
An effective internal control environment for EU filers: does it lead to greater protection of capital-market stakeholders?

Internal controls that are effectively designed, operated and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.

Recent high-profile corporate failures and scandals in Europe have damaged the public’s confidence in both the quality of financial information and in the transparent functioning of capital markets. In many cases, these failures have been attributed to inadequacies in the corporate internal control environment.

Existing EU legislation requires an entity whose securities are traded on an EU regulated market to include, in its annual financial reporting, a corporate governance report describing the key aspects of its internal control and risk management systems pertaining to financial reporting. Individual Member States may set more extensive requirements and national legislative frameworks cover a wide range of different approaches. These factors have contributed to an EU debate over the need for a more consistent and stronger approach to legislation governing corporate internal controls in Member States.

In this context, in November 2021 the European Commission (EC) published its Consultation Paper ‘Strengthening of the Quality of Corporate Reporting and its Enforcement’. It seeks views on whether and how to strengthen the three pillars of high-quality and reliable corporate reporting: corporate governance, statutory audit, and supervision both of auditors and companies, acknowledging their key importance for healthy financial markets, business investment and economic growth.

Internal controls are fundamental for high-quality and reliable corporate reporting

Deloitte believes that high-quality and reliable corporate reporting, including future sustainability information, is of paramount importance for both capital markets and society in Europe. It helps protect stakeholders against unexpected corporate failures, channels finance to strong, sustainable businesses and encourages cross-border investments. Internal controls that are effectively designed, operated and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.

To this end, we welcome the EC’s holistic approach, which aims to address possible shortcomings in the corporate reporting ecosystem. We support evidence-backed and proportionate changes to EU legislation in the three pillars (corporate governance, statutory audit and supervision both of auditors and companies), to help safeguard the long-term sustainability of enterprises and improve the reliability of corporate reporting.

Management’s role is key to designing, implementing, and maintaining effective internal controls

The primary responsibility for the quality and integrity of corporate reporting rests with the company’s management and board. Consequently, management should design, implement and maintain effective internal controls over corporate reporting, as well as assess their effectiveness, under an established, reliable and well-understood internal control framework aligned to the key risks in the entity’s business model, including a focus on the risk of fraud and going concern. In this context, enhanced requirements for management to publicly assess the proper design and the operating effectiveness of the company’s relevant internal procedures and controls are key to greater reliability of financial reporting.

Deloitte supports EU legislative proposals that further contribute to audit quality and the value that an audit provides

External auditors are responsible for delivering audit services with quality and integrity, in accordance with appropriate standards. Later in this article we refer to research that shows:

  • The external auditor’s ability to conduct a high-quality financial audit would benefit from an increase in the quality of the internal control environment of the audited company and the effectiveness of the company’s corporate governance
  • High-quality external audits of the system of internal controls pertaining to financial reporting benefit the quality of the overall information in financial statements and increase the entity’s focus on its control system.

Therefore, we support EU legislative proposals that: i. require the auditor to audit the design, implementation and operating effectiveness of relevant internal controls; and ii. set standards to issue an associated assurance report.

In addition, we believe that any future developments that will further contribute to audit quality and the value that an audit provides will also increase the attractiveness and credibility of the audit profession, which in turn will help it provide enduring support to capital markets.

Changes to the EU’s legislative framework should be scalable and proportionate. We recognise that designing and maintaining effective internal controls can be more challenging for smaller companies, so the legislation could exclude smaller issuers in the initial phase, with the option to change the threshold at a later stage. Smaller listed companies could, of course, elect to report on the effectiveness of internal controls and obtain an auditor’s assurance too, on a voluntary basis.

Components of an optimal EU legislative and regulatory framework to evaluate and report on internal controls systems

A suitable Internal Controls Framework would be:

  • Reliable and well-established for the proper design, implementation, operation, and maintenance of internal control over financial reporting
  • Applicable to listed companies though scalable and proportionate to the entity’s reporting risks that may be influenced by the dimensions of the issuer
  • Suitable and well-recognised, i.e., established by experts using due process, including the broad distribution of the framework for public comments. One of the most frequently used is the framework established by: i. the US Committee of Sponsoring Organizations of the Treadway Commission (COSO) and ii. the UK Financial Reporting Council’s ‘Internal Control: Guidance for Directors on the Combined Code’.

An enhanced regulatory framework should require the management report to include management’s assessment of the proper design and the operating effectiveness of the relevant internal procedures and control structure over financial reporting, including the internal controls designed and conducted to assess and mitigate fraud and going concern risks.

Such a framework should:

  • State management's responsibility for establishing and maintaining adequate internal controls and procedures for financial reporting
  • Describe the framework used for the assessment
  • Assess that internal controls over financial reporting are properly designed and have operated effectively (including disclosure of any deficiencies in such internal controls that come to its attention)
  • State that appropriate actions are taken to correct identified deficiencies, and estimate the timeline for remediation
  • [if legislation also provides for auditor’s assurance on internal controls] State that the independent auditor has attested to, and reported on, management's evaluation of the company's internal controls over financial reporting.

Management should ideally be requested to assess the company’s internal controls as of the financial statements’ period-end date, as this approach represents a fair balance regarding the level of confidence offered to the stakeholders and the incremental costs over the implementation and maintenance of the internal control system. Also, this approach would provide management with the ability to remediate deficiencies identified during the year, with no impact on the disclosures included in the financial reporting.

Management should also be required to disclose any material changes to the internal control structure that occurred during the interim periods in any mandatory interim financial reporting.

Ideally, the assessment should be signed by both: (i) the company’s principal executive officers and (ii) the principal financial officers or persons performing similar functions.

Deloitte supports legislation for external auditors to:

  • Plan and conduct audit procedures on the proper design, implementation, and operating effectiveness of relevant internal controls designed and conducted by management to assess and mitigate financial reporting risks, including those related to fraud and going concern.
  • Issue an assurance report
    • separate from the auditor’s report on financial statements to attest to the effectiveness of the company’s internal controls
    • setting out identified deficiencies (or a combination thereof) in the internal controls such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected on a timely basis
    • disclosing any material error in financial reporting identified by the auditor, or prior-year restatement, that – based on the auditor’s judgment – was caused by or remained undetected due to deficiencies in internal controls.

Download the full article for an overview of the current EU legislative and regulatory landscape.

Get in touch

  • Pablo Zalba, Managing Director Deloitte EU Policy Centre
