Bryan Foss

The ongoing collapse of gas distribution companies is a stark reminder that corporate failures in the UK are continuing to hurt the economy and potentially make the country less attractive to investors and incoming businesses. Despite the attention focused on the quality of audit following the 2008 financial crash, familiar company names have carried on disappearing. 

“Sometimes these failures, such as those of Patisserie Valerie and Debenhams, come close on the heels of recent audits,” Bryan Foss, Co-Founder and Director of Risk Coalition, pointed out to participants in ACCA’s recent virtual Internal Audit Week that focused on resilience in a dynamic environment. Understandably, questions are being asked about how this happened and what could be better done to prevent other organisations meeting the same fate.

In the spirit of finding answers, the BEIS Consultation Restoring trust in audit and corporate governance was launched in March this year, bringing together three recent independent reviews focusing on audit and corporate governance. The proposals for reform are broad-ranging and ambitious. They cover, among other areas: quality of audit issues; attestation of controls; joint audits for competition and choice; corporate reporting improvements; and assurance vs audit expectation gaps.

In proposals around attestation of controls, the consultation sought feedback on whether the UK should implement a similar - but lighter system - to the USA’s SOX, where controls are more robust and tested, and signed off personally by the CEO, Audit Chair and Chair of the Board. 

Proposals over joint audits to create competition and choice caused most disagreement within the BEIS consultation. “Clearly we have too few auditors,” said Bryan. “The objective here is to create to encourage greater choice and more attractive options in the market for auditors to operate in but it remains unclear what might eventually be done to address this.”  

While proposals aim to bring about improved trust in audit, Bryan argued that there is no point making audits even tighter when there remains an expectation gap between assurance and audit. “We need to start from the top, looking at the objectives of the organisations and the assurances against them. That will take us to multiple sources of assurance both inside and outside the organisation. As expectations keep moving and growing, our profession we will need to generate new skills, new capabilities and new reporting characteristics to keep up. “

A push for improvement will come from the Board who are feeling an increase in the expectation of stakeholders and society in general. There is a recognition that the availability of more data creates the need for increased transparency and accountability from board directors so people can see that what they say and what they do are the same thing, Bryan pointed out. 

“Risk and assurance have traditionally been seen as technical subjects and not given the time needed by Boards,” he added.”This is changing. The Board understands now that both are key to feeling confident about the statements made by the organisation and achieving the objectives of the business model they’ve set out. That’s a good thing for the profession because it means Internal Auditors will get the attention, support and resources they need more easily than in past.”

Lines of defence

Lee Glover

Meanwhile, the most useful tool for supporting trust in audit and corporate governance remains the Three Lines of Defence model, which has long been accepted by Internal Auditors as enhancing clarity on risks and controls. This was the view Lee Glover, Director, Haines Watts, shared with attendees at the same session. 

“The reason I like this approach is that it can help us easily explain and position internal audit as the core advisor to the Board,” he said. “It helps us understand perceived organisational risk exposure, shows where internal audit’s attention would be most beneficial and enables us to map assurance and help identify gaps in those assurances. Then, more importantly still, it helps us position ourselves to provide solutions either directly or in cooperation with other providers.” 

In coordinating activities, the Chief Audit Executive may rely on the work of other assurance and consulting service providers. A consistent process for the basis of reliance should be established, and the chief audit executive should consider the competency, objectivity, and due professional care of the assurance and consulting service providers. 

Internal Audit has a responsibility to share information with all assurance providers, minimise duplication of effort and achieve best value for an organisation’s overall investment in assurance. “However it is important to recognise that all parties, whether internal or external, retain ultimate responsibility for the conclusions and opinions they reach,” Lee pointed out. 

He reminded his audience that standards and expectations on coordination are placed upon them by the International Auditing Standards, notably Standards 315 and 610. Standard 315 is essentially risk assessment for the external auditor and deals with the auditor’s responsibility to establish their understanding of the entity and its environment, including its framework of internal control. Standard 610 deals with the external auditor’s responsibilities if using the work of internal auditors, including using the work of the internal audit function in obtaining audit evidence.

“We should remember that external audit is generally focused on the past, whereas modern internal audit is more forward looking,” Lee said. “Nevertheless, we should be building strong relationships with our external audit counterparts by maintaining frequent dialogue throughout the year, ensuring significant control weaknesses are identified, positioning ourselves as core advisors and providers of solutions and working with managements and boards towards implementation of those solutions.”

Time to step up

Meanwhile, as the audit and governance world waits to see the response of BEIS and FRC to the consultation, Bryan suggests those operating within it shouldn’t wait too long. “If we look at the list of proposed reforms we’ll see what needs to be done,” he said. “We can make our own ‘no regrets’ decisions and decide on what to get started on and what to implement now as a base for our own improvement projects. Regulatory requirements can be added as we proceed. It really is time for our profession to step up.”