Lindsey Stewart is Senior Manager of Investor Engagement at KPMG LLP. This post is based on a KPMG memorandum by Mark Baillache, and Sophie Gauthier-Beaudoin.
Robust controls over financial reporting enhances trust in business and improves reporting quality. The UK already has requirements in this area but there is widespread agreement among users of financial reporting that there is much room for improvement.
In March, the long-awaited consultation on ‘Restoring Trust in Audit and Corporate Governance’ was published by the Department for Business, Energy and Industrial Strategy (BEIS). One of its key proposals is that the UK should adopt a strengthened internal controls framework for companies, similar to the US Sarbanes-Oxley Act (SOX) which requires directors to attest to the effectiveness of internal controls over financial reporting. The proposal explores a number of options featuring varying degrees of auditor involvement with the intention that premium listed companies be required to apply them first, followed by all other Public Interest Entities after two years.
Learnings from the US experience
Although much has been said and written about the time and cost of implementing a more robust internal controls regime, the experience in the United States suggests that the benefits justify the expense.
Research and evidence demonstrate that SOX has strengthened the reliability of financial reporting in the US delivering tangible benefits for the capital markets, including:
- Improved quality of financial reporting
- More robust financial controls
- Rebalancing the relationship between the auditor and management
- Highlight problems early and an early warning for fraud
The number of restatements reported by US public companies has steadily decreased since the introduction of SOX. It reached its lowest level in 2019 having decreased by over 90 percent in the last 15 years.
This also suggests that assurance over management’s assessments of the internal control environment within listed companies has benefits for investors and for the company itself. In a 2017 Centre for Audit Quality survey, 79 percent of CFOs who took part felt that the overall quality of information in audited financial statements had improved since the enactment of SOX and 85 percent believed the external audit of their company’s internal controls over financial reporting has helped their company.
Overall 80 percent of those CFOs agreed that the benefits of SOX outweigh or is equivalent to the expense.
What might a UK version of SOX look like?
The BEIS white paper sets out three options for strengthening the UK’s internal controls framework.
Option A. Require an explicit directors’ statement about the effectiveness of the internal control and risk management systems
This would strengthen the existing UK framework by requiring the board to explain the outcome of their annual review of the risk management and internal control systems and make a statement as to whether they consider the systems to have operated effectively. Additionally, they would:
- disclose the benchmark system, if any, that has been used to make the assessment;
- explain how the directors have assured themselves that it is appropriate to make a statement; and
- if deficiencies have been identified, set out the remedial action taken and over what timeframe.
Option B. Require auditors to report more about their views on the effectiveness of companies’ internal control systems
Under this option, the auditors’ report would be required to say more about the work that they already undertake to understand the company’s internal control systems and how that work has influenced the approach taken to the audit, but without requiring a formal attestation of their effectiveness.
This option could be reinforced by placing an explicit duty on the board to disclose to the auditor and the audit committee any significant internal control deficiencies or weaknesses they are aware of.
Option C. Require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems
This option would require the auditor to undertake additional audit and assurance work to be in a position to express a formal opinion on the directors’ assessment—potentially limited to key internal controls over financial reporting, or a sub-set of that. It would have similarities to section 404(b) of the US’s Sarbanes-Oxley Act which requires the company’s auditor to attest to and report on management’s assessment of the internal control structure and procedures for financial accounting.
The Government’s initial preferred approach is Option A. Unlike the US approach, which mandates external auditor attestation for larger companies (based on their market cap), the preferred option leaves the decision on whether the statement should be assured by an external auditor to the company’s directors, audit committee and shareholders.
What’s currently required and what happens in practice?
The Board is required to summarise the process applied in reviewing the effectiveness of the system of risk management and internal controls and explain what actions are being taken to remedy any significant failings or weaknesses.
Currently in the UK, it is rare that control failings and weaknesses are reported—this generally only occurs for issues that are already in the public domain. This could be due to a lack of a robust definition of what constitutes ‘significant failing or weakness’, and potentially the absence of mandatory independent assurance to hold the board to account as is required in the US.
What have investors told us they want?
We held a roundtable discussion with investors and analysts last month to discuss the internal controls recommendations, alongside others in the BEIS white paper. Here are the key points raised by attendees.
- There was strong support for the adoption of a UK version of SOX—investors welcomed the benefits observed in the US since its implementation
- They believe the scope of internal controls over financial reporting should extend beyond the primary financial statements and include processes over value relevant information which is often contained in the front half of the annual report and in investor presentations
- They believe that assurance as described in Option C would be needed with a clear preference to mandate a defined scope for the audit as opposed to relying on voting on the Audit and Assurance Policy as proposed in the white paper.
- While they are mindful of the additional cost imposed on companies, they expect large companies to already have controls in processes in place that would reduce the burden of implementation.
What can investors do now?
The BEIS white paper represents a once in a generation opportunity for investors to submit their views on how UK companies should be directed and controlled, ahead of new legislation that aims to build resilience and increase the attractiveness of the UK capital markets.
So, in the short time remaining between now and the 8 July comment deadline, it’s vitally important that shareholders respond to the consultation, but also continue their dialogue with companies to outline what they think a proportionate level of control, reporting and assurance should look like.