Recently the government produced its long-awaited consultation, “Restoring trust in audit and corporate governance”. Whilst the title would suggest it's about trust in the profession and governance, a closer look confirms it is really about restoring trust in the performance information and risk analysis created by directors on behalf of the companies they are accountable for.
Much of the analysis that has emerged in its wake has been developed by the major external audit firms with a natural focus on the external audit implications and their views on what this means for directors, particularly Audit Committee Chairs. This paper aims to turn the tables a little and consider what the proposals really mean for executives within companies. Where will the proposals hit hardest? What might take the most effort? Where might you start in digesting the requirements? Where might you want to comment?
Before starting, it's important to note that the timelines have been left to be determined in the consultation. Most commentators suggest that a phased approach with the first deadlines being in 2023 is most likely. The consultation itself suggests that for some companies there will be a two-year time lag after this. However, it's likely that these proposals will be fully implemented by around 2025.
Secondly, the definition of Public Interest Entities is subject to consultation. It appears certain that these recommendations will extend beyond the current definition to include not only premium listed companies, but also large companies (such as those with more than 2,000 employees, more than £200m in turnover or balance sheet size in excess of £2bn) and large AIM companies, as well as other more significant organisations. These comments are written with a view to encompassing all companies that might meet these definitions at some point in the next five years.
For any sizeable company 2021 will be a year for planning and assessing readiness.
In my analysis there are six major themes for directors and management that emerge from the recommendations:
- Enhanced governance
- Risk and control ownership
- Evidencing resilience
- Reliability of information
- Optionality in assurance
- Increased engagement and accountability
Taken together this creates a call to action.
For those responsible for finance, risk, assurance and governance within companies the starting point should be to consider the enterprise risk environment and controls at all levels holistically so that appropriate decisions and choices can be made. A programme of activity will be required to meet the increased expectations: 2021 is the time to start planning and preparation regardless of your starting point.
Six major themes:
1. Enhanced governance
The consultation introduces a new regulatory regime, overseen by a new regulator, the Audit, Reporting and Governance Authority (ARGA). Directors will more strongly be held collectively accountable for corporate reporting and audit. ARGA will have investigation and enforcement powers for breaches and there are proposals for strengthened malus and clawback provisions. Directors will need to consider whether their existing arrangements are adequate to evidence their engagement in the specific areas where their duties have been explicitly enhanced – and this cannot be a matter of the Audit Committee Chair alone.
Further, the Audit Committee will face greater scrutiny in relation particularly to the oversight and appointment of the external auditors. There will be an expectation of continuous monitoring, demanding challenge and scepticism in the auditors’ approach. The Audit and Assurance Policy will create an expectation of greater engagement with all stakeholders underpinned by improved understanding of how and where assurance is obtained across all risks disclosed in the annual report and elsewhere. ARGA will have the power to appoint auditors where problems are identified and to investigate or appoint an observer to the Audit Committee.
2. Risk and control ownership
Perhaps the most significant proposal is for the attestation of internal controls over financial reporting. There are options in the proposals in relation to the role and extent of the external auditor, but from management’s perspective the core requirement for a statement on the effectiveness of the design and operating effectiveness of controls appears unlikely to be challenged.
Whilst focussed on controls over financial reporting, it will be critical for management to understand and document the end-to-end processes that contribute to the reporting so that the relevant systems and controls can be identified. This will stretch well beyond the finance team into customer facing teams where invoices are originated, procurement teams, HR and other operational areas. It will require widespread training and developing a risk and compliance culture reflective of the risk appetite of the organisation. Individuals at all levels will need to take ownership of their roles in this process.
This requirement is particularly emphasised with regards to fraud risk and associated controls. External auditors will be held to higher standards and will become more demanding of management, but fundamentally it is the directors that are accountable for the prevention and detection of material fraud. The consultation explicitly refers to the need to put in place appropriate fraud risk assessment, means to identify and respond to fraud risk, ensuring appropriate controls are in place and operating effectively and the promotion of an appropriate corporate culture and corporate values. This alone is an improvement programme for most organisations.
Beyond this companies will be required to identify where risks are emerging or changing and ensure this is adequately communicated, particularly to investors and external auditors, and the requirement for an Audit and Assurance Policy will create the need for a more integrated view over risks across the organisation. In addition, the consultation explicitly does not focus on climate related risks but acknowledges the introduction of disclosures related to the Task Force on Climate Related Financial Disclosures (TCFD) will extend the need to assess risk and consider the controls and assurance required over these risks to this critical area.
3. Evidencing resilience
As proposed by Sir Donald Brydon, the consultation includes the requirement for a Resilience Statement to replace the existing going concern disclosures related to short term risk and viability analysis for medium and longer term risks. Resilience has emerged as a key trend in the aftermath of the pandemic with investors and other stakeholders wanting more information on the risks that really threaten the operational stability of the company.
The assessment of resilience will need to be undertaken in the short term over a one to two year period, with scenario analysis proposed to include two reverse stress test situations, extending the severe, but plausible analysis introduced by the Viability Assessment. Any material uncertainties should be disclosed on both a gross and net basis taking into account the strength of controls. The medium term analysis is required over a minimum of five years, reflecting the dissatisfaction felt over the current three years used for most analysis of viability. The longer term might be indefinite.
As for other areas it will be for the directors to engage with investors to determine the extent of audit or assurance, internal or external, that might be required over these disclosures. Given that they will be a core element of the corporate reporting any misrepresentations would be a breach of the collective responsibilities of directors outlined above.
Management are likely to find this requirement challenging. It requires honest and deep thinking about the nature of the events and scenarios that could arise in the most challenging of circumstances and what they would do in response. This has clearly been tested in practice in the last 12 months, but this has perhaps only evidenced how difficult it is to stress test different scenarios and outcomes in a meaningful way.
4. Reliability of information
The consultation emphasises throughout that these proposals are designed to improve the reliability of performance management and related information. It is clear that directors will be held accountable for ensuring all information disclosed in the annual report and accounts, whether quantitative or qualitative, is true and fair, creating a balanced and informative view of the company.
The consultation discusses three areas specifically:
- Capital maintenance and dividends where specific disclosures will be brought into the annual report to evidence the legality of the proposed dividends and the effects on the future solvency of the company.
- Payment practices where there will be disclosures required with information on the proportion of payments that meet the standard policies as described.
- Alternative Performance Measures and Key Performance Indicators, of particular interest to investors and to those considering directors' remuneration practices, and which the consultation suggests should be a particular area of focus in the Audit and Assurance Policy so stakeholders understand the nature and level of audit and assurance obtained.
It is a feature of these requirements that a lens beyond the investors is being applied. Whilst the consultation has explicitly not suggested mandating a Purpose Statement, it references s172(1) of the Companies Act in requiring directors to consider the interests of a wider group of stakeholders and references are made throughout to the needs of employees, suppliers, lenders, creditors, customers and the wider public.
5. Optionality in assurance
A central plank of the proposals is the accountability of the directors for determining the level of audit and assurance required beyond the core statutory requirements of the external audit. The consultation says that audit and assurance should be market-led, taking into account shareholders’ views primarily, but also other stakeholders such as lenders, suppliers or employees. The proposals do not suggest that the external auditors need necessarily to be providing a wider range of audit or assurance, although they do require them to think more broadly about issues such as director conduct and the wider set of financial and non-financial information in reaching their judgements.
The proposals also suggest the creation of a regulated Corporate Audit Profession to act as an umbrella for all audit activities and with the intention of encouraging a broad range of suppliers of financial and non-financial audit. It remains to be seen exactly how this regulation will operate in relation to non-financial areas.
Directors can, and should, engage with investors through seeking the advisory vote on the Audit and Assurance Policy. This Policy should explain what assurance is being commissioned over all aspects of the annual report and accounts, as well as other information. It should create an integrated view alongside the existing principal risk disclosures with a focus on the wider information set provided in the directors’ report, the strategic report and the corporate governance statement. It should explain how directors make decisions about where they do and do not require audit and assurance and should be proportionate and flexible. The consultation draws out particularly climate related disclosures, alternative performance measures and KPIs as areas where disclosures will be helpful.
This requirement should not be underestimated. Few companies have an existing assurance map that describes where the directors currently obtain their assurance, including both internal and external providers. The nature of the assurance provided (rightly) varies significantly and it is not an easy process to explain the issues that arise. Companies are likely to need time to embed this approach and to practise the disclosures.
6. Engagement and accountability
These proposals are designed to create a new level of conversation between companies, investors and other stakeholders. They are considered to be proportionate interventions that enable companies to take ownership of their risks, controls and necessary assurance, with the support of an enhanced corporate audit profession with a clear purpose and principles. Directors are at the heart of the proposals, with increased scrutiny and consequences should behaviours not represent the highest levels of integrity and honesty.
The fundamental requirements of external auditors have not changed in the conduct of audits, but there is a clear focus on scepticism, challenge and informativeness. It is likely to be the implications for the external audit profession that are most commented on. As anticipated the proposals suggest the operational separation of audit and non-audit arms of the Big 4 firms, and whilst stopping short of proposing joint audits, introduce the prospect of shared audits and a cap on market share.
The enhanced role and powers of the new regulator will be fairly wide-reaching, giving it the ability within specific frameworks to intervene or advise in areas such as accounting policy decisions, audit firm selection and the conduct of audit committees, as well as greater authority over the new Corporate Audit Profession. Investors have generally indicated they support these proposals.
It goes without saying though that such changes will create additional burdens for management, and particularly finance teams, in responding to more requests and a higher level of audit activity. This will need careful engagement and discussion.