White Paper Bulletin 5 - Redressing the balance between auditors and directors (Chapters 2 and 5 of the White Paper)

  • 17 May 2021

Following reviews into the audit profession from Sir John Kingman, Sir Donald Brydon and the Competition and Markets Authority, the Government published, on 18 March 2021, a White Paper, “Restoring trust in audit and corporate governance”, the title of which makes clear that the proposed reforms are not just aimed at auditors. A “holistic” approach is advanced, and the reforms envisage changes to the rules governing four main parties: investors, companies and their directors, auditors and regulators, all of whom are considered to need to improve, and work together.

The White Paper proposes two significant reforms which will affect directors. They are:

  1. a “Sarbanes-Oxley” style attestation by directors of the effectiveness of internal controls (Chapter 2.1);  
  2. a new enforcement regime for company directors who breach their duties (Chapter 5.1), which will be similar to the one currently in place for auditors.

The proposed enforcement regime for directors is, in particular, a radical and far-reaching step which has the potential to correct a perceived imbalance: under the current system, those auditing a company’s financial statements arguably appear to be subject to closer regulatory scrutiny and fiercer sanction than the directors responsible for presenting those statements; auditors are subject to investigations by the Financial Reporting Council (“FRC”), and disciplinary action under the Audit Enforcement Procedure (“AEP”). Directors, in contrast, have no dedicated regulator, and such investigative regimes and consequent sanctions as do apply to directors (such as director disqualification) are relatively rarely used outside of insolvent situations.

In this latest bulletin, we look at the proposals aimed at directors and assess whether they are likely to achieve the Government’s aims. We also highlight some potential problems, and we discuss parts of the new proposals which we consider need to be developed further.

The assurance of internal controls

It is clear that inadequate systems and controls relating to corporate financial reporting were a factor in accounting misstatements behind many of the recent high-profile corporate collapses. This is despite the existing framework of rules (largely within the Listing Rules and Corporate Governance Code) which require boards to take responsibility for establishing effective internal control systems. 

The White Paper puts forward three proposals to strengthen the rules. They are:

Option A: an explicit directors’ statement about the effectiveness of the internal control and risk management systems.

Option B: a requirement for statutory auditors to report more about their views on the effectiveness of companies’ internal control systems.

Option C: a requirement for statutory auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems.

The Government’s preferred option is based on Option A, which is to require a directors’ statement. The Listing Rules and Code of Corporate Governance currently require boards to review the effectiveness of their internal controls on an annual basis. The Government proposes that in addition to this, the board will need to:

  • explain the outcome of the annual review of the risk management and internal control systems and make a statement as to whether they consider the systems to have operated effectively;
  • disclose the benchmark system, if any, that has been used to make the assessment;
  • explain how the directors have assured themselves that it is appropriate to make a statement; and
  • if deficiencies have been identified, set out the remedial action that is being taken and over what timeframe.

These proposals hark back to elements of the US Sarbanes-Oxley Act 2002 (“SOX”). However, unlike SOX, the Government is not proposing that auditors be required to separately report and attest to this assessment, save in limited circumstances (for example where there has been a previous serious failing in the company’s internal controls), as this is seen as expensive and burdensome.

As the White Paper notes, at 2.1.5, when SOX was introduced in the US, the arrangement “was perceived by some stakeholders to have led to better financial reporting, fewer significant accounting restatements and stronger reassurances for investors about the robustness of internal controls.” This appears to be reflected in commentary from US auditors referring to their experience since SOX was implemented, though many others in the US have also complained about the additional and costly regulatory burden that SOX imposed.

These new reporting provisions could be implemented via changes to the UK Corporate Governance Code or through legislation to put the requirements on a full statutory footing (including a requirement to carry out an annual review). Should failings be identified, the White Paper envisages that the new regulator should have powers to investigate the accuracy and completeness of the directors’ internal control disclosures and, if necessary, order amendments or recommend an external audit of the internal controls. These would sit alongside powers to sanction directors for failures to establish and maintain an adequate internal control structure and procedures for financial reporting.

Comment

The proposals underline clearly that the primary responsibility for internal financial controls and the accuracy of financial reporting rests with the board and management of a company, which auditors will welcome.

However, any import of SOX-style attestation requirements will need to reflect the different regulatory landscape in the UK. SOX-style regulation has been adopted in a number of countries including Australia, Canada, France, Germany, India, Japan and South Africa. Views are mixed as to how successful such adoption in each jurisdiction has been. UK regulators have different resources and different sanctioning powers from those in the US; the US Securities and Exchange Commission is well funded, provides very close scrutiny, and the certifying CEO and CFO of companies face very serious fines and penalties for breaches of the relevant certification provision (up to 20 years in prison and $5m in fines). US companies also face the ever-present threat of securities class actions, which are less of a feature of the UK litigation scene. Consequently, it is unclear whether transplanting SOX-style certification to the UK would deliver a level of improvement in the reliability of financial reporting similar to that seemingly achieved in the US, without the same jeopardy for infringement.  

It is notable that under the Government’s preferred option, the standards by which internal controls are to be judged, and the degree of external assurance which will be provided on this, are to be decided by boards. This may offer sensible flexibility, but there is the risk that some boards might take the opportunity to elect for “soft” benchmarks. Additionally, such flexibility also may increase the burden on statutory auditors, as they will potentially have to make a judgement on whether the board’s choice of benchmarks was reasonable. A common standard set by a regulator would anticipate these issues but may not afford a universally business-friendly solution.

The Audit Committee Chairs’ Independent Forum (ACCIF) has already developed a set of principles to support a CEO/CFO attestation about internal controls over financial reporting, and the White Paper refers to this. Prior to the issue of the White Paper, the ACCIF had proposed attestation wording under which the CEO and CFO would attest only to the fact that they have established procedures and controls which provide a reasonable basis for financial reporting. This wording (which would essentially be just about the design of the controls) arguably does not satisfy the current proposals. Instead, what may be needed is an attestation as to the actual operational effectiveness of those controls (not just their design).

The White Paper also proposes that boards could, if they chose, rely primarily on their internal audit function to support the directors’ certification of controls. However, this leads to the question of whether companies have sufficient resources to perform this. For example, in the US, after the introduction of SOX, many companies had difficulty recruiting sufficiently experienced people to assist with the new certification regime. UK companies may have similar problems if the Government’s preferred option is enacted, albeit UK companies have expanded their internal audit functions considerably since SOX was introduced.

It is possible that the Government may not proceed with their preferred option, and instead opt for Option B and Option C. Under Option B, statutory auditors would be required to say more about their views on the effectiveness of internal controls and the extent to which they considered them in the audit. However, they would not be required to provide a formal attestation of their effectiveness. Option B by itself would potentially risk creating a new “auditor expectation gap”, as the further commentary provided by an auditor on the internal controls might, wrongly, be seen (by itself) as an assurance opinion on the effectiveness of those controls (even though an auditor may not have completed sufficient assurance work to provide such an opinion).

Option C proposes an additional requirement to the director attestation proposed in Option A. Under Option C, the Government proposes that auditors should also be required to express a formal opinion on the directors’ attestation of the effectiveness of the internal controls.

This would be similar to the approach taken in the SOX provisions, which require both the director attestation and the auditors’ assurance opinion. However, whilst the Government’s preferred option is to introduce the director attestation, the Government is not minded (save in exceptional circumstances, such as where there has been a prior serious failing in the controls) to make it mandatory for a company to obtain a separate auditors’ assurance opinion on the directors’ attestation. Instead, the Government proposes that this be a matter for audit committees and shareholders, as this additional step potentially creates a costly and unnecessary burden. It seems sensible that audit committees should, in the normal course of events, have discretion as to whether to obtain external assurance on the directors’ attestation.

The mere fact of additional certification in itself may not lead to improvements in financial reporting if the certification is not backed by adequate documented procedures; additional certification would not, for example, deter a director who is sufficiently embroiled in fraud to be prepared to sign a set of false accounts. Improvements would derive from the increased focus given by directors to the effectiveness of systems and controls, and from independent assurance providers being able to see evidence of the steps taken by the directors in order to arrive at the certification decision. 

Overall, it appears that the director attestation requirement introduced in the US by SOX in the wake of the Enron affair has had some success in improving financial reporting, and it is unsurprising that the UK is now considering the introduction of a version of those requirements. However, it remains to be seen how effective the UK version of certification will be in improving the reliability of financial reporting, and much will depend on the details of how it is implemented. 

The new directors’ enforcement regime

Scope

One of the headline-grabbing proposals in the White Paper is that the Government intends to legislate to provide the new regulator, the Audit, Reporting and Governance Authority (“ARGA”), with the necessary powers to investigate and take civil enforcement action for breaches of corporate reporting and audit-related responsibilities by Public Interest Entity (“PIE”) directors. Currently, the FRC is only able to pursue a director if they are a chartered accountant who is subject to the FRC’s Accountancy Scheme.

The Government considers that it is important that ARGA should be given these powers; otherwise, ARGA’s credibility would be undermined if it could only act against the auditors, but not against those responsible for presenting the information subject to audit.

The White Paper proposes that ARGA’s powers are to extend to all directors at PIEs (and not just the CEO, CFO, Chair of the Board and Chair of the Audit Committee as had been proposed by the FRC). This is to meet the criticism, which came up in consultation, that implementing an enforcement regime that only applied to some directors would undermine the concept of a unitary board.

The enforcement powers will therefore also extend to non-executive directors. This obviously makes a non-executive role more burdensome, and commentators have suggested that it may have the unintended consequence of making it more difficult for companies to recruit a suitably experienced and capable group of non-executives.

Duties

The White Paper proposes that the new enforcement regime powers will apply to breaches by directors of their existing statutory duties, namely the duties to:

  • keep adequate accounting records;
  • approve accounts only if they give a true and fair view;
  • approve and sign the annual accounts;
  • approve the directors’ report; and
  • provide a statement as to disclosure to auditors and to provide information or explanations at the request of the auditor.

However, as the White Paper acknowledges, these duties were (as currently drafted) not designed to be enforced by a regulator. Accordingly, it is proposed that ARGA will have the power to impose more detailed “relevant requirements” for directors, relating to these statutory duties, which will form the basis for enforcement action. Developing these relevant requirements will be a major piece of work for the new regulator, and it will undoubtedly take some time and require further consultation. The Government is, in particular, consulting about whether the relevant requirements should include behavioural standards for directors in the way they carry out their duties relating to corporate reporting and audit, i.e. would directors be required to act with honesty and integrity in relation to corporate reporting? The White Paper does not state whether financial reporting standards will form a component of the relevant requirements for directors.

There seems to be no doubt that the new proposals will expand existing obligations on directors and will likely lead to further enforcement action.  As the new powers are to be on the civil, rather than criminal, side, the lower civil standard of proof will make enforcement easier.

Comment

Whilst generally the new enforcement regime is to be welcomed, there are a number of areas that we believe need further consideration. In particular:

  • Knowledge and education requirement: the White Paper does not propose an express statutory obligation for directors to possess sufficient knowledge and understanding of relevant laws, principles and standards to enable them to properly discharge their duties. In contrast, and instructively, in the context of pension trustees, section 247 of the Pensions Act 2004 requires pension trustees to have a knowledge and understanding of the law relating to pension and trusts, and principles relating to funding and investment, that is "appropriate for the purposes of enabling the individual properly to exercise the function in question."  The Pensions Regulator produces briefing documents and runs training programmes for pension trustees. A similar statutory provision for directors to know and understand the relevant duties and to have a certain level of understanding of financial reporting requirements would not only be of assistance to directors in helping them to equip themselves with the ability to challenge management and advisers but would also provide for a clearer yardstick by which regulators could evaluate director conduct.
  • Separate or single enforcement framework? The existing regulator, the FRC, operates the Accountancy Scheme, which is a non-statutory enforcement regime for accountants, and the Audit Enforcement Procedure, which is a statutory scheme for auditors. ARGA will inherit these schemes, and in addition operate the new directors’ scheme. There are many issues to resolve in this context which are not addressed in the White Paper. Specifically:
    • Will the ARGA enforcement schemes for directors, auditors and accountants each operate independently? Or is there to be a single scheme with enforcement being pursued in response to breaches of different sources of relevant requirements according to the nature of the respondent’s role?
    • If separate schemes, how would separate disciplinary actions arising out of the same matter be co-ordinated under different schemes to avoid inconsistent outcomes at Tribunal? This is already an issue with the existing AEP and Accountancy Scheme arrangement.
    • Would there be rules stipulating circumstances in which disciplinary proceedings arising out of the same matters (whether under the same scheme or different ARGA disciplinary schemes) should be heard together?
    • Under what arrangements and by reference to which requirements would directors who are qualified accountants be sanctioned? Under the accountancy requirements or the directors’ requirements, or both?
    • Would financial reporting standards be a relevant requirement for directors, at least for those who are accountants in business?
    • Given that ARGA (like the FRC) will be an enforcement authority with the power to impose severe financial penalties, would there be a right of appeal to the High Court (as well as the existing option to seek judicial review of its decisions)? This is the case for example with solicitors who (under s.49 of the Solicitors Act 1974) have the right to appeal a decision of their disciplinary tribunal to the High Court.
  • Multiple regulators: As the White Paper notes at paragraph 5.1.11, “ARGA’s use of such powers will need to be coordinated with other regulators to avoid an overly complex regime for businesses.” Further, as noted in paragraph 5.1.14, “This new enforcement regime for PIE directors would not replace existing arrangements for taking action against company directors, for example in respect of offences under the Companies Act or breaches of the FCA Listing Rules, FCA Transparency Rules or Market Abuse Regulation.” There seems still to be significant work to be performed in considering how the overlap between the regulators is to work in practice. In that regard, we note that the White Paper proposes that a Memorandum of Understanding should be put in place between the FRC and ARGA.
  • Insolvency service: The White Paper proposes that the power to bring disqualification proceedings against directors should remain with the Insolvency Service, rather than being granted to ARGA in certain circumstances (see paragraph 5.1.14). This does not seem ideal. If ARGA is to have an enforcement remit over certain directors, having the power also to bring disqualification proceedings in Court may serve to enhance the consistency, cost-efficiency and cohesion of enforcement activity.

Overall

For directors to become the subject of the type of regulatory scrutiny envisaged is a remarkable innovation. It seems intended that directors should be held to account more readily than in any previous or current civil or criminal legal framework in the UK. Increased enforcement activity against directors may deter some instances of aggressive accounting or deliberate misstatement. Auditors may offer a cautious welcome to the proposals. However, realistically, we will not know for some time after the reforms are introduced whether the combination of the extended reach of ARGA enforcement and the new certification regime, and the intended interplay of these innovations with the reform of the framework for audit regulation, will be effective to implement the substantial holistic improvements in financial reporting that have been envisaged. The White Paper proposes that the changes required in respect of director regulation would be the last reforms to be introduced. Moreover, until the standards for directors are articulated, and even then, it is next to impossible to assess the likely cost on business. That will be more apparent in the medium term, together with the extent of the attractions of PIE directorship in this more exposed environment, and whether the pool of willing candidates for directorships will broaden or narrow.
