UK corporate governance and audit reform: Experts unpack the challenges and propose solutions
How to respond to UK corporate governance and audit reform is a question many UK companies are pondering. With a degree of uncertainty and delay around some measures, as others appear to be progressing, what are the “no-regrets” actions can companies confidently take now? Which are the right areas to prioritise?
In a bid to answer these questions and more, we held a briefing with leading experts in the field of governance, risk, and compliance. The fast-paced and information-rich discussion was chaired by Editor of Board Agenda, Gavin Hinks. Our panellists Michael Lucas, Founding Partner of Brave Within; Rania Bejjani, Independent Corporate Governance Advisor; and Tracy Gordon, Director, Centre for Corporate Governance at Deloitte, were generous with their expertise, offering practical ideas to help organisations adapt to the proposed changes.
The issues discussed included:
Audit committees and the external audit: Minimum standard
The Financial Reporting Council (FRC) has published its new minimum standard for audit committees. This codifies what is already best practice and aims to stimulate the market for audit and build a greater pool of audit firms by mandating the inclusion of challenger firms in audit tenders.
Responsibility for external audit is effectively moving from Executive Management to the Audit Committee and the panel noted that the Committee will need to be more commercially oriented and involved far more closely in the tender process than before.
Tracy Gordon noted that Audit Committees could struggle to generate interest in participating in audit tenders from challenger firms. “Challenger firms are clear on what audits they want to take on and which ones they don’t,” she said. “This could put unfair pressure on audit committees when not all challenger firms want to be in the tender.”
The panel also raised the issue of capability, noting that stakeholders may have less confidence that challenger firms have the skills and depth of experience to take on audits that were formerly the preserve of the Big Four. Tracy suggested that Audit Committees that want to help challenger firms get experience could task them to handle other audit activities, such as providing assurance over ESG reporting and other statements in the front half of the report. Michael Lucas agreed and added: “Corporate Governance reforms are a great opportunity for challenger firms to get involved in the audit assurance category.”
However, Rania Bejjani cautioned that Audit Committees will need to keep a close watch on the relationship between the company and prospective challenger auditors, to ensure that they do not take on too much activity and preclude themselves from the tender process. She advised: “You’d need to keep tabs on the projects undertaken, hours worked, and what percentage of revenue the audit has covered. That record will have to be kept by, for example the CoSec, Finance Department, or GRC function. It will introduce a level of tracking that may not have been as diligent before.”
Audit Committees are undoubtedly facing a far higher workload than before across a range of responsibilities. This prompted an audience member from a challenger firm to ask whether this will result in bigger audit committees and whether they will remain as a subcommittee of the board, or develop as entities in their own right?
Tracy responded that, “the scope for Audit Committees is huge and getting bigger, and there is always fear of creep towards them becoming executive. They must remember it is about oversight, not getting hands in there.”
Michael Lucas added: “The challenge is going to be around the skills [of Audit Committee members]. Skills are not mentioned in the standard, but financial reporting skills can’t be the only skills required.”
Rania agreed, “It is only natural that the size and skillset of audit committees will need to expand […] as responsibilities stack up they will need to upskill.”
The audit standard is just one of the new Audit Committee responsibilities; the Audit and Assurance Policy will also require considerable focus.
Audit and assurance policy: Assuring independence and challenge
The Audit & Assurance Policy is a requirement of the Companies Act, changes to which are currently in the process of gaining parliamentary approval. Tracy summarised what Audit Committees should be aware of: “Audit Committees need to be clear about the choices they are making around what assurance is obtained over disclosures made in the annual report. It is about transparency for all key statements in the front half of the report that stakeholders are relying on… [You need to] set it out so stakeholders can know how assurance is managed and decide whether they can rely on it.”
The panel agreed that this will be a “hefty document” describing the nature and level of assurance obtained. Michael suggested that an assurance map could be the right approach to take, with a mix of high-level processes and detail where needed.
A key challenge will be defining what level of assurance you are offering when there are no objective standards. The FRC is working on guidance and the International Audit and Assurance Standards Board is working on a new assurance standard to help companies articulate the difference between “reasonable” and “limited” assurance.
The panel also debated the issue of providing assurance over the independence of auditors. Rania advised: “It will be a combination of tracking the relationship of the auditor with management over non-assurance work and about the quality of dialogue with management – how often they are challenging them and on what topics, how much do they stick to their guns and how much do they bend? It is more qualitative and places responsibility on Audit Committee and Company Secretaries […] they need to have tentacles into day-to-day dialogue when the auditor is sitting with the CFO or Finance Division.”
Michael advised that achieving this oversight will require formalisation around what local teams can and can’t do, saying: “The company has to keep track of relationships, know what services have been bought locally and that information must go back to the Audit Committee.”
Resilience reporting: An opportunity for enterprise and risk management teams to step up
The resilience statement is an evolution of the viability statement. It is about threats to the ongoing resilience of the business model, rather than focusing on solvency and liquidity. As such it extends far beyond the traditional financial reporting sphere and involves reverse stress testing different risk scenarios as well as the identification of emerging risks. It also involves an extended time frame – companies must identify short-, medium- and long-term risks.
The panel suggested that the resilience statement will be owned by the finance and treasury departments with input from risk and sustainability teams. Tracy noted that, “because the resilience statement is now wider, the whole business is coming together. Finance may hold the pen, but it needs to involve a lot of cross-functional work.”
It is an opportunity for enterprise risk management teams to step up and play a key role informing the foundation of the resilience statement. Michael added, “We also need to mention strategy. It is a great opportunity to tie finance, risk, and strategy all together.”
Internal controls statement: Too broad and too complex?
The panel noted that there has been considerable pushback to the FRC’s proposal on the internal controls statement. The proposed approach would cover all controls including operational controls as well as conventional financial controls and cover the whole year not just a point in time. It is considered too wide and resource-intensive, and potentially too similar to Sarbanes-Oxley (SOX).
The issue of materiality is also unclear, as Tracy explained: “At the moment the materiality point does not come through in the form that it is currently written. Companies that are already doing SOX on financial are concerned that it is not possible to replicate it across all types of controls and risks. They all have different types and characteristics. You also have to acknowledge that some of the risks are not controllable.”
Peter Lewis of Risk Coalition added his view that there will be enormous challenges between where the financial aspect, where the three lines of defence operates, and outside it, where the three lines do not, saying: “Companies don’t have the same methodology across [non-financial risk]. How on earth is director attestation going to happen if there is not a robust risk function?” He agreed with Tracy, saying, “These are not easily quantifiable risks; asking internal audit to give assurance on, for example, geopolitical risk, is ridiculous.”
Final takeaways
Summing up, Board Agenda’s Gavin Hinks captured the sense in the room that there is a lot of work ahead. He asked the panellists to share what companies should be prioritising now.
Michael advised teams to: “Start early and be clear on the business case for activity internally.”
Tracy encouraged teams to get started on the “no-regrets actions” such as “getting your principal risks right and starting assurance mapping to match the two.”
Rania concurred that companies should start early and should also, “think about resourcing. If you leave it too late, as happened with SOX
