Subramaniam, N. and Carey, P.P. (2011), "Risk management, governance and assurance", Managerial Auditing Journal, Vol. 26 No. 7. https://doi.org/10.1108/maj.2011.05126gaa.001
Emerald Group Publishing Limited
Copyright © 2011, Emerald Group Publishing Limited
Risk management, governance and assurance
Article Type: Editorial From: Managerial Auditing Journal, Volume 26, Issue 7
Corporate governance is the framework of rules, relationships, systems and processes within and by which authority is exercised and controlled in corporations (ASX, 2007). While a vast body of research has developed around corporate governance and its implications for organizational management and performance, consensus on best practice in corporate governance continues to evolve. In particular, internal and external audit, audit committees and the system of risk management are well-acknowledged as important elements of a system of corporate governance, but ever-changing regulatory requirements concerning these elements suggest there remains scope to further develop our understanding of their respective roles within the corporate governance process. This special issue titled “Risk management, governance and assurance” aims to extend the literature by presenting five papers that address selected aspects of risks and assurance in relation to corporate governance. The first three papers revolve around risk assessment and management, while the other two papers focus on internal audit and audit committees.
Risks can be objective and measurable (e.g. probabilities can be assigned to eventualities based on systematic scientific techniques) or be subjective and based on perceptions (e.g. based on intuition and hindsight). While formal recognition of risk management practices is a relatively recent addition to best practice in corporate governance, the notion of risk emerged as an important element of the audit process during the early part of the twentieth century (Mock and Wright, 1993). The first paper, by Michael De Martinis, Hironori Fukukawa and Theodore J. Mock, examines whether country (i.e. Australia or Japan) and client type (i.e. public sector or private sector) influence the external auditor’s client risk assessments, subsequent audit planning decisions (i.e. planned audit hours), as well as the relationship between client risk assessments and planned audit hours. The study is strengthened by archival data sourced from working papers on planned auditor effort and client risk assessments. Results support the notion that country and client type differences are associated with the extent to which particular client risk assessments affect planned total audit hours.
The notion that business activities entail risks is a long-standing one, but the establishment of formalised systems of risk management in organisations is a more recent development. Risk management is commonly viewed as “the process by which organisations methodically address the risks attaching to their activities in pursuit of organisational objectives and across the portfolio of all their activities” (Collier et al., 2007, p. xvii). In recent years, an organisation-wide approach to managing risks, also known as enterprise risk management (ERM), has been strongly advocated as a more holistic and effective approach for managing risks in business organisations. The Committee of Sponsoring Organisations’ (COSO) Enterprise Risk Management-Integrated Framework, published in 2004, defines ERM as a process that is:
[…] applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (COSO, 2004).
ERM is seen to provide a framework for systematic identification of particular events or circumstances relevant to the achievement of an entity’s objectives. The approach to risk management thus takes a more holistic perspective, starting with identification of risks throughout the organisation, followed by an assessment of their likelihood and the magnitude of their individual and joint impact on the entity’s objectives, and the development of a strategy to monitor, manage and mitigate the identified risks.
The second paper, by Siti Zaleha Abdul Rasid, Abdul Rahim Abdul Rahman and Wan Khairuzzaman Wan Ismail, provides some preliminary insights into the link between management accountants and ERM. While exploratory in nature, the study extends the earlier work by Collier et al. (2004) and Soin (2005) by providing empirical data from a survey in a developing country, i.e. Malaysia, and finds that risks are generally considered in various management accounting functions such as budgeting and planning. However, there also appears to be a blurring in functions and the way in which risk information may be utilised.
The third paper, by Laura de Zwaan, Jenny Stewart and Nava Subramaniam, addresses the critical link between risk management and internal audit and the potential for the loss of perceived objectivity of the latter. The authors bring to the fore the potential for the loss of internal auditors’ independence and objectivity as a result of familiarity developed through internal consultancy and advisory work, including engagement in ERM. The Institute of Internal Auditors (IIA, 2004) in fact issued a position paper delineating the core roles of internal audit in regard to ERM, the roles that internal audit can legitimately undertake providing safeguards are in place, and roles that internal audit should not undertake. The results, based on an experimental study, indicate that a high involvement in ERM impacts the perceptions of internal auditors’ willingness to report a breakdown in risk procedures to the audit committee. The study also investigated whether audit committees may play a significant role as a compensatory governance mechanism (i.e. high involvement in ERM tolerated if a strong audit committee existed). However, a strong relationship with the audit committee does not appear to affect perceptions of internal auditors’ ability to maintain their objectivity.
The fourth paper in this issue, by Dominic S.B. Soh and Nonna Martinov-Bennie, pertains to the role, effectiveness and evaluation of the internal audit function through interviews of audit committee chairs and chief audit executives from six Australian public-listed firms and one public sector entity. Results confirm that, following recent regulatory changes, internal audit has an expanded role within the corporate governance mosaic. There is increased awareness of the value of a quality internal audit function as well as an increase in the quality of the individuals in the key roles within both the internal audit and audit committees. However, the practice of evaluating the effectiveness of internal audit varies considerably, which suggests that performance evaluation mechanisms have not evolved contemporaneously with internal audit’s new roles.
Audit committees have long been regarded as a critical element in best practice in corporate governance. The fifth and final paper, by Won Sil Kang, Alan Kilgore and Sue Wright, investigates whether key audit committee characteristics are associated with enhanced financial reporting quality for low- and mid-cap firms in Australia. It is possible to investigate the effectiveness of audit committees as monitoring mechanisms that restrict the occurrence of earnings management among small and mid-cap Australian public-listed firms because audit committees are voluntary among these firms. Results indicate that lower earnings management is associated with audit committee member independence, financial expertise and frequency of audit committee meetings. Results provide further support for the ASX recommendations regarding audit committees and suggest that audit committees are important in improving the financial reporting quality for low- and mid-cap firms.
In conclusion, the empirical findings presented in this special issue highlight the rather complex and inter-related nature of the various elements of a system of corporate governance, namely risk management, audit committees, and internal and external audit. It is clear that corporate governance is an interplay of people, structure and processes, and that the quality of interaction and communication among these various factors has direct implications for overall corporate governance efficiency and effectiveness. Future research undertaking a more holistic perspective and a longitudinal approach would contribute to further development in this area by identifying the key linkages across the various governance mechanisms and how such linkages evolve over time. In particular, the conceptualization of risks and its impact on audit committees, internal and external audit is ripe for further investigation.
Professor Nava Subramaniam, Deakin University, Australia
Professor Peter Carey, Deakin University, Australia
ASX (2007), Corporate Governance Principles and Recommendations with 2010 Amendments, 2nd ed., Australian Securities Exchange (ASX) Corporate Governance Council, Sydney
Collier, P.M., Berry, A.J. and Burke, G.T. (2004), Risk and Control: Drivers, Practices and Consequences, Chartered Institute of Management Accountants, London
Collier, P.M., Berry, A.J. and Burke, G.T. (2007), Risk and Management Accounting: Best Practice Guidelines for Enterprise Wide Internal Control Procedures, Elsevier, Oxford
COSO (2004), Enterprise Risk Management: Integrated Framework, Committee of Sponsoring Organizations, New York, NY
IIA (2004), “The role of internal auditing in enterprise risk management”, Institute of Internal Auditors, available at: www.theiia.org/guidance/standards-and-practices/position-papers/current-position-papers/
Mock, T. and Wright, A. (1993), “An exploratory study of auditors’ evidential planning judgments”, Auditing: A Journal of Practice & Theory, Vol. 12 No. 2, pp. 39–61
Soin, K. (2005), “Risk, regulation and the role of management accounting and control in UK Financial Services”, paper presented at the Critical Perspectives in Accounting Conference, New York, NY, 28-30 April