Robust controls over financial reporting enhances trust in business and improves reporting quality. The UK already has requirements in this area but there is widespread agreement among users of financial reporting that there is much room for improvement.
In March, the long-awaited consultation on ‘Restoring Trust in Audit and Corporate Governance’ was published by the Department for Business, Energy and Industrial Strategy (BEIS). One of its key proposals is that the UK should adopt a strengthened internal controls framework for companies, similar to the US Sarbanes-Oxley Act (SOX) which requires directors to attest to the effectiveness of internal controls over financial reporting. The proposal explores a number of options featuring varying degrees of auditor involvement with the intention that premium listed companies be required to apply them first, followed by all other Public Interest Entities after two years.
Learnings from the US experience
Although much has been said and written about the time and cost of implementing a more robust internal controls regime, the experience in the United States suggests that the benefits justify the expense.
Research and evidence demonstrate that SOX has strengthened the reliability of financial reporting in the US delivering tangible benefits for the capital markets, including:
- Improved quality of financial reporting
- More robust financial controls
- Rebalancing the relationship between the auditor and management
- Highlight problems early and an early warning for fraud
The number of restatements reported by US public companies has steadily decreased since the introduction of SOX. It reached its lowest level in 2019 having decreased by over 90 percent in the last 15 years.
This also suggests that assurance over management’s assessments of the internal control environment within listed companies has benefits for investors and for the company itself. In a 2017 Centre for Audit Quality survey, 79 percent of CFOs who took part felt that the overall quality of information in audited financial statements had improved since the enactment of SOX and 85 percent believed the external audit of their company’s internal controls over financial reporting has helped their company.
Overall 80 percent of those CFOs agreed that the benefits of SOX outweigh or is equivalent to the expense.
What might a UK version of SOX look like?
The BEIS white paper sets out three options for strengthening the UK’s internal controls framework.
Option A. Require an explicit directors’ statement about the effectiveness of the internal control and risk management systems
This would strengthen the existing UK framework by requiring the board to explain the outcome of their annual review of the risk management and internal control systems and make a statement as to whether they consider the systems to have operated effectively. Additionally, they would:
- disclose the benchmark system, if any, that has been used to make the assessment;
- explain how the directors have assured themselves that it is appropriate to make a statement; and
- if deficiencies have been identified, set out the remedial action taken and over what timeframe.
Option B. Require auditors to report more about their views on the effectiveness of companies’ internal control systems
Under this option, the auditors’ report would be required to say more about the work that they already undertake to understand the company’s internal control systems and how that work has influenced the approach taken to the audit, but without requiring a formal attestation of their effectiveness.
This option could be reinforced by placing an explicit duty on the board to disclose to the auditor and the audit committee any significant internal control deficiencies or weaknesses they are aware of.
Option C. Require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems
This option would require the auditor to undertake additional audit and assurance work to be in a position to express a formal opinion on the directors’ assessment – potentially limited to key internal controls over financial reporting, or a sub-set of that. It would have similarities to section 404(b) of the US’s Sarbanes-Oxley Act which requires the company’s auditor to attest to and report on management’s assessment of the internal control structure and procedures for financial accounting.
The Government’s initial preferred approach is Option A. Unlike the US approach, which mandates external auditor attestation for larger companies (based on their market cap), the preferred option leaves the decision on whether the statement should be assured by an external auditor to the company’s directors, audit committee and shareholders.