Restoring Trust White Paper - Too much governance?

Many hearts in the business world will have sunk when the “Restoring trust in audit and corporate governance” White Paper was published on 18 March. It is quite a tome, with its 230 pages and 98 consultation questions, and it contemplates some far-reaching changes to the UK’s audit and corporate governance landscape.

The owners of those hearts were no doubt anxious, ahead of publication, that the shape and extent of proposed reforms would further constrain a business world already burdened by extensive regulation and exhausted by Covid and Brexit.

Were those anxieties justified?

The answer, perhaps inevitably, is “Yes and No”.

Some of the more anxiety-inducing proposals emerging from the Kingman and Brydon Reviews - such as full Sarbanes Oxley-style audited certifications and a requirement for Public Interest Statements - are not being pursued for now. And it is gratifying, for someone as old and romantic as me, to see that “true and fair view” lives to fight another day.

At the same time, many will finish reading the Paper (and the accompanying Impact Assessment) with a weary feeling that the end result is likely to be too much governance - leading to significant extra cost, undue box-ticking and a defensive, rather than entrepreneurial, mindset among Boards of Directors.

There is a huge amount of detail in the Paper and it is good that the consultation period is long, lasting until 8 July 2021.

In this piece, I do not aspire to dig deeply into the detail. But rather to highlight 8 Themes which seem to me to be particularly noteworthy.**

1. New Regulator

The Government proposes to establish a new, stronger, regulator with the general objective to:

“protect and promote the interests of investors, other users of corporate reporting and the wider public interest”.

The regulator, the Audit, Reporting and Governance Authority (ARGA), will also have:

• a quality objective to promote high quality audit, reporting, corporate governance, accounting and actuarial work; and
• a competition objective to promote competition in the market for statutory audit work

and will have regard to regulatory principles. These will include promoting innovation, brevity and clarity and working closely with other regulators.

Three points to note:

1. the Financial Reporting Council (FRC) envisaged that one of the duties which ARGA should have when exercising its policy-making functions would be to be “proportionate, having regard to the size and resources of those being regulated and balancing the costs and benefits of regulatory action”. Regrettably, the White Paper suggests that proportionality does not need to be a duty or, indeed, a regulatory principle, but can be addressed by ARGA having regard to the Regulators Code. I would much prefer to see proportionality being the subject of greater profile and obligation;
2. ARGA is going to have a huge amount to do and capacity will, I feel sure, be a big issue; and
3. RGA will be funded by a statutory levy payable by market participants (eg auditors and companies). The outline idea is that funding will new based around activity blocks and the FRC will be consulting on design and methodology. This is not the work of a moment and the levy will not be cheap.

2. Public Interest Entities

The statutory audits and auditors of Public Interest Entities (PIEs) are subject to more stringent regulation, for example in relation to auditor selection procedures, content of the auditor’s report and prohibition on non-audit services. The definition of a PIE currently encompasses listed entities, credit institutions and insurance undertakings and there are around 2,000 PIEs.

The Government believes that this more stringent regime, as further developed by the proposals in the White Paper, should extend to a broader range of entities, particularly large private companies and bigger AIM quoted companies. Mention is made, in this context, of the failure of BHS and Patisserie Valerie. Government takes the view that the public interest would be served by bringing these entities within the scope of the stricter regulatory regime.

Two options are suggested for identifying the large private companies to come within the expanded definition of a PIE:

1. companies with more than 2,000 employees or turnover of more than £200 million and a balance sheet of more than £2 billion; or

2. companies with over 500 employees and turnover of more than £500 million.

Option A would result in some 1,960 additional entities being brought within scope. For Option B it would be around 1,060 additional entities.

In addition, it is proposed that AIM companies with a market capitalisation of more than Euro 200 million should become PIEs. Currently around 105 AIM companies would be within scope.

There are, as will be appreciated, complex issues around companies, over time, falling below and going above the thresholds and these are mentioned in the White Paper.

Four points to note:

1. this is a very material increase in the scope of regulation. Even if Option B is chosen that would mean, together with the AIM change, some 1,165 extra PIEs. The White Paper acknowledges that there would be highly material implications for the entities concerned, the regulator and the auditors (Option A and the AIM change would, for example, bring 90 additional audit firms into scope while Option B plus the AIM change would bring around 20 additional firms into scope);
2. the Government recognises, therefore, that the widening of the PIE definition would need to be introduced at an “an appropriate pace” to avoid bottlenecks and allow companies and audit firms to build capacity;
3. the cost of all this will be high. According to the Government’s Impact Assessment, the present valued total aggregate cost to the affected businesses of Option A, plus AIM, over 10 years will be £1,717 million (an annual average direct cost of £198 million). This would be to cover transition, costs of appointing and maintaining audit committees, extra audit firm costs and such like. For Option B, plus AIM, the present valued cost over 10 years would be £1,244 million (an annual average direct cost of £144 million); and
4. the Government seems very committed to extending the definition of PIE (and one can sympathise with the policy drivers) but, even on the narrower Option B approach, you do have to wonder whether it is proportionate.

3. Internal controls, dividends and capital maintenance

Internal controls

The White Paper observes that the regulatory and other requirements applying to internal control arrangements in UK companies comprise a combination of interlocking company law requirements, Listing Rules, provisions of the UK Corporate Governance Code (Code) provisions and auditors’ responsibilities. It is, as this suggests, a bit of a patchwork quilt.

As a result of high-profile firm failures where weak internal controls and poor risk management have been evident, it is proposed to strengthen the controls framework. Three Options are outlined and an “initial preferred option” is identified, involving:

• a directors’ statement in which they acknowledge their responsibility for establishing and maintaining “an adequate internal control structure and procedures for financial reporting”; and
• a directors’ annual effectiveness review, disclosing the “benchmark system” used to make the assessment and explaining how deficiencies have been remedied; where
• decisions on whether the effectiveness statement should be subject to external audit and assurance would be a matter for the audit committee and potentially (as part of the Audit and Assurance Policy, described below) shareholders.

ARGA would have power to investigate the accuracy and completeness of these disclosures and to sanction directors if they fail to establish and maintain adequate controls. The provisions would be set out in legislation (so, moving beyond the “comply or explain” world which applies to some control elements currently) and would apply initially to premium listed companies, being extended to all PIEs after two years.

I would make a couple of points:

1. the preferred option stops short of requiring a full Sarbanes Oxley-style certification attested to by the external auditor. I come back later to the question of director sanctions but, that aside, the option feels like a worthy approach;
2. it will, however, be a very significant change for the many companies which are not currently (because of their US Listings) familiar with SarBox. This is clear from the Impact Assessment. That explains that present valued total cost to business over 10 years is estimated to be £1.5 billion.

Dividends and capital maintenance

In relation to dividends and capital maintenance the White Paper makes proposals which are, in the round, welcome. The essence of the proposals is to provide greater clarity as to how distributable reserves are calculated, for purposes of assessing dividend capacity, and to require disclosure of distributable reserves in the company’s annual report. Currently, the quantum of reserves which are distributable is not necessarily evident on the face of the balance sheet - which is a bit odd.

More controversial is a suggestion that directors confirm in writing that a proposed dividend is consistent with their duties and that the dividend will not threaten the company solvency over the next two years. I believe that this is over-reaching and an undue burden on directors, not least in light of proposals for a Resilience Statement (discussed further below).

4. New Corporate reporting

The big points here relate to:

• Resilience Statements
• Audit and Assurance Policies and
• Supervision of corporate reporting.

Resilience Statements

Currently a Going Concern Statement (which looks 12 months ahead) must be made by all large and medium-sized companies. In addition, premium listed companies need, under the Code, to make a Viability Statement assessing the prospects of the company over a longer period (typically 3 years). The White Paper proposes consolidating these elements into a Resilience Statement which would be a legal requirement for all premium listed companies and, after two years, all other PIEs - so including large private companies and bigger AIM companies.

These Resilience Statements would be more granular than current disclosures. Thus:

• the going concern element would need to disclose any material uncertainties subsequently determined not to be material after the use of significant judgement or mitigating action;
• the medium term (old viability) element would be required to cover 5 years and include two reverse stress testing scenarios; and
• a new long-term section would not be for a prescribed period but would be a home for consideration by the directors of the main long-term challenges to the company and how these are being addressed.

These seem to me to be sensible proposals and would promote greater comparability as between the disclosures made by different companies. I am not so keen, however, on the White Paper suggestion that Resilience Statements should specifically address a range of issues (such as supply chain and digital security risks) as these will surely duplicate a lot of themes discussed elsewhere as risk factors.

In addition, it would be good to see it confirmed that the current safe harbour for directors under s463 of the Companies Act remains available. This provides that directors will only be liable to the company (and not third parties) for these statements and that liability to the company will only arise if the director knew, or was reckless as to whether, a statement was untrue or misleading. It may be at risk given the proposals for sanctioning directors described below.

Audit and Assurance Policies

The White Paper suggests that PIEs should publish an annual Audit and Assurance Policy describing the company’s approach to assuring information in the annual report beyond the financial statements. This would cover the extent, if any, to which independent assurance will be sought (for example in relation to the Resilience Statement, risk, internal controls, carbon footprint) and a description of the company’s internal auditing and assurance processes.

For listed PIEs, the policy would be subject to an advisory shareholder vote. The requirements would be introduced first for premium listed companies and, after two years, for other listed and unlisted PIEs.

The key thought is that, with the inclusion in annual reports of an increasing amount of information falling outside the natural expertise of the statutory auditors, stakeholders would wish to have more confidence in that information. The White Paper suggests that the statutory auditors’ current “read requirement” is of limited comfort to stakeholders in relation to such information.   Three points:

1. whilst I see a certain logic here, I am concerned that this approach will build in a lot of additional process to annual reporting which is already burdensome and where the “read requirement” is to my eyes doing a meaningful job;
2. in any event, if Audit and Assurance Policies are introduced I do think that they should be published, and (for listed entities) voted on, every three years and not annually. This would give more time for stakeholder consultation prior to policy adoption and for experience to inform the next policy; and
3. will shareholders engage meaningfully?

In addition, I have a real worry about the White Paper’s related proposition that a separate profession of Corporate Auditors, regulated by a new professional body, should be created. The heart of audit will surely remain the domain of the accounting profession and so the complexity, cost and distraction of creating a whole new profession of (forgive me) checkers seems wholly disproportionate.

Supervision of Corporate Reporting

Currently the FRC monitors corporate reporting through its Corporate Reporting Review (CRR) work. The FRC checks the directors report, strategic report and annual accounts of public and large private companies for compliance with the Companies Act and applicable reporting standards. Where a change to company reports is looked for by the FRC, a court order is required.

The White Paper proposes that ARGA’s CRR powers should extend to the entire contents of the annual report (thus including the governance statements, the remuneration report and the audit committee report). Whilst this is understandable, much more concerning is the proposal that ARGA will have the power to direct changes to any part of the report and accounts, without having to seek a court order.

The White Paper acknowledges that some check on this power will be required and says that the Government is working “with the regulator to develop an appropriate mechanism which will ensure fairness to the companies and enable then to challenge the regulator’s decision”. This is a very delicate area and, with the courts removed from the equation, companies will definitely want to see robust assurance as to fairness in a much expanded CRR regime.

Brevity?

One might also raise a sceptical eyebrow, given all of the new thinking around corporate reporting, at the proposed Regulatory Principle for ARGA to promote brevity, comprehensibility and usefulness - particularly the brevity piece!

5. Company directors

This is a big and important topic.

The White Paper outlines the range of legal provisions which back up the duties of directors under the Companies Act, the listing and transparency rules and the market abuse regime. In addition, directors are potentially exposed to proceedings by the company for breach of their fiduciary and other duties.

The Government concludes, however, that the current mechanisms for enforcement of directors’ duties relating to corporate reporting and audit are insufficient and thus “intends to legislate to provide ARGA with the necessary powers to investigate and sanction breaches of corporate reporting and audit-related responsibilities of PIE directors”. These powers to bring civil proceedings would be in addition to the existing arrangements for proceeding against directors and The White Paper states that the FRC and the FCA will seek arrangements which avoid unnecessary overlap and duplication.

All directors will be in scope for the new enforcement powers. The civil standard of proof “on the balance of probabilities” would apply (lower than the criminal standard of “beyond a reasonable doubt”). Proposed sanctions include reprimands, fines, orders to mitigate and, in the most serious of cases, temporary prohibition on acting as a director.

Three points:

1. for many directors the existing burden of work and potential liability is a heavy one and one for which they are often not well remunerated. Concern about personal reputation, moreover, is already a powerful incentive driving care and attention;
2. not only would the new enforcement powers add unduly to this burden but ARGA would be judge and jury in its own actions, with a range of sanctions at its disposal operating to a balance of probabilities threshold. The proposal in the White Paper that ARGA would be required to apply sanctions in a proportionate manner will not provide much comfort; and
3. all of this runs counter to Government’s desire to promote greater diversity on boards as those who are new to the corporate world will surely be very concerned about the risks they are taking on.

6. Audit purpose and scope

There are a large number of points made in the White Paper around audit purpose and scope. The essential thrust is to sharpen up the role of auditors, set a framework for an increase the scope of audit and test the appetite for liability limitation agreements.

A few reflections:

• the suggestion that statutory auditors should be required to consider “wider financial or other information”, as amplified by standards to be set by ARGA, in reaching their judgements seems sensible - as does the notion of setting for ARGA a purpose of audit (to provide confidence in a company, its directors and the information it publishes) as the broad ambition for its programme of reforms;
• as mentioned above, whilst I can understand that some companies may feel it appropriate for certain non-financial information in the annual report to be assured by a party other than the statutory auditor (for example, around climate), I do not think that it is appropriate to create a new profession of Corporate Auditors;
• the proposal that directors of PIEs should report on the steps they have taken to prevent and detect material fraud, with these steps being assessed and reported on by the auditors, seems appropriate. The idea that a case study register should be maintained by the regulator as a useful learning tool for auditors is a good one; and
• I am doubtful that liability limitation agreements will catch on. They are not easy to negotiate, I read that institutional investors don’t like them and, for UK companies with US listings, they are not permitted by SEC rules.

7. Audit Committee Oversight and engagement with shareholders

Oversight

It is proposed that ARGA should impose additional requirements on Audit Committees in relation to the appointment and oversight of auditors, including “the need for audit committees to continuously monitor audit quality, and consistently demand challenge and scepticism from auditors”. Oversight will include a power to require information and, where concerns have not been resolved through engagement, to place an observer on the audit committee. Moreover, the Impact Assessment suggests that an annual report on oversight of the audit process will be required.

Clearly the specifics of ARGA’s requirements will be of great interest to Audit Committees, when developed. The requirements will initially apply to FTSE 350 companies only and potential extension to a wider community of PIEs will be considered in the light of experience.

Engagement

The Government proposes that Audit Committees should gather shareholder views on the audit plan for the company and, for this purpose, shareholders would be furnished with a summary version of the audit plan setting out key audit matters and proposed areas of focus. Views would be advisory in nature. In addition, presumably as part of this consultation, shareholders should be provided with an updated assessment of principal risks where there has been a material change since the latest annual or interim report. These changes would be for premium listed companies initially and built into the Code.

Two points here:

1. this is potentially quite a burdensome process, timing could be complicated and how should companies work out which comments to take seriously? The White Paper suggests that it could be a function of size of shareholding or materiality - but is that very democratic?
2. in any event, will shareholders engage?

8. Managed Shared Audits

Under this proposal FTSE 350 companies would be required, when the audit is re-tendered, to adopt a Managed Shared Audit.

This would require companies to appoint a Challenger Firm to conduct a meaningful proportion (not less than 10%, and preferably closer to 30%, by reference to one or more of the total audit fee, group revenues, profits or assets) of the statutory audit. Challengers will be firms which provide audits to PIEs but have no more than a modest share of the FTSE 350 audit market. They would have liability for the audits of the subsidiaries which they audit, but the firm appointed to lead the group audit would have overall responsibility and liability.

There are a number of concerns around these proposals:

• will Challengers be willing to build capacity when they have no certainty of appointment?
• will these arrangements really help Challengers build appropriate expertise when they are in a box doing (probably) unexciting bits?
• there will be numerous practical issues in making the combination to work (for example around liability sharing) - and where is the benefit to the corporates?

Whilst the desire to promote more competition and choice in the audit market is more than understandable, and the challenge is a tough one, the Managed Shared Audit proposals as they stand don’t look like a ready answer.

Finally

As ever in this world, it is too easy to criticise. But my core concern is that the White Paper is an aircraft carrier of change at a time when a speedboat is required.

Christopher Saul

Christopher Saul provides independent trusted advice to senior executives and key stakeholders within publicly quoted and privately owned businesses and professional service firms. His areas of focus are governance, succession and the moderation of differences.

Send this article to a friend...