The recent Government response to the consultation on strengthening the UK’s audit, corporate reporting and corporate governance systems sets out that the Government intends to take a Code-based approach as the most practical and proportionate way of strengthening boardroom focus on internal control matters. Some commentators have suggested that this is a missed opportunity and that a Code-based solution – rather than primary legislation, like Sarbanes-Oxley in the US – leaves UK Plc with no clearly defined framework for internal controls and risks a ‘hotchpotch’ approach to reporting and measurement.
I would argue that this is not the case, and that a UK Corporate Governance Code based approach to strengthening the UK’s internal control framework has a lot to recommend it.
A simple ask
The Sarbanes-Oxley requirements in this area are relatively short on words. Essentially the CEO and CFO must report that they have evaluated the effectiveness of the issuer’s internal controls over financial reporting and present their conclusions about the effectiveness of such controls. It would be very easy to accommodate similar words into the Code itself – and much quicker and easier to finesse over time if need be.
A formidable hurdle
So, what makes the US Sarbanes-Oxley requirement such a formidable hurdle? I would suggest that it is a combination of the requirement that a company’s statutory auditor attests to, and reports on, the assessment made by the executives; and the SEC Rules and PCAOB Auditing Standards that support the Act itself.
The SEC Rules and PCAOB Auditing Standards are critical to the success of Sarbanes-Oxley – without them the US would have no clearly defined framework for internal controls and a pick’n’mix approach to reporting and measurement. Whether the new UK reporting regime is pursued through legislation or the Code, ARGA will have to act to provide clear guidance for companies (and auditors).
Mandated external auditor assurance – no matter how likely to ensure a meaningful shift in the seriousness with which boardrooms consider internal controls – seems never to have been on the agenda. It was not part of the solution presented by BEIS in 2021, so without extensive support from the investor and corporate community – which hasn’t been forthcoming – it was always unlikely to become a reality.
A role for auditors
While mandated external auditor assurance might be off the cards, the inclusion of ‘internal controls’ as part of the minimum content for the new Audit and Assurance Policy will surely play a role in encouraging external assurance.
Furthermore, amending the Code to require an explicit statement on the effectiveness of internal controls would very likely have consequences for auditors. Since the very early days of the Code, the Listing Rules have required that companies ensure that their auditors review those parts of the directors’ corporate governance statement relating to internal controls. If this were to persist – and I see no reason why it wouldn’t – then auditors would be required to carry out specific procedures in relation to the directors’ internal control statement. While stopping short of providing an opinion on the effectiveness of internal controls, if current practice were extended to the new statement, auditors would be required to understand the review process defined by the board, review the documentation prepared by the directors to support their statement, and compare both to the internal control statement made by the board in the annual report and accounts. Not assurance per se, but certainly enough to ‘encourage’ good practice.
A suitable framework
The Sarbanes-Oxley Act does not specify, nor indeed refer to, any framework by which the effectiveness of internal controls over financial reporting should be benchmarked. Such references do appear within the SEC Rules implementing the Act, but even then, the precise framework isn’t specified – simply that it must be a suitable, recognised control framework that is established by a body or group that has followed due-process procedures, including the broad distribution of the framework for public comment. (The COSO framework is referenced as an example of a suitable framework, but so too are the Guidance on Assessing Internal Control published by the Canadian Institute of Chartered Accountants and the Turnbull Report published by the ICAEW.)
So, while the well-known COSO framework (the Committee of Sponsoring Organizations framework for effective internal control) is the default framework for most, that is a convention, not a requirement. And, if Sarbanes-Oxley reporters default to the COSO framework, then it is difficult to see why the same would not happen under a UK Code-based approach. Thus a consistent framework and approach is very likely, particularly if ‘encouraged’ by ARGA in any guidance it might produce.