TO REPORT OR NOT TO REPORT : IN WHAT CONTEXT IS A ‘ REPORTABLE IRREGULARITY ’ REPORTABLE ?

Whistle-blowing can play an important role in enhancing the effectiveness of corporate governance processes. In particular, legislation mandating that auditors blow the whistle on their clients’ transgressions can assist in overcoming agency-related costs and improve confidence in external audit. This is, however, only the case if regulatory reform enjoys cohesion. The Companies Act No. 71 of 2008, by introducing a definition of ‘reportable irregularities’ different from that in the Auditing Profession Act No. 26 of 2005 (APA); excluding ‘independent reviews’ from the scope of APA; and effectively exempting the majority of South African companies from the requirement either to be audited or reviewed, may materially undermine whistleblowing by auditors in South Africa. In turn, this begs the question: for how long will South Africa rank first globally for the quality of its auditing practices?


Introduction
A series of corporate scandals has led to a diminution of trust in the audit profession and the questioning of the wisdom of the auditor's selfregulatory framework (Mosso, 2003;McMillan, 2004;Unerman and O'Dwyer, 2004;Pesqueux, 2005;Humphrey, 2008;Windsor and Warming-Rasmussen, 2009;Victoravich, 2010).In South Africa, the call for tighter legislation manifested itself, in part, in the auditor's duty to report 'reportable irregularities' (RIs) in terms of s45 of the Auditing Profession Act No. 26 of 2005 (APA) superseding the reporting duties in s20(5) of the Public Accountants ' and Auditors' Act No. 80 of 1991 (PAAA) (Nel, 2001;Gawith, 2006; Independent Regulatory Board for Auditors (IRBA), 2006;PwC, 2006;Wielligh, 2006).The intention was to enhance the profession's understanding of its reporting obligations to third parties and to improve the transparency and effectiveness of the external audit reporting process (Nel, 2001;Negash, 2004;Gawith, 2006).Subsequently, review and limited assurance engagements have grown in relevance, begging the question: does s45 of the APA apply to these circumstances?As from 1 May 2011, the Companies Act No. 71 of 2008 (Companies Act, 2008) requires only public companies to undergo compulsory audits (s30(2)(a) of the Companies Act, 2008).Other companies will only be audited if it is in the 'public interest', taking into account the 'economic or social significance' of the company and particularly the provisions of certain Companies Regulations (s30(2)(b)(i) of the Companies Act, 2008).Failing this, voluntary audit or independent review is required.Certain private companies, however, will need neither to be audited nor reviewed (s30(2)(b)(ii)).The exact effect of these developments for the audit of private companies is still to be seen with the number of companies being reviewed, or having no assurance provided on their financial statements, yet to be determined (Institute of Directors Southern Africa, 2008;SAICA, 2010;PwC, 2011;PwC, 2011a).It would be reasonable to assume that a large number of South African Abstract companies may be in a position to dispense with the need for external audit, electing the review engagement as a lower cost substitute or being subject to neither an audit nor a review.
Confirming the growing relevance of the limited assurance engagement, the Integrated Reporting Committee (IRC) (2011) released a draft conceptual framework for integrated reporting during 2011, which refers to the need for 'assurance' to be provided over the integrated report.Concurrently, King III (2009) requires audit committees to assume responsibility for integrated reporting and to play an active role in ensuring that a combined assurance model is applied (King-III, 2009;PwC, 2009a;PwC, 2009b;IRC, 2011).In each of these situations, a limited assurance or review report under ISAE 3000: Assurance engagements other than audits or reviews of historical financial information (ISAE 3000) or ISRE 2400: Engagements to review financial statements (ISRE 2400) respectively, may be provided.
The purpose of this paper is to explore whether or not 'independent reviews' or 'limited assurance engagements' fall within the scope of the APA and, hence, whether the detection of a 'reportable irregularity' triggers a reporting duty to the IRBA under s45 of the APA.Whether or not this is the case will have important corporate governance implications, particularly for the South African Audit Profession.
Firstly, an auditor's failure to report an RI when he ought reasonably to have done so could result in fines, imprisonment, or both, under s52 of the APA.Disciplinary sanctions could also follow (s52 of the APA, 2005;IRBA, 2006;IRBA, 2011;SAICA, 2012).A sound understanding of exactly when a reporting duty is triggered and under which legislation -either the Companies Act (2008) or the APA -is, therefore, paramount.
Secondly, as a means of bringing transgressions into the open, purportedly in the public interest (see: Nel, 2001;Manuel, 2002), the obligation to divulge reportable irregularities to the IRBA serves as an example of whistleblowing.Consistent with Near and Miceli (1995), Miceli andNear (1984), andJubb (1999), s45 of the APA entails the reporting, broadly speaking, of wrong doings to a party in a position to take appropriate action, in this case, to the IRBA.In turn, the IRBA is empowered to inform relevant regulators (s45(4) of the APA, 2005;IRBA, 2006).That the duty happens to be enshrined in statue or exists outside of a traditional employeremployee context (see: Hwang, Staley, Chen & Lan, 2008;Seifert, Sweeney, Joireman & Thornton, 2010), does not detract from the characterisation of the reporting duty as whistle-blowing (see : Rotter, 1966;Staub, 1978).Within this context, the potential for a large number of companies to avoid the need for any external audit or review function could materially reduce incidences of reporting under s45 of the APA.As such, this research tentatively explores whether improved transparency, purportedly at the heart of the enactment of the APA (Nel, 2001;Manuel, 2002), and the inherent benefits of whistleblowing in addressing the agency problem, could be undermined, leading to a weaker corporate governance environment (consider: Vinten, 2000;Vinten, 2003;Hwang et al., 2008;Low, Davey & Hooper, 2008;Reckers-Sauciuc and Lowe, 2010).

Context and prior literature
The APA defines an 'individual registered auditor' as the individual appointed to perform an 'audit' (s44 (1)(a) of the APA), and s1, defines an 'audit' as: '[the] examination of, in accordance with prescribed or applicable auditing standards: 1) financial statements with the objective of expressing an opinion as to the fairness or compliance with identified financial reporting framework and any applicable statutory requirements; or 2) financial and other information, prepared in accordance with suitable criteria, with the objective of expressing an opinion on the financial and other information'.From the first part of the definition of 'audit' it is clear that where an external audit is carried out in accordance with International Standards on Auditing (ISA), s45 of the APA is applicable (s1, s44 & s45 of the APA).Less obvious is whether or not s45 of the APA also applies within the context of an independent review or limited assurance engagement.
Reckers-Sauciuc and Lowe (2010), Hwang et al. (2008), Vinten (2000;2003), Kaplan and Whitecotton (2001) and Dozier and Miceli (1985) are among the numerous academic sources recognising the important role whistleblowing plays in enhancing transparency and accountability.The professional literature is to similar effect (Financial Reporting Council (FRC), 2008a;FRC, 2008b;European Commission, 2010;European Commission, 2010a).Miceli and Near (1984:824) define 'whistleblowing' as: 'the disclosure by 'organization members… of illegal, immoral or illegitimate practices under the control of the employer to persons or organizations who may be able to effect action'.Jubb (1999), Staub (1978) and Hwang et al. (2008) adopt a similar definition, stressing the importance of acting for the greater good, rather than primarily for self-interest, that underpins whistle-blowing.
When it comes to s45 of the APA, otherwise confidential client information concerning 'acts or omissions' involving material financial losses, material breaches of fiduciary duties, fraud or theft (see: s1 of the APA; IRBA, 2006) is disclosed to the IRBA, which is obligated to inform the relevant third parties of the transgression (IRBA, 2006).Although Near and Miceli (1984;1995) refer specifically to divulgences within an employer-employee context, the substance of reporting in both instances is consistent.In addition, the auditor is entitled to no direct material benefit for reporting (IRBA, 2006), implying the absence of self-gain.Reinforcing this view was an awareness of the public duty owed by the auditor to bring certain transgressions into the open at the genesis of the auditor's reporting duty (Nel, 2001).To this end, s45 of the APA may be interpreted as part of the auditor regulation machinery aimed at encouraging whistle-blowing (Nel, 2001;Manuel, 2002;IRBA, 2006), especially considering that one of the objectives of s45 of the APA is the clarification of the reporting duty and prevention of its circumvention (Nel, 2001).
Both the mechanism allowing moderate or limited assurance engagements to fall outside the scope of s45 of the APA and the reporting duties enshrined in Regulation 29 of the Companies Act (2008) may result in inconsistency with the spirit of corporate governance principles and achieve peculiar results.This is of particular concern given the assertions of Sy and Tinker (2008), Gavious (2007), Pesqueux (2005), Unerman andO'Dwyer (2004), andMcMillan (2004) that the regulation of the profession ought to aim at addressing the risk of self-interested practitioners ignoring their civic duties.
Looking specifically at whistle-blowing, Hwang et al. ( 2008), Brennan and Kelly (2007), Kaplan and Whitecotton (2001), Near andMiceli (1995) andStaub (1978) identify impediments to whistle-blowing at the audit firm level and recommend the use of effective complaint recipients and communication channels to foster the much needed reporting of transgressions.If whistle-blowing is a desirable element of the governance system (Reckers-Sauciuc & Lowe, 2010;European Commission, 2010;FRC, 2008a;Hwang et al., 2008;Vinten, 2003;Nel, 2001), a conflict with legislation that allows technicalities to justify a lack of reporting is counter to the public interest.
This research adopts an interpretive discursive style to explore possible tensions or inconsistencies between the Companies Act (2008), including relevant regulations, the APA and the IRBA's (2006) guide dealing with reportable irregularities.To retain focus, we do not deal with other legislation, such as anti-corruption or money-laundering laws and regulations, but instead deal with those acts that have the most direct bearing for auditors (see IRBA, 2006).Similarly, the research does not take a broad stakeholder-based perspective.It concentrates specifically on the audit context.The approach is inspired by comparable exploratory research carried out within a sociolegal context where detailed data allowing for quantitative analysis is not readily available (Power, 2003;Brennan and Solomon, 2008;Humphrey, 2008).In other words, this paper contributes to the body of knowledge, not by posing and testing hypotheses in a positivist sense, but by exploring and highlighting tensions and contradictions in a certain auditspecific regulation that appears to have gone unnoticed (see: Humphrey, 2008;Brennan & Solomon, 2008;Power, 2003;Pesqueux, 2005).
With this in mind, Section 3 provides a technical assessment of the relevance of s45 of the APA within the context of a review of a client's financial statements under ISRE 2400 or to limited assurance engagements of other financial information under ISAE 3000.In each case, it is assumed that the practitioner is not engaged as the respective client's auditor.The impact of the Companies Act ( 2008) on the scope of s45 of the APA is considered in Section 4. Section 5 briefly explores the ramifications of the findings and Section 6 concludes.

Current guidance and its shortcomings
3.1 Guidance from the IRBA While s1 of the APA provides a definition of an 'audit' that clearly encompasses an external audit of financial statements conducted in terms of ISA (Gawith, 2006;Wielligh, 2006;IRBA, 2006; s1 of the APA), less obvious is whether or not the APA applies within the context of an ISRE 2400 or ISAE 3000 engagement.The IRBA (2006), in its Guide on Reportable Irregularities, provides initial insights.
The IRBA (2006) concludes that s45 of the APA is applicable for ISRE 2410 engagements.Such an engagement falls within the definition of an 'audit' per s1 of the APA because the practitioner is also responsible for the audit of the respective client's financial statements.In other words, the IRBA maintains that, since ISRE 2410 is applied only when the practitioner carrying out the client's review is also the client's auditor, s45 of the APA applies by default (International Auditing and Assurance Standards Board (IAASB), Nel, 2001;IRBA, 2006;IAASB, 2009t).This conclusion is consistent with the need for the registered auditor to consider all information coming to his attention, irrespective of its source, when deciding whether or not to report an RI (s45(5) of the APA).The IRBA (2006) emphasises that, since the practitioner carrying out the review engagements is also responsible for the audit of the respective client's financial statements, if an RI is identified during the review engagement, it is automatically reportable.
For an ISRE 2400 engagement, the IRBA's conclusion is different.ISRE 2400 covers engagements where the practitioner is not the auditor to the entity and the client is, therefore, not also an audit client.The IRBA ( 2006) is of the opinion that an ISRE 2400 review does not meet the definition of an 'audit' in terms of s1 of the APA (IRBA, 2006:28).This opinion is based on the wording of s45(1)(a) of the APA, which explicitly refers to an 'individual registered auditor'.Since the IRBA (2006) does not regard an ISRE 2400 review as amounting to an 'audit', the practitioner carrying out a review is not theoretically an 'individual registered auditor' as defined by s45(1)(a) of the APA.
At first blush, this argument may appear reasonable, as a review engagement provides only a moderate level of assurance, as opposed to the high level of assurance provided by an audit.Furthermore, an ISRE 2400 review may not amount to an examination in accordance with applicable 'auditing standards', but rather 'review standards' (s1 of the APA, 2005;IRBA, 2006;IAASB, 2009s;IAASB, 2009t).The same logic may apply mutatis mutandis to ISAE 3000 engagements.The IRBA (2006) does not provide detailed commentary on whether or not s45 of the APA would be applicable within this context.The conclusion on whether or not a modification of the assurance report is required when an RI is reported in terms of s44 of the APA is, however, relevant.Briefly, s44 mandates the modification of audit reports in instances where an RI exists and is reported (s44(3)(e) of the APA).The IRBA (2006) concludes that the legislation 'does not specifically require the inclusion of an appropriate modification to an assurance report on matters other than financial statements or supplementary information thereto (in terms of ISAE 3000)…' (IRBA, 2006:41).By inference, s45 of the APA does not apply to limited assurance engagements under ISAE 3000.Provided that the practitioner is not also the auditor of the client -as he would then be compelled to consider information from all sources when deciding on whether or not to report an RI -based on the IRBA's view, no reporting duty under the APA can arise for an ISAE 3000 or an ISRE 2400 engagement (IRBA, 2006).
On a prima facie basis, the guidance provided by the IRBA (2006) may appear tenable.Different assurance levels, coupled with the use of different professional standards, arguably appear to support the IRBA's ( 2006) contention that s45 of the APA is not applicable within the context of ISRE 2400 and ISAE 3000 engagements.On closer examination, this conclusion may not, however, be sustainable.

Different reports similar in substance
ISRE 2400 is expressly applicable where the practitioner is not also the respective client's auditor (IRBA, 2006;IAASB, 2009s).Furthermore, ISA 700: Forming an Opinion and Reporting on Financial Statements (ISA 700) specifically refers to the 'opinion' section of the audit report, which provides a high level of assurance.This 'opinion paragraph' must be clearly demarcated.In contrast, ISRE 2400 requires users to be informed of the fact that an 'audit opinion' is not provided and refers to a 'statement of negative assurance', thereby providing only a moderate level of assurance (IRBA, 2006;IAASB, 2009m;IAASB, 2009s;IAASB, 2009t).Whereas the illustrative guidance in ISA 700 specifically refers to an opinion, the paragraph commencing with the phrase 'in our opinion…', (ISRE 2400) refers to the fact that 'based on [the] review, nothing has come to the [practitioner's] attention…'.
Similarly, ISAE 3000 refers to a 'conclusion' being provided rather than an 'opinion' and requires the conclusion for a limited assurance engagement to be expressed in a negative form, similar to that seen in ISRE 2400, again providing only a moderate level of assurance (IAASB, 2009s;IAASB, 2009t).Despite these differences, under both ISRE 2400 and ISAE 3000, at least some level of assurance is provided.Unlike International Standards on Related Services (ISRS), the product of both engagements is not a simple report on factual findings, but rather the provision of assurance (IAASB, 2009a;IAASB, 2009n;IAASB, 2009s;IAASB, 2009t;IAASB, 2009u;IAASB, 2011v).Although a high level of assurance is not provided, the moderate assurance offered by ISRE 2400 and limited assurance of ISAE 3000 are, in substance, similar.
Supporting this argument is the fact that the general principles enshrined in ISRE 2400 and ISAE 3000, namely the need to assess the appropriateness of the subject matter and the suitability of underlying criteria are consistent with the guidance provided in ISA 200 (IAASB, 2009e).An emphasis on independence, integrity, objectivity, professional competency, adherence to professional standards, and obtaining of sufficient appropriate evidence is common to ISRE 2400, ISAE 3000 and ISA.Similarly, both ISAE 3000 and ISRE 2400 recommend agreeing to the terms of engagement with the client to ensure that each party's objectives and responsibilities are well defined (IAASB, 2009n;IAASB, 2009s).Finally, ISRE 2400, ISAE 3000 and ISA engagements are subject to inherent limitations, which make the provision of absolute assurance impossible (IAASB, 2009c;IAASB, 2009e;IAASB, 2009n).
Based on these parallels, in spite of the fact that ISRE 2400 and ISAE 3000 provide only moderate assurance (whereas ISA 700 envisages a high level of assurance), the substance of these engagements is similar.In each case, a professional service is rendered where a conclusion is provided, based on the outcome of procedures designed to provide sufficient appropriate evidence and intended to provide an output being the expression of an opinion to provide assurance regarding the subject matter.Rather than a report of factual findings, each engagement provides a professional opinion, evidenced by similarities in the structure of the report, which define the scope and context of the work performed, as well as the conceptual approach to undertaking these engagements and their inherent limitations (IAASB, 2009e;IAASB, 2009n;IAASB, 2009s).For this reason, it seems logical for s45 of the APA to apply, mutatis mutandis, to ISRE 2400 and ISAE 3000 engagements, irrespective of the fact that the practitioner is not also the statutory auditor of, or auditor appointed to execute a voluntary audit for, the respective client.

Ordinary meaning of 'opinion'
While a technical argument that the substance of a review, limited assurance and audit engagement are similar provides one critique of the guidance provided by the IRBA ( 2006), the ordinary meaning of 'opinion' should not be overlooked.Section 1 of the APA defines an 'audit' as an engagement culminating in the expression of an opinion on the underlying (IRBA, 2006; s1 of the APA).The Oxford English Dictionary defines 'opinion' as simply 'a belief or assessment on grounds short of proof' or as 'what one thinks about a particular question or topic'.When it comes to opinions providing high or moderate levels of assurance, each respective type of engagement conveys a belief concerning an underlying, albeit based on different degrees of evidence.That the conclusions are stated in the positive or negative is largely semantics.
A second definition -'a formal statement of professional advice' -corroborates this argument.Whether the practitioner issues an audit (ISA 700), review (ISRE 2400) or limited assurance report (ISAE 3000), an opinion is provided.The underlying engagement has been executed according to professional standards, subject to ethical considerations (IAASB, 2009e;IAASB, 2009n;IAASB, 2009s;IRBA, 2011).Whether it states that fair presentation is achieved or that nothing has come to the practitioner's attention to suggest otherwise, a formal professional statement on an underlying subject matter has been provided.
Within this context, a review (ISRE 2400) or limited assurance (ISAE 3000) engagement meets the definition of an 'audit' in terms of s1 of the APA.When it comes to financial statements, the ISRE 2400 engagement expresses an opinion on the fair presentation of the underlying or compliance with IFRS, albeit couched in the negative.For other financial information 'prepared in accordance with suitable criteria', an ISAE 3000 engagement achieves a similar result.

The impact of the Companies Act (2008)
Section 1 of the Companies Act (2008) defines an 'auditor' and 'audit' as 'having the meaning set out in the [APA], but provides that an 'independent review' is specifically excluded from the definition of an 'audit' in APA.This is replicated in s30(8) of the Companies Act (2008), which stipulates that: '[despite] section 1 of the Auditing Profession Act, an independent review of a company's annual financial statements required by this section does not constitute an audit within the meaning of that Act.' Furthermore, while s5(4) of the Companies Act ( 2008) provides that if it is impossible to 'apply and comply with' provisions of the APA inconsistent with the Companies Act ( 2008), the former legislation applies, this is specifically not the case with respect to s30(8) of the Companies Act ( 2008).This reaffirms that an 'independent review' for the purpose of the Companies Act ( 2008) does not fall within the scope of the APA.
Regulation 29(3) specifies that an independent review required in terms of the Companies Act (2008) ought to be executed according to ISRE 2400.Accordingly, an 'independent review' per the Companies Act ( 2008) would lead to the practitioner expressing an opinion giving moderate assurance on the client's financial statements (IAASB, 2009a;IAASB, 2009b; s1 of the Companies Act, s38 of the Companies Act).Yet, in spite of the fact that an ISRE 2400 engagement culminates in the expression of an opinion (IAASB, 2009s), the Companies Act (2008) deems the 'independent review' not an audit engagement under the APA.
The preliminary result is that any RI identified during the course of an independent review would not need to be reported to the IRBA and relevant authorities in terms of s45 of the APA.In other words, on a plain reading of the Companies Act ( 2008) and its Regulations, a reporting duty in terms of s45 of the APA would not be triggered if the practitioner is carrying out a review engagement.That noted, before concluding that no reporting duty has resulted, the practitioner would need to consider the provisions of the Companies Regulations (2011).
Regulation 29(1)(b) introduces its own definition of a 'reportable irregularity', which, remarkably, is different to that found in the APA.Regulation 29(1)(b) defines a reportable irregularity as an act or omission by a person responsible for a company's management which: i) 'unlawfully has caused or is likely to cause material financial loss to the company or to any member, shareholder, creditor or investor of the company in respect of his, her or its dealings with that entity; or ii) is fraudulent or amounts to theft; or iii) causes or has caused the company to trade under insolvent circumstances' (reg 29(1) (b)(i-iii)).Where the 'independent reviewer' identifies such a 'reportable irregularity', he is obliged to follow protocols virtually the same as those specified by s45 of the APA, albeit that any reports are issued to the Companies and Intellectual Property Commission (the Commission), rather than the IRBA (Regulation 29(6)-29( 11)).A number of shortcomings are immediately apparent.
Firstly, Regulation 29(1)(b) regards an act that leads to trading under insolvent circumstances as a 'reportable irregularity'.The same provision does not appear in the definition of RI in s1 and s45 of the APA.Compounding the dissonance, the APA's definition of an 'RI' includes material breaches of fiduciary duty, but such an act is not a 'reportable irregularity' in terms of the Companies Regulations ( 2011).This could lead to the peculiar situation of different results for the same conduct.For example, trading while insolvent would trigger a reporting duty by the practitioner carrying out an ISRE 2400 review, but no reporting duty if the same engagement is structured as an audit.Similarly, a material breach of fiduciary duties (not being a fraud or causing material loss) would not be reportable for ISRE 2400 engagements, but would be reportable for audit engagements.In each case, despite the similar substance of the ISRE 2400 and audit engagements as a means of providing assurance on the quality of financial statements for market participants, different criteria for what amounts to a reportable act are applied.
Secondly, a 'reportable irregularity' detected during the course of an ISRE 2400 engagement should be reported to the Commission, rather than the IRBA.This is in spite of the fact that the IRBA has, since 2005, been vested with the responsibility of dealing with such reporting duties (IRBA, 2006).(It should also be remembered that the Public Accountants and Auditor' Board (PAAB) was initially responsible for dealing with 'material irregularities' under the preceding PAAA since the 1950s (PAAB, 2003).)Rather than extend these duties, the Companies Regulations (2011) lead to two bodies to whom reports may be issued, with the result that the similar difficulties plaguing the efficiency of report processing by the IRBA following the replacement of s20(5) of the PAAA with s45 of the APA may also befall the Commission.The added practical difficulty of having to provide the Commission with the necessary resources, including skilled personnel to discharge the duties enshrined in Regulation 29, seems to have been largely overlooked.
Finally, differences in the scope of reporting duties compound the above concerns.Unlike the APA, the Companies Regulations (2011) remain silent on ISAE 3000 engagements.Despite the growing relevance of assurance for integrated and control reports (consider: King-III, 2009;Solomon, 2009;Solomon, 2010;IRC, 2011), the legislation has chosen to deal only with financial statement audit and review processes.The result is a tension between the APA, the Companies Act ( 2008), and the IRBA's (2006) guide on reportable irregularities.
As discussed in Section 3.1, the IRBA (2006) does not specifically consider whether a reporting duty under s45 of the APA can be triggered during the course of an ISAE 3000 engagement only, although it is possible to infer that no such duty would result.Looking to the Companies Regulations (2011), a reporting duty under Regulation 29 is triggered only for 'independent reviews', that is, those within the scope of ISRE 2400 (Regulation 29(3 & 6a)).The illogical conclusion is that an ISAE 3000 engagement on a client's controls that happens to detect a substantial fraud would likely trigger a reporting duty to the IRBA by the auditor if the client is also his audit client.If the same engagement were undertaken during the course of an ISRE 2400 review, the Companies Regulations (2011) would require no reporting to the Commission per Regulation 29 and the IRBA (2006) would conclude that no s45 reporting requirements results.In both instances, the spirit of the APA (Gawith, 2006;Wielligh, 2006;Nel, 2001) and existing corporate governance practices that champion the need for whistle-blowing (Solomon, 2010;European Commission, 2010a) appear to have been overlooked.

Implications for corporate governance
The superseding of s 20(5) of the PAAA by s45 of the APA was, in part, a response to a series of corporate scandals, both locally and abroad, which undermined the trust vested in the audit profession (see Nel, 2001;Manuel, 2002).In particular, the South African Government was concerned that a thirty day window period under s20 (5) of the PAAA (within which the client could rectify the problem identified) delayed reporting and allowed rogue auditors an opportunity to evade reporting duties (Nel, 2001).Consequently, s45 of the APA requires reporting to the IRBA 'without delay' (s45(1) of the APA) and before the client is provided with an opportunity to address the respective problem (IRBA, 2006).
A similar rationale applied to the reporting of instances of fraud.Under s 20(5) of the PAAA, only material fraud needed to be reported.Responding to concerns that excessive reliance on professional judgement to determine what constituted 'material' sees s45 of the APA requiring all acts of fraud to be reported, irrespective of materiality (Gawith, 2006;IRBA, 2006;Wielligh, 2006;Nel, 2001).In each case, regulatory reform can be seen as aimed specifically at the risk of the auditors' whistle-blowing duties being marginalised.
This approach is largely consistent with emerging trends in other jurisdictions calling for clarified and enhanced reporting duties for auditors.The European Community, for example, is currently exploring the possibility of expanding the auditor's reporting duties in the name of increased transparency and accountability and improved audit quality (CESR, 2007;European Commission, 2010;European Commission, 2010a).In the USA, the enactment of the Sarbanes Oxley Act (2002) gives rise to certain instances where additional disclosures by auditors, for instance in connection with certain control deficiencies, arise (see: Khalifa et al., 2007;Riotto, 2008).Finally, the academic literature points to the on-going debate about the nature and extent of what auditors should be communicating to stakeholders, particularly from the perspective of auditors being required to detect and report on fraud (see : Humphrey, Turley & Moizer, 1993;Khalifa et al., 2007;Humphrey, 2008;Gold, Gronewold & Pott, 2012).
Within this context, the guidance provided by the IRBA (2006) and the prescriptions of the Companies Act (2008) represent a contradiction.In Sections 3.1 and 3.2, it was argued that ISRE 2400 and ISAE 3000 engagements culminated in the expression of an opinion and that, as a result, a reporting duty under s45 of the APA may arise in each situation.This would see an increased application of s45 of the APA as limited and moderate assurance engagements become more common.
The enactment of the Companies Act (2008), however, deems an 'independent review' not to be an 'audit' in terms of the APA, effectively narrowing the scope of s45 of the APA (s5 & 30(8) of the Companies Act, 2008).This stands in stark contradiction of the need to enhance the transparency of the assurance reporting process, arguably a driving force behind the refinement of auditor whistleblowing obligations embodied in s45 of the APA.The efforts aimed at reducing the risk of auditors circumventing their civic duty to report wrong-doings (Nel, 2001) by repealing s20(5) of the PAA have largely been neutralised by the enactment of the Companies Act (2008), which has reduced the number of companies that will be subject to an 'audit'.Furthermore, the nature and extent of reporting, whether to the IRBA or the Commission, is largely driven by semantics.The substance of the 'irregularity' is ignored with the APA and Regulation 29 each defining what is reportable differently.The result is the creation of a mechanism that allows reporting to third parties to be disregarded, irrespective of whether or not this is in the public interest.
These concerns may, however, be rendered moot, given the potential for the majority of companies to be subject to neither an audit nor a review (s1, s30 & Regulation 28 of the Companies Act ( 2008)).In such instances, s45 of the APA and Regulation 29 would be rendered inoperative.If, for example, a professional accountant is engaged at such a client on a compilation or agreed-upon procedure engagement, professional standards and codes of ethics prohibit him from disclosing clients' affairs to third parties (IRBA, 2010;IFAC, 2006).Unless a transgression amounts to an act of money laundering, terrorism or breach of certain financial regulations, no reporting would result in the absence of s45 of the APA (IRBA, 2010;IRBA, 2006;Nel, 2001; s45 of the APA) and the recently introduced Regulation 29.Effectively, the vast majority of currently reportable transgressions would fall outside of the reportable sphere, given that most registered companies would not be subject to audit or review (consider Nel, 2001;Manuel, 2002;Institute of Directors of Southern Africa, 2008).
The resulting 'internalisation' of transgresssions is at odds with the existing theories on whistle-blowing.Reckers-Sauciuc and Lowe (2010), Hwang et al. (2008), Vinten (2003), Kaplan andWhitecotton (2001), Nel (2001), and Dozier and Miceli (1985) are examples of the prior scholarly efforts pointing to the role of whistle-blowing in enhancing transparency and accountability at the corporate level.It is for this reason that Vinten (2003) concludes that effective whistle-blowing should be encouraged.Curiously, the Companies Act (2008) seems to discourage this and/or confuses the situation.This comes at a time when, in the aftermath of corporate scandals, the legitimacy of the audit profession has been questioned (Edwards, 2001;Unerman and O'Dwyer, 2004;Pesqueux, 2005;O'Dwyer, Owen & Unerman, 2011) and the need for enhanced corporate reporting has been emphasised (Humphrey, 2008;European Commission, 2010;Gold et al., 2012).

Conclusion
The guidance provided by the IRBA (2006) in Reportable Irregularities: a Guide for Registered Auditors is not consistent with the substance of engagements within the scope of ISRE 2400 and ISAE 3000.Although these engagements do not provide a high level of assurance, they nevertheless are designed to lead to the expression of an opinion on a subject matter.Conceptual approaches to and inherent limitations of these engagements are largely consistent with audit engagements undertaken in compliance with ISA.For these reasons alone, ISRE 2400 and ISAE 3000 engagements should fall within the scope of s45 of the APA.
This conclusion is consistent with the spirit of the APA, which was enacted, in part, to reduce the risk of marginalisation of whistleblowing duties by auditors (Nel, 2001).If regulation is to be a means of entrenching whistle-blowing to improve the transparency of the audit reporting process, allowing for exceptions in situations 0simil0ar in substance to a financial statement audit is illogical.
The Companies Act ( 2008), however, leads to the opposite conclusion.It effectively deems 'independent reviews' different to 'audits' for the purpose of the APA (s1 and s30(8) of the Companies Act, 2008).Given the potential for the majority of South African companies to avoid an audit of their financial statements (Institute of Directors Southern Africa, 2008), this could culminate in a substantial reduction in the incidences of whistle-blowing by external auditors to the IRBA in terms of s45 of the APA.Instead, 'reportable irregularities' detected during ISRE 2400 engagements would be reported to the Commission.
Initially, this appears to broaden the scope of whistle-blowing duties.A number of practical difficulties, however, emerge.Firstly, definitions of a 'reportable irregularity' in terms of the Companies Regulations (2011) and APA are inconsistent, leading to a possible situation where the nature of the engagement, rather than the underlying act in question, dictates whether or not a reporting duty exists.This is in spite of the arguments that the substance of ISA and ISRE 2400 engagements are largely similar.Secondly, rather than relying on the practical lessons learned by the IRBA since 2005 in dealing with 'reportable irregularities', the Regulations effectively create a second complaint recipient, which may be beset by similar difficulties already encountered by the IRBA.Thirdly, in spite of the growing relevance of ISAE 3000 engagements (consider IRC, 2011), the Regulations remain silent on this type of professional service.The result is that an act, clearly contrary to the public interest, and although otherwise reportable, falls outside of the whistle-blowing net.The IRBA (2006) argues that ISAE 3000 engagements are not within the scope of s45 of the APA and Regulation 29 addresses only review engagements per ISRE 2400.
The above problems arise only in situations where audits or reviews are carried out.Practically, the Companies Act (2008) will result in the vast majority of companies requiring no formal assurance services, rendering the provisions of s45 of the APA and the newly created whistle-blowing duties per Regulation 29 less relevant, if not nugatory.Ultimately, this points to a lack of cohesion, making it remarkable that South Africa has been ranked first globally for the quality of its auditing regulations, standards and guidance (see: IRBA, 2010a).The real question is whether or not we will retain this position.
This research provides an initial exploratory view on possible tensions or inconstancies between the Companies Act ( 2008), the APA and the IRBA's (2006) guide on reportable irregularities.It does not purport to be a comprehensive account of the audit regulatory environment.In addition, this research assumes -as per Nel (2001) and Manuel (2002) -that s45 of the APA serves as a whistle-blowing mechanism that contributes to the quality of the audit and review reporting process, which ultimately serves the public interest.As such, there is considerable scope for future research.For example, whether or not the shortcomings of the above-mentioned legislation could give rise to additional litigation risk for audit firms and the need for additional protection for auditors against legal action could prove fruitful.How audit firms are practically addressing these tensions could also prove insightful, concurrently addressing the calls by, inter alia, Power (2003) and Brennan and Solomon (2008) for research with a more real-world focus on audit and corporate governance systems, respectively.Additional work on the practical contribution of 45 of the APA could also prove interesting.For instance, does s45 of the APA change audit practice and result in the detection and reporting of transgressions that would, otherwise, have gone unnoticed?In other words, how successful are auditors in actually detecting RIs and hence reporting them and what, if anything, can be done to improve the status quo?Similarly, how does s45 of the APA contribute to the so-called 'expectation gap', particularly when it comes to the auditor's duties in connection with fraud?None of these issues have been explored by this paper and would offer fruitful prospects for other interpretive researchers.