One way of judging which of the 98 questions matter most in the UK government’s consultation on restoring trust in audit and corporate governance is to look at the cost.
On that basis, the biggest single item – totalling £1.7bn over 10 years, or nearly £200m a year – is extending the definition of public interest entity (PIE) to more than 2,000 companies, some with turnover of as little as £200m. Each would have to implement all the requirements imposed by the government and the new regulator, the Audit, Reporting and Governance Authority (Arga, which will replace the Financial Reporting Council).
To minimise red tape for smaller companies, this could be mitigated by the consultation’s second option, which would cast the net only over companies with more than 500 employees and turnover above £500m, halving the number affected.
That’s the easy bit. Much harder is the next most expensive item: tightening up internal controls over financial reporting. The £1.5bn total, or nearly £170m a year, estimated for a directors’ statement about the effectiveness of internal controls and risk management points to the inadequacies of the status quo.
The background
See Jane Fuller’s feature Next steps in audit reform for the key points in the BEIS proposals
The SOX model
In the US, under the Sarbanes-Oxley Act, the CEO and CFO sign an attestation of effectiveness. This has led to a rigorous process of regular testing and documentation, owned by the company’s leaders. According to the UK consultation’s impact assessment, the evidence ‘suggests that SOX has resulted in more accurate financial information’, allowing better prediction of financial performance and curbing fraud.
To accommodate the unitary board and collective responsibility, the CEO and CFO could provide a SOX-style attestation to the board, which would then consider and sign off on it.
While there is nervousness about non-executives being liable for sanctions if controls fail, blame would mainly fall on the executives whose day job is to oversee the scrupulous running of the business. It is only failures implicated in bankruptcy, misleading investors or breaking other laws that matter. Arga will be armed with new powers to sanction directors, but negligence by directors is already pursued, to some extent, by the Insolvency Service and the Financial Conduct Authority.
A related thorny question is whether to follow another SOX precedent in requiring the external auditor to attest to and report on management’s assessment. This would increase the bill by about 50%, but I believe it is worth it. Indeed, if a non-executive director is concerned about signing up to the CEO/CFO’s statement, he or she should welcome independent assurance.
Could this be left to the new audit and assurance policy of ‘let the market decide’? It has to be said that the proposals as a whole go against the grain of the government’s deregulatory thrust (eg the Hill review of listings). But the trouble with making key decisions voluntary is that well-run companies will adopt them and those dominated by executives who find external challenge irksome will not.
I also believe that a few clear changes, such as on internal controls and giving Arga powers to sanction directors and order restatement of accounts, are a way to cut some of the voluminous guidance that goes with voluntary codes.
More disclosures
This brings us to new disclosure requirements. The way to turn the proposed audit and assurance policy into better regulation, rather than just more regulation, is for it to provide the meat of the audit committee’s report. Then an advisory shareholder vote complements the nuclear option of voting against the audit committee chair’s reappointment.
The issue of the ‘wider’ audit will be partly market-led: what risks beyond the financial statements do investors want more assurance on? But increasingly regulation has intruded – over remuneration and diversity, for instance. It will continue to do so, unless the government’s deregulatory strategy turns against ESG (environmental, social and corporate governance) concerns, which is highly unlikely.
As for the resilience statement, with its five-year time horizon for the ‘medium-term’ section, this is where prescription threatens to go over the top – eg business investment needs and digital security (the first is a matter of strategy, the second may or may not be a principal risk – both are reported on elsewhere). Similarly, reporting on climate change risk should be mandated separately, as is going to happen with the implementation of recommendations from the Taskforce on Climate-related Financial Disclosures.
Stress-testing, yes. Contingency planning, yes. Transparency on dividend-paying capacity, yes. But a general shopping list, no. And who can tell what will happen five years into the future? Corporate reporting cannot guarantee that a company will not go bust. Its goal should be to provide reliable and relevant information so that shareholders and lenders (including suppliers) can make sound decisions about investment and financial risk.
Users of accounts also need to take responsibility. Shareholders can get involved in audit by saying which aspects of a company’s financial reports worry them. This chimes with requirements for auditors to take in the wider picture – from management bias to short-selling. The risk of ignoring external warning signals is huge, witness Wirecard.
Arga will have its plate full. It will have to prioritise and should avoid detailed meddling in what boards do. Very few company failures are systemic – Patisserie Valerie is sexy but not significant – or even cost the taxpayer much money.
These new regulations will involve more words (the reference to brevity is a joke) and more cost. It will only be worth it if a) boards take action sooner to prevent delusional or reckless executive behaviour and to implement a survival – or orderly wind-down – plan, and b) auditors do their core job of scrutinising without fear or favour the information that managements produce.