What Do We Know after a Year of the UK SOX Consultation?
The UK’s version of the U.S. Sarbanes-Oxley Act (SOX) aims to restore confidence in the governance of UK-listed companies and protect investors from fraud.
On March 18, 2021, the Department for Business, Energy & Industrial Strategy (BEIS) published its consultation to strengthen the UK’s audit and corporate governance framework with the aim of further safeguarding investors, creditors, employees, customers, suppliers and the wider public from corporate mismanagement.
A number of corporate insolvencies, such as Carillion in 2018, have damaged public trust in the credibility of directors’ reporting, and research from the Financial Reporting Council (FRC) revealed that 49 out of the 130 audits in their annual inspection cycle (2019/20) required either improvement or significant improvement.
The government subsequently commissioned three independent reviews:
- Sir John Kingman’s independent review of the Financial Reporting Council (FRC) argued that existing regulators lacked powers and purpose to hold auditors and directors to account.
- The Brydon Review recommended that the purpose of audit be clearly defined in law and regulation to “establish and maintain deserved confidence in a company, in its directors and the information for which they have a responsibility to report, including the financial statements.”
- The Competition and Markets Authority (CMA) report contained recommendations to address competition problems in the UK audit industry.
For several years now, the FRC has been developing a UK equivalent of the U.S. Sarbanes-Oxley Act (SOX). The legislation is designed to reform current business reporting practices, enhance financial disclosures, and prevent corporate and accounting fraud by making company directors and auditors accountable and subject to enhanced civil and criminal penalties.
Increasing corporate accountability for PIEs
Public Interest Entities (PIEs) are currently defined in the Statutory Audit Directive, implemented before the UK left the EU, as “entities whose transferable securities are admitted to trading on a regulated market, credit institutions or insurance undertakings.”
Corporate accountability maintains that businesses or individuals should be held responsible for the impact of their actions, and as a result, it is a vital concept for investors and shareholders. Among other things, the BEIS consultation recommended the broadening of reporting and attestation requirements for company directors.
The new requirements would oblige such individuals to attest to the effectiveness of their internal controls as part of their annual reports, while also providing an annual resilience statement setting out how directors are addressing challenges to their business model over the short, medium and long term, including risks posed by climate change.
Attesting internal controls will also require directors of PIEs to report on the steps they have taken to prevent and detect material fraud. The Government believes this will reinforce directors’ primary responsibility for fraud prevention and detection and may also, in some cases, enhance their focus on the risks relating to fraudulent financial reporting.
The BEIS consultation paper also suggests enhanced reporting requirements for dividend and capital maintenance decisions to sharpen directors' accountability in this key management area. The aim is to prevent dividend payments from threatening the solvency of UK businesses. For example, in the eight years from 2009 to 2016, Carillion paid out three-quarters of the cash it made from operations as dividends (£554 million), and between 2012 and 2016, Carillion paid out £63 million more in dividends than it generated in cash from its operations.
These proposals aim to promote the efficient conduct of business through monitoring and benchmarking internal controls, thus protecting stakeholders against disruption through mitigating the risk of operational inefficiencies. Moreover, in-depth and transparent resilience planning also safeguards people, assets and brand equity by enabling business continuity through exogenous shocks and economic uncertainty, a trait that has proven vital during the COVID-19 pandemic.
Holding directors to account
In conjunction with broadening reporting requirements, the consultation seeks to expand its reach, capturing a wider range of directors in its metaphorical net. The government has sided with the majority of respondents who argued that the proposal should encompass all appointed directors of PIEs.
This would represent a significant change compared to the current regime, which only applies to directors who are members of professional bodies. Having all PIE directors in scope reduces the risk of culpable directors escaping liability because they do not hold a particular position.
The BEIS consultation highlights the importance of professional skepticism and the ability to exercise constructive challenges in delivering quality audits. The ministerial department proposes to strengthen the role and responsibilities of audit committees of PIEs to ensure they act effectively as an independent body responsible for safeguarding the interests of shareholders.
To achieve this, BEIS suggested that the Audit, Reporting and Governance Authority (ARGA) impose explicit minimum standards on audit committees to effectively monitor the quality and tender processes of audits. Although it remains unclear how these new requirements will fit alongside existing conditions, new rules will promote continuous monitoring of audit quality and demand greater skepticism from the audit committee. Amendments to legislation would also subject audit committees to greater regulatory scrutiny while granting ARGA the power to request reports from, or place an observer within, the audit committee and take regulatory action if necessary.
By encouraging audit committees to make tough decisions and challenge external auditors, BEIS aims to promote more effective enterprise-wide risk oversight from a legal, financial, management and operational perspective, increasing shareholder confidence and promoting fraud prevention in the process.
Audit and assurance policy
This consultation proposes further measures to improve stewardship by suggesting companies be required to outline their approach to audit through an Audit and Assurance Policy on which shareholders would be granted an advisory vote. Shareholders would also have a formal opportunity to propose to the audit committee areas of emphasis to be considered within the annual audit plan.
The Audit and Assurance Policy described in the BEIS consultation would require directors to outline their approach (over a rolling three-year forward look) to seeking internal and external assurance of the information they report to shareholders, including any external assurance planned beyond the scope of the annual statutory audit.
Competition, choice and resilience in the audit market
“It is not healthy for audit quality that the UK audit market is so concentrated.” With 97% of FTSE 350 audits conducted by the four largest global accountancy firms (Deloitte, KPMG, EY and PwC), the BEIS consultation postulates the need to provide opportunities for challenger audit firms to compete with their big brothers. Proposed reforms include greater regulatory powers and duties intended to increase choice and competition in the FTSE 350 audit market, initially through a managed shared audit regime in which a member of the big four is the lead auditor and bears the overall liability.
The government’s expectation is that these shared audits will enable smaller audit firms to invest in their capacity and capabilities in order to grow and compete across the FTSE 350 market.
An operational split within audit firms
The CMA market study concluded that internal tensions could arise within firms conducting both audit and non-audit work, with the result that greater revenue and profits accruing from non-audit work may have a detrimental impact on auditor incentives and working culture.
The government saw merit in taking steps to reform the balance of incentives and working culture within audit firms and, among other measures, proposed to strengthen the governance within audit practices through the creation of independent Audit Boards to have oversight of audit partner remuneration and ensure it is linked to audit quality.
A new corporate auditing profession
The government is also seeking to broaden the role of auditors to encompass issues outside of financial statements. BEIS has proposed the creation of a new corporate auditor profession to operate independently of the professional accounting bodies. Accompanying this would be a new duty on auditors to take a wider range of information into account to reach comprehensive audit judgments to assess whether financial statements give a “true and fair view” of the firm.
So, what now?
Although the response period for this consultation ended in July of 2021, the exact legislation will be worked on from here and its official implementation is not expected until 2023.
While we await clarity on some key areas, such as ARGA’s minimum standards for audit committees, there is much that directors can be doing to prepare.
In our next blog on the subject, we will compare the BEIS proposal to U.S. SOX to understand what, if anything, can be applied to UK businesses. We will also offer practical recommendations for firms, enabling you to get ahead of the curve.