ICAEW publishes internal controls reporting paper
9 June 2020: New ICAEW research explores the scope of a future UK internal controls reporting framework, ahead of an intense period of consultation that will determine the future of audit and reporting in the UK.
The Audit and Assurance Faculty essay, Internal controls reporting: sketching out the options, examines various reporting frameworks, including COSO and the UK Code, as well as how these fit in with Brydon’s recommendations.
Reporting on the effectiveness of internal controls is a key feature of the current reviews of UK audit and regulation. Although the reform agenda was temporarily overshadowed by the coronavirus pandemic, important policy decisions will be made, sooner or later, relating to public reporting in the UK on the effectiveness of internal controls over financial reporting (ICFR).
This essay, based on a series of interviews with members and chairs of audit committees and external auditors, explores what the scope of a future UK internal controls reporting framework might be. It follows ICAEW’s preliminary essay, Internal control effectiveness: who needs to know? published in August 2019.
For the recent research, interviewees were asked:
- what they thought about the framework to be adopted, including lessons learned from COSO in the USA;
- how well-prepared companies are for reporting on internal controls;
- the responsibilities of audit committees, CEOs and CFOs;
- the nature and extent of external auditor involvement;
- which companies should be required to report; and,
- what affected companies should be doing now to prepare.
In December 2019, Sir Donald Brydon recommended improvements to ICFR to provide management and users of financial statements with better quality information and to facilitate better decision-making. Our interviewees agreed that improvements would reduce the risk of error, manipulation, collusion and fraudulent financial reporting, but thought that reporting might, in time, be extended to wider controls.
10 years ago, suggestions that UK companies and external auditors might report SOX-style on the effectiveness of ICFR were not taken seriously. Attitudes have changed.
The UK Code currently requires boards to oversee risk management and internal controls on an on-going basis, and to review their effectiveness at least annually, reporting that fact to shareholders. Requirements beyond the financial statements, such as those relating to accounting records, are not as detailed as those in the USA. While Brydon recommended a s302 SOX-style reporting requirement for larger listed companies, none of those we interviewed believed that the UK should go down exactly the same route. But they also acknowledged there are important lessons to be learned from the USA's experience, including reporting on material weaknesses.
We invite individuals and organisations to share their comments with us on the suggestions in this essay, and their own experiences and ideas regarding the challenges of internal controls reporting. These will help us to develop our contribution to the coming period of intense consultation and reflection that will determine the future of audit and reporting in the UK, and beyond. Please email your comments to Nigel.Sleigh-Johnson@icaew.com
To read the full essay, click here.