Internal controls that are effectively designed, operated, and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.
Recent high profile corporate failures and scandals in Europe have damaged the public’s confidence in both the quality of financial information and in the transparent functioning of capital markets. In many cases, these failures have been attributed to inadequacies in the corporate internal control environment.
Existing EU legislation requires an entity whose securities are traded on an EU regulated market to include, in its annual financial reporting, a corporate governance report describing the key aspects of its internal control and risk management systems pertaining to financial reporting. Individual Member States may set more extensive requirements and national legislative frameworks cover a wide range of different approaches. These factors have contributed to an EU debate over the need for a more consistent and stronger approach to legislation governing corporate internal controls in Member States.
In this context, in November 2021 the European Commission (EC) published its Consultation Paper ‘Strengthening of the Quality of Corporate Reporting and its Enforcement’. It seeks views on whether and how to strengthen the three pillars of high-quality and reliable corporate reporting: corporate governance, statutory audit, and supervision both of auditors and companies, acknowledging their key importance for healthy financial markets, business investment, and economic growth.
Deloitte believes that high-quality and reliable corporate reporting, including future sustainability information, is of paramount importance for both capital markets and society in Europe. It helps protect stakeholders against unexpected corporate failures, channels finance to strong, sustainable businesses, and encourages cross-border investments. Internal controls that are effectively designed, operated, and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.
To this end, we welcome the EC’s holistic approach, which aims to address possible shortcomings in the corporate reporting ecosystem. We support evidence-backed and proportionate changes to EU legislation in the three pillars (corporate governance, statutory audit, and supervision both of auditors and companies), to help safeguard the long-term sustainability of enterprises and improve the reliability of corporate reporting.
The primary responsibility for the quality and integrity of corporate reporting rests with the company’s management and board. Consequently, management should design, implement, and maintain effective internal controls over corporate reporting, as well as assess their effectiveness, under an established, reliable, and well-understood internal control framework aligned to the key risks in the entity’s business model, including a focus on the risk of fraud and going concern. In this context, enhanced requirements for management to publicly assess the proper design and the operating effectiveness of the company´s relevant internal procedures and controls are key to greater reliability of financial reporting.
External auditors are responsible for delivering audit services with quality and integrity, in accordance with appropriate standards. Later in this article we refer to research that shows:
Therefore, we support EU legislative proposals that: i. require the auditor to audit the design, implementation, and operating effectiveness of relevant internal controls, and; ii. set standards to issue an associated assurance report.
In addition, we believe that any future developments that will further contribute to audit quality and the value that an audit provides, will also increase the attractiveness and credibility of the audit profession, which in turn will help it provide enduring support to capital markets.
Changes to the EU’s legislative framework should be scalable and proportionate. We recognize that designing and maintaining effective internal controls can be more challenging for smaller companies, so the legislation could exclude smaller issuers in the initial phase, with the option to change the threshold at a later stage. Smaller listed companies could, of course, elect to report on the effectiveness of internal controls and obtain an auditor’s assurance too, on a voluntary basis.