Brydon recommendations: Suggestions to inform the work of BEIS on internal controls
Following the publication of Sir Donald Brydon’s final report on his Independent Review into the Quality and Effectiveness of Audit, this article summarises the recommendation for introducing a UK version of Sarbox and his proposals on internal audit.
Scope of recommendation
Sir Donald Brydon has recommended significant changes to the UK internal control requirements on corporates.
He states at the start of his report that the recommendations are collectively aimed at improving audit and assurance in relation to public interest entities (PIEs) as per the focus of the review’s terms of reference. He recognises that the government is in the process of addressing Sir John Kingman’s recommendation that the existing definition of PIEs be revisited but in principle sees no reason why the recommendations in his report should not apply to any expanded group of PIEs, except for recommendations that are aimed specifically at listed companies.
He does add, however, that: “the Government, in determining the implementation of each recommendation should consider the case for certain recommendations applying initially to the audit of PIEs in the FTSE 350 index, or in some instances, a subset thereof, and the extent to which they may be applied to PIEs outside the FTSE 350 index.” Therefore, further clarity will be required on those companies that would be within the scope of his proposals on an enhanced internal control regime from the outset.
UK version of Sarbox
Sir Donald notes that Sir John Kingman recommended in his report of his review of the Financial Reporting Council (2018) that serious consideration should be given to the case for a strengthened framework around internal controls within UK companies, learning relevant lessons from the United States experience of implementing and operating the 2002 Sarbanes-Oxley Act (SOX).
Sir Donald expands on this by setting out how he envisages that such an approach could be introduced in the UK, being careful to ensure that any such proposals are proportionate.
He refers to the current provisions in the UK Corporate Governance Code and related guidance and notes that there is a lack of consistency in how these are applied. Whilst recognising that focusing accountability on the CEO and CFO when the UK has a unitary board model may cause some issues, he believes that: “there is sufficient evidence to suggest that such attestations have improved relevant internal controls and may have helped to lower the cost of capital”.
He then sets out, in terms of a company’s internal controls over financial reporting, that:
- The government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d).
- This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.
Taking account of proportionality, Sir Donald is not minded to mandate having the auditor opine on the attestation. This of course will spark considerable debate but is similar to the approach applied in Canada. He does, however, suggest that where there is a failure of relevant controls in the twelve months prior to the attestation or in the twelve months following it, this should result in a requirement for future statements to be audited for a period of three years following the failure. The directors should be required to state if such a failure has occurred. He of course highlights that companies could voluntarily choose to have the attestation audited.
He further recommends that the Audit Committee Chairs Independent Forum (ACCIF) should develop principles that should be followed by CEOs and CFOs in making an internal controls effectiveness attestation with final endorsement of these principles being made by the new audit regulator, the Audit, Reporting and Governance Authority (when in existence).
He further proposes that where weaknesses (and/or failures) in controls have been reported it should become an obligation on directors to report on what remedial action has been taken and on its effectiveness. If the same or any other material weakness persists over two reporting periods, boards should be obliged to have their attestations audited until the controls can be pronounced effective.
Sir Donald also highlights that he believes it would be a step too far to extend the proposed UK Internal Controls beyond those relating to financial reporting.
Sir Donald also recognises that ISA (UK) 610 (Revised), Using the work of internal auditors, should be reviewed with a view to encouraging external auditors to make greater use of internal audit. This was a point ICAS raised in its submission to Sir Donald. He also recommends that external and internal auditors should meet to share all relevant information at the start of setting the audit plan and assessing the environment in which an audit is to take place. He also hopes that the publication by the Chartered Institute of Internal Auditors (CIIA) of its Internal Audit Code of Practice (for non-financial services entities) will help to enhance the role of the internal audit profession, that it ought to assist audit committees in their work, and that there will be more transparency around the role and activity of the internal audit function. ICAS, as it has previously stated, would welcome this increased transparency.