Paul Sarbanes, left, and Michael Oxley, seated, at the passing of the Sarbanes-Oxley Act in 2002

‘An effective internal control system is a key aspect of the efficient management of a company.’ That statement appeared in the 1992 Cadbury report, which instituted the UK’s corporate governance code. Cadbury also recommended that directors should make a statement on the effectiveness of the system and that auditors should report on it.

Nearly 30 years on, the continuing trail of corporate scandals and collapses bears witness to persistent weakness in internal controls, external audit and the power of the regulator. There is a danger that the UK government – whose consultation on restoring trust in audit and corporate governance closed on 8 July – will miss out on a rare chance to implement fundamental reform in these crucial, interlocking areas.

Sarbox supreme

One country stands out for the effectiveness of its regime: the US, with its 2002 Sarbanes-Oxley Act. On corporate responsibility, section 302 of the act requires the CEO and CFO to sign up to a statement that the material facts are not untrue, misleading or missing. On internal controls, section 404 makes clear that management is responsible for establishing and evaluating an effective system, and their assessment must be subject to external audit. The act also established the Public Company Accounting Oversight Board, which has left other audit regulators in the dust.

Jane Fuller is a fellow of CFA Society of the UK and co-director of the Centre for the Study of Financial Innovation

The 2018 Kingman review of the Financial Reporting Council (FRC) called for the UK to learn lessons from Sarbanes-Oxley. ‘The review is particularly struck by the support for this amongst senior audit committee chairs with experience of operating this regime in US-listed companies.’

Around 170 UK companies have US listings and therefore already comply with Sarbanes-Oxley. The 2019 Brydon review of the quality and effectiveness of audit recommended that ‘the CEO and CFO provide an annual attestation to the board of directors as to the effectiveness of the company’s internal controls over financial reporting’.

Halfway house

Unfortunately, Brydon proposed that guidance on internal controls should be developed by the Audit Committee Chairs’ Independent Forum, with the new Audit, Reporting and Governance Authority (Arga) that is set to replace the FRC merely endorsing the principles of that guidance.

This halfway house, reflected in the government’s preferred option A for a directors’ statement on effectiveness, leaves the initiative with preparers of accounts. This goes against Kingman’s principle that the new regulator should be ‘firmly focused on the interests of consumers of financial information, not producers’.

I chaired a working group at CFA Society of the UK, which represents users of accounts, and we support option C, which is much closer to a UK version of Sarbanes-Oxley. Notably, it would make external audit mandatory.

The Corporate Reporting Users’ Forum also prefers option C, although it would prefer the external audit to be commissioned by audit committees in consultation with shareholders – via a new audit and assurance policy, for instance.

While audit firms might be expected to support a measure that would create work for them, ACCA makes a telling point in its submission, which also supports option C: ‘The compliant will comply, and the non-compliant are likely to only be identified at the point of failure.’

Benefits of accuracy

The case for a UK Sarbanes-Oxley is clearly made in the impact assessment that accompanies the government’s consultation. It cites evidence from the US that the regime has resulted in more accurate financial information, more conservative accounting practices and a decrease in fraud. More accurate financial information can reduce companies’ cost of capital, make investors’ allocation of capital more efficient, cut the cost of corporate failures (the collapse of Carillion cost the UK government £148m) and improve decision-making within companies.

What’s not to like? Well, there’s the cost: £2.3bn over 10 years, front-loaded for the transition period. Ongoing annual costs are put at £174m. A UK Sarbanes-Oxley would apply initially to premium-listed companies – more than 400 of them, of which about a third already comply with the US act. The later rollout to all public interest entities (PIEs) would be more contentious – other proposals could add up to 2,000 entities to the current PIE universe.

CFA UK points out that although the cost sounds high, ‘it is less than a tenth of a percent of the £2.6 trillion market value of the FTSE All-Share’. A more appropriate benchmark would include debt, ie the £5.1 trillion enterprise value of the All-Share, on which the ongoing cost would be well under 0.004% a year.

‘This is a small price to pay for improved internal controls and external attestation, and for a reduced risk of misstatements, misappropriation, corporate collapse and fraud,’ states the CFA UK submission.

A curious aspect of the cost is that two-thirds of it, about £1.5bn, would be incurred even under the softest of the three options: the directors’ statement alone (option B envisages the auditor reporting more of a view; the overall cost is similar). This is an indictment of the status quo. The board is responsible for risk management and internal control. Principal risks and their mitigation are already reported on, and viability and going concern statements depend on rigorous assessment of risk. The UK corporate governance code requires boards to review effectiveness and report on this in the annual report.

The reforms make explicit the personal accountability that is already implicit in directors’ responsibilities, with the CEO and CFO rightly taking the lead. A footnote in the consultation explains how collective responsibility would work: ‘A model encompassing a role for both the CEO and CFO and the board collectively could be designed under which the board could be required to consider and sign off an attestation by the CEO and CFO about the effectiveness of the internal control system.’

Why would non-executive directors not want to scrutinise management’s efforts and also have their backs covered by an external auditor? Far from putting people off becoming NEDs, they would be better informed and better protected from hidden risks. Other proposals mean that Arga could sanction directors who are not accountants, as well as those who are, but that looks right too.

I believe that it will be good for the ringfenced audit firms to step up to Sarbanes-Oxley standards in the UK, including the additional revenue that will help make these firms financially independent. Arga will also gain clout from becoming more like the PCAOB.

Some of the prescriptive detail of US regulation may get rubbed off in a more principles-based British approach, although the 230-page consultation does not stint itself on prescription when it comes to proposed guidance on resilience statements, dividend-paying capacity, audit policies, payments to suppliers etc.

I would rather see the reforms get a few big things right. Enacting a UK version of Sarbanes-Oxley is top of my list.