Internal control effectiveness: who needs to know?

Financial reporting controls are designed to help ensure that the financial statements give a true and fair view. They are intended to reduce the risk of misstatement associated with the loss or misappropriation of assets. A business cannot prepare financial statements, or prevent or detect the theft of assets, if it fails to control its accounting records. While accurate accounting records cannot prevent theft, they can help deter, detect and correct it.

The UK has a wide-ranging framework for internal controls, including financial reporting controls. It comprises the requirements relating to:

• adequate accounting records and the preparation of financial statements in UK company law;
• risk and internal controls within the UK Corporate Governance Code (the UK Code); and
• internal controls for companies seeking admission to listing under the Listing Rules.

These requirements overlap in some respects, and they apply to different categories of companies, so they, therefore, already have a degree of proportionality.

Sarbanes-Oxley (SOX) was passed in the USA in 2002 in reaction to a number of major corporate and accounting scandals, including Enron and WorldCom. The Public Company Accounting Oversight Board (PCAOB) was set up to deal with the perceived failure of self-regulation. SOX was also designed to address ineffective audit committees, conflicts of interest between securities analysts and investment bankers, and the inadequate funding of the SEC. It was enacted shortly after the burst of the internet bubble. SOX has been influential around the world. Variations on the SOX legislation have been enacted in, among other jurisdictions, Canada, Germany, South Africa, France, Australia, India and Japan.

The next steps:

ICAEW is ready to explore the key issues in more detail. One or more roundtables with interested parties may be an appropriate starting point, with a view to providing information and insight to the new regulator. Topics for discussion could include:

1. What issues are there to address with regard to internal controls over financial reporting in the UK? Do these issues need to be addressed by clarifying and enhancing the existing UK requirements, by bringing in US-style requirements, or by some combination of the two?
2. Should we enhance directors’ responsibilities for keeping adequate accounting records? In particular, should we require directors to report publicly, annually and explicitly on whether adequate accounting records have been kept? Should we develop greater specificity in the related guidance, and require clearer links between accounting records and the financial statements they support? Should the sanctions for non-compliance with these requirements be reconsidered? Or should the requirements be eliminated?
3. In relation to the UK Code, should we focus the accountability of directors on the application of the mandatory Principles, as well as on the specific Provisions? Should we streamline and clarify the current reporting requirements in both the financial statements and the auditor’s report?
4. Is there scope for wider use of the criteria set out in Tech 14/14 CFF, relating to a company’s financial position and prospects, on an ongoing basis, and not just when listing for the first time? Should directors and auditors report on internal control effectiveness against these criteria on an annual basis?
5. If we need to do more, what can we learn from the US experience? Should we narrow the scope of the current UK reporting requirements to internal controls over financial reporting? Should we consider whether penalties remain appropriate, and whether certain directors should have additional responsibilities? Are the galvanising effects of the criminal offences created by SOX critical to its success? How might we better motivate directors and auditors in other ways?