Examining the UK Government’s intention to have directors report on the effectiveness of internal controls
On 31 May 2022, the UK Government published its feedback paper to its 2021 White Paper ‘Restoring trust in audit and corporate governance’. James Barbour CA looks at the Government’s intention to have directors of premium listed entities report on the effectiveness of a company’s internal controls.
Whilst there has been considerable commentary on the dilution of the Government’s proposals in this area, ICAS welcomes that the Government does intend to take forward the inclusion of a provision in the UK Corporate Governance Code for directors to report on the effectiveness of an entity’s internal controls. The Government believes that the Code provides a way of testing and refining an approach before making it a stronger legal requirement at a future point if required, and potentially extending it to a wider range of companies. Whilst it currently applies only to premium listed companies, the Government is of the view that it has a wider influence on other codes and best practice principles developed for different types of companies. These include the QCA Corporate Governance Code which is tailored for small and mid-size quoted companies and the Wates Principles, aimed at improving corporate governance in large private companies.
Restoring trust in audit and corporate governance
In its 2021 White Paper, the Government stated that it was minded to enhance the existing requirements on internal controls and set out three options for doing so.
- Option A: requiring an explicit statement from directors about whether they regard their internal controls to be effective and the basis for that assessment;
- Option B: requiring the external auditors to say more about the work they already undertake to understand the company’s internal control systems and how that work has influenced the approach taken to the audit – but without requiring a formal attestation of their effectiveness; and
- Option C: requiring auditors to provide a formal assurance of the directors’ statement about control effectiveness.
The White Paper outlined an “initial preferred option” based on an explicit statement from the directors which was in relation to the effectiveness of internal controls over financial reporting, leaving the question of whether external assurance should be sought as a voluntary matter for the company (and its shareholders) to determine based on its own circumstances, other than in certain exceptional circumstances. The White Paper stressed that the initial preferred option was not intended to close down consideration of alternatives.
This particular proposal has been the subject of considerable debate as the Government seeks to assess the costs and benefits of such a proposal. So what has the Government decided to do?
Internal controls – the way forward
The Government considers that there would be benefits in strengthening the UK’s internal control framework However, it believes that there are risks in moving directly to putting a directors’ statement on a legislative footing. It has noted the views of a number of respondents to the 2021 consultation, including audit committee chairs, that a legally required directors’ statement might, in practice, lead companies to default to seeking external assurance from their auditors as the safest way of avoiding challenge. There would be a risk that the UK might unintentionally default to an approach very similar to the one in the US where mandatory external assurance is a requirement and combined audit and assurance costs are significantly higher. This from the Government’s perspective could affect the attractiveness of the UK’s public markets as a place to list.
Therefore, the Government will not seek to legislate in this area, but rather, intends to:
- Invite the Financial Reporting Council (FRC) to consult on strengthening the internal control provisions in the UK Corporate Governance Code to provide for an explicit statement from the board about their view of the effectiveness of the internal control systems (financial, operational and compliance systems) and the basis for that assessment. The Government believes this is the most practical and proportionate way of strengthening boardroom focus on internal control matters. It will be particularly effective if investors in their stewardship role are ready to apply pressure on boardrooms where internal controls seem to be weak, or where the statements by directors are “boilerplate” or inadequate. Additionally, the intended scope of “internal controls” is wider than just those over financial reporting (see above). The Government expects that this provision would be underpinned with guidance on how boards should approach the preparation of the statement, which would be developed following a review of the FRC’s existing Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. This guidance would cover the identification of acceptable standards, benchmarks or principles and address definitional issues and the circumstances in which external assurance might be considered appropriate. To help prepare the guidance it is envisaged that the FRC will work with companies, investors and auditors.
- Require Public Interest Entities (PIEs) above the size thresholds of 750 or more employees and £750m or more in annual turnover to state, as part of the proposed “minimum content” for the new Audit and Assurance Policy, whether or not they plan to seek external assurance of the company’s reporting on internal controls. This would not require directors to seek such assurance but would help ensure that they had at least considered the possibility. This would also provide external shareholders with a clear opportunity to raise the matter and press for more assurance if they had concerns; and
- Ask the FRC to explore with investors and other stakeholders whether and how the content of the auditors’ report could be improved to provide more information about the work auditors have undertaken on the internal controls over financial reporting. This would be limited to observations based on work carried out as part of the statutory audit and would not amount to assurance of the control system. The FRC has agreed to take this forward as part of a consultation on the content of audit reports.
The new Audit and Assurance Policy will require companies to state whether or not they plan to seek external assurance of the company’s reporting on internal controls. This will provide transparency to investors and other stakeholders and an opportunity, in practice, to raise the issue and press for more assurance if warranted. So too will the provision of more information from the external auditor about the work they undertake to understand and assess the internal controls. The regulator’s stronger corporate reporting review powers to monitor the entire annual report should also help address and deter cases of inadequate reporting.
The Government also intends to proceed with implementation of the White Paper proposal that directors of PIEs above the size thresholds of 750 or more employees and £750m or more in annual turnover should be required to report on the steps they have taken to prevent and detect fraud. This reporting could provide more transparency about internal controls more generally since, whilst the fraud statement would not require them to say anything about the wider internal control system, it would be an obvious opportunity to do so, since an effective system is the best defence against fraud.
Post-implementation review and potential future steps
The Government and the regulator will review the effectiveness of the envisaged Code changes in driving improved standards of internal control and more informative reporting as part of the Post-Implementation Review of the reform package.
They will also consider the extent to which the provisions have been reflected in other codes and best practice principles. The Government will consider at that point whether further measures are needed, and if there would be value in extending the measures to other PIEs. If necessary, new statutory reporting requirements relating to internal controls could be introduced using existing powers in the Companies Act 2006.