Position paper: Strengthened internal controls: learning lessons from Sarbanes-Oxley

June 2020

Chartered IIA’s position

The Chartered IIA would like to see a strengthened framework around internal controls in the UK and Ireland. Notably, we believe that more should be expected of company directors in relation to the effectiveness of governance, risk management and internal controls. This should help raise corporate governance standards which, in light of recent corporate collapses, is something we strongly advocate.

The best way to support company directors in meeting those higher expectations is through well-resourced internal audit functions that operate in accordance with professional standards and codes of practice, including our newly published Internal Audit Code of Practice.

We also argue that there may be a case for introducing into the UK a more specific responsibility on company directors in relation to internal controls over financial reporting such as is mandated by the Sarbanes-Oxley Act (SOX) in the US. This is a recommendation that Sir Donald Brydon made in his Independent Review into the Quality and Effectiveness of Audit, which we have supported in our response to the Brydon review.  

However, as we have highlighted in our response to the BEIS committee Future of Audit Inquiry, there could be unintended policy consequences of introducing any new regulations on internal controls that are overly prescriptive.

There is also still a debate about who should support company directors in meeting the new requirements (first and second lines of defence vs third line of defence).

If it is internal audit, there is an opportunity to enhance the profile, resources and status of the function. On the other hand, an unintended policy consequence could be that it diverts internal audit resource and focus away from auditing some of the new and emerging non-financial business risks such as cybersecurity or corporate culture – where arguably internal audit can add most value – back to devoting more time to the more traditional internal audit areas such as auditing the financial controls.

As a result, careful thought and consideration should be given to how a Sarbanes-Oxley style system is introduced in the UK and in particular which function should be responsible for implementing it and how that additional work is best resourced without negatively impacting on other areas of core work.


Supporting points

UK Corporate Governance Code

The UK Corporate Governance Code 2018 already requires the boards of premium listed entities to:

  • “Carry out a robust assessment of the company’s emerging and principal risks. The board should confirm in the annual report that it has completed this assessment, including a description of its principal risks, what procedures are in place to identify emerging risks, and an explanation of how these are being managed or mitigated.” (s.4.28)
  • “Monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.” (s.4.29)

The Code requires the audit committee to:

  • “Monitoring and reviewing the effectiveness of the company’s internal audit function or, where there is not one, considering annually whether there is a need for one.” (s.4.25)
  • “Where there is no internal audit function, [the annual report should include] an explanation for the absence, how internal assurance is achieved, and how this affects the work of external audit; and an explanation of how auditor independence and objectivity are safeguarded if the external auditor provides non-audit services.” (s.4.26)

The Code also requires that:

  • “The directors should explain in the annual report their responsibility for preparing the annual report and accounts, and state that they consider the annual report and accounts, taken as a whole, is fair, balanced and understandable, and provides the information necessary for shareholders to assess the company’s position, performance, business model and strategy.” (s.4.27)

Though we strongly support the UK Corporate Governance Code, we want to see the Code strengthened in relation to the provision of internal audit. Specifically, we advocate for a change in the wording of the Code around internal audit to include that all premium listed companies should have an internal audit function that adheres to the recommendations of the Chartered IIA’s Internal Audit Code of Practice.

In addition to this, careful thought and consideration should be given to whether similar requirements are also needed for organisations that are not covered by the UK Corporate Governance Code (e.g. large private companies or companies not listed on the main stock exchange such as AIM).

Given recent corporate collapses linked to governance and audit deficiencies, we believe that stronger requirements around internal controls – and notably around financial controls – would help raise corporate governance standards and should help to prevent corporate collapses such as Carillion.


A strengthened framework around internal controls – lessons from the Sarbanes-Oxley Act

What is the Sarbanes-Oxley Act (SOX)?

The SOX legislation on internal controls became law in the US in 2002, in the wake of the Enron and WorldCom crashes, with the aim to better protect investors from fraudulent financial reporting.

The legislation has notably made mandatory the publication of annual, public, and explicit reports by CEOs and CFOs on the effectiveness of internal controls over financial reporting. What is more, the legislation requires the senior officers (CEO or CFO) who sign the company’s accounts to certify that the accounts do not contain misrepresentations or untrue statements.

More specifically, section 404 of the legislation states that “all annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management’s assertion that internal accounting controls are in place, operational and effective.”

While the SOX Act was originally criticised – mainly because of the additional cost it imposed on companies and the little guidance it offered for its implementation – it is now, 18 years after its inception, widely acknowledged that reporting under SOX has led to better financial reporting. There are indeed fewer significant accounting restatements and a higher focus on greater clarity on the robustness of internal financial controls within an entity.

Strengthening the role of company directors over financial reporting

We were pleased to see that both Sir John Kingman in his Independent Review of the Financial Reporting Council, and Sir Donald Brydon in his Independent Review into the Quality and Effectiveness of Audit, supported the case for strengthened internal controls in the UK, learning lessons from the SOX regime in the US.

Sir Donald Brydon specifically recommended that the “Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and the CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302 (c) and (d).”  

Sir Donald further recommended that “where weaknesses (and/or failures) in controls have been reported, it should become an obligation on directors to report on what remedial action has been taken and on its effectiveness, supportive of section 404 of the SOX legislation.”  

We support these recommendations as we believe that more should be expected of company directors in relation to internal controls over financial reporting. This will help raise corporate governance standards.

Non-financial controls

As noted above, the UK Corporate Governance Code already requires boards to monitor the company’s risk management and internal control systems. They are also required to carry out a review of their effectiveness at least once a year and, when reporting on this work, boards should make clear what processes have been considered and the reasons for their confidence in their effectiveness.

In his final report, Sir Donald said that it might be a step too far to extend his proposed UK Internal Controls Statement to non-financial controls. Indeed, one could argue that this would create a lot more work for organisations. Also, when looking at the recent corporate collapses, the issues were mostly around financial controls, which shows that this is where a more robust system is needed. Extending these requirements to non-financial controls should therefore be carefully considered. It would be wise to apply these new requirements to only the financial controls in the first instance and then review their operational effectiveness after a certain period of time following their implementation. This review could include considering whether to extend the requirements to non-financial controls.


Unintended policy consequences of SOX

Whilst the Chartered IIA has welcomed the specific proposals put forward by Sir Donald Brydon on a possible UK version of the SOX Act, we have also cautioned against any such regime being overly prescriptive.

We have indeed suggested that, depending on how such a regime is implemented, it could lead to unintended policy consequences.

Tick-box culture

From discussions with stakeholders and professionals, notably in the US, it transpired that compliance may encourage a tick-box approach with regard to internal controls rather than seeking to innovate or improve practices. This is something that should be avoided.

Internal audit resources diverted away from key risks beyond the financial controls

Internal audit functions have a broader scope in providing assurance than external audit functions. Internal audit considers risks that are both financial and operational, whereas external audit focuses solely on financial reporting.

When SOX was introduced, there was a vast amount of work that companies were required to do in order to comply with the new Act. As a result, internal audit functions were called upon to provide compliance support for financial reporting and, in many instances, took full ownership of the entire process.

This had a detrimental impact on internal audit functions being able to provide assurance on other operational risks such as governance, risk management and non-financial internal controls as they had to shift their focus fully to financial reporting activities.

Some non-financial risks such as cybersecurity pose a significant threat to organisations and, if these threats materialise, could have a catastrophic impact on their growth. Therefore, it is important that internal audit functions’ resources are not diverted away from looking at the business’ wider risks as this is, arguably, where they can add most value to the organisations they serve.

There is still a debate around whether compliance with these requirements on financial controls should sit in the first and second lines of defence or in the third line. If compliance sits with internal audit, it could create an opportunity to raise the profile of the function. However, as described above, it could also divert internal audit focus and resources away from core audit areas.

Compliance could place an administrative and financial burden disproportionately on smaller companies

The additional cost that the SOX Act imposed on companies was one of the main criticisms of the new legislation when it came into force in the US. Sir John Kingman, in his review, pointed out that if a SOX system was introduced it could “impose significant costs, at least initially, particularly on smaller listed companies. The US experience shows that smaller companies were affected disproportionately, and listing could become less attractive.”

This is another unintended policy consequence of the introduction of the SOX regime in the UK. However, as Sir John stated, if a SOX system was “introduced carefully and monitored to avoid these unintended consequences, it could contribute to a more robust financial reporting system.”


Appendix

The Sarbanes-Oxley Act 2002

UK Corporate Governance Code (2018)

Report of the Independent Review into the Quality and Effectiveness of Audit, Sir Donald Brydon, December 2019

Independent Review of the Financial Reporting Council, Sir John Kingman, December 2018

Chartered IIA’s response to the Independent Review into the Quality and Effectiveness of Audit: call for views, June 2019

Chartered IIA’s response to the BEIS Future of Audit Inquiry, January 2019

Chartered IIA’s Internal Audit Code of Practice, January 2020