives and implement systems that comprise sufficient processes and controls to achieve these objectives.

• Controls systems have a hierachy of controls – identify those key controls that manage/mitigate significant risk

• Controls can be preventative, Detective or of a compensating nature

• Level of assurance• Need for independence – Internal Audit?

The scope, roles and responsibilities of external audit • Audit of financial statements - true and fair view• Prepared in accordance with relevant guidance,

company law and accounting standards• Information in Annual Report consistent with

financial statements• Public sector auditors have additional

responsibilities– regularity opinion– use of resources– grant claims

The scope, roles and responsibilities of external audit

• Audit of financial statements– Audit assesses the risk of material misstatement in

respect of transactions, account balances and presentation and disclosures

– Misstatements: false or missing information whether by fraud or error

– Material: significant enough to influence the user's economic decisions

The scope, roles and responsibilities of external audit

• Reporting to those "charged with governance"– modifications to opinion– unadjusted misstatements– material weaknesses in the accounting and internal control

system– views on qualitative aspects of accounting practices and

financial reporting– any other relevant matters

Implications of Sarbanes-Oxley Act• The Act affected the responsibilities of the Auditor

– partner rotation every 5 years– provision of non-audit services regulated– Must discuss application of all critical

accounting policies and practices with audit committee

– Audit management's disclosures regarding the effectiveness of internal control

Implications of Sarbanes-Oxley Act

Audit of internal control -

implications for internal audit

?

External audit reliance on the work of internal auditWhat key factors have to be considered for an external auditor to place reliance on internal audit?

External audit reliance on the work of internal audit

• Approach to reliance is governed by accounting standards (ISA (UK & IRELAND) 610 - Considering the work of internal audit)

• 3 key levels for reliance– consider scope and activities of internal audit and their

effect on external audit procedures– assess the effectiveness of internal audit function– evaluate work of internal audit and confirm its adequacy

for external audit purposes

External audit reliance on the work of internal audit

Considering scope and activities of internal audit and their effect on external audit procedures• review of internal audit plan: scope, coverage,

relevance to external audit risk assessment• core financial systems and wider internal control• financial and operational reporting• compliance with law and regulation• fraud work

External audit reliance on the work of internal auditAssessing the effectiveness of internal audit function• organisational status:

objectivity• scope of function: nature

and extent of work and management's response to it

• technical competence• due professional care:

planned, supervised, reviewed and documented

External audit reliance on the work of internal auditEvaluating the specific work of internal audit and confirm its adequacy for external audit purposes• scope of work• performance of work: competency, supervision, review and

documentation• Audit evidence sufficient to draw conclusions and

conclusions reached are appropriate and consistent with work performed

• Matters reported are properly resolved……….involves some re-performance of work

Working in partnership - external and internal audit

• Audit Planning: seeking coverage of systems fundamental to the audit of financial statements

• Individual assignments: timing of work, extent of coverage, materiality levels, sample selection - ideally all have to be jointly considered

• Co-ordination and liaison: seeking to reduce duplication, work-load impact on client and sharing knowledge about business risks

• The pitfalls……– Planning to address

risk (core financial systems vs risk based audit)

– External audit requirements/needs can become too influential in shaping internal audit work

Working in partnership - external and internal audit

The Role of Audit in Corporate Governance “The annual audit is one of the cornerstones of corporate governance . . . The audit provides an external and objective check on the way in which the financial statements have been prepared and presented.”(Cadbury Report, 1992, p. 36, para. 5.1)

Auditor Independence • Balance between close relationship and preserving

independence• Provision of non-audit services • “. . . we do not believe it would be right to seek to

impose specific restrictions on the auditor’s supply of non-audit services through the vehicle of Code guidance. We are sceptical of a prescriptive approach, since we believe that there are no clear-cut, universal answers . . . there may be genuine benefits to efficiency and effectiveness from auditors doing non-audit work. “ (Smith Report, 2003, p. 27, para. 35)

Audit Committee

• Rotation of auditors • Smith Report• Audit committees • Cadbury Report

recommended that all companies should establish audit committees

Audit Committee• Recent research has shown that there is

convergence in corporate governance within Europe in the area of audit committees.

• Collier and Zaman (2005) found wide adoption by European countries of the audit committee concept

Effectiveness of the Audit Function “We do have—not officially, not publicly—concerns about their independence overall . . . you would be amazed at how, when you speak to auditors, from big firms as well as little firms, at drinks parties, at non-official events, and when they are in isolation (you would never get this if you had an audit conference), they often say that they are amazed that more does not come to light or that they often get their arm twisted by management—not from their own practice but of the companies they are auditing—to not worry about it, it is under control. I do find that quite alarming. What do you do about it? You cannot go out and say, ’Investment management believes that the

auditing profession is completely corrupt!’.

Auditors & Financial Scandals

• Arthur Andersen (now defunct): Enron, WorldCom, Nicor, Global Crossing

• Ernst & Young: Lehman Brothers, Anglo Irish Bank, HealthSouth

• KPMG: Allied Capital, Peregrine Systems, ImClone, Xerox

• Deloitte: Nortel, Royal Ahold, Reliant Energy

• PwC: Satyam Computer Services, AIG, Tyco

• Grant Thorton: Parmalat

US$1 Billion FRAUD

Next Casestudy 4 : Arthur Andersen1. Read and prepare the Casestudy on Arthur Andersen

(Monks & Minow (2011)) for discussion next class. Identify the corporate governance issues faced.

2. You are required to:

– Analyse the scenario’s in the case study and plot the resulting risk analysis on an appropriate risk map.

– Map out the stakeholder power/interest issues, and propose the appropriate corporate actions.

Core Readings• Solomon, Jill (2010) Corporate Governance and

Accountability 3rd Edition, Wiley, UK. Ch.6• Goergen, Marc (2012) International Corporate

Governance, Pearson. Ch.11

Additional Readings• Solomon, J. F., Solomon, A., Norton, S. D. and Joseph,

N. L. (2000) ‘A conceptual framework for corporate risk disclosure emerging from the agenda for corporate governance reform’, British Accounting Review, 32(4), December, 447–478.

• Collier, P. and M. Zaman (2005) "Convergence in European Corporate Governance: The Audit Committee Concept", Corporate Governance: An International Review, Vol.13, No.6, November, pp.753-768.

• Independent Audit Limited (2006) Better Governance Reporting, Independent Audit Limited, London, UK.

• Solomon, J. F. and C. R. P. Edgley (2008) "The Abandoned Mandatory OFR: A Lost Opportunity for SER?", Social Responsibility Journal, Vol.4, No.3, pp.324-348.

Next Week’s Ideas for Discussion• Prem Sikka, (2008),"Enterprise culture

and accountancy firms: new masters of the universe", Accounting, Auditing & Accountability Journal, Vol. 21 Iss: 2 pp. 268 - 295

QUESTIONS?

Bcu msc cg week 8 audit 290712

Business

Transcript of Bcu msc cg week 8 audit 290712