In June 2020, the Chartered Institute of Internal Auditors (IIA) published a position statement on proposals to strengthen the framework around internal controls in the UK put forward in the Kingman report and the Brydon Review.
The current UK framework requires premium listed companies to establish procedures to manage risk and oversee the internal control framework, monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the company’s published annual report.
The Brydon Review notes that it is widely accepted that the level of review undertaken by these companies is inconsistent and quotes an EY review stating that “the extent and nature of work performed in support of these requirements and reporting obligations varies and usually does not involve detailed testing of the effectiveness of controls.”
The purpose of the proposals put forward by Brydon and Kingman is to address this matter and to oblige companies to review and report on their internal control frameworks with more rigour, specifically in respect of controls over financial reporting.
The Kingman report proposed “serious consideration to the case for a strengthened framework around internal controls in the UK, learning any relevant lessons from operation of the Sarbanes-Oxley regime in the US.”
The Brydon Review developed this point and recommended “serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and the CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302 (c) and (d).”
Brydon also recommended that “where weaknesses (and/or failures) in controls have been reported, it should become an obligation on directors to report on what remedial action has been taken and on its effectiveness, supportive of section 404 of the SOX legislation.”
Brydon recommends that this requirement should apply to all Public Interest Entities (PIEs). At present PIEs include premium listed entities (UK companies with equity or debt admitted to trading on a regulated market, including the London Main Market but not the Alternative Investment Market) and credit and insurance firms. The Kingman report recommends that this definition should be reviewed since it is too narrowly drawn and should include a wider group of entities.
The UK Government Department for Business, Energy & Industrial Strategy (BEIS) has been charged with developing proposals for implementing these recommendations which are expected later this year. A root and branch adoption of the US legislation is not anticipated but some form of attestation and audit is certain to be established in respect of internal controls over financial reporting. There has been no formal date set at this stage for implementation of what has been described as a “Sox-lite” regime. However, some commentators have predicted that this will come into force from 2023, following a transition period of 12 months.
The IIA position statement supports the proposals in principle. However, the IIA has rightly noted that implementation will have a significant impact on the internal audit profession, which Heads of Internal Audit need to be aware of.
What would Sox-lite look like?
Since Brydon and Kingman reference the Sarbanes-Oxley Act, it is likely that this will form the basis of the approach to certification that will be adopted for the UK. There are two main elements to this: certification by the CEO and CFO, and a management internal control report.
Section 302 of the Act requires each annual report and quarterly report to be certified. The certifying officers are usually the CEO and CFO. They are required to confirm they are responsible for establishing and maintaining disclosure controls and procedures and internal control over financial reporting for the company. In respect of these controls they are also required to confirm the following:
- Disclosure controls have been designed to ensure that material information relating to the company, including its consolidated subsidiaries, is made known to them by others within those entities.
- Internal control over financial reporting has been designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles.
- They have evaluated the effectiveness of disclosure controls and procedures and presented in the report their conclusions about the effectiveness of these controls.
- They have disclosed any change in the internal control over financial reporting that occurred during the company’s most recent fiscal quarter that has materially affected or is reasonably likely to materially affect the registrant’s internal control over financial reporting.
- They have disclosed, based on their most recent evaluation of internal control over financial reporting, to the company’s auditors and the audit committee of the company’s board of directors:
  - All significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting which are reasonably likely to adversely affect the company’s ability to record, process, summarise and report financial information
  - Any fraud, whether or not material, that involves management or other employees who have a significant role in the company’s internal control over financial reporting.
The signing officers are also required to indicate in the report whether or not there were significant changes in internal controls or in other factors that could significantly affect internal controls subsequent to the date of their evaluation, including any corrective actions with regard to significant deficiencies and material weaknesses.
The US Securities and Exchange Commission (“SEC”) has also established rules under the Securities Exchange Act that set out the mandatory requirements for companies in respect of this certification and more specific definitions and detail. Specifically, the certifications provided by the CEO/CFO must be filed as an Exhibit (Appendix) to the annual or quarterly report.
The recommendations in both Brydon and Kingman suggest that similar certifications will be required under a Sox-lite regime.
Management’s report on internal control over financial reporting
SEC rules also require that the company’s annual report include an internal control report of management that contains:
- A statement of management's responsibility for establishing and maintaining adequate internal control over financial reporting for the company
- A statement identifying the framework used by management to conduct the required evaluation of the effectiveness of the company's internal control over financial reporting
- Management's assessment of the effectiveness of the company's internal control over financial reporting as of the end of the company's most recent fiscal year, including a statement as to whether or not the company's internal control over financial reporting is effective.
- The assessment must include disclosure of any "material weaknesses" in the company's internal control over financial reporting identified by management.
- A statement that the registered public accounting firm that audited the financial statements included in the annual report has issued an attestation report on management's assessment of the registrant's internal control over financial reporting.
A shorter statement is required to be included by companies in their quarterly reporting. This refers to the CEO/CFO review of effectiveness of disclosure controls at the end of the quarter and disclosure of any changes to internal financial control. There is no requirement for quarterly attestation by a registered public accounting firm.
With the exception of emerging growth companies the annual report by management on internal control is to be audited by the financial statement auditor in accordance with section 404 of the Sarbanes-Oxley Act.
Brydon does not go as far as recommending the full implementation of the provisions set out above, preferring a Sox-lite solution. It is proposed that the Board should make a statement confirming that it has received the certifications provided by the CEO and CFO. Only where there has been a material failure of controls in the 12 months before or after a certification is it suggested that there would be a requirement for the certification to be subject to audit. Kingman makes no suggestions in this respect beyond recommending that Sox-style provisions should be considered.
Under a Sox-lite regime, it is likely that the emphasis will be upon the CEO/CFO certifications, with the requirement for audit only being applied in extremis. Nevertheless, since certifying internal controls is expected to be a legal or regulatory obligation upon the CEO and CFO, this needs to be taken very seriously. If the Sarbanes-Oxley model is followed, the obligation will be accompanied by significant criminal and civil penalties should a false or negligent certification be made. The CEO and CFO therefore need to commission sufficiently detailed work to document and evaluate the design and effectiveness of the internal controls over financial reporting so that they are able to sign the certificate with confidence.
Supporting evidence base
The CEO/CFO need to be satisfied that their certification will cover all aspects of the internal financial control framework and that all the relevant controls are captured and included in their assessment. This is most effectively achieved by taking the financial statements of the business as the starting point to identify all the important, material and potentially risky elements of financial reporting. For each of the areas identified, the business processes that impact on material financial statement values and disclosures then need to be documented thoroughly on an end-to-end basis, together with the related risks and key controls, including IT controls and control activities performed by third parties.
The CEO/CFO will wish to ensure that a structured and generally accepted methodology for identifying risk and control design is adopted, so that their approach to certification is credible in the eyes of shareholders. The COSO framework, which is the framework most commonly used as a template for control framework design to support Sarbanes-Oxley certifications, provides a structure for risk assessment and control design. Risk is evaluated against control objectives, set primarily at entity and assertion level.
For each control objective, the risk of financial reporting error is identified. At assertion level financial reporting error is further specified by considering the following financial statement assertions:
- Existence or Occurrence: whether assets or liabilities exist at a given date and whether recorded transactions have occurred during a given period
- Completeness: whether all transactions and accounts that should be presented in the financial statements are actually included
- Valuation or Allocation: whether asset, liability, equity, revenue, and expense components are included in the financial statements at appropriate amounts
- Rights and Obligations: whether assets are the rights, and liabilities the obligations, of the entity at a given date
- Presentation and Disclosure: whether particular components of the financial statements are properly classified, described, and disclosed
Controls then need to be devised and implemented to address the identified risks.
Setting out the whole control framework in accordance with this or a similar structure enables a clear assessment to be made as to whether the controls are appropriately designed and any gaps to be identified and remediated where required.
The CEO/CFO also need to establish a mechanism through which they receive sufficient comfort that the established controls have been operating effectively and to ensure that they are confident that all significant deficiencies and material weaknesses in the design or operation of internal control over financial reporting have been identified and disclosed. A programme of testing therefore needs to be established to confirm that the documented controls are indeed being followed.
Possible testing approaches could include:
- Traditional testing, including walk-throughs, inquiry and inspection of documentation and re-performance of a sample of transactions to confirm the control is being performed effectively
- Continuous auditing/monitoring throughout the period, generally using software to test 100% of processed transactions for compliance with specified parameters and identifying outliers for more detailed review
- Management self-assessment, obtaining confirmations from management that certain controls have been performed.
It is important that whatever testing approach is adopted, it is credible and reliable. Whoever is assigned to devise and perform the testing programme needs to have the right skills and experience to undertake the work properly. They also need to be independent of the area that is being reviewed so that they can arrive at a sufficiently objective conclusion.
What this means for Heads of Internal Audit
In view of their considerable expertise in control frameworks and related testing approaches, Heads of Internal Audit are likely to be asked to advise the CEO, CFO and Audit Committee on the most appropriate response to the BEIS proposals when they are published. This may include interpreting their impact on the business and working through the certification requirements with the CEO and CFO.
Implementation will also require resource with expertise in constructing and evaluating control frameworks. Internal audit is likely to be expected to provide at least some of this resource, whilst respecting the need for its independence to be protected so that it can still perform objective control assessments.
Most significant is the potential impact on internal audit resource and assurance if it is expected to undertake the testing required to support the certifications. Without additional investment in the internal audit function, resource may need to be diverted away from wider non-financial controls testing, reducing the breadth of the overall assurance provided.
In view of the potentially fundamental impact on their approach to delivering assurance, Heads of Internal Audit therefore need to begin considering this matter so that they understand the likely consequences and can assist the business in its preparations. At present, it appears certain that the BEIS proposals will apply to premium listed companies. However, Kingman’s recommendation that a wider group of entities should be considered to be of a public interest indicates that all companies of a significant size or public profile (whether they are listed or not) may also be subject to a Sox-lite regime in the future. Heads of Internal Audit of these entities should also be alert to the possibility that they too may be required to respond to this challenge.
References
Institute of Internal Auditors, Position paper: Strengthened internal controls: learning lessons from Sarbanes-Oxley (June 2020)
UK Corporate Governance Code 2018
Independent review of the Financial Reporting Council (“The Kingman Review”) (December 2018)
Report of the independent review into the quality and effectiveness of audit (“The Brydon Review”) (December 2019)
EY, Protecting Stakeholders: Enhancing internal control accountability in the UK (August 2019)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO), Internal Control—Integrated Framework (2013)