Sir Donald Brydon made a number of recommendations in his final report of the Independent Review into the Quality and Effectiveness of Audit, published in December 2019.
The recommendations of the report were mainly aimed at increasing the quality and effectiveness of external audit. However, some of the recommendations could also have an impact on the internal audit profession, depending on how they are implemented.
The two sections of Sir Donald’s report that could have an impact on the internal audit profession are section 6, which outlines the proposals for a new ‘corporate auditing’ profession, and section 13 on a strengthened framework around ‘internal controls’.
Given recent corporate collapses linked to governance and audit deficiencies, including Carillion, we believe that the audit and corporate governance framework should be reformed. We believe that such reform is vital in order to strengthen the UK’s corporate governance framework, to help identify issues early and help to prevent future collapses before they occur, as well as to restore trust and confidence in business.
In his final report, Sir Donald Brydon highlights the need to stimulate a better audit and governance framework by making both auditors and company directors more accountable, in order to restore stakeholders’ trust in the audit profession.
We believe that strong, effective, and well-resourced internal audit functions, which operate in accordance with professional standards, are pivotal to ensuring the long-term success of organisations. Therefore, it is crucial that the wider audit profession remains a consideration for the reforms that have been proposed.
The Chartered IIA has broadly welcomed the proposals put forward by Sir Donald in his report. However, a number of recommendations will need further careful thought and consideration to assess their impact and avoid any unintended policy consequences for the internal audit profession.
Section 6 of Sir Donald’s report proposed that external audit should be an independent profession in its own right and, as such, he proposed the establishment of a ‘corporate auditing’ profession. This new profession would have a broader scope and encompass all auditors of corporate information such as cybersecurity and environmental measures as well as statutory auditors of financial statements.
Our main concern with the proposed ‘corporate auditing’ profession is that there is a risk that there could be a conflict between the work of internal auditors and the work of the new ‘corporate auditors’, and that it could possibly erode the boundaries between internal and external audit. Indeed, Sir Donald suggested that the ‘corporate auditors’ would also provide assurance in areas such as culture, cybersecurity and ESG. However, internal auditors are already engaged in providing assurance on these areas.
The Chartered IIA would like to ensure that the current separation between external audit and internal audit is maintained so that there is no significant overlap or duplication of work between the two functions. Both functions are vital for the effective governance of an organisation and it is crucial that they remain independent and objective through having their own clear roles and responsibilities. It is imperative that the establishment of the new ‘corporate auditing’ profession does not erode or harm the scope and status of internal audit.
As mentioned above, we believe that it is important to preserve clear boundaries between external audit and internal audit. Therefore, in order to promote the separate and distinct roles of the two professions, we propose that it would be better if the new profession is instead called the ‘corporate external auditing’ profession.
The Chartered IIA supports the view that, if such a profession is created, ARGA should establish an overarching framework that governs the work and behaviour of corporate auditors and that standards and rules for the new profession sit within this framework. However, careful thought and consideration should be given to these principles to ensure that there is clarity and accountability between the two audit professions. This would ensure that the two professions can effectively work together and maintain their independence and objectivity, so that they can effectively fulfil their distinct roles.
In section 13 of the report, Sir Donald outlines his recommendations for a strengthened framework around internal controls in the UK, learning lessons from the Sarbanes-Oxley (SOX) regime in the US.
Sir Donald recommended that the “Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and the CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302 (c) and (d).”
Sir Donald further recommended that “where weaknesses (and/or failures) in controls have been reported, it should become an obligation on directors to report on what remedial action has been taken and on its effectiveness, supportive of section 404 of the SOX legislation.”
The Chartered IIA supports Sir Donald’s recommendations as we believe that more should be expected of company directors in relation to internal controls over financial reporting and that this would help to raise corporate governance standards.
However, with regard to non-financial controls, Sir Donald said that it might be a step too far to extend his proposed UK Internal Controls Statement to non-financial controls. Indeed, one could argue that this would create a lot more work for organisations. Also, when looking at the recent corporate collapses, the issues were mostly around financial controls, which shows that this is where a more robust system is needed. Therefore, extending these requirements to non-financial controls should be carefully considered.
Whilst the Chartered IIA has welcomed the specific proposals put forward by Sir Donald Brydon on a possible UK version of the SOX Act, we have also cautioned against any such regime being overly prescriptive.
We have suggested that, depending on how such a regime is implemented, it could lead to unintended policy consequences.
From discussions with stakeholders and professionals, notably in the US, it transpired that compliance may encourage a tick-box approach with regard to internal controls rather than seeking to innovate or improve practices. This is something that should be avoided.
As previously mentioned, internal audit functions have a broader scope in providing assurance than external audit functions. Internal audit considers risks that are both financial and operational, whereas external audit focuses solely on financial reporting. Therefore, there is a risk that internal audit functions may get called upon to provide compliance support for financial reporting, similar to what happened in the US.
This would have a detrimental impact on internal audit functions being able to provide assurance on other operational risks such as governance, risk management and non-financial internal controls as they had to shift their focus fully to financial reporting activities. Therefore, there is a risk that a similar system could divert internal audit focus and resources away from core audit areas and risk internal audit overlooking vital work.
The additional cost that the SOX Act imposed on companies was one of the main criticisms of the new legislation when it came into force in the US. Sir John Kingman, in his Independent Review of the Financial Reporting Council, pointed out that if a SOX system was introduced it could “impose significant costs, at least initially, particularly on smaller listed companies. The US experience shows that smaller companies were affected disproportionately, and listing could become less attractive.”
This is another unintended policy consequence of the introduction of the SOX regime in the UK. However, as Sir John stated, if a SOX system was “introduced carefully and monitored to avoid these unintended consequences, it could contribute to a more robust financial reporting system.”