Analysis: BEIS proposals in relation to internal controls
BEIS proposes to enhance UK company requirements on internal controls
One of the key proposals in the BEIS consultation ‘Restoring trust in audit and corporate governance' is for certain companies to have enhanced requirements in relation to the effectiveness of their internal controls. The intended scope is premium listed companies, to begin with (subject to certain possible temporary exemptions) and then to be made applicable to all PIEs two years later. The potential temporary exemption would be for newly listed companies where gross revenues are below a specified threshold.
UK and US internal control frameworks
The regulatory and other requirements applying to internal control arrangements in UK companies can be found in company law, the Listing Rules, UK Corporate Governance Code provisions and auditors’ responsibilities.
A number of respondents to the Kingman and Brydon Reviews argued that consideration be given to possibly adopting elements of the regime that applies in the US under the Sarbanes-Oxley Act 2002 (SOX). This requires the management of public companies to assess and report annually on the effectiveness of their company’s internal control structure and procedures for financial reporting.
The company’s auditor is then required to attest to and report on this assessment. SOX also places responsibility for a company’s financial statements and internal controls clearly with the CEO and the CFO. These officers must certify (inter alia) for each annual and quarterly report that they have reviewed the report, acknowledge their responsibility for establishing and maintaining internal controls and that they have evaluated the effectiveness of the internal controls within 90 days prior to each report.
Options for strengthening the UK’s internal control framework
The Government has put forward the following three options (not mutually exclusive).
Option A: Require an explicit directors’ statement about the effectiveness of the internal control and risk management systems.
The expectations about maintaining, evaluating and reporting on the underlying risk management and internal control systems are dealt with through UK Corporate Governance Code provisions. Principle C of the Code requires the board to establish a framework of prudent and effective controls which enable risk to be assessed and managed. A Code provision then calls on the board to monitor the company’s risk management and internal control systems and, at least annually, to carry out a review of their effectiveness and report on that review in the annual report.
However, there is no requirement for boards to report whether they consider the control system to be adequate or effective, although many companies do so. To strengthen this, the CEO and the CFO (or alternatively, the board collectively) could be required to:
- explain the outcome of the annual review of the risk management and internal control systems and make a statement as to whether they consider the systems to have operated effectively;
- disclose the benchmark system, if any, that has been used to make the assessment;
- explain how the directors have assured themselves that it is appropriate to make a statement; and
- if deficiencies have been identified, set out the remedial action that is being taken and over what timeframe.
Such provisions could be implemented via changes to the Code or through legislation to put the requirements on a full statutory footing (including a requirement to carry out an annual review). The latter would be stronger and would also enable the requirements to be applied to a wider range of companies, including large private companies.
The directors’ statement required under this option could cover all aspects of the company’s internal control and risk management procedures or be restricted to the internal controls over financial reporting.
It has been suggested that the well-established Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, adapted as required for the UK, could be used by boards for assessing the effectiveness of the internal controls for financial reporting.
Many US companies use this for the purposes of SOX compliance. A UK-tailored standard could focus more on design effectiveness, entity-level controls and the use of management judgement to ensure an emphasis on the highest risk areas. The board would need to decide on the degree of assurance it needed to satisfy itself that the control framework was effective in terms of both its design and implementation. For example, it could rely on work by the internal auditors or, in addition, commission further work from the external auditors on all or specific aspects of the framework, subject to any barriers to them providing non-audit services.
On these matters, the Code or legislation (if applicable) could be more or less prescriptive. At one end of the spectrum, companies could be required to use a specified internal control standard (or one of a range of standards or control frameworks approved by the regulator). Alternatively, companies could be given a choice, but a company’s board would be required to justify why its chosen standard or approach was appropriate to its business model and circumstances. The latter approach could be given more rigour through the development of principles and guidance to be followed by a board when deciding on its approach to the effectiveness statement.
The Audit Committee Chairs’ Independent Forum (ACCIF) has developed a set of draft principles to support a CEO/CFO attestation to the board about the internal controls over financial reporting which have been the subject of consultation. These could be further developed and endorsed by the Audit Reporting and Governance Authority (ARGA) and become a formal part of the UK corporate governance framework.
Option B: Require auditors to report more about their views on the effectiveness of companies’ internal control systems.
Here, the auditors’ report would be required to say more about the work that they already undertake to understand the company’s internal control systems and how that work has influenced the approach taken to the audit – but without requiring a formal attestation of their effectiveness.
Auditors of premium listed companies are currently required by auditing standards to report to audit committees their views on the effectiveness of internal controls relevant to the risks that may affect financial reporting. These, however, are not published and do not form part of the audit report. This existing auditing standard could be built on to require the auditor to provide more information in the audit report about its views of the internal controls (but only to the extent that it has considered them as part of the audit), and the extent to which it relied on them in planning the audit.
The Financial Conduct Authority’s (FCA) Disclosure and Transparency Rules (DTRs) require listed companies to include a statement in their annual report and accounts (as part of their corporate governance statement) describing “the main features of the [company’s] internal control and risk management systems in relation to the financial reporting process”. The company’s auditor, in turn, must state whether this is consistent with the financial statements and knowledge obtained during the audit and whether there have been any material misstatements in the information in the statement and, if so, their nature.
This would be a stronger provision if the company’s DTR statement had to include the board’s assessment of whether it regarded the internal controls as effective (Option A above), because the auditor would have to disclose if it thought that this was inconsistent with anything discovered in the course of the audit. This option could be reinforced by placing a specific positive duty on the board (or the CEO and CFO) to disclose to the auditor and audit committee any significant deficiencies and weaknesses in the internal controls of which they are aware.
The existing duty on auditors under the Companies Act to form an opinion as to whether the company has kept “adequate accounting records” could also be improved. In part, this could be achieved by clarifying what the duty to keep adequate accounting records entails.
Alongside this, ARGA could be asked to prepare guidance to auditors on how this aspect of an audit should be approached. This would ensure greater consistency of audit approach and could provide more clarity about the extent to which an assessment of internal controls should be an aspect of assessing whether or not a company has kept adequate records, particularly for the audit of larger, more sophisticated companies.
Option C: Require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems (this assumes Option A is required).
This option would go significantly further than Option B and would involve the auditor undertaking additional audit and assurance work to be in a position to express a formal opinion on the directors’ assessment and hence have similarities to the US SOX approach.
The paper notes that there are arguments for and against restricting the scope of such an attestation to controls over financial reporting. An auditor’s attestation requirement would logically match the scope of the directors’ statement. While the scope of audit remains as it is now, the Government believes that there are strong arguments for limiting the auditors’ attestation work to the financial controls.
Frequency of external attestation
Any formal auditor attestation could be required annually, or less frequently, such as at least once every three years, or in specific circumstances, e.g. the year following any significant acquisition, merger or other major corporate event.
The FCA’s Listing Rules require IPO sponsors, before submitting an application for a listing, to come to a reasonable opinion that “the directors of the applicant have established procedures which provide a reasonable basis for them to make proper judgments on an ongoing basis as to the financial position and prospects of the applicant and its group”. This could become a permanent feature of being a listed company, with a regular (not necessarily annual) statement required from the auditor or other external party.
Government’s initial preferred option
The Government wants to achieve a proportionate strengthening of the internal control framework which builds on and develops the UK’s existing provisions. A potential model which focuses on internal controls over financial reporting, therefore, encompasses (i) to (vi) below.
(i) Directors’ responsibility statement
Directors should be required to acknowledge their responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting.
(ii) Annual review of internal control effectiveness and new disclosures
Directors should be required to:
- carry out an annual review of the effectiveness of the company’s internal controls over financial reporting;
- explain, as part of the annual report and accounts, the outcome of the annual review, and make a statement as to whether they consider the systems to have operated effectively;
- disclose the benchmark system that has been used to make the assessment; and
- explain how they have assured themselves that it is appropriate to make the statement.
If deficiencies have been identified, these should be disclosed and the directors should set out the remedial action that is being taken and over what timeframe.
(iii) Principles and guidance
In deciding on the approach to be taken to the internal control effectiveness statement, directors should be guided by principles and guidance developed or endorsed by the regulator reflecting audit committee best practice.
(iv) External audit and assurance
Whether the internal control effectiveness statement should be subject to external audit and assurance should usually be a matter for audit committees and shareholders. Companies should be required to have their internal controls assured by an external auditor in limited circumstances (e.g. where there has been a serious and demonstrable failure of internal controls).
The regulator should have powers to investigate the accuracy and completeness of the directors’ internal control disclosures and, if necessary, order amendments or recommend an external audit of the internal controls. There should be effective powers to sanction directors where they have failed to establish and maintain an adequate internal control structure and procedures for financial reporting.
The requirements should be set out in legislation and phased in over a period of time. They should apply initially to premium listed companies, which are already familiar with the concept of an annual review (with possible temporary exemptions for newly listed companies where gross revenues remain below a specified threshold), and be extended to other PIEs after two years.