UK SOX

Restoring trust in audit and corporate governance

UK SOX webinar: Highlights

On 22 March we held a special edition of our Future of Controls webinar series, focussed on the recently launched White Paper and consultation from the Department of Business Energy and Industrial Strategy (“BEIS”) on “Restoring Trust in Audit and Corporate Governance”.

During the webinar we reviewed the position on internal controls set out in the White Paper and outlined Deloitte’s view on the key attributes of a strengthened internal controls framework in the UK (aka “UK SOX - Sarbanes-Oxley”), which we presented in our Future of Controls series in September 2020. We are still digesting the White Paper and listening to developing arguments and will be able to share a Deloitte view in due course. We also looked at some key actions for companies to consider now.

In this blog we’ve included some of the highlights from that discussion, which will help you determine some practical next steps.

Overview of the proposed changes

The published BEIS White Paper responds to over 150 recommendations arising from independent reviews throughout 2018 and 2019 by Sir John Kingman, the CMA and Sir Donald Brydon covering measures in relation to directors, auditors and audit firms, shareholders and the audit regulator. The paper opens a 16-week consultation period, ending 8 July 2021, to gather views on the intended reforms.

In relation to creating a UK-based attestation on internal controls, the paper sets out three options, which are not mutually exclusive:

  • A Directors’ statement on the effectiveness of internal control
  • The work of auditors should be better described in the audit report
  • A formal audit opinion over the effectiveness of a company’s internal controls

The consultation refers to "internal controls", and the omission of the word "financial" is deliberate. The Corporate Governance Code addresses operational and compliance controls, and BEIS is asking for views on whether the new requirement should be limited to financial controls.

We asked participants, “What should your Directors’ review of the effectiveness of their company’s internal controls be over?”, with 58 per cent stating it should be over all controls, compared to 42 per cent saying financial controls only.

Under the Corporate Governance Code, organisations should already have in place a system of internal control. The Government’s proposed changes hold the Board accountable for the effectiveness of internal control.

The Government’s preferred option is a combination of the above: a Directors’ statement as described in option A, plus audit validation subject to the company’s Audit and Assurance Policy. This would allow a company to choose an audit approach aligned with its stakeholders’ preference.

It should be noted that a framework of adoption is not specified within the consultation.

Our session then looked at some of the key questions featured in the White Paper, including:

  • Is there a case for strengthening the internal control framework for UK companies and what are the benefits or disbenefits (sic) of a stronger regulation?
  • If the control framework were to be strengthened:
    • Would you support the Government’s initial preferred option of Director attestation plus stakeholder led assurance?
    • Are there other options you think should be considered?
    • Do you think external audit and assurance of the internal controls should be mandatory?
    • Which types of company do you think should be in scope?

Given the consultation asks whether assurance is required over the Directors' attestation and who should be responsible for performing it, we asked the audience for their view, with 71 per cent suggesting their external auditor perform the attestation.

The preferred option set out in the White Paper is that the requirement would initially apply to premium listed entities, with other public interest entities following two years later. There is an ongoing debate within the consultation paper on who should be defined as a public interest entity, with the potential that AIM listed and others, such as large private entities, could be included as well.

At the time of writing, the timing of compliance with an enhanced controls framework is not known and will depend on a number of factors, including the legislative timetable, but press reports suggest it may be as soon as years ended 2023 or 2024 for premium listed companies, with other public interest entities following two years later.

Our perspective on key drivers for a successful “UK SOX" regulation

We believe that the following 5 factors are critical to the success of an enhanced control environment in the UK:

  • A risk-based approach
  • Practical guidance
  • Implementation readiness
  • Enforced by a strong regulator
  • Stakeholder demand-led assurance
     

A risk-based approach
A risk assessment is critical to the above and the success of any framework. Any such risk assessment should include:

  • Relevance to the business model;
  • The principal risks and uncertainties disclosed in the financial statements; and
  • Wider financial reporting and fraud risks.

A proper risk assessment will ensure a controls framework is right-sized and able to enhance value. Without this focus, a company will create years of burden and compliance which will result in significant cost.

The next step is to determine if controls are appropriately designed, implemented and operating effectively to address those risks. This should include technology-driven controls: applications, automation, data flow, and points of business and IT integration, extending beyond the ERP.
 

Practical guidance
Now is the time for companies to be assessing if the controls framework they operate today is consistently applied across their organisation and whether it would align to an internationally recognised framework.
 

Implementation readiness
Organisations should also consider now if they have the capability and bandwidth to make the necessary changes. Changes will go beyond finance, and engaging with the wider organisation, especially IT, will be critical to their success. Taking this into account, along with how far an organisation might be from a recognised framework, should allow organisations to assess the scale of the challenge.

As a ‘no regrets’ action, Directors should consider the entity level controls that exist and whether they enforce a strong controls culture.

What should companies do now?
We have a framework for internal controls that follows four key steps:

 

The success of any change programme, be it systems implementation or finance transformation, is driven by defining the strategy and the steps to achieving that strategy, and the design of a new controls framework should be no different.

The operating model should consider the organisation design, the people and capability required for its success and the technology and data which will underpin it.

We encourage businesses to be proactive, and there are a number of initial steps you can take, as follows:

  • Plan your response to the consultation – this is your opportunity to influence the outcome
  • Review your compliance with the UK Corporate Governance Code
  • Understand the key areas of challenge within your organisation by performing a detailed risk assessment and assess the controls that are, or are not, operating and the assurance requirements
  • Engage with your business and determine if you have the right people, tools and technology for change
  • And by completing the above, assess if your current model really provides value and insight.

We’ll regularly be updating our hub with guidance and insight, and if you’d like to attend future webinars you can request to be added to our mailing list at ukracontrolsforum@deloitte.co.uk.
 
