Governments and governmental agencies enact governance related laws and regulations to ensure that entity managers refrain from participating in corrupt, fraudulent, or unethical behavior. Governments and governmental agencies also enact laws and regulations to provide for stakeholder confidence that management will perform its fiduciary responsibilities. This fiduciary relationship between stakeholders and management typically requires that the organization’s management safeguard assets entrusted to it for use by the entity in generating revenues or paying expenses. To sustain compliance with this legal objective; there is an expectation that an enterprise’s management will provide accurate and complete information about the firm’s past and current performance, as well as their assessments of any confirmed future economic events that may/will affect the organization’s financial status and its present financial position.
Government laws and regulations usually require an entity’s management to design, implement, and maintain a system of controls. However, controls existence and effectiveness verification are commonly an external and internal statutory audit responsibility. Auditors that conduct these entity compliance attestation engagements focus on examining, reviewing, or performing agreed-upon procedures regarding a subject matter; or an assertion about a subject matter, and reporting evidentially-supported results.
Separately or jointly, government-sponsored laws and regulations can impose practice audit requirements that affect compliance attestation service efforts. Where laws and regulations promote managements' accountability of entity assets to stakeholders, information technology (IT) legal compliance audit area, and/or ambit may include government and governmental agency mandates. Alternatively, operationally perceived noncompliance risk can determine an engagement or the entity’s audit committee can direct IT audit coverage to assess expected compliance by the entity's management. Nevertheless, professional IT auditors must evaluate potential irregularities and illegal acts during the entire IT assurance process, even when directed by the audit committee to focus on a particular IT auditable unit -- within the engagement's audit area.