This paper follows our preliminary essay on the same subject, Internal control effectiveness: who needs to know? (May 2019). It is based on a series of interviews with members and chairs of audit committees and external auditors.
Reporting on the effectiveness of internal controls is a key feature of the current reviews of UK audit and regulation. And as the nature of the heightened financial reporting risks associated with COVID-19 becomes clearer, investors are looking to companies for reassurance about the quality of internal control over financial reporting (ICFR). They want to know how companies are mitigating the risks of error, manipulation, collusion and fraudulent financial reporting. These questions will be addressed, in practice, to audit committees and auditors, the very people we interviewed for the purposes of this publication.
The Framework: COSO, the UK Code – or something else?
Audit committees need higher quality information and a clear framework for the reporting, documentation, evaluation and testing of ICFR, to challenge management and auditors effectively.
Controls “relevant to the audit” have driven auditor behaviour to date in this area. Under a new reporting regime with a focus on management and the risks facing the entity, such auditor-driven decisions should take a back seat. Everyone involved should clearly understand what effectiveness – and ineffectiveness – look like.
The Brydon recommendations
The Brydon recommendations are seen as a good starting point and suggest a mandatory “UK Internal Controls Statement”, signed by the CEO and CFO, based on principles led by ARGA, and a framework “based on a UK customised version of COSO”.
COSO
Reporting on a COSO-style framework within a SOX-style regime could well result in improvement to the financial reporting process, but lessons would need to be learned from the implementation of SOX in the USA, which was inefficient and expensive.
Audit committee chairs interviewed were less confident than external auditors, but many believed that COSO is the only practical way forward, albeit with concerns over proportionate application.
The UK Code
The UK Code has been used for SOX reporting in the USA by UK companies listed there. Although not mandated by SOX, no company with a US listing currently reports against anything other than COSO.
COSO defines risk, a controls framework and a material weakness, and provides examples, which makes it clearer than the UK Code.
Some are of the view that using COSO avoids the need for UK companies with dual listings to report under two different regimes. Others are adamant that the UK should follow a principles-based controls framework.
What are the alternatives?
There are clear differences of opinion about the starting point for a UK Framework and its compatibility with SOX. Some believe that the UK Code could, with additional guidance, be sufficiently robust for reporting publicly on ICFR.
Some urged the UK to move towards a controls mind-set, with better quality documentation and more granularity. Others thought excessive focus on controls leads to a loss of focus on the risks themselves.
Scope, timing, preparedness and skills
What might be the scope?
Brydon suggested that ICFR reporting recommendations might be applied to a subset of the FTSE 350, as well as to PIEs. Those interviewed generally disagreed with the idea that reporting would be too difficult for smaller listed companies.
Nevertheless, many thought there are significant differences between companies at the top and bottom end. There were concerns about costs being prohibitive for smaller companies, about making the UK unattractive to investors, and memories of SOX resulting in de-listings.
What might be an acceptable timeframe?
The pace of change matters. Those interviewed were concerned about whether the lessons of SOX had been learned, and noted that its hasty introduction contributed to high costs.
Some advocated introducing a new attestation regime on a phased basis in the early 2020s, due to risks of delay and of political momentum being lost. Others wanted a longer lead-time for the development of good quality guidance.
How prepared are companies?
External auditors expressed concerns about how even large companies will cope, although some thought that those already applying something close to SOX would fare better, and that finance teams in the UK are used to, and respond positively to, being challenged. Some external auditors thought that companies need to take action now – particularly with regard to IT systems.
Audit committees look at internal controls through a wider-angled lens because their responsibilities are not confined to ICFR. Members of audit committees suggested that FTSE 100 companies probably already have the quality of controls necessary for SOX, but that other listed companies would need to do more.
Will companies have to upskill?
Larger firms of external auditors and very large companies have the resources and skills to train their staff, but concerns were expressed about the ability of challenger firms to recruit, retain and develop people skilled in this area. Some external auditors expressed concerns about the pool of skills – particularly IT skills – available to companies, particularly smaller companies.
Assurance
The Brydon recommendations
Instead of recommending a s404-style regime where external auditors report annually on internal control effectiveness, Brydon recommended that certain failures of ICFR would require an audit of CEO and CFO attestations for up to three years. Additional costs will therefore only apply to those who have 'failed in their recent reporting'. Some boards may still choose to have the attestation audited.
Brydon also recommended that directors should report remedial actions taken, and their effectiveness. Any principles, guidance and standards developed should equip boards – and auditors – to distinguish between 'weaknesses', 'material weaknesses', 'failures' and 'deficiencies', and to clarify what exactly internal control effectiveness looks like.
Material weaknesses are reported in the USA, but relatively few are reported. The main drivers in the USA – criminal penalties for non-compliance and the s404 requirement – are not currently on the agenda in the UK. Auditor involvement may drive better behaviour, or companies might avoid reporting internal control failure in the first place.
Some external auditors also had concerns about recommendations for 'ad-hoc' audits when controls are deemed to fail. External auditors cannot just 'dip in and out of audits', because it takes time for companies and auditors to develop robust documentation, evaluation and testing processes.
Some noted that the COSO guidance suffers from proportionality issues and that external auditors will need their own guidance for 'voluntary' audits of ICFR, and for audits where controls have failed.
Voluntary external assurance?
Those interviewed were clear that a new reporting regime would involve some external auditor involvement, beyond the voluntary and control failure-driven involvement envisaged by Brydon. Some were more concerned about how audit committees would satisfy themselves about the CEO and CFO attestations.
Audit committee members suggested that where the internal audit function is independent, properly resourced and effective, there should be no need for mandatory external auditor involvement. But they thought it important to retain the right to have independent checks.
Recommendations and next steps
While our interviewees had divergent views on the reporting framework to be adopted, and on company preparedness, they were broadly in agreement with the six areas listed below:
- Critical to the success of the reforms will be the quality of the reporting framework adopted and the guidance for management and external auditors.
- Whatever the framework adopted, the focus must first be on company reporting on the effectiveness of ICFR, not on reporting by external auditors.
- Enhanced public reporting of weaknesses in the UK represents a significant step forward for most companies and will require courage.
- The short-term focus must be on ICFR. Reporting on the broader controls framework is important but would be a step too far at this time.
- The pace of change and scoping both matter. Some sort of phased implementation will be necessary taking account of different types of company, as well as any external auditor involvement.
- Many companies will need help from their external auditors with ICFR.
We invite individuals and organisations to share with us their comments on the suggestions in this essay, and their own experiences and ideas regarding the challenges of internal controls reporting. These will help us to develop our contribution to the coming period of intense consultation and reflection that will determine the future of audit and reporting in the UK, and beyond.
Internal controls reporting: sketching out the options