Audit and corporate governance reform: UK SOX and the case for strong internal controls

The Department for Business, Energy & Industrial Strategy (BEIS) published its consultation on these proposals in March 2021, setting out a broad programme of reform for auditors, companies, directors, audit committees, investors, other stakeholders and the regulator to improve corporate transparency.

The Government’s recent announcement to bring forward a Draft Audit Reform Bill indicates that it is unlikely to propose legislation for a strengthened internal controls regime over financial reporting (ICFR). It is possible this could be adopted through regulation, for example by amendment to the UK Corporate Governance Code and/or introduction of a new minimum standard for audit committees. There are a number of other measures proposed in the reforms that further emphasise the need for and the importance of strong internal controls.

The benefits of stronger internal controls

Strengthening internal controls has significant benefits for organisations, helping to combat fraud and enhance the quality of corporate reporting and governance. And beyond compliance it creates a controls-focused culture with broader insight and operational benefits that improve investor confidence, support better decision making and protect shareholder value.

The importance of strong internal controls, particularly over financial reporting, was highlighted by Sir Donald Brydon and Sir John Kingman in their government-commissioned reviews and many companies have already begun a major controls transformation programme, irrespective of any legislative requirement.

Based on our own experience of successful control transformation programmes and also publicly available evidence of improvements experienced in the US after the introduction of Sarbanes Oxley (SOX) in the early 2000s, we believe that the strengthening of internal controls, in particular around financial reporting, has significant benefits for an organisation on many levels such as:

Improve credibility of financial reporting

The process of strengthening internal controls leads management to better understand financial reporting risks, put in place appropriate controls to mitigate these risks and address internal control deficiencies in a more timely fashion. This in turn has a positive impact on the quality and reliability of the information produced, increasing shareholder and investor confidence in the companies’ financial reports.

Provide greater safeguarding of shareholder value

A robust internal control framework with clearly assigned and embedded ownership within the front line of the business is a powerful method to reinforce high quality standards through better governance and accountability.

Enhance fraud prevention and detection

One of the most tangible benefits is in helping organisations to prevent and detect material fraud. While we can’t attribute this only to the implementation of an enhanced control framework, we believe it plays a key role by providing the awareness of where an organisation's key fraud risks are and whether mitigating controls are in place to address those risks.

Drive operational improvements and rationalisation

Organisations with the right-sized controls for their current structure and future plans can build greater resilience, gain broader insight and have more confidence in the decisions they make. Processes and controls are simplified, standardised and digitised and duplicate and redundant controls are identified and removed, while ongoing monitoring of the operation of controls leads to continuous real time improvement.

Improve management information to support better decision making

Technology advances plus a risk-based, top-down approach and focus on entity level controls helps drive a proportionate and cost-effective response to a strengthened internal control regime. And by using automation and advanced analytics, organisations will benefit from having more real time management information and insight.

Build a better culture

A controls-focused culture led from the top, promotes behaviours and activities across the wider organisation that play an important role in safeguarding the business and shareholder value. Employees who understand their responsibilities and are accountable will be able to design and operate effective controls and identify deficiencies early. This leads to improvements in the behaviours and attitudes specifically related to risk and controls. It also promotes a controls mindset over increasingly important disclosures outside of financial information, such as ESG and climate change, helping organisations to build or rebuild trust.

There are wide-ranging benefits of strengthened internal controls, beyond just meeting a regulatory compliance requirement and there are some ‘no regrets’ activities you should start now to drive improvements to your business in any event, alongside preparing for a strengthened internal controls regime.

Contact our team to learn more

Why you need to act now to strengthen your internal controls

The Government’s proposed reforms to audit and corporate governance include measures that emphasise the need for and importance of better internal controls. These include:

A recommendation for companies to publish an Audit and Assurance Policy that sets out the independent assurance the company intends to obtain over the annual report and other company disclosures (beyond that required by the statutory audit)- subject to shareholder comment and advisory vote. Whatever the actual structure of an Audit and Assurance Policy, it should be transparent about the company’s approach to determining how it has ensured the information it reports is reliable and the extent to which it has been scrutinised (by the company auditors or someone else). The BEIS suggestion that the policy includes a description of the approach to independence assurance specifically over disclosure relating to resilience, risk and internal controls highlights the significance of these areas.
Proposal for directors of Public Interest Entities to disclose the steps they have taken to prevent and detect material fraud. Fraud is on the rise, with new working practices, market and supply chain disruption and global instability all increasing the motivation, rationalisation and opportunity to commit fraud. A robust fraud risk management framework is critical to a company's overall risk management structure and the success of its business.
A resilience statement with disclosure of specific threats to the company’s survival. This covers any digital security risks, including external cyber security threats and the risk of major data breaches arising from internal lapses, which puts increased scrutiny on the controls in place to mitigate these threats.
Increased accountability of directors and strengthened review enforcement regime over corporate reporting, including the directors’ disclosures around internal controls.

How you can strengthen your internal controls - what does good look like?

Beyond the proposed audit and governance reforms, this is an opportunity for organisations to rethink control more broadly - through Enterprise Control. What we mean by this is an optimised, right-sized control environment that is focused on key risks and strategic objectives beyond internal control over financial reporting.

Enterprise Control provides panoramic insight, underpinned by trusted data sources and enabled by technology. It allows organisations to balance the need for transformation and creating new opportunities for growth with building resilience and creating trust and confidence among stakeholders, investors and customers.

A successful control implementation programme requires significant effort, resource and planning from a broad range of stakeholders across an organisation. In our experience, and learnings from US SOX and other similar regimes, there are a number of critical success factors.

Understanding what the change means for your business and taking a pragmatic approach will enable you to enhance and optimise your control environment.

This means:

Start early by understanding the areas of strength, gaps, common pitfalls and improvement needed, and establishing a roadmap to enhance internal controls. Acting now will result in early identification of any control weaknesses, allowing time to remediate.

Establishing an appropriately resourced controls programme to enhance the design, perform operational testing and modify for business changes.
Focus on optimising controls - a right size internal control framework that is aligned to the governance model and tailored to the business operations for an efficient and cost effective controls testing programme.
Making use of technology and automation to establish an integrated internal control framework that drives efficiency, improves quality and provides real-time reporting and insight for management oversight.
Embedding controls culture across the organisation from Board level to control owners to drive the right behaviours and embed change. Enhancing your control environment is not just about processes and controls. Changing behaviours and the culture is vital too.

Now is the time to step back and take a panoramic view of the whole system of governance and control to ensure that the target operating model, frameworks, processes and controls are defined, proportionate and able to stand up to much greater scrutiny.

Speak to us now to find out what these proposed reforms mean for your organisation and how we can help you strengthen your internal controls regime.