For UK listed companies, changes to how internal control frameworks are regulated have been a long time coming. And it has been a slow, painful, messy process: white papers, discussion documents, more white papers… nothing new there.
But wait, is that clarity that we can see emerging? We will have a new regulator – the Audit, Reporting and Governance Authority (“ARGA”) – that will replace the Financial Reporting Council. It will endorse a new framework for internal control reporting, which will include a requirement for a company’s CEO and CFO to attest that an evaluation of the company’s Internal Control over Financial Reporting (ICFR) has been completed. This is a big step, since it shifts a responsibility from external audit back to the management of the company, arguably where it belongs. Some sleepless nights for the CFO and CEO.
So rather than just lie in bed worrying about it, get up and make a cup of tea and consider three key questions that need to be answered:
- What will the new internal controls framework look like?
- How will the role of external audit change?
- When will it be introduced?
What will the new internal controls framework look like?
Views on this tend to be polarised. At one end you have the US’s prescriptive rules and the other the UK’s principle-based “light touch”.
The current thinking behind what will happen in the UK draws on elements of s302 of the US’s Sarbanes-Oxley Act (“SOX”), which requires the CEO and CFO to attest that an evaluation of the effectiveness of the company’s ICFR has been completed and to state whether those controls were effective.
However, it is not expected that external audit will have to report on this attestation as is required by s404 of SOX. This may be a relief for some given that around one third of total external audit costs in the USA relate to ICFR.
But do not be fooled – the cost of the internal effort needed to complete the attestation work properly is significant. It’s like an iceberg: what you see above the water represents only a fraction of the effort needed to get to a position where the attestation can be made with confidence. In addition, the current UK corporate governance requirements have a broad application and are not limited to the controls over financial reporting, which is important – the risks that companies face are not limited to financial numbers. Controls need to be vigorously applied to operations, data, security, staff conduct, culture, ethics and more. So the scope of the work can be much wider.
How will the role of external audit change?
While it seems obvious that some form of independent assurance would be required, this has not been recommended, on the grounds of the considerable cost involved.
Instead of external auditors reporting annually on internal control effectiveness, the recommendations are that only reported failures of ICFR would trigger a requirement for an audit of the CEO and CFO attestations in the three years following the failure. The ‘logic’ behind this is that only those companies that have fallen short of the mark will incur additional external audit costs.
This creates three problems:
- It presupposes that weaknesses and failures will be reported in the first place. History shows that the bigger the failure, the more likely it is to remain hidden until it is too late.
- This ‘ad hoc’ audit approach when controls fail is not conducive to efficient and effective audits. Auditors cannot just ‘dip in and out’, especially in large complex organisations where it takes time to establish an understanding of processes and relationships.
- We can’t help but feel that this is “closing the stable door after the horse has bolted” – generally by the time the failure has been reported the damage has already been done.
While there may not be a consensus on the need for external auditor attestation during the initial implementation of the new internal control framework, it is almost certain to be required following implementation if the framework is to have any credibility amongst the company’s stakeholders.
OK I am still worried – when is this going to happen?
Anyone familiar with the accounting, auditing and reporting world will know that the pace of change can best be described as glacial. The most optimistic voices are looking towards a phased introduction in the early 2020s. Many are unconvinced, however, given the lead time required to develop and introduce the good quality guidance that would need to underpin the new framework.
However, the implementation of new regulation should not prevent organisations from putting in place a robust internal control framework right now. Corporate failures are inevitable – it is an economic fact of life – but failures due to poor internal controls will also keep happening regardless. Just look at the recent demise of Wirecard, where the simplest of controls was overlooked that could have uncovered the scale of the deception years earlier. This may not have saved the company, but it might have minimised the losses to shareholders. And do not forget that it is the duty of the management of all companies, regardless of their size and nature, to ensure that adequate controls are in place to protect shareholder value – this is a fundamental principle of their stewardship role.
The time to act is now…
Companies need to put in place robust and effective internal control frameworks now and ensure that they engage and coordinate all three lines of defence in their day-to-day operation.
The good news is that the steps to take do not need to be overly complicated:
- look at your business processes and activities,
- identify the inherent risks,
- implement key controls to mitigate these risks, and
- monitor the controls on an ongoing basis.
Organisations can use a well-designed and effective technology solution to facilitate these steps and engage all three lines of defence. Those that do will find themselves at significantly reduced risk of control failures, operating with a proactive rather than reactive mindset. Preparing now will also start them on a journey to greater control environment maturity that will leave them well placed to comply easily with the new UK regulations for internal control.
An integrated control framework can become a cornerstone of the business, driving a culture of control where everyone takes simple daily habitual steps that become as familiar as cleaning your teeth every morning, and continually driving better behaviour across the organisation.
But it will take time. And that is why the time to act is now.
ICE is a nimble and practical internal control and compliance solution that focuses on engaging and enabling all three lines of defence. It provides a standard and transparent backbone to your organisation’s control environment at all levels of maturity.
Further information around the direction the regulatory landscape is heading can be found in the recent ICAEW paper – Internal controls reporting: sketching out the options