Restoring Trust in Audit and Corporate Governance

On 18 March 2021, the department of Business, Energy & Industrial Strategy (BEIS) published its long-awaited consultation document on restoring trust in audit and corporate governance. The consultation is the culmination of three Government-commissioned reviews: Sir John Kingman's Independent Review of the Financial Reporting Council (the FRC Review), the Competition and Market Authority’s Statutory Audit Services Market Study (the CMA Review) and Sir Donald Brydon’s Independent Review of the Quality and Effectiveness of Audit (the Brydon Review).

The consultation, which sets out wide-ranging reforms to the UK’s audit and corporate governance framework, is focused on the UK's largest companies, both public and private. It contains extensive proposed measures on reform of the business ecosystem addressing corporate reporting, director accountability, corporate governance, audit, and regulation (of companies and auditors).

Business Secretary Kwasi Kwarteng said: “By restoring trust in our corporate governance regime and encouraging greater transparency, we will provide investors with clarity and certainty, cement the UK’s position as the best place in the world to do business, and protect jobs across the country”.

In the briefing paper, we set out an overview of the key proposals.

The consultation includes 98 questions with the consultation period ending on 8 July 2021. The responses to the consultation will inform draft legislation that the Government will introduce over time. We encourage our clients to consider and comment upon the proposals using the Government’s consultation website at this link. We also welcome your comments. Please direct them to Sunil Bhavnani and Milan Pandya, using the contact details on this page, or through your usual Blick Rothenberg contact. The consultation closes on 8 July 2021.

The Government is consulting on options for expanding the PIE definition to include large private companies, companies listed on the AIM market with market capitalisations above €200 million and potentially third sector entities with a public-benefit purpose.

The final outcome of the consultation on what constitutes a PIE is important as the foregoing proposed reforms discussed in this briefing paper will affect those companies currently defined as PIEs and any companies that fall under the extended definition proposed by the Government.

The Government have proposed two alternative definitions of what constitutes a large private company.

It is important, therefore, for directors, shareholders, and other stakeholders of all companies to be fully appraised of the proposed reforms. We have focused on the more significant proposed reforms including those that would apply to companies that meet the extended PIE definition.

Directors’ accountability for internal controls

The UK’s regulatory and other requirements applying to internal control arrangements in UK companies are already well established through Company Law, the UK Corporate Governance Code (which applies to all companies with a premium listing on the FTSE, whether incorporated in the UK or elsewhere) and the Listing Rules. The FRC Review, however, recommended that serious consideration be given to the case for a strengthened internal control framework.

The consultation sets out three options for strengthening the UK’s internal controls framework. They are not mutually exclusive.

Option A: Require an explicit directors’ statement about the effectiveness of the internal control and risk management systems

This option strengthens the existing UK framework by requiring the board to:

• explain the outcome of their annual review of the risk management and internal control systems
• make a statement as to whether they consider the systems to have operated effectively.

The statement, supplemented by a disclosure of the benchmark system used (if any) such as the COSO framework, requires the directors to explain how they have assured themselves that it is appropriate to make the statement. If deficiencies have been identified, the timeframe over which remedial action is being taken must be disclosed.

The statement could cover all aspects of internal control and risk management systems (including those over reputational, environmental and health and safety risks) or be limited to internal control over financial reporting (similar to the US’s SOX framework).

False or misleading statements, or those made without reasonable care, skill or diligence could be part of the directors’ enforcement regime being considered.

Option B: Require auditors to report more about their views on the effectiveness of companies’ internal control systems

Under Option B, the auditors’ report would be required to say more about the work that they already undertake to understand the company’s internal control systems and how that work has influenced the approach taken to the audit, but without requiring a formal attestation of their effectiveness.

This option could be reinforced by placing a specific positive duty on the board (or the CEO and CFO) to disclose to the auditor and the audit committee any significant deficiencies and weaknesses in the internal controls of which they are aware.

Option C: Require auditors to express a formal opinion on the directors’ assessment of the effectiveness of the internal control systems

Option C assumes that a directors’ statement about the effectiveness of the internal controls (Option A) is required and would involve the auditor in undertaking additional audit and assurance work to be able to express a formal opinion on the directors’ assessment.

The auditor’s attestation requirement would match the scope of the directors’ statement i.e.:

• all aspects of the company’s internal control and risk management procedures, or
• limited to internal control structure and procedures for financial reporting similar to section 404 (b) of the US’s Sarbanes-Oxley Act framework, or
• limited to a subset of the internal control structure and procedures for financial reporting, focussing on the auditors’ work only on priority areas of particular interest to investors such as ‘design effectiveness’ of the internal controls (rather than their operational effectiveness), or ‘entity level’ rather than ‘transactional level’ controls, or the controls covering fraud, going concern, viability and the use of management judgement.

The Government notes in its consultation that while the scope of audit remains as it is now, there are arguments for limiting auditors’ attestation work to the financial controls where auditors’ main competence and experience lies although in principle, audit firms could expand their expertise in these non-financial areas or contract it out.

The Government’s initial preferred option

The Government's tentative preferred option is to require a directors’ statement about the effectiveness of the internal controls as described in Option A, but leave the decision on whether the statement should be assured by an external auditor to the directors, audit committee and shareholders.

The requirements would be set out in legislation and phased in over a period of time. They would initially apply to premium listed companies who are already familiar with the concept of an annual review and extended to other PIEs after two years. 

Dividends and capital maintenance

There are legal constraints on the amount a company can distribute in dividends such as a requirement that they cannot be paid out of capital, but only paid from a company’s accumulated realised profits less its accumulated realised losses. Other considerations in the decision to make distributions are the need for directors to have regard to their fiduciary duties which include the obligation to safeguard the company’s assets and take reasonable steps to ensure that the company is in a position to settle its debts as they fall due.

The legal framework is well established, but high profile examples of companies paying out significant dividends shortly before profit warnings and, in some cases, insolvency, have raised questions about its robustness and the extent to which the dividend and capital maintenance rules are being respected and enforced.

The Government is seeking views on proposals for strengthening the law on dividends capital maintenance in a proportionate way.

The key proposals are as follows:

• assigning responsibility for preparing guidance on what should be treated as realised profits and losses to Audit, Reporting and Governance Authority (ARGA) (the new established regulator for corporate reporting and audit) rather than as present the Institute of Chartered Accountants in England and Wales. This guidance would be given authoritative status by providing in the Companies Act 2006 that reference should be made to this guidance, or
• giving ARGA the power to make binding rules as to the meaning of realised profits and losses with which preparers will have to comply.

The Government also seeks to address the absence of a legal requirement for companies to disclose profits available for distribution through:

• introducing new statutory reporting requirements for companies to disclose distributable reserves in the financial statements for individual companies and, in the case of a group, the parent only
• introducing new disclosures requiring a parent company to estimate and disclose the amount of potential distributable profits across the group that could, in principle, be passed to the parent company for the purpose of paying future dividends to shareholders, and
• requiring a new directors’ statement about the legality of proposed dividends and the effects on the future solvency of the company which will cover:
  • in proposing the dividend, they have satisfied themselves that it is within known distributable reserves and have had regard to their duties as directors under s172(1) of the Companies Act 2006 as regards the likely consequences of a decision in the long term, and
  • confirmation that payment of the dividend will not, in the directors’ reasonable expectation, threaten the solvency of the company over the next two years.

The proposals above are intended to apply to listed and AIM companies. However, as the rules on dividends and distributable profits apply to all companies and the disclosures would be of interest to all stakeholders, the Government are seeking views on whether the requirements should be extended to all PIEs including large private companies.

New corporate reporting on resilience, audit and assurance policy and payment practices

Resilience Statement

The Government proposes to introduce a statutory requirement on public interest entities to publish an annual Resilience Statement. The Resilience Statement should be required initially of premium-listed companies, in view of their existing experience of producing viability statements alongside their going concern assessments and should extend to other public interest entities two years later.

The Resilience Statement should address business resilience over the short, medium, and long term.

• The short-term section of the Statement would incorporate companies’ existing going concern statement, including disclosure of any material uncertainties considered by management during their going concern assessment, which were subsequently determined not to be material after the use of significant judgement and/or the introduction of mitigating action.
• The medium-term section of the Statement would incorporate the existing viability statement requirements to provide an assessment of the company’s prospects and resilience, and to address matters which may threaten the company’s ability to continue in operation and meet its financial liabilities as they fall due. The mandatory assessment period would be five years and the statement would include at least two reverse stress testing.
• The long-term section of the Resilience Statement should set out what the directors of the company consider to be the main long-term challenges to the company and its business model, and how these are being addressed. These might include the impact of long-term changes in demographics, technology, consumer preferences and other identified trends on the company’s long-term business model. The Government would welcome views on whether the Resilience Statement as a whole, including the long-term section, should specifically address the impact of climate change on the company’s business model and financial planning.

Audit and Assurance Policy

A statutory requirement is proposed for public interest entities to publish an annual Audit and Assurance Policy describing the company’s approach to seeking assurance of its reported information over the next three years. For quoted public listed entities, the Policy would be subject to an advisory shareholder vote at the time of its publication. The Government is minded that the Policy would be required initially of premium-listed companies, and extend to other public interest entities (including unlisted PIEs) two years later albeit for unlisted PIEs it would not include the requirement for a shareholder vote or statement of how shareholder views had been taken into account.

The Government invites views on whether the Policy should include the following new disclosures at a minimum:

• An explanation of what independent assurance, if any, the company intends to obtain in the next three years in relation to the annual report and other company disclosures beyond that required by statutory audit. This should include an explanation of what independent assurance, if any, the company plans to obtain in relation to:

o the company’s Resilience Statement in whole or part, and other disclosures related to risk

o the effectiveness of the company’s internal controls framework

• A description of the company’s internal auditing and assurance processes
• A description of what policies the company may have in relation to the tendering of external audit services (for example, whether the company is prepared to allow the external company auditor to provide permitted non-audit services)
• An explanation of whether, and if so how, shareholder and employee views have been taken into account in the formulation of the Audit and Assurance Policy.

Reporting on Payment Practices

The Government seeks views on improving reporting on payment policies and performance.

A specific option being considered is to require the annual reports of PIEs to provide a summary of how the company – or group in the case of a parent company – has performed with regard to supplier payments over the previous reporting year, and to comment on how this compares to the year before that. This could be achieved by requiring companies to include this information in their strategic report.

The Government suggests at this stage that companies in scope could be required to summarise (at a group level in the case of parent companies):

• the company’s supplier payments policy, including its standard payment terms and shortest and longest standard payment period
• the percentage of the company’s supplier payments that met its standard terms and, where this figure is less than 80%, an explanation of why this occurred and what actions the company plans to take to improve its payments record
• where such an explanation was required in the previous year’s annual report, an update in the following year’s report on the actions that were taken to improve the payments record and any additional steps proposed.

Including this proposed new reporting requirement within the strategic report would mean that it was included within the annual company audit’s check that the reporting was prepared in accordance with applicable legal requirements and was materially consistent with the accounts. Companies would also have the opportunity, in consultation with their shareholders, to consider whether and, if so, how they should seek any additional assurance on their supplier payment reporting as part of their Audit and Assurance Policy.

Supervision of corporate reporting

The Government has set out proposals to strengthen the regulator’s corporate reporting review (CRR) powers as follows:

• give the regulator powers to direct changes to company reports and accounts rather than needing to see a court order
• give the regulator powers to publish correspondence entered into during the course of the CRR review, as well as summary findings
• give the regulator the power to broaden their review currently limited to the financial statements, the directors report and strategic report, so that it can scrutinise the entire contents of a company’s Annual Report and Accounts (both the legally required and voluntary elements of the report such as the CEO and chair’s reports)
• allow the regulator to offer companies a pre-clearance service for novel and contentious matters connected with the interpretation of accounting standards in advance of the publication of the annual accounts

Appropriate mechanisms will be established to ensure fairness for companies and safeguard information that is commercially confidential.

The Government proposes an expansion to the volume of the regulator’s CRR activity. The new regulator should focus most of its pro-active CRR work on PIEs but should retain its current powers to investigate reporting by non-PIE companies.

Company Directors

While company directors have various statutory duties in relation to the preparation of their company’s accounts and reports, and the auditing of those accounts and reports, the FRC currently has no direct powers to enforce these duties. They may in limited cases be able to take enforcement action against a director if they are a chartered accountant, who under voluntary arrangements with the chartered accountancy bodies, are subject to the FRC’s disciplinary scheme for accountants. However, the FRC has no means of taking enforcement action against directors who are not chartered accountants where they have breached their duties relating to corporate reporting and audit.

The Government therefore intends to legislate to provide ARGA with the necessary powers to investigate and sanction breaches of corporate reporting and audit-related responsibilities by PIE directors. All directors of companies which are public interest entities will be in scope due to the principles of collective responsibility and a unitary board. These powers will therefore not be restricted to the Chief Executive Officer, Chief Finance Officer, Chair and Chair of the Audit Committee.

The Government’s intention is that the regulator’s new enforcement powers will apply to breaches by directors of the existing statutory duties relating to corporate reporting and company audits. Those include:

• the duty to keep adequate accounting records
• the duty to approve accounts only if they give a true and fair view
• the duty to approve and sign the annual accounts
• the duty to approve the directors’ report
• the duty to provide a statement as to disclosure to auditors and to provide information or explanations at the request of the auditor.

The Government believes that where new statutory duties for directors are introduced into the regulatory regime for which the regulator is responsible, it should be able to enforce those duties under this regime. This might include any new directors’ duties that are being proposed elsewhere in the consultation.

Audit purpose and scope

The purpose of audit

Recognising the importance of audit in establishing confidence in a company and its directors and in informing those with an interest in its success, the Brydon Review looked not only at issues around audit performance but also what audit is for and what should be expected of it.

The Brydon Review concluded that: “Audit is not broken but has lost its way”. The core activity of auditing financial statements should continue, and there is no immediate need for wholesale changes to auditing standards. However, for audit to do better, the Review argued: “The concept of audit needs to be rethought and redefined… rooted in a widely accepted clarification of its purpose”. The Review was seeking to ensure that audit practice went beyond a narrow focus on financial statements’ compliance with accounting standards (and other legal and regulatory requirements) to be more sceptical, more informative, and hence more trustworthy.

The Government proposes to give auditors a specific responsibility to consider relevant director conduct and wider financial or other information in reaching their judgements. This would be a statutory requirement of auditors.

The intention is that in light of the additional information, auditors may reach different judgements in certain cases: in particular when reaching an overall judgement of whether the financial statements constitute a true and fair view of the entity’s financial position, but also for example judgements about line items in accounts such as revenue, goodwill and other intangible assets, the proposed new resilience statement, or other new reporting requirements.

The actions taken by auditors to meet this new statutory requirement would not constitute a non-audit service, and hence could be undertaken by the statutory auditor. Meeting the new requirement would necessarily require a change in auditor mindset, skill set and behaviour. It should lead to innovations in the way auditors are trained; how audit and assurance engagements are conducted; and in the quality and nature of reporting.

The intention of the Brydon Review was not only to widen the scope of information used in (and reported by) statutory audit but also to bring additional aspects of assurance alongside statutory audit to become what it termed: “corporate auditing”. This aspect of the Review is addressed in the section on the scope of audit.

The scope of audit

Currently, statutory audits cover a company’s annual accounts which are required under the Companies Act (its financial statements). The Brydon Review identified that if businesses were to have a wider range of information audited then this could enhance confidence in those businesses and thus improve the availability and cost of capital for them.

The Government proposes that the Audit and Assurance Policy (AAP) should indicate and define what additional information has been subject to audit.

The Government is minded to introduce a regulatory framework to cover both audits of financial statements (referred to as statutory audit) and other types of information which companies decide to have audited via the Audit and Assurance Policy process (“wider audit”).

The Government proposes that the new regulator should oversee the provision of these wider audit services, including through the creation of a framework for all “corporate auditing”, covering both the auditing of financial statements and also the auditing of this wider information.

The scope of the wider auditing services which will be overseen by the regulator would be limited to auditing that companies choose to obtain, as set out in their published Audit and Assurance Policy.

The Government notes that choices made by companies about what wider audit to undertake may be influenced by a market led approach for example

• Public Interest Entities (PIEs), which are strongly linked to financial markets and hence could benefit from lower costs of capital if investor confidence in them increases through higher levels of assurance being provided by wider audit, but other companies may also benefit.
• Smaller companies with limited ability to influence their own cost of capital and/or more concentrated ownership are less likely to obtain the benefits identified by the Review, and therefore should not be expected to commission a wider audit.

The principles of corporate auditing

The Government is considering introducing a new legal framework to empower the regulator to set and enforce new principles of corporate auditing that would apply to both statutory auditors and those appointed to provide auditing services via the Audit and Assurance Policy.
These are likely to incorporate the principles suggested by the Brydon Review, along with responses to the White Paper consultation.

Tackling fraud

The Brydon Review identified fraud and auditors’ related responsibilities as the most complex and misunderstood of all the topics the Review covered. It proposed a package of measures, including greater clarity regarding the respective roles of directors and auditors, to restore public confidence in auditors’ work. The Government agrees that a holistic approach is needed in relation to fraud.

The Government proposes to legislate to require directors of Public Interest Entities to report on the steps they have taken to prevent and detect material fraud. The Government believes this will reinforce directors’ primary responsibility for fraud prevention and detection and may also, in some cases, enhance their focus on the risks relating to fraudulent financial reporting.

In line with the Brydon Review’s recommendation, the Government intends to legislate to require auditors of Public Interest Entities, as part of their statutory audit, to report on the work they performed to conclude whether the proposed directors’ statement regarding actions taken to prevent and detect material fraud is factually accurate. Such reporting will enable users to understand the nature and extent of the work performed and the evidence obtained by the auditors relating to the actions which the directors state they have taken.

The Review also recommended that auditors be required to report on the steps they took to detect any material fraud and assess the effectiveness of relevant controls. The Government supports this recommendation which complements the proposed obligation for directors to report on the actions they have taken. It will therefore discuss with the FRC the changes to company law and/or the auditor reporting standards which will be needed to give effect to it.

Audit committee oversight

The Government proposes to require ARGA to impose additional requirements on audit committees in relation to the appointment and oversight of auditors. These requirements will cover the need for audit committees to continuously monitor audit quality, and consistently demand challenge and scepticism from auditors.

Any new requirements imposed by ARGA should allow for audit committees to exercise discretion and professional judgement and for innovative best practice to develop.

It is proposed that the new additional requirements should initially apply to audit committees of FTSE 350 companies and could then be extended to other PIEs in due course.

ARGA will have a duty to monitor compliance with the new audit committee requirements, including through a power to require information and/or reports from audit committees, to meet audit committee chairs to discuss issues and a power to place an observer on audit committees if necessary.

It will have appropriate powers to take action in relation to breaches of the new requirements against the company directors and/or the audit committee.

Engagement with shareholders

Several new measures are proposed to encourage and facilitate more meaningful engagement between a company and its shareholders on matters affecting audit quality which include:

• A formal mechanism by which shareholders of premium-listed companies can propose additional matters for emphasis within the scope of the company’s external audit, and
• Proposals for better communication to shareholders following the resignation or dismissal of the auditor of a PIE.

Competition, choice, and resilience in the audit market

The Government plans to increase choice, competition, and resilience of the statutory audit market through:

• Introducing a managed shared audit regime for FTSE 350 companies or, if needed, exercising a reserve power for a managed market share cap
• Operational separation between the audit and non-audit arms of certain firms, as determined by ARGA. This will include separate governance, financial statements, regulatory oversight of audit partner remuneration and audit practice governance; and statutory powers for the regulator to proactively monitor the resilience of the audit market and audit firms, including powers to require audit firms to address any viability concerns that are identified.

Supervision of audit quality

The Government proposes that:

• the new regulator be assigned responsibility for the determination of whether individuals and firms are eligible for appointment as statutory auditors of PIEs, rather than continuing the present delegation of this task to the recognised supervisory bodies (e.g. ICAEW)
• legislation will allow for Audit Quality Review reports on individual audits to be published by the regulator without the need for consent from the audit firm and the audited entity
• The regulator be provided with powers to require a UK group auditor to provide it with access to overseas component working papers.

Our initial view

The proposals represent important steps to rebuild trust and confidence in business and in the profession, which has been shaken following a number of high-profile corporate collapses. It is vital that stakeholder perceptions of the integrity of these businesses and the industry are restored. This is true both domestically and on the world stage, with the UK widely recognised as a destination of choice for businesses around the globe.

The measures to enhance corporate accountability, improve transparency in corporate reporting, expand the scope of audit and strengthen regulatory oversight should be viewed positively. However, consideration needs to be given to appropriately conclude on the scope of new measures, in particular the definition of public interest entities, when considering larger private companies to ensure that the proposals are applied proportionately and do generate a net benefit outcome.

Would you like to know more?

We encourage our clients to consider and comment upon the proposals using the Government’s consultation website at this link. The consultation closes on 8 July 2021.

If you have any questions about the above and how it may affect you, please get in touch with your usual Blick Rothenberg contact or Sunil or Milan using the details on this page.