Restoring trust in audit and corporate governance. We consider the latest government white paper and raise some key questions.
By Peter Snowdon | 25/05/2021 in Blog posts
The government white paper Restoring trust in audit and corporate governance (the White Paper) published in March 2021 contains a number of wide-ranging proposals for reform. This note considers the proposal to require directors to attest to the effectiveness of their company’s internal controls.
The obligation will apply to directors of Public Interest Companies (PIE). Currently the definition of a PIE captures predominantly public listed companies together with banks and insurance companies. The White Paper proposes that the definition should be expanded to capture large private companies and large AIM companies.
The White Paper proposes two options for expansion of the definition:
- Option one would capture companies with 2000 employees or companies with a turnover of more than £200 million and a balance sheet of more than £2 billion.
- Option two would see the definition expanded to capture companies with more than 500 employees and a turnover of more than £500 million.
According to the government Option one would mean an additional 1,960 companies falling within the definition of a PIE with Option two capturing 1060.
Internal controls – director attestation
The government is seeking views on a proposal that company directors be required to conduct an annual review of the effectiveness of their company’s internal controls and make a statement in the company’s annual report, as to whether they consider them to have operated effectively. The statement should disclose the benchmark system used and explain how the directors have assured themselves that it is appropriate to make the statement.
The White Paper notes that currently the UK Corporate Governance Code (the Code):-
‘. . . requires the board to establish a framework of prudent and effective controls which enable risk to be assessed and managed. A Code provision then calls on the board to monitor the company’s risk management and internal control systems and, at least annually, to carry out a review of their effectiveness and report on that review in the annual report. This is not as strong a provision as it appears because there is no specific requirement for boards to report whether they consider the control system to be adequate or effective, although many companies do provide such an assessment.’
The White Paper argues that the absence of any requirement ‘for boards to express an opinion on the effectiveness or otherwise of the control systems’ means that investors may be unable to form a view as to the directors’ assessment of a company’s controls. To deal with this issue, the White Paper proposes that the UK’s framework be strengthened by introducing an obligation the board as a whole (or alternatively just the CEO and the CFO) has to:
- explain the outcome of the annual review of the risk management and internal control systems and make a statement as to whether they consider the systems to have operated effectively;
- disclose the benchmark system, if any, that has been used to make the assessment;
- explain how the directors have assured themselves that it is appropriate to make a statement; and
- if deficiencies have been identified, set out the remedial action that is being taken and over what timeframe.’
It is likely that there will continue to be a significant debate on the question as to whether the board collectively should provide attestations or whether it should be limited to certain key executive directors such as the CEO and CFO. It has been suggested that requiring NEDs to provide such an attestation would be of limited value as they would inevitably be relying on the material provided to them by the executives. On the other hand, imposing the obligation on certain executive directors alone would seem to run counter to the established principle of board collective responsibility. It seems that the government favours attestations being made by the whole board.
The government is proposing to enhance the impact of this obligation (and in relation to certain existing requirements on directors) by legislating to give a new regulator, the Audit Reporting and Governance Authority (ARGA), ‘effective powers’ to both investigate the ‘accuracy and completeness of the directors’ internal control disclosures’ and to sanction directors where they have failed to ‘establish and maintain an adequate internal control structure and procedures for financial reporting’.
The government proposes to give ARGA new powers to take civil enforcement action against:-
‘PIE directors in relation to breaches of existing PIE directors’ duties relating to corporate reporting and audit (and any new duties which are introduced further to this consultation, for example in relation to internal controls). This new enforcement regime for PIE directors would not replace existing arrangements for taking action against company directors, for example in respect of offences under the Companies Act or breaches of the FCA Listing Rules, FCA Transparency Rules or Market Abuse Regulation.’
These new enforcement powers would be in addition to those exercised by the FCA and by other agencies such as the Serious Fraud Office. To mitigate the risk that individuals may be discouraged from acting as directors the White Paper suggests that ARGA could:
‘look to mitigate the risk of deterring directors when exercising their enforcement powers by applying their proportionality principle, taking into account the directors’ backgrounds and considering the size and complexity of the entity concerned.’
The proposals in the White Paper serve to underline that acting as a director of an English company should not be seen as a sinecure. The role demands extensive commitment from individuals and requires a detailed understanding of how the company operates including its internal controls. These proposals together with the advent of a new regulatory regime are likely to mean that directors will have to develop procedures and processes to help mitigate personal risk.
Some key questions raised:
- Should these requirements be the collective responsibility of the board or should it be for the executive directors alone?
- Are the proposed measures proportionate in achieving the intended outcomes versus increased bureaucracy and cost?
- Where best to draw the line when categorising public Interest Companies?
- Is this strong enough to win back public trust in business and the audit.
 The White Paper notes that one option might be to base the benchmark on the approach taken by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, adapted to suit UK requirements.