In this episode, Andy Kemp is joined by Gilly Lord - PwC UK Head of Audit Strategy & Public Policy, to discuss the concept of the audit and assurance policy and also the assurance map, which is a practical way to bring that policy to life.
Today I am joined by Gilly Lord in the second of our series looking at potential audit reforms. We will be discussing the concept of the audit and assurance policy and also the assurance map, which is a practical way to bring that policy to life.
In his review of the quality and effectiveness of audit, Sir Donald Brydon recommended that Audit Committees publish a rolling three-year audit and assurance policy, which would be put to an annual advisory vote by shareholders for approval at the Annual General Meeting.
In this policy the Audit Committee would provide details about the audit and assurance process, such as the process for appointing auditors, setting audit fees, determining audit materiality, and other matters. It would also explain the approach taken to obtaining assurance over other areas of the business and other financial information outside of the financial statements.
It's possible the audit and assurance policy was inspired by the requirement for a remuneration policy on which shareholders vote at least once every three years. As Sir Donald says in his review, this has increased the dialogue with investors and focused boards and Remuneration Committees towards greater clarity on the issues involved.
We think a really valuable way to bring the policy to life would be an assurance map, where the Audit Committee outlines the level and type of assurance over the principal risks faced by the company and opens this up to the shareholders to comment too. Gilly, could you please give us some background on the concept and how it might work in practice.
Definitely. The best place to start thinking about this is to remember that in a company’s annual report, they already outline the principal risks faced by the business, and usually the way that disclosure works is that you get the principal risks and then the mitigating processes and controls in place to address those risks. But what’s not clear in company reporting at the moment is how much assurance is provided over those mitigating processes and controls. So, if you are a shareholder, you are not able to gauge actually how much confidence you might be able to take from that.
To address this, the idea of the assurance map would go one step further and also outline the type and depth of assurance provided over those processes and controls. It would also take account of any related KPIs. In terms of the assurance, you describe who provides it, how frequently, and so on. Andy, when I am talking about assurance here, I am not necessarily meaning formal assurance, that you and I might normally talk about. Depending on the type of risk and the type of controls, it could be that a company’s own governance processes or internal audit reviews give enough comfort. There could be other risks, where it’s felt that independent assurance would be necessary, but the real key here is that the assurance map would give visibility over the steps being taken to address risks, and then give Audit Committees the opportunity to engage with shareholders and debate over whether there is enough assurance available over the risk mitigation.
That sounds like a really sensible idea and a valuable exercise, but it also sounds like it could be quite time consuming as well. What do you think?
Well, not necessarily. Most companies are already doing those first two steps in their disclosure. It also isn’t something that for most people you’d have to do from scratch every year; that would be a one-time exercise to get it in shape, and then you’d be just looking for annual changes. This also touches on another of Sir Donald’s recommendations, though he talked about the idea of a risk report that companies might publish their principal risks at the start of every reporting and audit cycle and ask for shareholders’ comments on that. Though, I feel that it is really important that the Audit Committee do know how much assurance they are getting on the effectiveness of these controls that respond to risk. Arguably, it should be going through these types of thinking anyway (and I know many will be) but this step would help structure and formalise that thinking.
Focussing particularly on the comments from shareholders, how do you think companies would deal with those?
In the format Sir Donald is talking about, any such comments would be advisory, not binding per se, but I do think companies would need to think through what their process was going to be to respond and needn’t necessarily be individual responses to individual comments. I could imagine that some companies might set up a page on the website, where if they’ve had comments, they could respond in a single place on the website. It could also be the kind of thing you might present to an AGM, that would be another way of responding.
From a personal perspective, would the auditor have a role to play in this?
Good question. Audit Committees would almost certainly want to discuss the responses, or the construction of the assurance map, with their assurance providers. Now, that almost certainly would include the external auditors, but also internal auditors, and other people who might provide assurance. All of those discussions would be part of the Audit Committee’s thinking and response. I mentioned Donald’s recommendation that companies might put out an annual risk report at the beginning of every cycle that shareholders could comment on. In that recommendation, Sir Donald actually said shareholders might want to comment on areas of emphasis that they want to see incorporated in the audit plan, but both of those things, along with this assurance map, would be a really good package of information, which would help to increase and improve engagement with shareholders, the company and in fact the auditor - beneficial for all three.
This particular recommendation in the Brydon review is just one of many. How do you think the audit and assurance policy fits and dovetails with, for example, the UK version of the SOx-type regime and the need to get assurance over that?
Well, what we don’t know at the moment is, if we end up with some kind of UK SOx regime, whether assurance over that regime will be mandated. But if we assume it's not mandated, then Sir Donald has also recommended that Audit Committees could consider themselves whether they want to get assurance over their internal controls, over their financial reporting. That could definitely be something that sits within this audit and assurance policy process. I can see a very clear link between these two recommendations, and that determination of the need for assurance would be an important part of the audit and assurance policy. Andy, that probably fits to some extent with the areas you were discussing with Iain on the video you’ve already recorded on SOx.
Indeed, yes. Taking this as an overall package, would you recommend that Audit Committee chairs think about developing an assurance map as we’ve called it, and indeed the other recommendations that we’ve been talking about?
I definitely think this is worth thinking about even if they don’t go forward as formal recommendations, which of course we don’t know yet. The reason is, I do think this is a really valuable way for Audit Committees to think through how they can pull together all of the different types and forms of assurance being provided by the business/to the business, reflect on whether they’ve got any gaps on key risk areas, and also demonstrate their ongoing commitment to engaging with shareholders.
Indeed, and thanks very much Gilly, lots of food for thought there. As always, we are here to help you navigate change, so if you would like to discuss this further, please contact either me, or Gilly, or your usual PwC contact.