The expectations of shareholders and other stakeholders are changing. To meet them, the UK regulatory environment is changing too. Reforms have already started. The Government will shortly issue a White Paper on the recommendations of the Kingman and Brydon reviews. Both reviews called for the implementation of a UK SOX (Sarbanes-Oxley) style reporting requirement on internal controls. The White Paper will shape the requirements for companies and their directors and the responsibilities of auditors thereafter. We encourage all stakeholders to respond to this paper with their views.
Control in a time of uncertainty
The Brydon review is especially relevant in today's uncertain environment. Ways of working have changed radically over the past year – and so have the needs of every stakeholder group who reads the annual report and financial statements, from investors and employees, to customers and regulators.
Today, stakeholders expect transparency on how companies are run and risks facing their business models. Reliable controls underpin trust in business and build confidence in financial reporting.
The Brydon review into the effectiveness of audit articulated the challenge well: it should not just be a question of checking the accuracy of statements; it is about whether a business is honestly run and has a viable future. The only way to fully answer this is to consider its financial reporting environment in the context of a company’s business model and internal control environment.
Beyond numbers
Controls are the basic way in which a company protects itself by preventing and detecting errors. Controls cannot predict the future, but they are the best indicator that a company is prepared for uncertainty, change, and risk. Is the business forward-looking? Is it planning well? Is it working to prevent fraud? Can it adequately anticipate and adapt to future eventualities?
Whilst attestation requirements, such as the Sarbanes-Oxley Act in the US (US SOX), are focused on controls relating to financial reporting, operational and compliance controls are just as important in getting the numbers right and understanding the resilience of the business. The UK Corporate Governance Code requires company directors to monitor and review all material controls, including financial, operational and compliance controls. Investors, auditors and wider stakeholder groups need to understand risks and controls across the whole business model if we are really going to start lifting the lid on responsible business behaviour.
Of course, there are good reasons why financial reporting controls are currently the primary focus. They are generally objective and reflective of the business control environment, reaching much wider than the numbers alone. We must ensure the accounting and reporting are relevant and reliable before extending to that bigger picture.
UK PLC is not starting from scratch. Company directors have a responsibility to maintain a robust control environment under the UK Corporate Governance Code. Auditors already apply a wide skill set and assess a variety of factors that drive the numbers, particularly when considering forecasts. An audit is not simply adding up or reconciling financial data.
Stakeholders want to know that checks and balances are in place, not just that the final number is accurate. To put it crudely, it is one thing to check the number of aircraft in a hangar against an asset register; it is quite another to understand their forecast usage – which is crucial to their value and the long-term future of the business.
In essence, the real mission is to understand the company’s business model, the associated risks and controls, and how together that safeguards value for the company’s stakeholders.
Questions of risk and value
However audit evolves to fulfil that mission, the starting point must be the company and its directors. What is their approach to risk in the business? What assurances can they develop over those areas? And, critically, what expectations do all the stakeholders have for understanding the business, its risks and operations?
This challenges old interpretations of what ‘good’ internal controls look like. It is not just being able to tick off a long list of controls mandated by a regulator, or even a boilerplate risk register.
The real value is to protect the business today and build resilience for tomorrow. Achieving this demands a focused approach to risk, targeting areas that are critical to the company’s business model. Unfortunately, the ‘comply or explain’ approach has sometimes allowed companies to underplay their responsibility for good controls, when it needs to be at the top of CFO and CEO agendas.
Those that have strong oversight of their internal controls can reap the benefits. Companies with an effective financial control team and internal control function, well informed non-execs on the board, and engagement and scrutiny from other stakeholders, tend to be clear on risks and have tailored the control environment to match.
As a result, they can make more informed decisions, create value for stakeholders, and better protect the company from undue risk while producing relevant, reliable, accurate and timely financial reporting information. This can be seen in those companies that have responded to the global pandemic by moving their business online or reinventing their products and services.
Adapting controls
Robust controls are particularly important when risks are evolving quickly. We have seen that with COVID-19 where remote working has required changes to business models and the way information is collected, processed and verified. Good internal control teams evaluate new risks and design around them quickly.
But it’s not just one-off events that provoke change. Risk and internal control change naturally over time. This is an opportunity not to be missed. Understanding how new technology, for example, might enhance our ability to detect failures or predict outcomes, can radically improve risk assessment and the effectiveness of controls.
Done right, controls create a cascade of benefits. Internally, they improve resilience and viability, and support focused risk management and decision-making – while saving the company money at the same time. Transparent control reporting creates a more positive relationship with stakeholders – from the board and shareholders to employees and the public. Effective reporting underpinned by well-designed control processes also makes compliance with regulation and the requirements of external audit much simpler.
Internal control and audit are changing to meet some much deeper changes in the business environment. Short term, the UK needs to be a leading capital market and have a strong position in the global economy, particularly as we emerge from the pandemic and the UK repositions itself after leaving the EU. That means having a strong control environment and a robust audit product to provide investors a deeper level of confidence. This must be balanced against cost of course – but there is significant value in effective controls, targeted at the key financial risks faced by a business, and a market system that has clear requirements and regulation over internal control.
Even before the dust settles on COVID-19 and Brexit, issues such as climate change and demographics pose huge questions for every business. The growing trend for ESG (environmental, social and governance) investing shows this is becoming an important corporate reporting question, as well as an operational and ethical one. Internal control has a critical role in providing useful information to management, the directors and external stakeholders alike to inform their decisions – so they can be proactive in tackling the risks of this new world.
Shaping the future of controls
If you would like practical guidance on how to implement a robust internal control environment, please refer to Deloitte’s four-step guide in our Governance in focus publication: On the board agenda 2021.