After an 11-month wait, the Department for Business, Energy and Industrial Strategy (BEIS) published its response on reforming corporate governance and audit on 31 May 2022. This is an important milestone on the path to reform, but it is not the finishing line.
Update: 16 June
The new FRC Chair, Sir Jan du Plessis, has pledged that the FRC will hold directors to account with a version of the UK SOX proposals that the government has dropped. “We will be consulting about the merit of using the corporate governance code and the audit reforms we are working on to put more pressure on boards of directors to take responsibility for their own internal controls. It won’t be Sarbanes-Oxley, but it is the same idea.”
Following the three independent reviews and an extended consultation, there's a lot to digest in the 197-page response. We take a look at the key elements of controls, assurance, risk, and fraud.
The focus of this consultation has always been to restore trust, enhance accountability for those with key roles in the business ecosystem, and ensure the quality and accuracy of the information companies report.
While the majority of the more than 600 responses endorsed the need for reform, there were, as reported in the media over recent weeks, reservations about the government’s proposals from business, auditors, and investors. Concerns centred on cost and timing, particularly in the wake of the COVID-19 pandemic; on whether the measures would be effective; and on the scale of the reforms putting excess strain on audit resources.
Over 70% of respondents agreed there was a case for strengthening the control framework. But there was significant divergence in views on how this should be achieved and whether this should be focused on financial or wider operational controls. Similarly, most respondents (74%) supported a directors’ statement on fraud responses and there was broad support for both the proposed Resilience Statement and Audit and Assurance Policy.
What are the key outcomes?
The government has made changes to its initial proposals on internal controls, assurance, and fraud. In key ways these are less prescriptive for business.
Practical and proportionate internal control reporting
Amid the concerns reported in the media about having to implement a UK SOX framework, the government has opted to focus boards on internal control matters through the ‘tried and tested approach’ of the UK Corporate Governance Code, rather than legislate. This immediately confines any requirements to the premium-listed market, on a ‘comply or explain’ basis. The response indicates that the government wants to avoid unintentionally defaulting to a US SOX approach, where external assurance is mandatory and costly.
Further consultation is needed to reach consensus on how directors will provide comfort that their statement is “soundly based”. It is then for investors to perform their stewardship role and apply pressure where internal controls are weak or directors’ statements on controls are inadequate. The Financial Reporting Council (FRC), soon to be replaced by a newly created regulator, the Audit, Reporting and Governance Authority (ARGA), has been asked to explore with investors how to enhance the content of auditor reports on the work done over internal controls.
Expanding definition of a PIE
The definition of a public interest entity (PIE) is expanding to include the most economically and systemically important companies: those with both 750 employees or more and an annual turnover of at least £750 million (up from the £500 million mentioned in the consultation).
Preventing and detecting material fraud
Building on the package of fraud measures proposed by Sir Donald Brydon, there will be an onus on directors to identify, quantify, prevent, detect, and remediate fraud risk exposures, and to report on the steps taken.
Scope of wider assurance
The proposed Audit and Assurance Policy will be taken forward under new legislation. It must set out whether, and how, independent external assurance will be sought on your Resilience Statement. The government shares the Brydon review’s long-term vision of corporate auditing going beyond the financial statements, but will not set a regulatory framework for it. Instead, it will leave the market to shape this, ‘stimulated’ by the requirement to publish an Audit and Assurance Policy.
Responses identified the need for clear future guidance on assurance or audit of areas, such as ESG and cyber, where the underlying standards are less well defined.
Risk and resilience
Specific matters the Resilience Statement is expected to cover include the ability to manage cyber security threats, data protection breaches and digital security risks, and the impact of climate change on the business model (building in the ESG agenda). The government and the regulator will need to consider how the Resilience Statement can effectively reference reporting under the new Sustainability Disclosure Requirements (SDR) regime.
The response doesn’t set out a timetable, but rather outlines the actions to be taken and what the government intends to ask of business. Delivering reform in this way will depend on a range of actors and mechanisms. Businesses can expect further consultations by the FRC.
What do you need to think about now?
In our experience, most organisations have taken some steps to address the key proposals put forward in the long-running consultation. Now you need to think about how you are set up to respond to the requirements, and what feedback, if any, you already have from your investor and stakeholder community on their expectations.
While the government’s proposals have been scaled back in some areas, most notably the anticipated UK SOX regime, there is still a clear focus on enhancing accountability, so companies should continue to prioritise activities that mature their approach to managing risk and controls.
Internal audit must maintain its independence, but the function can help by providing focus and by assessing the maturity of existing frameworks and controls, which in turn informs the future approach.
While the proposals do not legislate for a directors’ statement on internal control effectiveness (a UK SOX), there is widespread support, and agreement from the government, on the importance of an effective internal control framework.
Are you comfortable and confident that your internal control framework is robust, value-adding, and monitored?
Are there key risk areas where effort should be prioritised?
Does your control framework focus on internal controls over financial reporting, or extend to other compliance or operational reporting areas too?
Risk and resilience
How mature is your enterprise risk management framework, and can it support the enhanced reporting requirements of the Resilience Statement? Given the requirement to report in the Resilience Statement on short- to medium-term material challenges, what work is needed to expand on what you already capture through your enterprise risk management (ERM) processes?
Audit and Assurance Policy
Do you have a clear view of the assurance activity that exists across the organisation? How integrated are your Three Lines in providing combined assurance across key organisational risks? Does your internal audit plan provide assurance over key risk exposures during this transition? What steps have been made to draft your Audit and Assurance Policy?
Preventing and detecting fraud
How mature is your fraud risk framework, and what assurance do you have that it operates effectively? Are you confident your processes are mature and embedded enough to support a public statement that adequate actions are being taken to prevent and detect fraud?
For answers to these questions, and to find out more about how you can get ahead of the curve on the emerging requirements for your business, get in touch with our experts.