Audit reform: A new baseline?

The primary aim of the government’s consultation on audit reform, published on 18 March, is to set a benchmark that raises the basic standard of corporate governance across all companies. This was the message of Sir Jon Thompson, CEO of the Financial Reporting Council (FRC), when he addressed our Internal Audit Leaders’ Forum. He explained that the proposals should not prove onerous for most of the largest listed companies, which are already doing many of the things suggested in the consultation. However, it will set a new bar for companies that lag behind and have considerable room for improvement.

“I’ve spoken to companies where someone says ‘I am the audit committee’ and that simply isn’t acceptable any more,” he said.

Significant changes outlined in the proposals include the creation of a more forceful regulator for the audit profession, a reduction in the reliance of large organisations on Big-Four audit firms, new reporting obligations for external auditors and directors around detecting fraud, the extension of external audits to cover wider performance issues, including work towards climate change mitigation targets, and a requirement for company directors to issue annual resilience statements that set out how their organisation is mitigating short-term and long-term risks. These are based on the corporate governance reviews by Sir John Kingman, Sir Donald Brydon and the Competition and Markets Authority.

Peter Elam, president of the Chartered IIA, emphasised that the institute has long called for, and therefore welcomes, proposals to put the new regulator (ARGA) on a statutory footing.

Thompson stressed that the FRC is listening to responses and has invested heavily in stakeholder communications. This may mean that the process takes longer, but he argued that it is more likely to reach the best outcome. “We don’t want to reach the end of the process and say ‘this is how we will do it’. We will listen and redraft and feed back throughout the process to reach an end that everyone is involved in,” he said.

While most large companies already meet many of the likely new requirements, they should pay close attention to the new emphasis on individual director responsibility, Thompson warned. “A few non-executive directors have said ‘but we don’t run the company, the executives run the company’. My response is that the accounts are the company’s accounts and while the executives may do the day-to-day management, all board members share responsibility for running it – so take some ownership.”

The reforms will raise the profile and importance of the audit committee chair and are a significant change for non-executives as regards responsibilities and training, he added. “Most non-executives understand that they are responsible, but by bringing in minimum standards you aim to bring the ten per cent who do not understand this up to the required level without significantly affecting the 90 per cent who do.”

The proposed reforms are a reminder that the board is responsible to shareholders and its workings should be transparent. They include Sir John Kingman’s recommendation that the UK should adopt a US Sarbanes-Oxley-style regulation that would make directors directly accountable. Thompson said that implementing this would be a significant undertaking, including further training for audit committee chairs and making the work of audit committees more accessible. He said that the FRC was working with audit committee chairs to help them prepare.


Challenge and scrutiny

While many of the recommendations refer to external audit, one would directly affect internal auditors: a new obligation for companies to set out their audit and assurance policies, revealing to shareholders the extent to which the accounts and other disclosures have been scrutinised and assured. Companies would have to explain their approach to internal audit and to assurance as well as their assurance processes. This would include how assumptions in the reports are challenged and scrutinised.

They would also have to declare how the new annual resilience statement has been assured and how the company identifies risks to its long-term success and survival. “This recognises that there is a clear stakeholder and public interest in the long-term viability of the company,” Thompson said. He warned that there may be further changes to this in future, since the current viability statement has proved less comprehensive than intended.

When asked what single element would be the most significant change for heads of internal audit, Thompson pointed to the new focus on internal controls. “The introduction of SOX-style legislation needs to be reconciled with the FCA’s Senior Managers’ Regime and made to work with current listing rules,” he said. “I talk to a lot of audit committee chairs and a few have tested what this regime would mean for them. The general consensus is that a well-run company with a well-run audit committee will not need to do significantly more work. It will just require a few tweaks. We don’t expect it to entail the huge costs seen in the US when SOX was introduced.”

For those keen to start preparing, Thompson suggested that internal audit could look at the implications for internal controls and risk management. “What is disclosed in the annual report and to what extent are these disclosures assured? If there is a requirement to make a resilience statement that extends beyond three years, what would that mean for you?” he asked. “I would also get someone to give me an external view on the quality of the audit committee. Ask how the audit committee feeds into the annual reporting process. Is this transparent enough? Is there more to do here?”

He added that internal audit should prepare to answer more questions from investors about resilience and controls and assurance processes.

When it comes to input from assurance providers other than external and internal audit, particularly around non-financial disclosures and sustainability, Thompson predicted an increased focus on many types of assurance. “This could create a mixed economy in which the audit committee can shop around for the best providers of different elements of assurance,” he said. However, he added that the intention is not to create a single prescriptive control framework.

Elam summed up Thompson’s presentation with a list of dilemmas it set for internal auditors. “The key issues are how we advise the audit committee on where and how to access external assurance, what counts as valid assurance and what constitutes independent assurance,” he said. “The onus is on us to up our game and look more widely at assurance sources and quality.”

This article was published in May 2021.