Start early to meet tougher audit controls
The Department of Business, Energy and Industrial Strategy (BEIS) consultation on audit reform prompts a deeper look at the challenges ahead for auditors and their clients.
With today’s announcement from BEIS, it is no longer a question of if audit reform is coming to the UK, but when and how it will be applied.
Based on recommendations from the 2019 Brydon review, the BEIS audit reform proposals seek to:
- Open up the audit market to smaller “challenger” audit firms by capping the market share of FTSE 350 audits enjoyed by the Big Four.
- Give the new Audit, Reporting and Governance Authority (ARGA) new powers to regulate listed and unlisted companies and enforce operational separation between audit and non-audit services from accountancy firms.
- Introduce new reporting obligations on directors and auditors to detect and prevent fraud, with further responsibilities for audits to examine the company’s wider performance, including climate targets.
There are many other detailed proposals set out in the BEIS consultation, but commentators have already expressed a sense of déjà vu with many of the ideas, which have been circulating within the European Union and regulatory circles for some years.
For years, the UK’s Financial Reporting Council (FRC) has been working on a UK equivalent of the US Sarbanes-Oxley Act (SOX) that was introduced in 2002 in response to the financial scandals involving listed US companies such as Enron, Tyco International and WorldCom.
While the latest BEIS audit reform proposals are unlikely to mirror the prescriptive US legtislation, it is worth remembering that SOX is a law intended to protect investors from corporate fraud. To that end, it and lays out strict requirements for enhanced financial disclosure, internal control assessment, corporate governance, and auditor independence.
Since SOX was introduced Galvanize has been helping companies introduce new processes and tools to help them introduce SOX-compliant working methods. Even without knowing the specific reforms that will ultimately be implemented in the UK, we use the US legislation as a benchmark to predict what the UK’s audit landscape could look like within the next few years.
Listed organisations and larger unlisted companies that fall within the definition of “public interest entity” will be targets for tighter regulation. But whether a proportional approach will be adopted that offers smaller companies lighter reporting and compliance requirements remains to be seen.
Since the introduction of SOX, the US has seen clear improvements in the quality of financial reporting and internal controls. As Brydon noted, the ability to pick up early warnings of non-compliance has seen a reduction of over 90% in financial restatements. The reforms strengthened capital markets, improved the reliability of financial reporting and introduced better assurance over internal controls - a huge benefit for companies and investors.
SOX also introduced some unexpected benefits, including strengthening the overall control environment, improving documentation, increasing audit committee involvement, standardising processes, and reducing complexity and human error.
Any move to implement a similar system of vigorous controls over financial reporting in the UK should help to improve reporting quality and strengthen trust.
In the coming 16 weeks, we are sure to hear a slew of competing voices arguing the different virtues of - to name just a few - the need for light touch regulation to avoid any (further) business slowdown, the dangers of regulation stifling innovation and investment, societal demand for “responsible” business, investors looking for high regulatory standards and the need for post Brexit Britain to be attractive to investors.
And, of course, what level of regulation is best to achieve the balance of all of this.
Crucially, this must not become just another compliance and reporting tick box. Instead, it should drive a broader recognition of the value of an effective and well-embedded internal control framework that helps directors manage risk effectively so they can focus on achieving their wider business objectives.
The risk we all run is that badly thought through or poorly implemented reform becomes a “once and done” process rather than a driver for better (in its widest sense) business performance.
What can I do now?
We know audit reform and tighter regulation is coming, so now is the ideal time to begin building your internal controls framework. Internal control overhauls can take years to fully implement, so putting formal practices into place now will help ensure you have the allocated resources and budget for a feasible long-term strategy.
- Set up two steering committees
Appopint two committees - one to examine business processes and one for IT – to provide a degree of technical oversight and get executive buy-in. They can also play an important role in educating the rest of the organization and developing testing protocols. At least two rounds of testing are advised to give senior managers time to assess the new processes and make corrections.
- Educate your team, division by division
Connect and collaborate with all of the business teams that will be impacted by the new processes, including board members. Explain how the regulatory environment is changing, review their respective roles in the relevant processes and how change is likely to affect them. Make sure to review and document their responsibilities and benchmarks for success.
- Build out the process
Establish a detailed plan. Beginning with a risk assessment, map out all of the processes and systems involved. Next, do a complete walkthrough of the processes to validate control existence and design. For each stage of the process, define who your process and control owners are, and make sure they know what is required of them. As you begin to build your programme, you’ll likely go through a multi-stage maturity model, where you’ll eventually move from manual processes to automation to help you gauge control effectiveness.
- Allocate budget and people
Budget and resourcing are important. More expansive and detailed audits public will require companies to provide annual reporting on the operational effectiveness of their internal controls over financial reporting (ICFR), and to build in internal auditing processes and integrated internal audits. If the UK measures match the scale of the US SOX reforms, the cost of compliance for businesses could cost between £10m and £20m and require a full year’s worth of labor from 20 full-time employees. This is why it’s important to address the basic foundations. Do you have the capacity and skill-set in-house? Do you need to implement training? Are you willing to pay your audit firm to do this?
- Start thinking about data
A key challenge will be bringing together different systems and data. Work out where your data lives, what format and system it is in and whether these systems and formats are compatible. A key learning in the US was that data was often siloed around different, disconnected applications, so, for example, manufacturing or point of sale systems didn’t talk to the accounting ledgers, or sales forecasts and figures were run separately from corporate forecasting and planning. The complexities of integrating these to produce a single version of the truth can be time consuming, so start now.
Also consider whether investment in cloud-based financial and audit ecosystems can automate internal controls and facilitate data integration and consolidation, as well as reduce costs.
The right technology can manage and map your internal controls, automate processes and workflows and serve up insights on storyboards to monitor and track compliance progress. “UK SOX” will no doubt impose a heavy regulatory burden - but by mapping out a plan and process and choosing the right tools to support your initiative, your company can hit the ground running.