Governance Audit Evidence is all the information used by the Governance Auditor in arriving at the conclusions on which the Governance Audit opinion is based.
General Guidelines on Governance Audit Evidence
a) The Governance Audit will be based on the Governance Audit self-assessment report submitted by the organisation.
b) The Governance Auditor shall obtain sufficient and appropriate Governance Audit evidence necessary to draw reasonable conclusions against which the Governance Audit opinion is based. Governance Audit evidence shall be evaluated on the basis of sufficiency and appropriateness. The appropriateness of the Governance Audit evidence is determined by its quality and relates to:
(i) Relevance,
(ii) Reliability, and
(iii) Consistency.
Types of Governance Audit evidence
a) Physical examination
This involves inspection of governance documents such as policies, registers, minute books, board charters and work plans. Evidence obtained directly by the Governance Auditor is more reliable than Governance Audit evidence obtained indirectly or by inference.
b) Confirmations
They cover the receipt of written or oral responses from independent third parties where the Governance Auditor has client’s authority to obtain data and information directly from third parties. External evidence is more reliable than internal evidence.
c) Documentation
It involves document tracking and information tracing to test ownership, actual existence or occurrence. The Governance Auditor examines supporting evidence in client files to trace documents that support a recorded transaction or amount. The direction of testing must be from the recorded item to the supporting document and for unrecorded items from the supporting document to the recorded item to test for accuracy and completeness. Documentary evidence is more reliable than oral evidence and original documents are more reliable than copies.
d) Analytical Procedures
Analytical procedures consist of evaluations of governance information through analysis of plausible relationships among data. They also encompass such investigation as is necessary of identified fluctuations or relationships that are inconsistent with other relevant information or that significantly differ from expectations. Analytical procedures are an important aspect of not only understanding governance information an Organisation, but also of flagging and researching inconsistencies. The main purpose of performing analytical procedures is to:
(i) Obtain an understanding of the Organisation and its environment. This helps in assessing the risk of material misstatement in order to determine the nature, timing and extent of Governance Audit procedures. I.e. helps the Governance Auditor develop the Governance Audit strategy and programme.
(ii) Reduce the risk of material misstatements. This helps to provide limited assurance that the Governance Audit Self-Assessment Report do not require material adjustments.
(iii) Assess whether the Governance Audit Report is consistent with the Governance Auditor’s understanding of the Organisation.
e) Inquiries of the Client
A Governance Auditor obtains information from the client in response to questions. Although much evidence is obtained through inquiry, it cannot be regarded as conclusive and may be biased in the client’s favour.
f) Re-performance
This involves a review and rechecking of data and information by the Governance Auditor to obtain reasonable assurance on the position of Governance Audit results. Rechecking of governance information involves confirming consistent recording of information.
g) Observation
The Governance Auditor personally witnesses the physical activities of the client i.e. attends a Board meeting. This differs from physical examination as observation focuses on client activities, processes and procedures.
Limitations in gathering Governance Audit evidence
a) Ability to measure available Governance Audit evidence to adduce its sufficiency levels, degree of relevance, reliability and consistency.
b) Obtaining documentary Governance Audit evidence relating to corporate governance issues in operations where activities have no direct governance implications.
c) Use of historical data and information whose impact on governance may not be explicitly displayed or noted.
d) Use of different governance instruments in Organizations in the absence of prescribed governance instruments’ standards.
e) Obtaining Governance Audit evidence through inquiry depends on the readiness and availability of reliable respondents and informants.
f) Relevance and reliability of information obtained is an indicator of the information sources’ relevance and reliability.
g) Extent of implementation and application of governance instruments in place and ability to monitor and measure the degree of application.
h) Measurability of governance factors in audit evidence.
i) Quantification of governance standards and practices to assess available evidence.
j) Dynamism in the environment that affects Governance Audit evidence.
k) Adequacy of internal systems and controls on governance to manage and monitor performance in governance areas.
l) Governance Audit evidence gathered through confirmations by a third party is reliable to the extent of how informed the sources of the information are.
m) Effectiveness of internal governance control systems and processes in providing sufficient evidence.
n) Attendant risk in obtaining Governance Audit evidence especially in high governance-prone areas.
o) Reliability of governance analytical tools for use in gathering Governance Audit evidence.
p) The process of gathering evidence through observation is limited to the extent of how available and to what extent the observer is able to observe the process or procedure as it takes place.
q) Willingness of the client to give information.
r) Lack of central location for storing governance information in the organisation.
Types of Governance Audit Tests
The different types of Governance Audit tests and procedures used to obtain audit evidence include:
a) Risk assessment procedures
These are used to obtain an understanding of the organization and its environment, such as the potential risks of material misrepresentations of governance issues and related information, adequacy of the organization’s governance structures and internal control processes. Risk assessment procedures are performed to provide a satisfactory basis for the assessment of governance compliance risks.
b) Tests of controls
These test the operating effectiveness of controls in preventing, detecting and correcting material misrepresentations of governance issues. Tests of controls are necessary when the Governance Auditor’s risk assessment includes an expectation of the operating effectiveness of controls, or when substantive procedures alone do not provide sufficient appropriate audit evidence.
c) Substantive procedures
These detect material misrepresentations at the allegation level and include tests of details of governance related transactions, disclosures and substantive analytical procedures. Substantive procedures are performed by the Governance Auditor in response to related assessment of risks of material misrepresentation of governance facts which incorporate results of tests of controls.
d) Analytical Procedures
These consist of evaluations of governance information, studies of plausible relationships among Board and Management functions. They include the investigation of identified changes and relationships that are inconsistent with other relevant information or deviate significantly from expected results.
e) Tests of Details on Related Transactions
These are undertaken to supplement Governance Audit evidence obtained where the Governance Auditor’s ability to express an audit opinion is not fully firmed up. These are substantive tests and the extent to which they are performed depend on the results of tests of controls, substantive tests of transactions and substantive analytical procedures.
Using the work of experts
a) The Governance Auditor should determine whether or not and the extent to which to use the work of an expert.
b) An expert may be an individual or organization possessing expertise in a field other than governance, whose work is used by the Governance Auditor to assist in obtaining sufficient and appropriate audit evidence.
c) An expert may be either an internal expert who is a partner or staff, including temporary staff or a network of external experts.
Extent of Use the Work of Experts
In determining the use of an expert’s work, the Governance Auditor shall consider:
a) The nature of the matter to which an expert’s work relates;
b) The risks of material misrepresentation in the matter to which an expert’s work relates;
c) The significance of an expert’s work in the context of the Governance Audit at hand;
d) The Governance Auditor’s knowledge of and experience with previous work of the expert; and
e) Whether the expert is subject to the auditor’s quality control policies and procedures.
Competence and Objectivity of the Expert
The Governance Auditor shall evaluate whether the expert has the necessary competence and objectivity to provide reliable work for referencing in the Governance Audit purposes.
Understanding of the Field of Expertise of the Expert
The Governance Auditor will obtain sufficient understanding of the field of expertise of the expert to:
a) Determine the nature, scope and objectives of the expert’s work; and
b) Evaluate the adequacy of the expert’s work.
Agreement with the Expert
The Governance Auditor will agree with the expert in writing on the following matters:
a) The nature, scope and objectives of the expert’s work;
b) Their respective roles and responsibilities;
c) The nature, timing and extent of communication between them, including the form of any report to be provided by the expert; and
d) The need for the expert to observe confidentiality requirements.
Adequacy of the Expert’s Work
a) The Governance Auditor shall evaluate the adequacy of the expert’s work for purposes of his Governance Audit opinion to determine:
(i) Relevance and reasonableness of the expert’s findings or conclusions, and their consistency with other Governance Audit evidence;
(ii) If the expert’s work involves use of significant assumptions and methods, the relevance and reasonableness of those assumptions and methods; and
(iii) If the expert’s work involves the use of source data that is significant to that expert’s work, the relevance, completeness and accuracy.
b) If the Governance Auditor determines that the work of the expert is not adequate for Governance Audit purposes, the Governance Auditor will:
(i) Agree with the expert on the nature and extent of further work to be performed by the expert; or
(ii) Perform additional Governance Audit procedures appropriate to the circumstances.
Reference to the Expert Work
a) The Governance Auditor will not refer to the work of an expert in the Governance Audit report that has an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the Governance Auditor will indicate in his report that the reference does not reduce the Governance Auditor’s responsibility over the Governance Audit opinion.
b) If the Governance Auditor makes reference to the work of an expert in the Governance Audit report because such reference enhances the understanding of a modification to the Governance Audit opinion, the Governance Auditor shall indicate in the Governance Audit report that such reference does not reduce the Governance Auditor’s responsibility over the Governance Audit opinion.
Methods of gathering Governance Audit Evidence
a) Inspection of Records or Documents
This consists of examining records or documents. Inspection of records and documents provides Governance Audit evidence of varying degrees of reliability depending on their nature and source and, in the case of internal records and documents, on the effectiveness of controls over their production.
b) Observation
This consists of examining a process or procedure being done by others, for example observation of the performance of control activities. Although observation provides Governance Audit evidence about the performance of a process or procedure, it is limited to the point in time at which it takes place and by the fact that the act of being observed may affect how the process or procedure is performed.
c) Inquiry
This consists of seeking information of knowledgeable persons within or outside the organization. Inquiry is a Governance Audit procedure that is used extensively throughout the Governance Audit and complements performing other Governance Audit procedures.
(i) Neither does inquiry alone ordinarily provide sufficient Governance Audit evidence to detect a material misrepresentation at the assertion level nor is it sufficient enough to test the operating effectiveness of controls.
(ii) Inquiries may range from formal written inquiries to informal oral inquiries. Evaluating responses to inquiries is an integral part of the inquiry process.
(iii) Responses to inquiries may provide the governance auditor with information not previously possessed or with corroborative Governance Audit evidence.
(iv) Alternatively, responses might provide information that differs significantly from other information that the governance auditor has obtained, for example, information regarding the possibility of management overriding controls. In some cases, responses to inquiries provide a basis for the governance auditor to modify or perform additional Governance Audit procedures.
(v) In respect of some matters, the governance auditor obtains written representations from management to confirm responses to oral inquiries or when other sufficient appropriate Governance Audit evidence cannot reasonably be expected to exist.
d) Confirmation
This is a specific type of inquiry, and is the process of obtaining a representation of information or of an existing condition directly from a third party. For example, the governance auditor may request confirmation of the terms of agreements or transactions an Organization has with third parties. The confirmation request is designed to ask if any modifications have been made to the agreement and, if so, what the relevant details are. Confirmations are also used to obtain Governance Audit evidence about the absence of certain conditions.
e) Re-performance
This is the Governance Auditor’s independent execution of procedures or controls that were originally performed as part of the organization’s internal control, for example, re-performing compliance tests on statutory returns.
f) Governance Audit Survey
This is undertaken to gain understanding of the Governance Audit subject, report user needs, and potential Governance Audit issues or concerns. These issues/concerns form the source of Governance Audit objectives. Therefore, survey outputs comprise of:
(i) Overview of organization/activities,
(ii) Governance Audit preliminary findings, and
(iii) Recommendations to pursue preliminary/potential audit objectives.
Governance Audit Procedures for Obtaining Evidence
Governance Audit evidence is obtained to enable the governance auditor draw reasonable conclusions on which to base the Governance Audit opinion. The following are sample Governance Audit procedures that can be used to obtain evidence:
a) Risk assessment procedures
These are used to obtain an understanding of the organization and its environment, including its governance structures and internal control processes to assess potential risks of material misrepresentations of governance issues and assertion levels.
b) Tests of controls
Test the operating effectiveness of controls in preventing, or detecting and correcting material misrepresentations of governance issues at the assertion level.
c) Substantive procedures
Detect material misrepresentations at the assertion level and include tests of details of governance related transactions, disclosures and substantive analytical procedures.
Governance Audit sampling
The Governance Audit sampling approaches shall be guided by the materiality of the governance issue being examined; experience, competence and skills of the governance auditor; and the source and nature of the evidence available.