In December, the Brydon review was published, the last of a series of reviews commissioned by the government and others to look at different aspects of the audit market.
The review sets out proposed measures to achieve significant improvement in the perception and operation of external audit, and build greater trust in business. What will these measures be and what can you do to prepare for any new legislation?
What is the impact of the Brydon review and how can you prepare for it?
Broadly, the Brydon review focuses on the external audit market, particularly within large public companies, and makes recommendations for change. If these are implemented, they will be mandatory and expand the compliance requirements for the UK's largest listed businesses. There will, naturally, be an impact on internal audit in its role supporting the business and delivering assurance to the board. Some of these areas are summarised below, together with suggestions for how internal audit can prepare.
Introducing a UK version of SOX
The Brydon review gives further consideration to introducing a 'SOX-lite' regime. This had already been raised by the Kingman review and the Department for Business, Energy and Industrial Strategy (BEIS) are developing proposals, which are expected later this year. This would likely lead to significant strengthening of the current UK Corporate Governance Code requirement for an annual assessment of effectiveness of risk management and internal controls systems.
Brydon anticipates guidance will be provided by the Audit Committee Chairs’ Independent Forum and formally endorsed by the Audit, Reporting and Governance Authority, which is replacing the Financial Reporting Council (FRC). While Brydon suggests this assessment should not be audited (except in the case of past control failures), others have different views on the level of assurance auditors should provide over the proposed internal control statement.
Internal audit should expect questions from C-Suite and the audit committee on the level of assurance provided on internal controls and how this could be strengthened to meet future requirements. We believe this will likely involve minimum control frameworks, control self-assessments, periodic certifications and an element of independent second- or third-line testing. Experience from the implementation of US SOX also suggests there would be an impact on the demand for finance and technology audit skills, and resultant issues of cost and availability of talent.
Unsurprisingly, there is a clear focus on what companies are doing to prevent and detect material fraud, with Brydon recommending greater disclosure of actions taken to address this and external auditors adopting a 'suspicious' rather than sceptical mindset. Internal audit should look at existing fraud risk and assurance activities and consider how it all fits together. For example:
Is there an overall fraud policy or framework?
Has there been an assessment of key fraud risks?
Has there been any recent training, communication or guidance on anti-fraud measures?
Is fraud considered as a theme in all relevant reviews?
Brydon recommends that the audit committee publish a three-year rolling audit and assurance policy. This will be broader than external audit and consider internal audit and other sources of assurance. The role of internal audit is specifically mentioned with the expectation that they engage more with external audit, and internal audit should expect questions on the current level of engagement.
Most large corporates have adopted the 'three lines of defence' model and have, to some extent, identified their key sources of assurance. An assurance-mapping exercise is often required to provide clarity on ownership and coverage. In our experience, this is seldom done thoroughly and will likely be an area of focus for audit committees. Internal audit are well placed to take the lead on this.
Risk reporting and resilience statement
Brydon gives heightened focus to risk disclosures, envisaging a stand-alone risk disclosures document to be published mid-year and used to inform the external audit scope. The review suggests the going concern and viability statements should evolve into a resilience statement with short-, mid- and long-term views.
We expect risk and group finance teams to take the lead on these disclosures and greater prominence of risk reporting should be beneficial in terms of increased support and adoption of high-quality, risk-based internal audit. Internal audit should be called upon to provide assurance and robust challenge over the medium- and long-term resilience statements, as well as the processes, information and models that support them.
What should internal audit functions do now?
Together with the release of the IIA Code of Practice this month, the Brydon review adds a further layer of guidance to consider and an opportunity for internal audit to elevate themselves and the value they deliver to their organisations. Brydon’s recommendations becoming mandatory may take some time, as the government is next to consult on this and all the other views of the audit profession. In the meantime, proactive internal audit functions should take the opportunity to work with management to consider how to derive value from the guidance and prepare to address requirements.
To find out more about how you can get ahead of the curve in understanding the implications and opportunities for your business, contact Eddie Best or Martin Gardner.