UK Corporate Governance Code - strengthening the UK's internal control framework

The recent Government response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance systems sets out that the Government intends to take a Code-based approach as the most practical and proportionate way of strengthening boardroom focus on internal control matters. Some commentators have suggested that this is a missed opportunity and that a Code based solution – rather than primary legislation, like Sarbanes-Oxley in the US – leaves UK Plc with no clearly defined framework for internal controls and risks a ‘hotchpotch’ approach to reporting and measurement.

I would argue that this is not the case, and that a UK Corporate Governance Code based approach to strengthening the UK’s internal control framework has a lot to recommend it.

The Sarbanes-Oxley requirements in this area are relatively short on words. Essentially the CEO and CFO must report that they have evaluated the effectiveness of the issuer’s internal controls over financial reporting and present their conclusions about the effectiveness of such controls. It would be very easy to accommodate similar words into the Code itself – and much quicker and easier to finesse over time if need be.

So, what makes the US Sarbanes-Oxley requirement such a formidable hurdle? I would suggest that it is a combination of the requirement that a company’s statutory auditor attests to, and reports on, the assessment made by the executives; and the SEC Rules and PCAOB Auditing Standards that support the Act itself.

The SEC Rules and PCAOB Auditing Standards are critical to the success of Sarbanes-Oxley – without them the US would have no clearly defined framework for internal controls and a pick’n’mix approach to reporting and measurement. Whether the new UK reporting regime is pursued through legislation or the Code, ARGA will have to act to provide clear guidance for companies (and auditors).

Mandated external auditor assurance – no matter how likely to ensure a meaningful shift in the seriousness with which boardrooms consider internal controls – seems never to have been on the agenda. It was not part of the solution presented by BEIS in 2021, so without extensive support from the investor and corporate community – which hasn’t been forthcoming – it was always unlikely to become a reality.

While mandated external auditor assurance might be off the cards, the inclusion of ‘internal controls’ as part of the minimum content for the new Audit and Assurance Policy will surely play a role in encouraging external assurance.

Furthermore, amending the Code to require an explicit statement on the effectiveness of internal controls would very likely have consequences for auditors. Since the very early days of the Code, the Listing Rules have required that companies ensure that their auditors review those parts of the directors’ corporate government statement relating to internal controls. If this were to persist – and I see no reason why it wouldn’t – then auditors would be required to carry out specific procedures in relation to the directors’ internal control statement. While stopping short of providing an opinion on the effectiveness of internal controls, if current practice were to be extended to the new statement, auditors would be required to understand the review process defined by the board, review the documentation prepared by the directors to support their statement, and compare both to the internal control statement made by the board in the annual report and accounts. Not assurance per se, but certainly enough to ‘encourage’ good practice.

The Sarbanes-Oxley Act does not specify, nor indeed refer to, any framework by which the effectiveness of internal controls over financial reporting should be benchmarked. Such references do appear with the SEC Rules implementing the Act, but even then, the precise framework isn’t specified – simply that it must be a suitable, recognised control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. (The COSO framework is referenced as an example of a suitable framework, but so too is the Guidance on Assessing Internal Control published by the Canadian Institute of Chartered Accountants and the Turnbull Report published by the ICAEW.)

So, while the well-known COSO (Committee of Sponsoring Organizations (COSO) framework for effective internal control) framework is the default framework for most, that is a convention not a requirement. And, if Sarbanes-Oxley reporters’ default to the COSO framework, then it is difficult to see why that would not be the same under a UK Code-based approach. Thus a consistent framework and approach is very likely, particularly if ‘encouraged’ by ARGA in any guidance they might produce.

It is true that the Code operates via the now well established ‘comply or explain’ framework rather than being a set of requirements as such. But would any board realistically refuse to state the outcome of their review of the effectiveness of internal controls – or worse still, refuse to carry out such a review? Experience suggests that this would be extremely unlikely and would require a very ‘special’ explanation if the board were not to incur the wrath of the investment and wider stakeholder community.

So far, I have argued that there is little difference between a UK Corporate Governance Code based approach to strengthening the UK’s internal controls framework and a legislative approach. But there is one area where the new proposals leapfrog the US Sarbanes-Oxley reporting regime.

Rather than being restricted to internal controls over financial reporting (as is Sarbanes Oxley), the Government’s proposed approach is that boards report on the effectiveness of internal control systems in the broadest sense. Not just internal controls over financial reporting, but also those controls designed to address operational, compliance and wider financial risks. This is difficult, but important. It is often – perhaps most often – these wider risks that pose the greatest threats to stakeholder value. Sarbanes-Oxley wasn’t designed to prevent the bank failures at the heart of the 2008 financial crisis or to insulate companies against existential events like the global pandemic, climate change, and geopolitical tension around the world – yet these are the events of greatest significance to corporate sustainability.

So, in conclusion, I tentatively suggest that rather than being a missed opportunity, the Government’s proposals present a significant opportunity for the UK to adopt a framework for reporting on internal controls that is fit for the ‘real’ risks faced by companies as well as the expectations of today’s stakeholders. Sarbanes-Oxley may or may not have been the right approach to address the issues surrounding the collapse of Enron - the greatest fraud in American history – but today’s world demands, and deserves, a broader solution – whether legislative or not.