Ask the experts: Audit reform and corporate governance failure

Bryan Foss MCSI, co-founder and director of Risk Coalition, committee member of the CISI Risk Forum and non-executive member of the Financial Reporting Council, talks us through the BEIS proposals on audit reform
By Bethan Rees


The UK government department for Business, Energy and Industrial Strategy (BEIS) published a whitepaper on 18 March 2021, Restoring trust in audit and corporate governance, seeking views on proposals to reform the way major companies are audited. Proposals include how reports are audited, how companies should report on their governance and finances, and how the audit market should change. This would all be overseen by a new regulator, the Audit, Reporting and Governance Authority (ARGA).
BEIS is seeking responses to the consultation, which closes at 11.45pm on 8 July 2021.

The proposals outlined are a response to three independent reviews commissioned by the government in 2018: Sir John Kingman’s independent review of the Financial Reporting Council; the statutory audit market study by the Competition and Markets Authority (CMA); and Sir Donald Brydon’s independent review of the quality and effectiveness of audit.

The objectives of the reform include restoring public trust in the UK's major companies and empowering investors, creditors, workers and other stakeholders by giving them access to high-quality information on company performance.

Bryan Foss MCSI is co-founder and director of Risk Coalition, a network of not-for-profit professional bodies and membership organisations committed to raising the standards of risk management, a member of the CISI Risk Forum Committee, and a non-executive director of the Financial Reporting Council (FRC) advisory council. He talks us through the proposals outlined in the whitepaper.

Can you explain what the current system of audit is in the UK, why we are a leader in this field and how others might collaborate or follow?

A substantial number of international companies are UK-based, with audit firms providing consistently high-quality audits across all the markets they operate in – in support of a high-quality corporate report for investors and other stakeholders.

For standard setting, this requires the FRC to work closely with international standards bodies (the International Auditing and Assurance Standards Board and International Accounting Standards Board, for example) and for execution, the principal audit firm coordinates and combines all audit activities to the same standard.

While financial regulations specify minimum requirements, the FRC’s guidance always aims to stretch firms and auditors to do better with quality and transparency. As we push ahead through this consultation and subsequent changes, other key markets are in close contact and considering how they can retain their standards and competitiveness to a similar level. 

Given the current auditing and corporate reporting system, why does material corporate failure still happen so often? How can the ‘assurance expectation gap’ be considerably narrowed by these proposals?

Stakeholders have been surprised and concerned, even significantly harmed, when an organisation fails unexpectedly – sometimes within sight of a recent audit. Increasingly, stakeholders and interested parties expect a high level of viability assurance from the directors themselves, and from auditors and an increasingly wide range of assurance providers – many now independent too.

The assurance expectation gap seems to remain, but much attention is applied to audit quality and other efforts are likely needed to address this. The BEIS consultation mentions a number of risk and assurance imperatives, but classifies them too closely to audit quality rather than giving them the separate attention and development needed. The FRC has worked closely with the Risk Coalition to develop guidance and support in this ‘gap’, but needs to take more direct ownership through the ARGA – the FRC's successor body (more on that later) – if the gap is really to be closed and within a short enough time.

Who do the proposals on reforms impact? How are the largest companies defined? And how could society benefit from others meeting similar standards?

The proposals are initially aimed at large listed companies, but need to (and will) be applied much more widely as a result of market and stakeholder pressure.

Governance codes were originally focused on listed companies, especially those in the FTSE 350, for example. However, this missed some hugely important sectors of society. For example, very few of the UK-based banks are listed, most are private and sometimes subsidiaries of companies listed elsewhere. For this reason, the public interest entities (PIE) definition was created to capture important organisations under governance codes, those that would cause most harm to individuals and society if they operated under lower stakeholder standards. So, all banks are defined as PIEs, for example.
 
The consultation suggests broadening the PIE definition to include many more organisations, including private companies governed by The Wates Corporate Governance Principles for Large Private Companies, which are now a substantial part of the UK market and of any pension or other investment scheme. Higher regulatory standards would also have a trickle-down effect to the alternative investment market via Quoted Company Alliance (QCA) guidance. There is a case that these less-liquid investments could benefit from at least as high governance standards as those we expect from listed firms where investors can move on.

In the current and revised frameworks, how can directors be held accountable for their judgements, fiduciary responsibilities and attestations by the FRC?

Stakeholders have become frustrated with examples of directors who are not held accountable, even for a series of failures that appear more than a coincidence. There are few government bodies able or willing to take action (other than at insolvency) and as the FRC has no supervisory or enforcement resources for the governance codes (only for audit), investors are left to challenge these repeat offenders through the courts.

While larger investors can achieve that, minority investors don’t have the resources to do so. The current consultation proposes widening FRC powers potentially to all directors, instead of those with current financial qualifications. It seems likely that this will still be closely confined to roles such as chief financial officer, CEO and perhaps the audit chair, leaving all others unaffected.

Can you comment on the new reporting and attestation requirements covering internal controls, dividend and capital maintenance decisions, and resilience planning, as recommended in the whitepaper?

In the US, the Sarbanes-Oxley Act (SOX) regulations do seem to have brought more attention to the improvement of controls, and the accompanying attestations focus the minds of signing directors – a few at least. The UK speaks of a SOX-lite (which of course would need a new name here), with an intention to improve controls and accountability.

However, this implementation might be considered a tick-sheet. Directors completing the checklist will likely consider that completion has protected them from challenge; however, UK regulators have always made it clear that they expect directors to consider situations and make relevant judgements using the principles of the code, to generate the best outcomes for stakeholders from any situation. In the UK legal system, accountability is not fully achieved through a completed checklist alone – where it often is in other legal systems, for example in the US and the EU.

If completed, it covers those involved, where UK directors have been more used to working in a principles-based governance system, taking appropriate decisions on controls and reporting that are explained to and challenged by stakeholders through a comply or explain (or apply or explain) judgement and accountability regime.

The whitepaper proposal includes the "creation of a new, stand-alone audit profession, underpinned by a common purpose and principles". Please can you comment on this?

While audit quality is a tempting objective, recent audit quality surveys run by the FRC have shown substantial differences in how quality is evaluated, by audit firms, audit chairs and their own assessors – some combination of them all probably providing the best solution.

A ‘carrot and stick’ solution is required to ensure the audit profession has sufficient new hires and can retain staff through a challenging career where new techniques (including the application of technology) are developed to close the audit and assurance expectation gap described above.

‘Auditing’ the full report (front/narrative and back/financial ends) from purpose through to strategy, risks and operations (including alternative and non-financial performance measures) will help close that gap, especially in a world where environmental, social and governance (ESG) oversight from investors and others becomes key.

About the expert

Bryan is an active non-executive director (NED), risk and audit chair, experienced in financial services, listed, public sector and high growth technology firms. Bryan is also an FRC adviser, co-founder of the Risk Coalition and member of the CISI Risk Forum committee.

He is also a Chartered director, Fellow of other professional bodies, visiting professor with Bristol Business School and mentors founders and new NEDs.

How does the UK Stewardship Code 2020 relate to this consultation?

Alongside this consultation, more work will be required (and may even be done more quickly) to update The UK Corporate Governance Code, The Wates Corporate Governance Principles for Large Private Companies and the UK Stewardship Code 2020, all of which need to work together to encourage cooperation for better outcomes. No doubt the QCA and others (perhaps The Charity Commission, housing associations and others) will update their own guidance as these code improvements become available.

Following the 2018 review, the FRC’s successor body, the ARGA, is to be established. Can you tell us about the implementation so far and what the next steps are?

The FRC was quick to implement most of the Kingman review actions through new and accelerated project work; however, the Brydon recommendations seem more substantial and, together with the CMA report on the audit market, have required much more involvement from BEIS in parallel with Brexit, Covid-19 and more.

As BEIS will need time to consider the consultation responses, agree a final strategy and find busy parliamentary time for approvals, we cannot expect implementation for at least a few years yet. In the meantime, the FRC’s scope for responsibility and change remains too limited – and even with ARGA implementation it seems unlikely to sufficiently address the audit versus assurance gap, the unexpected failure of key organisations (largely through risk) or the accountability issues of errant directors.

As professionals, we know the harms that are caused by failing organisations, and we know the assurance expectations of stakeholders. We can also see the direction of society in general, in terms of ESG, including transparency, accountability, good governance and risk management. Accountable directors and risk professionals should be leading this debate and change and not waiting for the regulator's checklist, though. For example, Risk Coalition's principles-based guidance, which the CISI collaborated on to develop and use.

Published: 24 Jun 2021