Spotlight on trust: the Chartered IIA response to the BEIS White Paper

On 18 March 2021 the government published its long-awaited White Paper outlining its audit reform programme, aptly named “Restoring Trust in Audit and Corporate Governance”. This fired the starting gun for a 16-week public consultation, ending in early July. During this period, the Chartered IIA has been busy consulting members and stakeholders to get their ideas and input on our response, based on a policy position paper we published on our website in late May.

 

The White Paper is the culmination of several independent reviews into audit and corporate governance that were initiated in 2018 following the collapse of Carillion, which revealed many serious audit and corporate governance deficiencies. Other high-profile corporate scandals linked to audit and governance failings, including those of BHS, Patisserie Valerie and Thomas Cook in the UK, as well as the Wirecard accounting scandal in Germany, have also undermined trust in corporate governance and have eroded society’s trust in business.

These reviews and inquiries included the Independent Review into the Financial Reporting Council led by Sir John Kingman, the Audit Market Study by the Competition and Markets Authority and last, but not least, the Independent Review into the Quality and Effectiveness of Audit, which was itself a recommendation of the Kingman review. The road to audit reform has been more of a marathon than a sprint.

The good news is that much in the White Paper closely aligns with what the Chartered IIA has been advocating on audit reform in recent years. While much of the focus of the reform programme is on improving the quality and effectiveness of statutory audit and financial reporting, there are also proposals that will affect the future of the internal audit profession.

The vital role of internal audit as a cornerstone of good corporate governance is recognised several times in the 232-page document. This includes the exciting and welcome proposal for companies to have an audit and assurance policy, which will contain a description of the company’s internal auditing and assurance processes, as well as stating how they plan to strengthen their internal audit and assurance capabilities over the next three years. For publicly listed firms, this will be subject to an advisory vote at the AGM.

The institute believes that, while the audit and assurance policy must be owned and signed off by the audit committee, internal audit is in a unique position to act as facilitator and coordinator of the policy in collaboration with other internal stakeholders such as finance and risk management. We believe the proposal for an audit and assurance policy should help to strengthen internal audit functions and is a golden thread that will help to tie strands of a company’s assurance together.

The White Paper also proposes strengthening the internal control framework for financial reporting, learning the lessons from, and adopting an approach similar to, the Sarbanes-Oxley (SOX) Act in the US. In practice, this will involve all company directors signing a statement that the internal controls related to financial reporting are effective. We believe the internal controls related to financial reporting are a good place to start. However, we see no reason why, in time, these requirements should not extend to other areas where risks need to be mitigated to the lowest possible level – cyber security and data protection, for example.

In principle, we welcome the proposals for a SOX-style regime and we believe that overall they are a positive development for internal audit and the wider corporate governance framework. However, we have some concerns about unintended consequences. Specifically, we know that when SOX was introduced in the US directors often expected internal audit to do much of the “heavy-lifting” to support attestation. This went beyond providing independent assurance to being involved in other aspects of SOX, such as testing. In many instances, this diverted internal audit time and resources back to financial controls and away from business-critical risks such as cybercrime, environmental, social and governance (ESG) issues and culture.

While we believe internal audit could play an important role in providing independent assurance, we don’t want to see internal auditors doing work that should fall to senior managers in the first line and risk management in the second line. We would therefore like to see the audit regulator publish clear implementation guidance, outlining best practice on the roles and responsibilities for the design, oversight and assurance of any SOX-style regime.

Another important proposal is to widen the definition of a public interest entity (PIE). At present, a public interest entity is, generally, defined as one that is publicly listed on the main London Stock Exchange. However, when BHS collapsed it was a large private company and when Patisserie Valerie collapsed it was listed on the Alternative Investment Market (AIM), so neither would have been subject to the more stringent audit and corporate governance regulations that apply to PIEs, such as the statutory audit regulations introduced in 2016 (SATCAR 2016). While some issues need to be clarified, particularly in relation to larger, more complex group structures, we support widening the definition and have called for this in the past.

We also have concerns about two areas in the White Paper referring to the scope of external audit and a proposed corporate auditing profession with a new professional body. The proposals around external audit’s scope would formally assign more of an assurance role to external audit in areas such as ESG, cyber and culture. Our key concern is that this could potentially duplicate the roles and responsibilities of internal auditors, as these are non-financial areas where internal audit currently provides independent assurance.

Indeed, given that many of the issues with external audit that have emerged in recent years have been financial, we believe external audit would benefit from focusing more on improving the quality and effectiveness in that area. A wider scope could raise expectations further still.

We have similar concerns regarding the proposal for establishing a corporate auditing profession. We believe far more time is needed to consider this proposal fully. Furthermore, we believe that priority should be given to more urgent recommendations to improve external audit quality and effectiveness.

One recommendation we would like to see accelerated is the replacement of the Financial Reporting Council with a beefed-up new audit regulator, the Audit Reporting and Governance Authority. This will require legislation to put the audit regulator on a statutory footing with the legal powers it needs to do its job properly – something that we have long said should be front and centre of any audit reform programme.

So, when is any of this likely to happen? The government has suggested passing legislation towards the end of this current parliamentary term, but there is no clear timetable or roadmap for this. We will be calling on the government to publish and commit to a timetable in our White Paper response. 

Gavin Hayes is head of policy and external affairs at the Chartered IIA.

This article was first published in July 2021.