The Department for Business, Energy and Industrial Strategy (BEIS) recently launched a new consultation on restoring trust in audit and corporate governance.
The consultation seeks to make a number of significant changes to the current UK audit and corporate governance regime, in large part to address that "fundamental reform of the framework underpinning audit and corporate reporting is needed to rebuild public trust in the way the largest companies are run and scrutinised".
This proposed reform is not unexpected – the consultation notes that the high-profile collapse of large private companies like BHS and Carillion has undermined stakeholder and public confidence in the audit process and the reliability of corporate reporting.
The consultation also sets out a number of proposals based on the findings of three independent reviews – Sir John Kingman's independent review of the Financial Reporting Council (FRC) (Kingman Review), the Competition and Market Authority (CMA) statutory audit services market study (CMA Study) and Sir Donald Brydon's report of the independent review into the quality and effectiveness of audit (Brydon Review).
The scope of the consultation is very broad with the government's view that a "holistic approach is essential to drive meaningful and lasting change and the government is clear that directors, auditors, shareholders and the audit regulator must all play their part".
This briefing note sets out some of the key proposed measures contained in the consultation.
More entities are likely to fall within scope of the proposed measures
At the moment, the most stringent audit and corporate reporting measures only apply if a company falls within the definition of a "public interest entity" (PIE), which, broadly speaking, covers listed companies, credit institutions and insurance undertakings.
The UK Government proposes to broaden the scope of this definition to include, among others, large companies (irrespective of whether they are admitted to trading on a regulated market or not) and AIM companies with a market capitalisation exceeding €200 million.
The consultation seeks views on the entities that should fall within the scope of the definition of a PIE such as the test that should apply for a large company (including a large private company) to be included in this definition.
Directors' accountability for internal controls, dividends and capital maintenance requirements
Measures to strengthen internal company controls
The consultation seeks to introduce measures to strengthen the UK's internal company controls framework following high-profile corporate failings where it has been evident that directors failed to put suitable internal controls and risk management processes in place.
There are three proposed options to strengthen the UK's internal controls framework (and it is noted that these options are not mutually exclusive).
The first option is to require a new directors' statement about the effectiveness of the internal control and risk management system of a company. Broadly, this would require the company's CEO and CFO (or, alternatively, the board) to explain the outcome of an annual review of the company's risk management and internal control systems and to provide a statement of whether they consider the systems in place to have operated effectively.
The second option is to require auditors to provide a more detailed report on their views on the effectiveness of a company's internal control system. The auditors' report would need to provide more detail about the work the auditor has undertaken in order to understand the company's internal control systems, and how that work has influenced the approach taken by the auditor to the audit itself. The consultation is clear that this option would fall short of a requirement by the auditor to provide a formal attestation of the effectiveness of the systems in place.
The final option is to require auditors to provide a formal opinion on the directors' assessment of the effectiveness of the company's internal control systems (the first option noted above). This would require the auditor to carry out additional audit and assurance work in order to be able to provide a formal opinion of the directors' assessment and echoes a similar provision in the US's Sarbanes-Oxley Act.
In order to help provide a focus for responses to the range of options set out in the consultation in relation to this measure it is noted that the government's initial preferred option is as follows:
- Directors will need to provide a new responsibility statement acknowledging their responsibility for establishing and maintaining adequate internal control structures and procedures for financial reporting.
- Directors will also need to undertake an annual review of the effectiveness of the company's internal controls over financial reporting and provide certain new disclosures, including a statement on whether the systems have operated effectively and details of any benchmark systems used to make the assessment.
- It will generally be for audit committees and shareholders to decide whether a director’s internal control effectiveness statement should be subject to external audit and assurance but there will a requirement to do so in certain circumstances (for example, if there has been a serious and demonstrable failure of internal controls).
- The new regulator will also have powers to investigate the accuracy and completeness of the directors' internal control disclosures and order amendments, or recommend an external audit of such controls, if necessary. There will also be sanctions for directors that fail to establish and maintain suitable internal control structures and processes for financial reporting.
Setting out the government's initial preferred option is not intended to "close down" any other discussions of the range of measures set out in this section of the consultation.
Measures to strengthen the framework on dividends and capital maintenance
The consultation notes that there have been a number of high-profile cases of companies paying out significant dividends ahead of issuing profit warnings, or even entering insolvency, which has undermined the existing legal framework in relation to dividends and capital maintenance requirements. It also notes that many investors are interested in obtaining more information about a company's approach to allocating surplus capital.
While that is the case, the consultation is clear that the government is seeking to make changes to strengthen the existing legal framework on dividends and capital maintenance requirements, in a proportionate way, rather than introducing wholesale reform and recognises the importance of dividends, particularly for pension funds and savers.
With that in mind, the consultation seeks to address three weaknesses in the current UK framework.
The first issue is that there is no fixed definition of "realised profits" and "realised losses" (which is relevant for the statutory provision contained in the Companies Act 2006 (CA 2006) for when a distribution can lawfully be made). Instead, these terms are determined in accordance with generally accepted principles in place at the time the accounts are prepared, which are liable to change over time.
The consultation therefore proposes two alternative options to address this issue.
The first is to give the new regulator - the Audit, Reporting and Governance Authority (ARGA) - a duty to prepare guidance on determining "realised profits" and "realised losses" in accordance with generally accepted principles at the relevant time. Unlike current guidance issued by the Institute of Chartered Accountants in England and Wales and the Institute of Chartered Accountants of Scotland, the guidance from ARGA would have authoritative status as the CA 2006 would be updated to provide that, when interpreting what are "realised profits" and "realised losses", regard should be had to this guidance.
The second alternative option, is to provide ARGA with powers to make binding rules as to the meaning of "realised profits" and "realised losses" which would need to be applied.
The second issue identified in the consultation is around transparency, as there is no legal requirement for a company to disclose the profits available for distribution. The consultation therefore proposes two new statutory reporting requirements which would form part of the company's financial statements and therefore be subject to audit.
The first would be for individual companies (or a parent company in the case of a corporate group) to disclose the total amount of reserves available for distribution in their annual report. This would allow for greater transparency on the "headroom" between a proposed dividend and the company's available distributable reserves (and the ability of the company to pay dividends in the future).
The second reporting requirement would only be relevant for corporate groups and would require the disclosure by the parent company, in its financial statements, of an estimate of the amount of potential distributable profits across the group that could in principle be passed to the parent company to pay dividends in the future to shareholders. There would also be a requirement to provide narrative disclosures of any major constraints that may prevent a subsidiary from paying its distributable reserves to its parent company.
The government currently intends for the new reporting requirements to only apply to listed and AIM companies on the basis that the disclosures will be of most value to external investors but seeks views in the consultation of whether these requirements should be extended to all PIEs.
The third issue identified in the consultation is that the focus of the current legal framework on capital maintenance, realised profits and distributable reserves reflects on the past performance of the company rather than its future financial needs or performance.
The consultation therefore suggests that, when proposing a dividend, directors should provide a new statement broadly confirming that they are satisfied that the dividend is within known distributable reserves and that they have taken account of their statutory duties under CA 2006 (including the requirement to have regard to the likely consequences of any decision in the long term). The directors will also need to confirm that it is their reasonable expectation that the payment of the dividend will not threaten the solvency of the company in the next two years, following a risk analysis of the company's position.
Unlike the new reporting requirements set out above, the government considers that there is merit in all PIEs falling within scope of the new directors' statement (rather than just listed and AIM companies), but is seeking views on this point.
New corporate reporting requirements – Resilience Statement and Audit and Assurance Policy
The consultation introduces two new proposed reporting requirements – a Resilience Statement and an Audit and Assurance Policy. Both of these were recommended in the Brydon Review.
It is proposed that all PIEs will have a statutory requirement to publish an annual Resilience Statement that will address business resilience over the short, medium and long-term. This will build on existing going-concern and viability statements and, initially, it is proposed that this will only apply to premium listed companies (with all PIEs potentially falling within scope after two years).
The consultation seeks views on the implementation options available in relation to this new statement but notes that its preferred implementation route is to require a company to publish a Resilience Statement as a new section of the company's strategic report. Non-statutory guidance would be maintained by ARGA.
Audit and Assurance Policy
The consultation also proposes that there should be a new statutory requirement for PIEs to publish an Audit and Assurance Policy. This will enable those reviewing a company's annual report and disclosures to have a better understanding of any independent examination that has applied to that report and disclosures.
The consultation seeks views on the scope and frequency of the policy but, broadly, this will require a company to disclose what independent assurances it intends to obtain in the next three years in relation to the company's annual report and other company disclosures (beyond those required by statutory audit). It is proposed that this will initially be a requirement for premium listed companies (with all PIEs potentially falling within scope after two years).
The government also proposes that, in the case of listed companies, the Audit and Assurance Policy should be subject to an advisory shareholder vote.
New powers of enforcement against company directors
At the moment, the FRC has no direct powers to enforce the statutory duties of directors in relation to the preparation of their company's accounts and reports (and the audit of the same).
While there are other avenues of enforcement in the event of failings by directors in relation to corporate reporting (for example, the Financial Conduct Authority may impose penalties in relation to the directors of listed companies) this would not cover many of the entities falling within scope of the proposed expanded definition of a PIE.
The consultation therefore proposes that ARGA be provided with effective powers to investigate and sanction breaches (by civil enforcement action) of corporate reporting and audit by the directors of PIEs. This would be in addition, rather than instead of, other existing arrangements for taking action against directors.
Strengthening clawback and malus provisions in directors' remuneration arrangements
The BEIS Committee, following its report into the collapse of Thomas Cook, recommended that provisions on clawback should be strengthened and expanded.
The government therefore proposes to strengthen malus and clawback provisions in order to provide reassurance that directors will not be rewarded for failure.
ARGA will be asked to consult on changes to the UK Corporate Governance Code to include new provisions, for premium listed companies, which recommend that minimum clawback conditions are included in directors' remuneration arrangements (and that these apply for a period of at least two years after an award has been made). The government will then consider whether this should be extended to all listed companies.
Reform of the scope and purpose of audit
The consultation notes that the Brydon Review concluded that "audit is not broken but has lost its way" and that, in order to make audit more informative, changes are required to both audit practice and the scope of audit.
To this end, the consultation proposes that auditors have a new statutory requirement to consider relevant director conduct and wider financial, or other information, in reaching their judgements. The aim here is for auditors to potentially reach different judgements in light of their review of this additional information given their knowledge of the company's position and strategy – for example, whether the financial statements constitute a true and fair view of the entity's financial position.
The new information reviewed by auditors in light of this requirement would not need to be audited but it would be anticipated to shape the auditors work on the financial statements of a company.
The Brydon Review also set out a new vision for audit with companies, in addition to the statutory audit of their financial statements, electing for other information to be audited which could help to enhance confidence in those businesses. These wider audit assurance services will be set out in the company's new Audit and Assurance Policy detailed earlier in this briefing note.
The consultation proposes that ARGA should oversee the provision of these wider audit assurance services in addition to the statutory audit of financial statements. This will include the creation of a framework for all corporate auditing services.
New principles of corporate auditing
The Brydon Review considered that there should be a single set of principles developed by the new regulator for auditors to follow (and offered its suggestions).
The government agrees and proposes that a new legal framework is introduced to enable ARGA to set and enforce these principles (which would apply to both statutory auditors and auditors appointed to provide wider audit services under the Audit and Assurance Policy detailed above).
The intention is for the new principles to sit above existing requirements and audit standards (for example, an auditor may be subject to sanction for failing to comply with the new principles even if the auditing standards have been met).
New measures to tackle fraud
In order to improve transparency on the measures directors are taking in relation to fraud, the consultation proposes that the directors of PIEs should have a statutory requirement to report on the steps they have taken to prevent and detect material fraud.
This will be coupled with a statutory duty for auditors of PIEs to report, as part of their statutory audit, on the work they have undertaken to conclude whether the proposed directors' statement regarding actions taken to prevent and detect material fraud is factually accurate. It is proposed that auditors will also be required to report on the steps they have taken to detect any material fraud and assess the effectiveness of relevant controls in place.
A new professional body for corporate auditors
The Brydon Review noted that there is currently no specific professional body for external auditors. Instead, there are a number of professional accountancy bodies that statutory auditors should be a member of, and this reflects the current practice of auditors to focus on the audit of financial statements.
As the consultation seeks to expand the scope of audit beyond statutory audit services (to include, for example, the wider audit information that companies elect to have audited pursuant to their Audit and Assurance Policy) it is proposed that a new professional body for corporate auditors should be established to "help create a climate for wider audit and enable good audit practice to thrive across corporate audit disciplines".
The consultation looks at different options to establish this new professional body and the extent to which this should be separate from accountancy professional bodies (for example, by requiring that corporate auditors are members of an audit professional body and have qualifications from a professional body that only provides audit qualifications – in addition to the requirement for auditors of financial statements to hold necessary accountancy qualifications).
Greater shareholder engagement on risk and audit planning
The consultation proposes that a formal mechanism should be put in place to enable audit committees to gather shareholder views on a company's audit plan, given that shareholders are one of the primary users of a company's accounts and reports.
This proposal follows a recommendation in the Brydon Review that audit committees should create an opportunity for shareholders to provide their views on particular risks and areas of concern they would like to have considered within a company's annual audit plan.
The government is clear that the shareholder views expressed should be advisory, and supplemental to those of the auditor, and that the auditor will retain autonomy for the way that the audit is carried out. The auditor should also not be required to consider proposals put forward by shareholders which fall outside the scope of the company audit.
The consultation also proposes that auditors should be required to provide feedback to the audit committee on the extent to which suggestions provided by shareholders have been adopted. It is proposed that this would be a contractual requirement contained in the auditor's terms of engagement with the company.
Reform of the audit market - competition, choice and resilience
The consultation notes that the audit market for companies in the FTSE 350 is very concentrated, creating a "ceiling to growth" which impedes the ability of other firms to win FTSE 350 tenders and is considered to limit the incentive for audit firms to compete on quality. The government is seeking to increase choice, competition and resilience in the audit market through three key reforms.
Firstly, by providing the new regulator with stronger powers and duties to increase choice and competition in the FTSE 350 audit market. It is proposed that this will initially be achieved through a mandatory managed shared audit requirement for UK-registered FTSE 350 companies.
In practice, this would mean that an audit firm would be appointed to lead the group audit but, when tendering the statutory audits of entities within the group, companies would be required to appoint a small so-called “challenger” audit firm to carry out a meaningful proportion of the statutory audits. It is hoped that this will give challenger firms exposure to FTSE 350 companies and, in turn, give companies a greater choice of auditor.
The government also proposes a reserve power for the Secretary of State to allow the new regulator to introduce a market share cap if the mandatory shared audit regime does not introduce satisfactory change to the FTSE 350 market (for example, if challenger firms were only securing a very limited portion of the FTSE 350 audit market despite investing in capacity and capabilities as part of the managed shared audit process).
Secondly, by requiring operational separation between the audit and non-audit work undertaken by certain firms. This follows concerns raised by the CMA's Market Study that tensions can arise between a firm's audit and non-audit functions. This may be detrimental to the objectivity and challenge required by auditors. The consultation therefore proposes steps to reform the balance of incentives and working culture within audit firms while allowing firms to remain multidisciplinary.
These measures include the creation of an independent audit board within firms which will have oversight of audit partner remuneration and ensure that it is linked to audit quality. There will also be a requirement for the publication of a separate profit and loss account for the audit practice which will account for cross subsidies between the audit practice and the rest of the firm through arm's length transfer pricing. It is also proposed that there will be regulatory oversight of audit partners' remuneration structures including a requirement for the new regulator to work together with audit firms and the new audit board, to set principles of what constitutes high quality audit (and how this can be measured). It is anticipated that these proposed measures will initially apply to audit firms that carry out statutory audits of 15% or more of the FTSE350 by audit fees.
Lastly, by providing the new regulator with statutory powers to proactively monitor the resilience of audit firms and the audit market.
The CMA Market Study found that the "Big Four" audit firms dominated the market for statutory audits of FTSE 350 companies. While the risk was small, the CMA reported that there would be significant adverse effects if one of these firms were to fail due to a lack of resilience in the FTSE 350 audit market.
While the FRC currently has a duty to monitor developments in the PIE audit market – which includes resilience and market concentration levels – it does not have necessary powers to obtain the information needed from audit firms. To redress this, the consultation proposes that ARGA should take over this duty (which will be extended to cover the whole of the statutory audit market) and should monitor and regularly report on competition and developments. ARGA will be provided with appropriate information gathering powers to enable ARGA to effectively carry out this duty.
It is also proposed that ARGA will have powers to take enforcement action to address anti-competitive practices and abuse of dominant position within the statutory audit market.
What are the next steps?
The consultation closes on 8 July 2021.
The scope of the proposed reforms and new measures set out in this consultation are clearly very broad and will potentially impact many businesses (particularly as the definition of a PIE is likely to be extended and therefore more entities will fall within scope of the new measures).
While that is the case, the government has confirmed that in order to "balance the urgency of audit reform with its desire to manage additional requirements on businesses" there will be a general approach adopted to the introduction of any new measures put in place pursuant to this consultation.
This means that any measures that do not directly impact on businesses will be introduced first (for example, establishing ARGA) while measures likely to have a significant impact on businesses will be considered for later commencement, a transition period and/or a period of phasing. It is noted that this would include the proposed extension of the definition of a PIE.
It is clear from this consultation that the traditional approach to audit will change, with a marked shift away from a focus on the statutory audit of the financial statements of a company. The audit market itself will also change and we are likely to see new emerging audit companies (the so-called "challenger" firms) having a greater role in the audit of FTSE 350 companies and potentially within the wider audit market too.
Subject to the outcome of this consultation, companies falling within scope of the new measures are likely to have greater disclosure and reporting requirements and we will of course provide further updates on these requirements at that time.
For further information regarding this or another related matter, please contact Tom Swan, a Partner in our corporate finance team, or your usual Shepherd and Wedderburn contact.