White Paper Bulletin 4 - Competition, choice and resilience in the audit market
Following reviews into the audit profession from Sir John Kingman, Sir Donald Brydon and the Competition and Markets Authority, the Government published, on 18 March 2021, a White Paper, “Restoring trust in audit and corporate governance”, the title of which makes clear that the proposed reforms are not just aimed at auditors. A “holistic” approach is advanced, and the reforms envisage changes to the rules governing four main parties: investors, companies and their directors, auditors and regulators, all of whom are considered to need to improve, and work together.
The White Paper proposes two significant reforms which will affect directors. They are:
The proposed enforcement regime for directors is, in particular, a radical and far reaching step which has the potential to correct a perceived imbalance: under the current system, those auditing a company’s financial statements arguably appear to be subject to closer regulatory scrutiny and fiercer sanction than the directors responsible for presenting those statements; auditors are subject to investigations by the Financial Reporting Council (“FRC”), and disciplinary action under the Audit Enforcement Procedure (“AEP”). Directors, in contrast, have no dedicated regulator, and such investigative regimes and consequent sanctions as do apply to directors (such as director disqualification) are relatively rarely used outside of insolvent situations.
In this latest bulletin, we look at the proposals aimed at directors and assess whether they are likely to achieve the Government’s aims. We also highlight some potential problems, and we discuss parts of the new proposals which we consider need to be developed further.
It is clear that inadequate systems and controls relating to corporate financial reporting were a factor in accounting misstatements behind many of the recent high-profile corporate collapses. This is despite the existing framework of rules (largely within the Listing Rules and Corporate Governance Code) which require boards to take responsibility for establishing effective internal control systems.
The White Paper puts forward three proposals to strengthen the rules. They are:
Option A: an explicit directors’ statement about the effectiveness of the internal control and risk management systems.
Option B: a requirement for statutory auditors to report more about their views on the effectiveness of companies’ internal control systems.
Option C: a requirement for statutory auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems.
The Government’s preferred option is based on Option A, which is to require a directors’ statement. The Listing Rules and Code of Corporate Governance currently require boards to review the effectiveness of their internal controls on an annual basis. The Government proposes that in addition to this, the board will need to:
These proposals hark to elements of the US Sarbanes-Oxley Act 2002 (“SOX”). However, unlike SOX, the Government is not proposing that auditors be required to separately report and attest to this assessment, save in limited circumstances (for example where there has been a previous serious failing in the company’s internal controls), as this is seen as expensive and burdensome.
As the White Paper notes, at 2.1.5, when SOX was introduced in the US, the arrangement “was perceived by some stakeholders to have led to better financial reporting, fewer significant accounting restatements and stronger reassurances for investors about the robustness of internal controls.” This appears to be reflected in commentary from US auditors referring to their experience since SOX was implemented, though many others in the US have also complained about the additional and costly regulatory burden that SOX imposed.
These new reporting provisions could be implemented via changes to the UK Corporate Governance Code or through legislation to put the requirements on a full statutory footing (including a requirement to carry out an annual review). Should failings be identified, the White Paper envisages that the new regulator should have powers to investigate the accuracy and completeness of the directors’ internal control disclosures and, if necessary, order amendments or recommend an external audit of the internal controls. These would sit alongside powers to sanction directors for failures to establish and maintain an adequate internal control structure and procedures for financial reporting.
The proposals underline clearly that the primary responsibility for internal financial controls and the accuracy of financial reporting rests primarily with the board and management of a company, which auditors will welcome.
However, any import of SOX-style attestation requirements will need to reflect the different regulatory landscape in the UK. SOX-style regulation has been adopted in a number of countries including Australia, Canada, France, Germany, India, Japan and South Africa. Views are mixed as to how successful such adoption in each jurisdiction has been. UK regulators have different resources and different sanctioning powers from those in the US; the US Securities and Exchange Commission is well funded, provides very close scrutiny, and the certifying CEO and CFO of companies face very serious fines and penalties for breaches of the relevant certification provision (up to 20 years in prison and $5m in fines). US companies also face the ever-present threat of securities class actions, which are less of a feature of the UK litigation scene. Consequently, it is unclear whether transplanting SOX-style certification to the UK would deliver a level of improvement in the reliability of financial reporting similar to that seemingly achieved in the US, without the same jeopardy for infringement.
It is notable that under the Government’s preferred option, the standards by which internal controls are to be judged, and the degree of external assurance which will be provided on this, are to be decided by boards. This may offer sensible flexibility, but there is the risk that some boards might take the opportunity to elect for “soft” benchmarks. Additionally, such flexibility also may increase the burden on statutory auditors, as they will potentially have to make a judgement on whether the board’s choice of benchmarks was reasonable. A common standard set by a regulator would anticipate these issues but may not afford a universally business-friendly solution.
The Audit Committee Chairs’ Independent Forum (ACCIF) has already developed a set of principles to support a CEO/CFO attestation about internal controls over financial reporting, and the White Paper refers to this. Prior to the issue of the White Paper, the ACCIF had proposed attestation wording under which the CEO and CFO would attest only to the fact that they have established procedures and controls which provide a reasonable basis for financial reporting. This wording (which would essentially be just about the design of the controls) arguably does not satisfy the current proposals. Instead, what may be needed is an attestation as to the actual operational effectiveness of those controls (not just their design)
The White Paper also proposes that boards could, if they chose, rely primarily on their internal audit function to support the directors’ certification of controls. However, this leads to the question of whether companies have sufficient resources to perform this. For example, in the US, after the introduction of SOX, many companies had difficulty recruiting sufficiently experienced people to assist with the new certification regime. UK companies may have similar problems if the Government’s preferred option is enacted, albeit UK companies have expanded their internal audit functions considerably since SOX was introduced.
It is possible that the Government may not proceed with their preferred option, and instead opt for Option B and Option C. Under Option B, statutory auditors would be required to say more about their views on the effectiveness of internal controls and the extent to which they considered them in the audit. However, they would not be required to provide a formal attestation of their effectiveness. Option B by itself would potentially risk creating a new “auditor expectation gap”, as the further commentary provided by an auditor on the internal controls might, wrongly, be seen (by itself) as an assurance opinion on the effectiveness of those controls (even though an auditor may not have completed sufficient assurance work to provide such an opinion).
Option C proposes an additional requirement to the director attestation proposed in Option A. Under Option C, the Government proposes that auditors should also be required to express a formal opinion on the directors’ attestation of the effectiveness of the internal controls.
This would be similar to the approach taken in the SOX provisions, which requires both the director attestation and the auditors’ assurance opinion. However, whilst the Government’s preferred option is to introduce the director attestation, the Government is not minded (save in exceptional circumstances, such as where there has been a prior serious failing in the controls) to make it mandatory for a company to obtain a separate auditors’ assurance opinion on the directors’ attestation. Instead, the Government proposes that this be a matter for audit committees and shareholders, as this additional step potentially creates a costly and unnecessary burden. It seems sensible that audit committees should, in the normal course of events, have discretion as to whether to obtain external assurance on the directors’ attestation.
The mere fact of additional certification in itself may not lead to improvements in financial reporting if the certification is not backed by adequate documented procedures; additional certification would not, for example, deter a director who is sufficiently embroiled in fraud to be prepared to sign a set of false accounts. Improvements would derive from the increased focus given by directors to the effectiveness of systems and controls, and from independent assurance providers being able to see evidence of the steps taken by the directors in order to arrive at the certification decision.
Overall, it appears that the director attestation requirement introduced in the US by SOX in the wake of the Enron affair has had some success in improving financial reporting, and it is unsurprising that the UK is now considering the introduction of a version of those requirements. However, it remains to be seen how effective the UK version of certification will be in improving the reliability of financial reporting, and much will depend on the details of how it is implemented.
One of the headline grabbing proposals in the White Paper is that the Government intends to legislate to provide the new regulator, Audit, Reporting and Governance Authority (“ARGA”), with the necessary powers to investigate and take civil enforcement action for breaches of corporate reporting and audit-related responsibilities by Public Interest Entity (“PIE”) directors. Currently, the FRC is only able to pursue a director if they are a chartered accountant who is subject to the FRC’s Accountancy Scheme.
The Government considers that it is important that ARGA should be given these powers, otherwise ARGA’s credibility would be undermined if it could only act against the auditors, but not against those responsible for presenting the information subject to audit.
The White Paper proposes that ARGA’s powers are to extend to all directors at PIEs (and not just the CEO, CFO, Chair of the Board and Chair of the Audit Committee as had been proposed by the FRC). This is to meet the criticism, which came up in consultation, that implementing an enforcement regime that only applied to some directors would undermine the concept of a unitary board.
The enforcement powers will therefore also extend to non-executive directors. This obviously makes a non-executive role more burdensome, and commentators have suggested that it may have the unintended consequence of making it more difficult for companies to recruit a suitablye experienced and capable group of non-executives.
The White Paper proposes that the new enforcement regime powers will apply to breaches by directors of their existing statutory duties, namely the duties to:
However, as the White Paper acknowledges, these duties were (as currently drafted) not designed to be enforced by a regulator. Accordingly, it is proposed that ARGA will have the power to impose more detailed “relevant requirements” for directors, relating to these statutory duties, which will form the basis for enforcement action. Developing these relevant requirements will be a major piece of work for the new regulator, and it will undoubtedly take some time and require further consultation. The Government is, in particular, consulting about whether the relevant requirements should include behavioural standards for directors in the way they carry out their duties relating to corporate reporting and audit, i.e. would directors be required to act with honesty and integrity in relation to corporate reporting? The White Paper does not state whether financial reporting standards will form a component of the relevant requirements for directors.
There seems to be no doubt that the new proposals will expand existing obligations on directors and will likely lead to further enforcement action. As the new powers are to be on the civil, rather than criminal, side, the lower civil standard of proof will make enforcement easier.
Whilst generally the new enforcement regime is to be welcomed, there are a number of areas that we believe need further consideration. In particular:
For directors to become the subject of the type of regulatory scrutiny envisaged is a remarkable innovation. It seems intended that directors should be held to account more readily than in any previous or current civil or criminal legal framework in the UK. Increased enforcement activity against directors may deter some instances of aggressive accounting or deliberate misstatement. Auditors may offer a cautious welcome to the proposals. However, realistically, we will not know for some time after the reforms are introduced whether the combination of the extended reach of ARGA enforcement and the new certification regime, and the intended interplay of these innovations with the reform of the framework for audit regulation, will be effective to implement the substantial holistic improvements in financial reporting that have been envisaged. The White Paper proposes that the changes required in respect of director regulation would be the last reforms to be introduced. Moreover, until the standards for directors are articulated, and even then, it is next to impossible to assess the likely cost on business. That will be more apparent in the medium term, together with extent of the attractions of PIE directorship in this more exposed environment, and whether the pool of willing candidates for directorships will broaden or narrow.