Position paper: Audit and Assurance Policy (AAP)

August 2021

In March 2021, the Department for Business, Energy and Industrial Strategy published its white paper entitled ‘Restoring trust in audit and corporate governance’.

The white paper contained significant proposals on audit and corporate governance reform. This included adopting a key recommendation put forward by the Brydon Review, which is to introduce a statutory requirement on Public Interest Entities (PIEs) to publish an Audit and Assurance Policy. The Audit and Assurance Policy will provide a proportionate and flexible means for companies to explain whether (and, if so, how) they are obtaining assurance on any company reporting beyond that which is required by the annual company statutory audit. The policy also provides an opportunity for companies to explain their approach to internal audit and assurance, and any improvements they propose in light of lessons learned.

The Chartered Institute of Internal Auditors, UK and Ireland (Chartered IIA) has welcomed the opportunity to contribute our views to the white paper. Our detailed response can be read in full here.

We look forward to the publication of the government’s response to the white paper consultation and will continue to inform the policymaking process and our positions as these recommendations develop over time.


Chartered IIA’s position

The Chartered IIA strongly supports the proposal for companies to have an Audit and Assurance Policy. We agree that this would provide a proportionate and flexible means for companies to explain whether (and, if so, how) they are obtaining assurance on any company reporting beyond that which is required by the annual company statutory audit.

The content of an Audit and Assurance Policy
The Chartered IIA supports the proposed minimum content for the Audit and Assurance Policy. We particularly welcome that companies will have to provide a description of their internal auditing and assurance processes, as well as whether (and how) a company is proposing to strengthen its internal audit and assurance capabilities over the next three years.

In addition to the minimum content, Audit and Assurance Policies could also be used to document an organisation’s high-level assurance map.

The scope of coverage
The Chartered IIA supports the government’s proposed phased approach to coverage for the Audit and Assurance Policy, starting with premium listed firms and then extending it to other PIEs on a phased basis (linked to the government proposal to broaden the definition of a PIE). We agree that all PIEs should be required to have an Audit and Assurance Policy for the compelling reasons that the government has set out in the white paper.

We also support the view that the requirement for PIEs to have an Audit and Assurance Policy is best delivered through new statutory requirements under the Companies Act 2006. However, given its importance, we believe that this is one aspect of audit reform that should be fast-tracked and prioritised within months not years.

Publication and review of the Audit and Assurance Policy
The Chartered IIA supports the Brydon Review proposal that the Audit and Assurance Policy should provide a three-year rolling forward look on a company’s approach to the audit and assurance of its reporting. We believe that it is important that the Audit and Assurance Policy has a sufficiently strategic and forward-looking focus.

We believe that there could be merit in requiring companies to publish a new Audit and Assurance Policy at least every three years, as opposed to every year. This would help ensure that the policy not only remains strategic and forward-looking but also provides a three-year forward view of whether (and how) a company is proposing to strengthen its internal audit and assurance capabilities over that period of time. This would also ensure that companies have a degree of flexibility, depending on their size, scale, complexity and risk profile.

We agree that for premium listed companies the Audit and Assurance Policy should be subject to an advisory shareholder vote. We believe this will help to underline the importance of the policy, as well as ensure shareholders and investors have a stake and say in the policy.

Consistent with what we have advocated on other key proposals, we support giving premium listed firms one reporting cycle to implement the Audit and Assurance Policy, whereas all other firms should get two reporting cycles.

Ownership of the Audit and Assurance Policy
There are some important aspects that have not been covered in the white paper, namely in regard to who within a company should own and be responsible for the drafting of the Audit and Assurance Policy. We believe that the Audit and Assurance Policy should be owned and signed off by the Audit Committee and they must be accountable for it.

However, we further believe that internal audit is in a strong position to act as the facilitator and coordinator of the drafting of the policy, in collaboration with other key internal stakeholders such as finance and risk management. This is because of internal audit’s unique position as the Third Line in the business, which provides it with an independent ‘helicopter view’ of the entire audit, risk and assurance landscape. We believe internal audit has a key role to play in weaving the policy together, in partnership with the other assurance functions.

The Chartered IIA believes that the Audit and Assurance Policy should help to strengthen internal audit functions and is a golden thread that will help to tie the strands of a company’s assurance together.

We have developed additional technical guidance on the role of internal audit in establishing the Audit and Assurance Policy within the governance of the organisation and how to facilitate its creation to help guide thinking in this area. We will continue to update this information as the proposals develop over time.

Timing and implementation of the Audit and Assurance Policy
We agree that the requirement for PIEs to have an Audit and Assurance Policy is best delivered through new statutory requirements under the Companies Act 2006. However, given its importance we believe that this is one aspect of audit reform that should be fast-tracked and prioritised within months not years.

Implementation of the Audit and Assurance Policy is one aspect of audit reform that we would like to see delivered swiftly through legislation. However, if for any reason the legislation is not forthcoming in the near future, we believe an alternative option could be for the Financial Reporting Council (FRC) to accelerate the introduction of Audit and Assurance Policies through voluntary means, in a similar way to how the audit regulator has recently started to deliver the operational separation of audit firms. This would have the benefit of ensuring that when legislation is eventually passed, companies will already be well prepared for their introduction, laying the groundwork and supporting a smooth transition. It is worth noting that some premium listed companies have already started publishing Audit and Assurance Policies; 3i Group’s recent annual report and accounts provides a good example of this.

Similarly, in support of the implementation of the Audit and Assurance Policy we believe that it will be essential for the FRC to publish clear implementation/best-practice guidance on the Audit and Assurance Policy. This guidance should make clear the minimum contents and requirements for the Audit and Assurance Policy, a proposed framework/structure and guidance on the roles and responsibilities, including on ownership and drafting of the policy. This will help to ensure Audit and Assurance Policies across different companies are accurate, reliable, comparable and consistent.

What should internal audit be doing about the Audit and Assurance Policy proposal?
Internal auditors should not wait for the Audit and Assurance Policy proposal to be introduced by government before taking action. Instead, we urge internal auditors to be proactive and start having conversations now about the introduction of Audit and Assurance Policies with key stakeholders within the business, including your Audit Committee Chair. To support this, please read our technical guidance on the Audit and Assurance Policy and the role of internal audit, as well as on how to facilitate the creation of the Audit and Assurance Policy.


Appendix

  • Department for Business, Energy, & Industrial Strategy | Restoring trust in audit and corporate governance – White paper
  • Chartered IIA | Response to the BEIS Restoring trust in audit and corporate governance white paper
  • Chartered IIA | Audit and Assurance Policy (AAP) - role of internal audit
  • Chartered IIA | How to facilitate creation of the Audit and Assurance Policy (AAP)