‘Restoring Trust in Audit and Corporate Governance’.
Despite media reports that many of the proposals had been watered down or diluted, the government’s proposed approach and the key proposals arguably do still represent the biggest and most radical shake-up of the UK’s audit and corporate governance framework in years.
While much of the focus of the proposals are designed to increase the quality and effectiveness of external/statutory audit and audit market reforms aimed at the main professional services firms, several of the proposals do impact the role and work of internal auditors.
The Chartered Institute of Internal Auditors is pleased to see that several of the policy positions we advocated on the key proposals in the White Paper are broadly reflected in the government response.
A summary of the main proposals are as follows:
This is something that the Chartered IIA has long supported, and we said should be front and centre of any audit reform programme. The government have made a clear commitment to deliver this through primary legislation published as part of the draft Audit Reform Bill.
The Chartered IIA strongly supports this, but we remain concerned that there is no detailed timetable as to when the government plans on publishing a draft Audit Reform Bill, or when legislation will be passed. However, this is one aspect of audit reform that we would like to see happen as soon as possible.
The introduction of Audit and Assurance Policies is something that we strongly supported in our response to the White Paper and has the potential to strengthen the internal audit profession. This is because it is expected that companies will have to state in their AAP how they plan on strengthening their assurance and internal audit capabilities. It is therefore good news that the government has said it intends to introduce this as a statutory requirement, and it will apply to PIEs (under the new widened definition – see below). The fact that the government intend for AAPs to be a new statutory requirement for PIEs demonstrates how important they regard it to be, as part of the overall package.
The government has said that the AAP will require companies to describe their internal auditing and assurance process. The government has also confirmed that the AAP will be published every three years (as opposed to every year) which is also something that the Chartered IIA called for in our White Paper response. However, AAPs will not be subject to a shareholder vote, although companies will have to state how they took account of shareholders’ views. AAPs will apply to PIEs under the new definition.
The Chartered IIA strongly supports this, but again we remain concerned that there is no clear indication of when legislation would be passed to make this a statutory requirement. This is also one aspect of reform we would like to see happen as soon as possible.
Internal Audit Call to Action:
As per the technical guidance we have published on AAPs, internal audit functions and the organisations they serve should not wait for AAPs to become a statutory requirement before doing something about it. Companies should get ahead of the curve and start developing their AAPs now. Internal audit has a vital role to play in facilitating and supporting the creation of the AAP. Indeed, there is evidence that the market is already preparing for this, with many blue-chip companies already publishing AAPs (as evidenced in their Annual Report and Accounts). In the meantime, we will also be urging BEIS and the FRC to publish preliminary guidance as to the framework and minimum content for AAPs to support comparable and high quality reporting ahead of this becoming a statutory requirement.
The government has confirmed its intention that all Public Interest Entities will be required to publish an annual Resilience Statement and that this will also be a statutory requirement. The Resilience Statement will set out a company’s approach to managing risk and developing resilience over the short, medium, and long term.
Specifically, the government intends to legislate for companies to report on matters that they consider a material challenge to resilience over the short and medium term, together with an explanation of how they have arrived at this judgement of materiality.
The new Resilience Statement will replace the existing Viability Statement and Going Concern disclosure. This Resilience Statement will also require at least one stress-test, something that is common in financial services, but a less common practice across non-financial services.
The Chartered IIA supports the introduction of Resilience Statements as a statutory requirement for all PIEs. This is also one aspect of reform we would like to see happen as soon as possible.
Internal Audit Call to Action:
We believe there is a role for internal audit in independently reviewing, verifying, and auditing the narrative of the Resilience Statement in terms of accuracy and transparency, prior to it being formally submitted to the statutory auditors. Potentially this could include reviewing the company’s approach to risk management and how business-critical risks, including the strength of the internal control framework in mitigating these risks, are being reflected in the resilience of the organisation and the Resilience Statement itself.
The government has decided not to pursue the proposal for stronger internal company controls, or SOX-lite as it has become to be widely known, via legislation. Instead, the government will now look to achieve similar aims through strengthening the provisions of the UK Corporate Governance Code. Meaning that this will only apply to premium listed firms and not firms under the wider definition of a public interest entity (see below).
The government plans to invite the regulator to strengthen the UK Corporate
Governance Code to provide for an explicit directors’ statement about the effectiveness of the company’s internal controls and the basis for that assessment, and to work with companies, investors, and auditors to develop appropriate guidance.
The Chartered IIA is disappointed that the government will not now be delivering the proposal for stronger internal company controls via legislation. We believe this would have been a game-changer for audit and corporate governance in the UK and would have led to better outcomes for businesses and enhanced their long-term sustainability.
We remain concerned that a half-baked attempt to deliver this through the UK Corporate Governance Code could create the opportunity for company directors to circumvent the requirements as the Code is complied with on a comply or explain basis. A risk that we have highlighted clearly in our engagement with the government and in the media.
However, the Chartered IIA now aims to work with the FRC and other stakeholders to ensure that this is now delivered in a way to enhance its effectiveness and make it work as best as possible. We will therefore work to influence the strengthening of the provisions of the UK Corporate Governance Code in a way that recognises and optimises the important role of internal audit. At present it is unclear as to when the UK Corporate Governance Code will be updated.
Internal Audit Call to Action:
Internal audit functions of premium listed firms must not wait for the UK Corporate Governance Code to be updated before supporting their organisations in ensuring that they are complying with the government’s clear intent on this. Internal audit must collaborate with first and second lines and the organisation as a whole, to take steps now to strengthen their internal company controls related to financial reporting. Adopting a holistic approach internal audit should also look to strengthen the wider internal control environment across the organisation. Organisations should also undertake an independent review of the Audit Committee’s effectiveness and establish where it is getting its assurance from.
Non premium listed companies and organisations outside the scope of the UK Corporate Governance Code should consider whether these new provisions could provide a benchmark of good practice for their internal control framework.
The government has confirmed that it does plan on proceeding with the proposal to widen the definition of a Public Interest Entity for regulatory purposes. This is something that the Chartered IIA has supported but with the caveat that the government should be proportionate in its approach.
At present, a Public Interest Entity (PIE) is mainly classed as a premium listed company. However, when BHS collapsed it was a large private company, and when Patisserie Valerie collapsed it was listed on the Alternative Investment Market (AIM). This means neither company would have been protected by the more stringent audit and governance regulations that apply to PIEs.
The government has confirmed its intention to broaden the definition of a PIE to include large private companies, AIM companies and LLPs with 750+ employees AND a turnover of £750m. This is a narrower definition to the options set out in the original White Paper, but the Chartered IIA believes is a positive step forwards, and consistent with a proportionate and reasonable approach.
Internal Audit Call to Action:
Internal audit functions working for organisations that will now be included under the
new definition of a Public Interest Entity should be asking challenging questions at senior leadership team meetings, and Audit Committee meetings, around the organisations understanding as to how the additional requirements for Public Interest Entities impacts their business. Internal audit functions should also engage second line compliance functions to ensure the additional regulatory requirements for PIEs are fully understood and will be complied with in time for their eventual implementation.
In the Chartered IIA’s White Paper response we expressed our concerns that extending external/statutory audit’s scope beyond the financial reporting, could duplicate the roles and responsibilities of internal auditors.
The government have said that they support external audit’s long-term scope and purpose being extended as per Brydon. However, critically they have said that they do not plan to legislate for this, and instead will look to FRC/ARGA to take the lead.
The Chartered IIA is pleased that the government has confirmed that they do not plan to legislate for this. We now plan to work closely with the FRC/ARGA to ensure that there are no unintended policy consequences for the internal audit profession, including duplication of roles and responsibilities. We remain strongly of the view that external audit would in fact benefit from a narrower scope, so that it can really focus on improving the quality and effectiveness of its work on the financial aspects of the business.
Internal Audit Call to Action:
The Chartered IIA encourages a closer working relationship between internal audit and the statutory auditors without of course compromising either independence in accordance with both professions’ respective standards. In our Internal Audit Codes of Practice, we are clear that the CAE/HIA and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.
In the Chartered IIA’s White Paper response we raised significant concerns with the proposal to establish a corporate auditing profession with a new professional body. This proposal was the most contentious and most opposed by internal auditors/our members.
The Chartered IIA, therefore, welcomes the government has made clear that it will not seek to establish a new professional body or regulatory oversight of a new ‘corporate auditing’ framework at this stage.
Instead, the government has said it will create the conditions for ‘the market’ to develop wider external assurance services, including through the new requirement on large Public Interest Entities to publish an Audit and Assurance Policy setting out their approach to the assurance of information beyond the financial statements. It will also seek improvements from existing professional bodies to statutory/external auditor qualifications, skills, and training to make for a more effective and distinctive statutory/external audit profession.
Broadly speaking, this reflects the sentiment expressed in the Chartered IIA’s White Paper response. We now plan on working with BEIS, the FRC/ARGA and other relevant professional bodies to ensure that the important role of internal audit is recognised in providing assurance beyond the financial statements.
The government has confirmed that they do plan on giving the audit regulator formal powers regarding the separation of the large audit firms. Whereas at present the FRC has only been able to achieve this through a set of voluntary principles.
This is something that the Chartered IIA has also supported. Not least because we believe this is positive for the internal audit profession, in terms of protecting the independence and integrity of outsourced internal audit. As it means the provision of external audit services will be in separate arm, to the provision of internal audit services (non-statutory audit arm).
In the Chartered IIA’s White Paper consultation response we expressed concerns that we remained sceptical as to whether managed shared audit was the right approach to increase competition and improve external audit quality and effectiveness. However, the government has said they do plan on introducing managed shared audits on a phased basis, but that these will only apply to FTSE 350 companies.
Where appropriate the Chartered IIA will continue to voice our concerns regarding this proposal. However, because it has minimal impact on internal audit and is primarily focused on external audit, we do not regard this as an advocacy priority.
Measured against what we have advocated regarding the White Paper proposals, we believe that overall, this is a positive outcome for the Chartered IIA and the internal audit profession, as well as for the wider audit and corporate governance framework.
However, critically what was left missing from the response, which once again highlights the risk of further delay, is the mention of any specific or detailed timetable for implementation.
All it said was: “Implementing this approach involves a range of actors – not just government – taking forward multiple strands of reform over a period of several years. This document, therefore, does not seek to set out a precise timetable, but rather outlines the actions to be taken, including what the government intends to ask of the regulator and other stakeholders.”
The Chartered IIA, therefore, plans to keep up the pressure on the government to act swiftly and with a greater sense of urgency on audit and corporate governance reform, especially those aspects of reform that need to be implemented by legislation.