The consequences surrounding internal control
The debate on how to improve the internal control environment in the UK is leading many to look to Sarbanes-Oxley for inspiration. We need to be clear what the consequences would be.
When we were all first learning about business and accountancy we were taught about the importance of internal controls, and of having a good control environment which protects the business from mistakes and malice.
The right business ethos and the right tone at the top not only give the owners of a business confidence that their capital is being looked after, they are critical to the effective operation of a good set of detailed control procedures. As our careers progress, most of us become less involved with the detailed control procedures, and we become more aware – whether as senior managers, directors or those charged with governance – of the importance of the control environment. One of the live debates in the UK is how our internal control framework can be improved, and to what extent we can learn from the experience of other jurisdictions, in particular the US.
The Sarbanes-Oxley (SOX) legislation on internal controls became law in the US in 2002, in the wake of the Enron and WorldCom crashes, to better protect investors from fraudulent financial reporting. Among other things, the legislation mandated annual, public and explicit reports by CEOS, CFOs and external auditors, on the effectiveness of internal controls over financial reporting (ICFR). Here in the UK, talk about support for a UK-style SOX regime has been animated.
In its report, The Future of Audit, published in March this year, the House of Commons BEIS Committee cited evidence from five of the top six accountancy firms, as well as investors and audit chairs, giving their backing to such a move as it would “help improve financial reporting, on which audits depend and, by placing more responsibility on CEOs and CFOs, improve the overall reliability of the eco-reporting system”. This view is reflected by many ICAEW members I have spoken to.
A poor control environment and inadequate control procedures have to be remedied, and members believe that the only way to bring focus on internal controls is to make them the direct responsibility of senior management. But we should not assume that what works elsewhere in the world is some sort of silver bullet. Since SOX was established in the US, versions have been adopted by countries including Australia, Canada, France, Germany, India, Japan and South Africa – not always successfully.
The overwhelming majority of US companies reporting under SOX use the “COSO” framework for internal controls – a voluntary framework, developed in the US – against which control effectiveness can be assessed. COSO, with its five basic controls components, is not hard to translate at a high level, but the detailed requirements don’t always travel so well. The UK already has a framework for internal controls, as a new report from ICAEW – Internal Control Effectiveness: Who Needs to Know? – points out. Reporting on controls in the UK is wider in scope and covers more forward-looking information than it does in the US.
And we should not forget either that the UK corporate governance requirements – which predate SOX – make UK boards collectively responsible for internal controls more generally, and not just for ICFR. That’s not to say there aren’t lessons to be learned about the US experience. While implementation in the US was problematic and expensive at first, partly because of overzealous regulation and little guidance, 17 years on it is widely acknowledged that reporting under SOX against the COSO framework has resulted in an overall improvement in ICFR.
Indeed, as the report reveals: “Many CFOs discovered that some of the controls they had thought were in place and effective were, in fact, not there, or were ineffective or undocumented”. At ICAEW we believe that the new Audit, Reporting and Governance Authority, which will shortly replace the Financial Reporting Council, should investigate and consult on ways to develop the UK framework for better quality public reporting on internal controls by directors and auditors.
Our report provides questions for discussion, including what could be done to improve the UK framework, whether US-style requirements would help, and whether the scope of the UK regime should be narrowed to just ICFR. I strongly recommend reading the report. If the UK decides a more US-style regime would be more appropriate than the status quo, there will be consequences for all of us.
Michael lzza is ICAEW chief executive
Originally published in Economia on 4 October 2019.