Abstract
In April 2018, Sir John Kingman was asked by the Secretary of State for Business, Energy and Industrial Strategy (BEIS) of the United Kingdom (UK) to undertake an independent review of the Financial Reporting Council. The Kingman review, which was published in December 2018, made recommendations for a major overhaul of the UK corporate financial reporting and audit regulations. A key recommendation made in the Kingman review is that the UK should consider introducing tougher regulation in respect of listed companies’ internal controls, similar to that applying in the United States (US) under the Sarbanes-Oxley Act (SOX). This article is written against this background and examines what lessons and experiences regulators and companies in the UK can learn from the other side of the Atlantic in strengthening internal controls. It seeks to recommend what measures UK regulators and companies can adopt to prepare themselves for the likely introduction of a SOX-style regime of internal controls.
Introduction
In January 2018, the financial market of the United Kingdom (UK) was shocked by the liquidation announcement made by Carillion PLC, once the nation’s second largest construction company. At its height, Carillion employed 19,500 workers in the UK and 43,000 worldwide. It had a revenue of £5.2 billion, or about US$7 billion in 2016, before running into financial difficulties and entering liquidation. 1
In the aftermath of the Carillion collapse, the UK Parliament conducted an inquiry to investigate the scandal. A 2018 joint committee report of the inquiry 2 published in May 2018 slammed the company as “a story of recklessness, hubris, and greed and its business model was a relentless dash for cash.” 3 The report accused the company’s directors of misrepresenting the financial realities of the business. In particular, the report criticized the internal control weaknesses of Carillion and found that directors gave no indication that they accepted any blame for their decisions that ultimately led to the collapse of the company. 4 The joint committee report criticized Richard Howson, Chief Executive Officer (CEO) of Carillion between 2012 and 2017, who demonstrated “little grasp of the unsustainability of Carillion’s business model.” 5 The report further commented that Howson’s “misguided self-assurance obscured an apparent lack of interest in, or understanding of, essential detail, or any recognition that Carillion was a business crying out for challenge and reform.” 6 Similar criticisms were also made of Richard Adam, Chief Financial Officer (CFO) of Carillion between 2006 and 2017, who was the architect of Carillion’s “aggressive accounting policies” that masked the company’s mounting financial problems. 7
Apart from the company itself, the government and auditors also came under attack by the joint committee report. Although the report acknowledges that the UK has in many respects an enviable system of corporate governance that helps to attract investment from around the world, it notes that too often the high profile company failings exposed recently have arisen from rotten corporate cultures. 8 The report criticized the government for lacking the decisiveness and bravery to tackle a culture of corporate recklessness. 9 The Big Four auditors (KPMG, PwC, EY, and Deloitte) were found to have earned £72 million from Carillion in 10 years and were described as a “cosy club incapable of providing the degree of independent challenge needed.” The report found that Deloitte were responsible for advising Carillion’s board on risk management and financial controls, failings in the business that proved terminal. Deloitte were either unable to identify effectively to the board the risks associated with their business practices, unwilling to do so, or too readily ignored them. 10 KPMG, who audited Carillion for 19 years, pocketing £29 million in the process, were even accused by the report of being complicit in the company’s aggressive accounting policies. Not once during those 19 years did they qualify their audit opinion on the financial statements, instead signing off the figures put in front of them by the company’s directors. 11
Amidst the Carillion scandal, in April 2018 the Secretary of State for Business, Energy and Industrial Strategy (BEIS) asked Sir John Kingman to undertake an independent review of the Financial Reporting Council (FRC). In December 2018, the Independent Review of the FRC 12 (Kingman review) was eventually published, recommending a major overhaul of the UK corporate financial reporting and audit regulations. A key recommendation under the Kingman review is to replace the current FRC with a new independent regulator which should be named the Audit, Reporting and Governance Authority (ARGA). 13 On the issue of tackling corporate failure, the Kingman review stated that a number of respondents suggested that there is a serious case for considering the introduction of stronger regulation in respect of companies’ internal controls, similar to that applying in the United States (US) under the Sarbanes-Oxley Act (SOX). 14
In March 2019, BEIS published its initial consultation on the recommendations of the Kingman review 15 and accepted the majority of the recommendations made by Sir John Kingman. On the issue of internal controls for UK-listed companies, BEIS states that it welcomes the recommendation for adopting a strengthened framework around internal controls on a similar basis to the SOX regime in the US. It pledges to explore options in this area and bring forward a detailed consultation in due course. 16 Simultaneously, The Future of Audit Report, 17 published by the House of Commons BEIS Committee at the end of March 2019, also supports the government’s commitment to consider and consult on the possible introduction of a strengthened framework around internal controls on a similar basis to SOX. It argues that a UK equivalent could make a significant contribution to improving the reliability of financial reporting. 18 Given such wide support from the government and various stakeholders, including senior executives of listed companies and members of the accounting profession, it seems to be just a matter of time before a SOX-style regime of internal controls is introduced in the UK.
This article is therefore written against this background and examines what lessons and experiences listed companies and regulators in the UK can learn from their US counterparts in order to prepare themselves for the likely introduction of a SOX-style regime of internal controls.
Rationales of corporate financial reporting and why internal controls matter
The fundamental rationale for the regulation of corporate financial reporting and disclosure is that information markets will not function efficiently and fairly in the absence of government regulation. 19 There are two major market failure possibilities for financial information markets. The first relates to the alleged “public good” nature of financial information, and the argument that the problems of joint consumption and exclusion that characterize such goods may induce market failure. 20 The second major market failure possibility involves a presumed asymmetry in the distribution of financial information among financial market agents, particularly buyers and sellers of securities and users of financial information. The latter gives rise to adverse selection and agency problems that are not amenable to a market solution. 21
The essence of a public good is that its provision to a single individual makes it equally and costlessly available to other individuals. Market failure occurs in the case of a public good because, where other individuals can receive the good without paying, the price system cannot function. Public goods lack the exclusion attribute; that is, the price system cannot function properly if it is not possible to exclude non-purchasers from consuming the good in question. 22 Moreover, one person’s use of a public good does not reduce the amount or quality of the good that is available for other users; such goods possess joint consumption characteristics. 23 The traditional view that information is a public good has been stated by Demski and Feltham. 24 Accordingly, information is not necessarily destroyed or even altered through private consumption by one individual. This characteristic may induce market failure. In particular, if those who do not pay for information cannot be excluded from using it and if the information is valuable to these “free riders,” then information is a public good. Hence under these circumstances, production of information by any single individual or company will costlessly make that information available to all. Therefore, a more collective approach to production may be desirable. 25 Based on this reasoning, the significance for corporate financial reporting requirements and regulations of whether or not financial information possesses the characteristics of a public good is apparent.
The argument for financial reporting and disclosure laws is that imperfections in the market for information necessitate government regulation to ensure equitable and efficient production and dissemination of corporate financial information. This argument has both an efficiency element and an equity dimension. The presumed contribution of corporate disclosure laws to economic efficiency stems largely from the alleged public good attribute of information. 26 This attribute causes a divergence between the marginal costs and benefits to society of information production and the marginal costs and benefits to information producers. Corporate information disclosure benefits non-owners as well as owners, and the latter cannot capture this externality. Thus, in the absence of disclosure requirements, the amount of information produced would fall short of the quantity necessary for the informed investment decisions required for optimal resource allocation in the economy. 27 Furthermore, government regulation of financial information disclosure is alleged to increase the credibility of financial statements and otherwise increase public confidence in the financial market. 28
The equity argument for disclosure laws focuses mainly on the notion of fair and equal access to information. The concern is that insiders with superior access to information will reap unfair profits from trading on the information. Concerns regarding asymmetry in information distribution are not independent of concerns regarding the operational and allocational efficiency of the financial markets. Hence required disclosure contributes to a more efficient financial market by giving investors more confidence that they are getting the whole story. 29
Information regulation inevitably takes the shape of prescription of what shall be disclosed and proscription of what shall not be disclosed. The fact that disclosure laws affect the nature as well as the extent of information production has implications for both the benefits and costs of a given quantity of information. A strong case can be made that, in a free and fully functional market for corporate financial information, all information produced would be relevant to users. 30 Such a case cannot be made for the regulatory model. Given that the actions of regulators are largely governed by a non-market set of incentives and constraints, it is plausible to suppose that, at best, the nature of disclosure requirements will diverge sufficiently from a market determined framework as to necessitate incurring greater costs in order to achieve the same sum of benefits. 31
The problem with financial information is not that demand for it is hampered by a lack of purchaser ability to reap the benefits of information use. Rather, the difficulty is one of supply, coupled with equity concerns. The individual company is the paramount supplier of information about itself due to superior access and cost considerations. Hence if companies lack incentives to satisfy the demand for information, market failure is likely. Regulation therefore becomes necessary to assure that desired information is made available by least-cost producers. 32 The problems of the supply-side of corporate information can be explained by the distinction between “foreknowledge” 33 and “discovery knowledge,” 34 illustrated by Jack Hirshleifer. 35 It is assumed that each of these types of information may have either positive or negative implications for the company and thus for the price of its securities. It is also assumed that a company’s management will pursue disclosure policies that benefit the company’s present shareholders and the individual managers privy to the information.
In the case of “positive foreknowledge,” the company’s management can most benefit its current shareholders by immediate disclosure, so as to accelerate the gain to these shareholders. The same holds for “positive discovery information”: because we are assuming there are no restrictions on insider trading, individual managers privy to the information can, prior to its disclosure, buy up shares and reap gains when disclosure is made. 36 In the case of “negative foreknowledge,” insiders can again profit or avoid losses by selling their present holdings. If possible, present external shareholders of the company would be best served by being informed so that they could sell their shares before the information became public and the share price declined. Yet the act of informing shareholders generally would, in an efficient market, have the effect of making the information known. Therefore, companies would have no incentive to disclose negative foreknowledge. 37 This is even more the case with “negative discovery information” because present shareholders would be best served if the company’s management suppressed the information. Insiders could profit by engaging in short selling subsequent to a timed disclosure of such information. 38
On this reasoning, there are two basic concerns in the absence of disclosure laws. If a company’s management acts in the interest of its present shareholders, negative information will not be disclosed. Financial market allocational efficiency will be impaired by the lag of negative foreknowledge or suppression of negative discovery knowledge of information. 39 If, on the other hand, managers use information to pursue insider trading gains, allocational efficiency is served but serious equity concerns emerge. Pervasive insider trading will damage external investor confidence in the markets to a degree that ultimately results in an impairment of allocational efficiency. 40
The problem of information supply in the absence of disclosure laws has been further analyzed under the notion of information asymmetry, which is the second major source of potential market failure in the financial information market. The fact that financial market agents may have an incentive to withhold information or to issue fraudulent information is viewed as having the same potential impact on the market for financial information as moral hazard and adverse selection. 41 Governmental intervention in the form of disclosure laws is therefore defended as essential for an efficient information market. In the case of fraudulent information, the concern of those who accept this view is not limited to the fact that investors may incur losses. The ultimate concern seems to be that quality uncertainty as a result of an increased incidence of fraud would lead to deteriorating financial markets. This is the essence of the adverse selection issue, insofar as the efficiency of the financial information market is concerned. 42
Over the last three to four decades, “internal controls” of listed companies have been perceived as one of the most important aspects for providing reliable financial information. The first statutory regulation regarding internal controls was the US Foreign Corrupt Practices Act 1977. Under this Act, public companies were obligated to establish and maintain an internal control system that provides sufficient assurance for investors. However, the only required disclosure related to internal control weakness was the change of auditor, which companies have to disclose in their 8-K Form, the statement used to notify shareholders about important events. 43 Internal control is the most important aspect for providing reliable financial information. Effective internal control is essential to achieve a company’s goals and targets and to avoid losses. Controls designed to ensure that information, including financial information, is timely and accurate are essential to decision making. 44 Moreover, it helps companies to comply with regulations and law, thereby mitigating the risk of lawsuits and damage to a company’s reputation. Financial reporting controls are designed to help ensure that the financial statements give a true and fair view. They are intended to reduce the risk of misstatement associated with the loss or misappropriation of assets. A business cannot prepare financial statements, or prevent or detect theft of assets, if it fails to control its accounting records. 45 While accurate accounting records cannot prevent theft, they can help deter, detect, and correct it. To sum up, adequate internal control systems enable companies to move in the right direction without additional problems.
Financial reporting controls also help to ensure the integrity and usefulness of the financial information produced by a business. They include relatively low level automated controls that help ensure the completeness and accuracy of routine financial transactions captured by the accounting system. They also include a variety of manual and automated monitoring controls over the information used to manage the business, and higher level controls to ensure that management does not distort reports provided to shareholders or financial markets. 46
Having examined the rationales of corporate financial reporting regulations and the importance of internal controls of companies to the well-being of financial markets, the article now turns to how the world’s largest financial market, the US, has adopted mechanisms to regulate internal controls of its listed companies under SOX, and to their effectiveness.
Regulating internal controls of US-listed companies under SOX and their effectiveness
In the early 2000s, trust in the financial market broke down significantly due to a series of collapses of large companies such as Enron and WorldCom. The cause was severe financial reporting scandals, which led not only to corporate bankruptcies but also to rising doubts regarding the accuracy of financial reporting and the trustworthiness of audit opinions. Following these scandals, the US Congress enacted SOX in 2002. The aim of the legislation was to enhance the reliability and quality of financial statements reported by public companies, which in turn would allow for a restoration of investors’ trust in the financial market. 47 SOX was regarded as the most important reform in US securities laws since the passage of the Securities Act 1933 and the Securities Exchange Act 1934. 48
The legislation implemented many new regulations and procedures, and amongst its main provisions are Section 302 (SOX 302) 49 and Section 404 (SOX 404) 50 related to the internal controls over financial reporting (ICFR). Under these sections, managers and auditors are obligated to establish appropriate internal controls, maintain them, and systematically attest to their effectiveness. 51 By implementing SOX 302 and 404, the Securities and Exchange Commission (SEC) hoped that significant information about the condition of companies’ control systems would be disclosed and would act as an early warning about potential future misstatements. 52
SOX 302, implemented in 2002, requires public companies’ CEOs and CFOs to certify that they have assessed the effectiveness of ICFR. They are obligated to state that the reports do not include any misrepresentations and that the financial information is fairly presented. Their opinions should be disclosed quarterly in the reports filed with the SEC. If management identifies a material weakness in internal controls, they are obligated to provide information about the existence of deficiencies and their general conclusion. Additionally, senior executives are required to provide information about changes to the internal controls and any corrections of material weaknesses. 53 The requirements under SOX 302 preclude management from describing their companies’ internal controls as effective when they have identified significant deficiencies. 54 SOX 906(a) imposes a criminal penalty on officers who knowingly certify an inaccurate financial statement.
SOX 404, which became effective in 2004, also requires an evaluation of the effectiveness of companies’ ICFR. However, it applies to management and auditors alike. This section is divided into two parts, 404(a) and 404(b). Under SOX 404(a), companies are obligated annually to disclose management’s assessment of the effectiveness of their companies’ internal controls, while SOX 404(b) requires a company’s external auditor to attest to management’s report as well as provide an independent opinion on the effectiveness of internal controls. More specifically, auditors present three opinions: first regarding the financial statement, second on management’s assessment of internal control effectiveness, and third related to the effectiveness of ICFR. 55 The unbiased auditors’ reports enable investors to ensure that financial statements are reliable and prepared in compliance with required regulations. 56 If management or an auditor identifies a material weakness, they are obligated to disclose it in the annual report (10-K Form) and to communicate the ineffectiveness of ICFR. 57
The implementation of SOX 302 and 404 led to an intense debate about the costs and benefits of the new regulation. At the time, many critics claimed that complying with SOX involves huge costs, by requiring a great amount of additional work by both management and auditors. 58 On the other hand, proponents and regulators suggested that the implementation of the new provisions increases the quality of financial reporting. 59 Moreover, SOX 302 and 404 should lead to lower numbers of restatements. Based on the report published by Audit Analytics in 2009, the rate of financial restatements was 46% higher for companies that did not comply with all of the SOX internal control requirements. Other important benefits are stronger corporate governance and, on average, a greater number of audit committees with experts. 60
More than 15 years have now passed since the introduction of SOX 302 and 404. Has the implementation of these provisions been effective in enhancing internal controls of US-listed companies? More importantly, have companies incurred substantial costs in complying with these provisions, as was initially suggested? These are the questions to which the article now turns.
Effectiveness of internal control mechanisms under SOX and associated costs for compliance
When SOX 404 was first introduced, there were two primary sets of complaints. First, corporate managers legitimately complained about SOX 404’s costs for implementation and ongoing maintenance. Secondly, Wall Street and its supporters claimed that SOX 404 was damaging New York’s status as a major global financial center. 61 Michael Bloomberg, former mayor of New York City, and Senator Charles Schumer commissioned McKinsey & Co. to investigate the matter. 62 Former Secretary of the Treasury Hank Paulson assembled a group of academics, the Committee on Capital Markets Regulation (CCMR), which decried the role of SOX in the decline of US dominance in investment banking and related businesses. 63 In March 2007, the US Chamber of Commerce’s Commission on the Regulation of US Capital Markets in the 21st century issued a similarly critical report. 64
Given the magnitude of the Enron and WorldCom scandals at the time, Congress’s conclusion regarding the importance of internal financial controls was consistent with the findings of much of the academic literature. Experts in accounting theory have long emphasized the importance of internal controls to all parties interested in the production of accurate corporate financial statements. 65 If reliable internal financial controls are relevant to the accuracy of the financial statements produced, then theoretically companies with poor internal controls should have to pay more for capital because of the increased risk they present to investors. 66 Many empirical studies confirm the theory by indicating that companies with poor internal controls tend to restate earnings more often, be the subject of more SEC accounting and auditing enforcement releases, face more frequent SEC enforcement actions, and be worse performers and systemically riskier than comparable companies. 67
When SOX was passed during the early 2000s, the stock markets were almost in a free fall. From its 2000 market peaks, the Dow Jones Industrial Average had dropped 25%, the S&P 500 had declined more than 40%, and NASDAQ had plummeted by more than 70%. 68 Investor confidence in the financial market was at record lows, causing average trading volume to drop by 54%. 69 The lack of confidence stemmed not from worries that Congress would legislate, but from the fact that 84% of the investing public at the time believed that corporate wrongdoing was widespread rather than isolated. 70 It was noted at the time that restoring investor confidence might be the most important thing that the SEC and Congress can do, just as it was the top priority during the crisis of confidence following the 1929 stock market crash. 71
As the cost and effort involved to comply with SOX internal controls were at the forefront of concern for every public company CEO when it was implemented, board members, audit firm partners, and the academic world took notice. Shortly thereafter, SOX 404 became the number one area of accounting research in the US. All aspects of the provision were subject to intense scrutiny by the academic world as well as the profession, but at the forefront was research relative to the cost of compliance, which was anticipated to be significant. 72
It had been initially argued that the increasing costs and regulatory requirements for internal controls under SOX 404 are cost prohibitive, which caused the diversion of resources from other value added activities of corporate operation and would ultimately hurt the long-term growth of many businesses that have performed adequately but would struggle to meet the increased compliance standards under SOX. 73 One report has shown that compliance with SOX 404 was costing public companies much more money and time than previously anticipated at the initial onset. It was predicted that when SOX 404 goes into effect it will cost public companies 62% more on average than previously thought. 74 Another study illustrated that companies overall are on average spending US$5.9 million in the first year of compliance. 75
Overall, it was apparent to researchers and management that SOX 404 was looked at as an extremely cost prohibitive act and unnecessary, since other regulations already required that adequate internal controls be in place and validated. Many thought that even though action and regulation was necessary to restore investor confidence, less invasive and cost prohibitive actions that do not burden all public companies could have deliver as effective a result. The research at the time also showed that as a result of the substantial cost and non-value added nature that SOX 404 compliance brought to many companies, the impacted companies who lack resources to efficiently comply are taking measures that would provide at least temporary compliance, but at an additional cost of reduced corporate growth. Based on early perceptions of the legislation, one had to at least ask if these costs were worth the marginal benefit that SOX 404 compliance would have when imposed on all companies mandated to comply. 76
The main issue of transparency relative to SOX as it was rolled out pertained to those small and mid-cap companies that were required to comply with the legislation. In the case of small and mid-cap companies, the resources needed to comply were scarcer and the uncertainty of requirements significantly increased burden on these companies. 77 A study conducted by Giordano 78 looked at the special advisory committee established by the SEC to examine the impact of SOX 404 on smaller and mid-cap companies. At the time, analysts were beginning to question whether smaller companies were experiencing pain significant enough to delist from US exchanges or move to become a public company outside of the US. 79 Similar studies have also shown that smaller companies had an increased propensity to report material weakness and this is most likely the result of a lack of resources to correct identified weaknesses as quickly as larger companies. Smaller companies also start control testing later in the year due to cost involved to test, or simply that it is not cost effective to address the material weakness as discovered. 80 These studies found that the requirements of SOX 404 present a significant challenge for smaller companies, and as the deadline looms for non-accelerated filers these companies would face significant challenge to comply and manage the requirements of the legislation. 81
However, as time passed into the second decade of the 21st century, SOX internal controls compliance has become routine regulation. Companies of all sizes required to comply have completed multiple years of compliance and should have developed a pattern of compliance procedures in place. Likewise, audit firms have also had a period of years to develop audit programs that streamline the process, and address uncertainty in expectations that initially existed between auditors, companies, and regulators. Contrary to initial concerns regarding the effectiveness and costs associated with compliance of SOX internal control provisions, a review of many researches has shown that over a decade of compliance requirement, the legislation has produced improved financial reporting quality and fees have generally leveled-off for companies that maintain adequate controls and are not found to have material internal control weaknesses. 82 One study conducted by Bhamornsiri et al. 83 illustrates the emergence of two factors as significant compared to past discussion is that the increase in cost initially attributed to meeting compliance requirements did not go away in any significant fashion. Yet despite the increase, the overall net impact of economic decline was small, and not a reason in itself to eliminate the Act if effective in its purpose despite the cost. 84
Another study conducted by Hua-Wei 85 shows that US companies and US-listed foreign companies from developed countries experienced a statistically significant descending trend of material weaknesses reported, a sign pointing to a measure of success for SOX. The study also shows that US-listed foreign companies based in developed countries adjust to SOX 404 more quickly than do those from developing countries, resulting in fewer material weaknesses being reported by these companies. 86 It argues that although SOX 404 imposes vast costs on US-listed foreign companies, investors can benefit from the improved ICFR as the SEC asserts, as well as investor confidence in markets. 87 These studies point to a consistent pattern that despite high cost of compliance fees, overall economic loss is low due to the cost, and the benefits may indeed worth the cost as more data becomes available, despite the fact fees are not decreasing following inception year. 88
A study of 2500 international companies performed by GovernanceMetrics International concluded that SOX reforms led to a 10% improvement in the corporate governance performance of US companies versus their foreign counterparts. 89 To this improvement Healy and Roberts attribute much of the US stock market’s rebound from the 20% tumble it took in 2002 preceding the enactment of SOX. 90 SOX 404 contribution to this improvement cannot be precisely parsed out, but improved formal governance structures mean little if they do not create more reliable information upon which managers and investors can act. 91 An empirical study conducted by Jain et al. 92 found that SOX improved the liquidity of US capital markets both in the short term and the long term, suggesting that these regulatory actions appear to be successful in restoring market participants’ confidence in corporate governance, financial reports, and audit functions. 93
There is now substantial empirical evidence showing that SOX 404 has benefited smaller listed companies as well. Whereas the Internal Controls Subcommittee of the SEC’s Advisory Committee on Smaller Public Companies once proposed exempting smaller companies from SOX 404 on grounds that other SOX provisions dealing with improved corporate governance might suffice to enforce proper establishment and evaluation of the companies’ internal controls 94, an empirical study has indicated that without the independent auditor attestation associated with full application of SOX 404, corporate governance quality has little impact on ICFR. 95 This study concluded that the beneficial impact of SOX 404 on internal controls supported the SEC’s plan to eventually require smaller listed companies to comply with its provisions. 96
A study conducted by Professor Susan Scholz, which examined the financial restatement trends in the US between 2003 and 2012 97, found that the number of restatements has declined significantly since its peak in 2006. The study specifically focused on the decade following the implementation of SOX and argues that the decline in the frequency and severity of restatements can be attributed in part to improvements in ICFR due to the SOX 404 ICFR assessment and reporting requirements. 98
Most studies of SOX 302 are also strongly supportive of the impact of the internal control provisions. For example, according to an empirical study conducted by Gupta et al. 99, there has been a reduction in information asymmetry due to SOX 302 certification and related disclosures by management. It also finds that, subsequent to the first-time management disclosure on internal control via SOX 302, the bid-ask spread decreased, trading volume increased, and price volatility decreased for companies. 100
These empirical studies 101 strongly indicate that SOX 302 and 404 are providing investors in the US market with the most reliable financial statements in history, which benefits issuers by reducing their capital costs and benefits investors by reducing their risk. As one expert put it, while the costs of SOX 404 are high and immediate, the benefits are real and long term. 102
The above discussion provides a brief review and evaluation of the effectiveness of the SOX internal control provisions in the US financial market. Studies show that over a decade of compliance requirement, management of US companies has realized tangible benefits from the legislation. So what lessons and experiences do they offer for other jurisdictions that are also looking to strengthen internal controls of listed companies? This paper will now turn to the other side of the Atlantic, first examining the existing legal mechanisms in the UK for regulating financial reporting and internal controls of listed companies and analyzing their effectiveness. After that, some suggestions will be provided as to what measures regulators and companies in the UK could adopt in order to prepare themselves for the likely introduction of a SOX-style regime of internal controls.
UK corporate law requirements on accounting records and internal controls
Corporate law in the UK requires all companies to maintain “adequate” accounting records that are sufficient to: 103 (i) show and explain the company’s transactions; (ii) disclose with reasonable accuracy, at any time, the financial position of the company at that time; and (iii) enable the directors to ensure that the accounts they are required to prepare comply with the relevant requirements of the law.
The United Kingdom Listing Authority Listing Rules 104 also set out some of the rules applicable to a company that is listed or seeking admission to list on the London Stock Exchange (LSE). In the case of most listed securities these will supplement the Disclosure and Transparency Rules (DTR) and Prospectus Rules. For all companies with listed shares, the rules on financial statements are set out in the DTR. Annual reports are required within four months of the year end 105 and for an EEA incorporated company preparing consolidated accounts, must be prepared in accordance with IFRS as adopted by the EU. For companies with premium listing of shares on the LSE, there are additional rules regarding the annual report contents set out in Listing Rule 9.8. There are also corporate governance requirements set out in the DTR, supplemented by the requirements for a premium listed company to report their compliance with the UK Corporate Governance Code 106 (UKCG) set out in LR 9.8.
The FRC is responsible for the UKCG and associated guidance. The requirements for UK premium listed companies to apply the UKCG and its precursors since the Cadbury Code 1992 predate the US SOX legislation by a decade, as do the requirements for auditors to report on certain aspects of compliance. The UKCG operates on a “comply or explain” basis and this applies only to the provisions of the UKCG. These provisions provide detailed and specific suggestions for best practice, which may not be suitable for companies of all types and sizes or in all contexts. Hence the UKCG states that its focus is on the application of the “Principles.” The Listing Rules require companies to state how they have applied the Principles and to articulate what action has been taken and the resulting outcomes. This requirement is supported by high-quality reporting on the provisions on a “comply or explain” basis. As some commentators put it, “comply or explain” is thus in some respects a misnomer. “Comply and explain” more accurately reflects the objective, especially given that a large number of companies to which the UKCG applies comply with all its provisions. 107
Provisions relating to internal control mechanisms of UK-listed companies are stipulated under Heading 4 of the UKCG, Audit, Risk and Internal Control 108, requiring boards to ensure that sound risk management and internal control systems are in place to manage the principal risks to the business. Boards should establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long-term strategic objectives. 109 Apart from the UKCG, the FRC is responsible for the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. 110 This Guidance requires boards to oversee the risk management and internal control systems on an ongoing basis, to review their effectiveness at least annually, and more importantly, to report to shareholders on the results of that review. 111 In the UK, responsibility for the development and maintenance of an appropriate set of controls, including financial reporting control, lies collectively with the board of directors. 112 These reports appear publicly in annual reports and cover the full system of internal control, not just controls over financial reporting, as is the case in the US.
Any company seeking to list in the UK financial market as part of an IPO process is required to perform a thorough due diligence exercise on its internal control system before it is admitted to listing. The Listing Rules require directors at companies applying for an IPO to establish procedures providing a reasonable basis for them to make proper judgments about the company’s financial position and prospects. Applicants are required to appoint a sponsor, and the sponsor is required to make a specific declaration in relation to the directors’ procedures. Sponsors invariably engage reporting accountants for these purposes. The framework used by reporting accountants who report on compliance with this obligation is set out in ICAEW guidance Tech 14/14 CFF: Guidance on financial position and prospects procedures. 113 The reporting on directors’ procedures is no mere formality. If reporting accountants are unable to report, the application is very unlikely to proceed. 114
Since the Cadbury Report in 1992, UK corporate governance has gradually evolved, usually following reviews and reports established to tackle a particular failing. This evolutionary approach to reform, although frequently reactive in nature, has served to refresh the UK’s corporate governance framework and helped to keep it at the leading edge of international standards. 115 According to the UK Parliament report on corporate governance, published in April 2017, the UK’s strong corporate governance regime is a considerable asset which enhances the reputation of the UK as a place to do business. 116 However, it simultaneously states that despite a high international reputation in this field, there should be no complacency, nor any sense that improvements cannot be made. 117 Accordingly, the challenge is for business and government to keep improving standards, without the impetus of high profile corporate scandals, in order to minimize the risks of future failings and to reflect both changes to the business environment and the rising expectations of society and stakeholders. The report claims that the government must help ensure that the UK stays ahead of the game in the light of changing business trends and practices. 118
Yet since 2018, after a succession of corporate collapses from Carillion to Thomas Cook more recently, the UK is facing a battle to restore trust in business. As a result of these scandals, the effectiveness of the UK audit regime has been seriously questioned. One criticism of the UK audit regime is that, while the basic requirements for adequate accounting records have been in place since the Companies Act 1948, and soft law such as the UKCG exists, they lack detail. 119
The collapse of Thomas Cook, after 178 years in business, further exposed the deficiencies of the UK’s audit regime, as experts believe it is becoming too easy for companies to conceal bad news in opaque financial reports. As one corporate finance partner put it, it is obvious there has been no financial control in Thomas Cook for some time and there appears to be a “litany of accounting failures.” 120 It was discovered that Thomas Cook’s Group accounts for the year ended 30 September 2018 comprise a 194-page set of accounts, which presents positive earnings several pages before the losses are made clear. Only on page 118 does one see the profit and loss, and not until page 122 does one see the weak balance sheet. 121 Thomas Cook was warned in 2018 by its auditor, Ernst & Young (EY), over an accounting method that made its profits appear larger and could be used to boost executives’ bonuses. 122 It was revealed that the company reported pre-tax “underlying profits” of £250 million in its 2018 financial statement, a figure which was reached after it wrote off £150 million in costs as “exceptional” and “one off.” Meanwhile its reported operating profit was just £97 million. 123 Although EY claims that it challenged the company’s decision and strongly urged Thomas Cook to be careful over what costs were declared exceptional in the future, it nevertheless signed off on the financial figures. In the aftermath of the scandal, the FRC announced that it will look at the audit of the company conducted by EY. 124
Many experts believe legal requirements could be improved with greater clarity about the linkage between accounting records and financial statements, and specifically about exactly what is expected of directors. 125 Consideration could be given to how directors can be better motivated to keep adequate records that clearly support the financial statements. That auditors report on the truth and fairness of financial statements is widely understood. Less well known is the fact that auditors, not directors, have long been required to report publicly on the adequacy of accounting records, on a “by-exception” basis. This means that if auditors believe that adequate records have not been kept, they are required to say so in the audit report. However, the fact that auditors are required to report on accounting records, but directors are not, seems anomalous. 126
As mentioned earlier, the Kingman review which was eventually published in December 2018 recommended a major overhaul of the UK corporate financial reporting and audit regulations. A key recommendation is to replace the current FRC with a new independent regulator which should be named the ARGA. A number of respondents to the Kingman Review suggested that there is a serious case for considering the introduction of stronger regulation in respect of companies’ internal controls, similar to that applying in the US under SOX. The review is particularly struck by the extent of support for these provisions amongst senior audit committee chairs with experience of operating this regime in US-listed companies. It argues that a number of members of the Review’s own advisory group also support the provisions and recommends that BEIS should give serious consideration to this. 127
With strong support from the BEIS 128 and the House of Commons BEIS Committee 129, it seems that it is just a matter of time before a SOX-style regime of internal controls is introduced in the UK. It is therefore important for regulators and UK-listed companies to prepare themselves for this highly likely legal enactment, as consultation on this proposal is expected in the first quarter of 2020. Hence the following section will provide some suggestions as to what measures regulators and companies in the UK could adopt in order to prepare themselves to adjust to a SOX-style regime of internal controls by drawing lessons and experiences from the US.
Measures regulators and companies in the UK could adopt to prepare themselves for the likely enactment of a SOX-style regime of internal controls
As discussed above, when SOX 302 and 404 came into force, there were initial concerns regarding the cost of complying with the provisions and how it could affect the competitiveness of US companies and the US financial market. Many studies did find that the cost of compliance for many entities was high and burdensome, at least in the early years after the provisions came into force. Although many of the later studies conducted towards the second decade of the 21st century have found that SOX 302 and 404 are providing investors in the US market with the most reliable financial statements in history, experiences from the US market show that it takes a relatively lengthy period for companies to fully adapt to SOX-style internal control mechanisms before they can realize the actual benefits. It is therefore imperative for any financial market seeking to implement a SOX-style regime to prepare well ahead in order to facilitate the adaptation to such a mechanism and minimize the impact of its implementation. The following suggested measures will hopefully help UK regulators and companies to better prepare themselves for the likely introduction of a SOX-style regime of internal controls.
Adoption of the COSO framework of Internal Control
A well-established and well-recognized internal control framework, against which to judge effectiveness of internal controls, is the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 130 framework. The COSO framework was originally developed as a model for evaluating internal controls back in 1992 and was considerably updated in 2013. 131 The framework recognizes five components of internal control that need to be present and operating for a control environment to be considered effective. These five components are: (i) control environment; (ii) risk assessment; (iii) control activities; (iv) information and communication; and (v) monitoring activities. These five components are further broken down into 17 principles, and the framework specifies points of focus as a guide to help with each of those principles. 132
In 1978, the Cohen Commission in the US, a blue ribbon group convened by the American Institute of Certified Public Accountants (AICPA) noted that users of financial information have a legitimate interest in the condition of the controls over the accounting system and management’s response to the suggestion of the auditor for correction of weaknesses. 133 Soon thereafter, the Treadway Commission, a private group sponsored by five accounting organizations, also recognized the importance of internal controls and made several recommendations for improving them. The Treadway Commission originally focused on fraud prevention, but later addressed internal controls as a broader concept. 134 This eventually led to the formulation of the first COSO framework in 1992. 135
During the early years when SOX came into force, there were intense debates in the US as to the definition of “internal control” under the provisions. In an attempt to clear the controversies, the SEC eventually issued a Final Rule 136 on the matter in 2008 and held that the term “internal control over financial reporting” under SOX 302 and 404 encompasses the subset of internal controls addressed in the COSO framework that pertains to financial reporting objectives. 137 Accordingly, the SEC final rules define ICFR as a process designed by, or under the supervision of, the company’s principal executive and principal financial officers, or persons performing similar functions, and effected by the company’s board of directors, management, and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles. 138 The Final Rule also made it clear that “the safeguarding of assets” is one of the elements of ICFR and the SEC’s definition addresses the supplementation of the COSO framework after it was originally promulgated. To achieve the desired result and to provide consistency with COSO, the SEC incorporated COSO’s definition of the term “internal control over safeguarding of assets against unauthorized acquisition, use or disposition” into its definition of ICFR. 139 In the SEC’s own words, this is appropriate given the fact that its definition shall be used for purposes of public management reporting, and that companies subject to the SOX 404 requirements would be subject to this definition of ICFR. 140
Moreover, when the 1992 COSO framework was superseded by the updated 2013 framework after 15 December 2014, the SEC explicitly indicated that it expects companies to use the 2013 framework as criteria for evaluating their effectiveness of ICFR as required by SOX 404. 141
If regulators in the UK aim to ultimately enact a SOX-style regime of internal controls, then they should follow in the footsteps of their US counterpart and explicitly adopt the COSO framework as the benchmark for effective ICFR. In principle, there is alignment between the COSO framework and the FRC’s Guidance on internal controls, yet some would argue that, within the UK, there is not a sufficiently clear vision of a framework which UK boards can use to meet their responsibilities under the Code to establish a “framework of prudent and effective controls” and which can then be used to hold management to account through the board and audit committee’s oversight roles. 142
The FRC (or its successor) should take the initiative to revise and update both the UKCG and the Guidance on internal controls and explicitly recommend that companies adopt the COSO framework of internal control as best practice of corporate governance. Simultaneously, notwithstanding the ongoing government activity which could take the UK in a more prescriptive direction around the board’s responsibilities for internal controls, companies themselves should take greater responsibility to establish a framework of prudent and effective controls such as that of COSO, to oversee that framework and to perform an annual review of the effectiveness of ICFR.
Companies’ boards in the UK are often under the impression that the auditors play a significant role in reviewing and assessing the effectiveness of internal controls yet the reality is potentially very different. Under current auditing standards, the auditor must certainly inform the board about any significant deficiencies they have found in the course of their work but the scope of that work, in relation to controls specifically, may in fact be very limited. It should be recognized that because there is very limited UK guidance on what constitutes effective controls, there is also little guidance on how to interpret a significant deficiency. 143
Lessons from the US show that reporting under SOX against the COSO framework eventually resulted in an overall strengthening of ICFR. Many CFOs discovered that some of the controls they had thought were in place and effective were, in fact, not there, or were ineffective or undocumented. 144
Both SOX and COSO have been influential around the world. Variations on the SOX legislation have been enacted in, among other jurisdictions, Canada, Australia, India, and Japan. The UK and international auditing standard on risk assessment, ISA 315, is in fact aligned at a high level with COSO. 145
The COSO framework, with its five basic components, should in theory be capable of application anywhere, and implementing it in the UK would permit an “integrated audit” of controls over financial reporting, as seen in the US. 146
Greater support to smaller public companies to enhance internal controls
Should the UK introduce a SOX-style regime of internal controls, then regulators must put financial reporting quality of smaller public companies as a top priority given that studies conducted by the FRC have found that quality of financial reporting by these entities in the UK has been a matter of concern.
In 2014, the FRC initiated a project looking at whether the quality of reporting matters to investors in smaller listed companies and, if so, how to support these companies to improve the quality of their reporting. During the course of this project, the FRC focused on listed companies with a market capitalization between £20 million and £100 million and UK quoted companies on the Alternative Investment Market (AIM) 147 with a market capitalization of greater than £5 million. 148 The findings were published in June 2015. This study found that overall, the quality of reporting by smaller listed companies in the UK is generally regarded by investors and other users to be timely and of a good standard, but with room for improvement in a number of key areas. 149 Accordingly, it is found that “whilst the system of reporting is not fundamentally flawed, there is a higher incidence of poorer quality annual reports by smaller quoted companies than by their larger counterparts.” 150
The 2015 findings stated that some smaller listed companies find preparing their annual reports challenging. 151 The most significant challenge facing smaller listed companies relates to the adequacy of appropriate resource to prepare the annual report, which often results in their preparation being left until the last minute. This places pressure on both the finance function and auditors to finalize the annual report in a short space of time, which may have an adverse impact on quality. 152
As a result of the 2015 findings, the FRC announced at the end of 2017 that it would conduct a thematic review focusing exclusively on the quality of reporting by smaller companies. In December 2017, the FRC wrote to 40 smaller listed and AIM quoted companies informing them that Corporate Reporting Review would review certain aspects of reporting in their next annual report and accounts. 153 At the date of selection, the chosen companies comprised 22 listed companies outside the FTSE 350 and 18 AIM quoted companies, with year-ends ranging from 31 December 2017 to 31 March 2018. 154
The results of the thematic review were published in November 2018 and identified that although there was some degree of progress made against the 2015 findings, there remained much scope for improvement in reporting by smaller listed and AIM quoted companies. 155 The FRC was disappointed to see that few companies provided sensitivity analyses or quantified ranges of possible outcomes when describing sources of estimation uncertainty. 156 Also, the review of cash flow statements identified apparent errors such as the misclassification of cash flows between operating, investing, or financing activities. 157
For smaller listed companies and AIM quoted companies, financial reporting is not always seen as a top priority. While some of these companies may be planning for a period of growth and therefore require high-quality financial reporting and information for investment purposes, others may have listed as a one-time financing exercise with no need for further investment. The effect of this diversity has contributed to varying standards of financial reporting quality in this segment of the market.
Hence, in order to further strengthen the overall quality of financial reporting by smaller companies, the FRC and ICAEW published practical guidance for these companies in May 2019. 158 The guide is aimed at audit committees, which, with responsibility for oversight of the annual reporting process, are well positioned to drive up the quality of the annual report and accounts. The practical guide acknowledges that smaller listed companies face specific challenges, such as constraints on time and resources within finance departments. It therefore aims to encourage good practice and to help audit committees and boards evaluate the adequacy of a company’s financial reporting function and processes and drive improvements in quality. 159 It recommends that by asking the right questions at the right time and suggesting practical changes, audit committees can nurture a general culture of continuous improvement in financial reporting. 160
Lessons from the US show that many years of exemption were granted to smaller companies before they were required to comply fully with the SOX provisions, and perhaps this is a route which the UK can take, at least during the first five years after the relevant legislation comes into force. When SOX 404 came into force in 2004, smaller public companies, defined as those with less than US$75 million of shares in the hands of public investors 161, were granted several deadline extensions because the SEC had not interpreted how the rules should apply to them. These extensions meant that smaller public companies were not required to provide the attestation reports under SOX 404(b) in their annual reports until fiscal years ending December 2009. 162 In testimony given before the US House of Representatives Committee on Small Business in December 2007 163, Christopher Cox, former Chairman of the SEC, acknowledged that the delay in compliance with SOX 404 by smaller public companies was a recognition that their needs were different from those of larger companies. The SEC’s own review of the first three years under SOX 404 had found that implementation was too expensive for everyone. Hence imposing that system on the smallest companies would impose “unacceptably high costs” from the standpoint of the companies’ investors. 164
In delaying the compliance of SOX 404 for smaller public companies, the SEC then worked on developing guidance for these entities’ managements recognizing that their needs were different than those of larger companies. 165 In June 2007, the SEC issued interpretive guidance to help companies assess their internal controls. 166 This guidance was developed specifically with smaller companies in mind.
In specifically targeting smaller public companies, the 2007 guidance recognizes that internal control systems and the methods and procedures necessary to evaluate their effectiveness may be different in smaller companies than in larger companies. 167 The guidance explicitly states that in smaller companies, management’s daily interaction with its controls may provide it with sufficient knowledge about their operation to evaluate the operation of ICFR. 168 Management should consider its particular facts and circumstances when determining whether its daily interaction with controls provides sufficient evidence to evaluate the operating effectiveness of ICFR. 169 The guidance goes on to provide that in smaller companies, where management’s daily interaction with its controls provides the basis for its assessment, management may have limited documentation created specifically for the evaluation of ICFR. 170 Yet in these instances, management should consider whether reasonable support for its assessment would include documentation of how its interaction provided it with sufficient evidence. This documentation might include memoranda, emails, and instructions or directions to and from management to company employees. 171
However, the 2007 guidance stresses that the flexibility provided is not meant to imply that evaluations for smaller companies be conducted with less rigor, or to provide anything less than reasonable assurance as to the effectiveness of ICFR at such companies. 172 It urges smaller companies to utilize the flexibility provided in the guidance to cost-effectively tailor and scale their methods and approaches for identifying and documenting financial reporting risks and the related controls and for evaluating whether operation of controls is effective, so that they provide the evidence needed to assess whether ICFR is effective. 173 For example, the guidance recommends that smaller companies refer to other sources for guidance, such as the COSO framework for smaller public companies 174, and argues that this will enable smaller companies to have a better understanding of the requirements of a control framework, its role in effective internal control systems, and the relationship to evaluation and disclosure requirements. 175
UK regulators such as the FRC or BEIS should, as soon as practicable, begin making smaller companies aware of the potential costs and burdens they could face if a SOX-style regime of internal controls were to be implemented, allowing these companies to prepare well in advance. Firstly, during the consultation process, they should take the initiative to conduct a survey of smaller listed companies outside the FTSE 350 and AIM quoted companies on how the legislative proposal to strengthen internal control specifically impacts them. This will help ensure the regulators’ cost-benefit analyses and judgments of proportionality take account of smaller companies’ circumstances.
Moreover, regulators must be candid in informing companies that, based on US experiences, complying with SOX internal control provisions can be costly and that smaller companies could potentially struggle to comply fully, at least during the early years of the law coming into force. An empirical study conducted by Foster et al. 176 examined the impact of cost to comply with SOX 404 and the overall impact on material weaknesses in reporting. The study found that companies with revenues less than US$1 billion have a higher probability of reporting a material weakness than larger companies. 177 Companies that have material weaknesses pay proportionately higher audit fees. 178
Other studies have found that the mean compliance cost of SOX 404 paid by a company is US$2.2 million, with a median cost of US$1.2 million. 179 In looking at the determining factors of these costs, factors such as company size, the presence of internal control weaknesses, the cost of setting up new computer systems and establishing formal internal control policies, the involvement of large auditors, and the appointment of new CEOs all had a significant bearing. 180
Meanwhile, it is highly recommended that smaller companies start control testing earlier in order to prepare themselves for the likely introduction of SOX-style internal controls, as evidence from the US has shown that smaller companies that start control testing later tend to experience greater material weaknesses and subsequently pay higher audit fees. 181
One approach which smaller listed companies in the UK can adopt, apart from referring to the practical guidance for smaller companies published by the FRC, they should also seriously consider referring to the COSO framework for smaller public companies published in 2006 182 to assess the effectiveness of their internal control systems which many of their US counterparts have done. This guidance specifically demonstrates the applicability of ICFR concepts to help smaller public companies design and implement internal controls to support the achievement of financial reporting objectives. 183 In particular, COSO 2006 guidance for smaller public companies was developed in response to the request made by the SEC to COSO after a roundtable discussion held in April 2005, that gave public companies and accounting firms an opportunity to provide feedback to the SEC on what went well and what did not during the first year of SOX 404 implementation. 184
Require CEOs and CFOs to certify the effectiveness of ICFR as in SOX 302
One major difference between the existing mechanism of the UK and US in terms of internal controls is that, in the UK, responsibility for the development and maintenance of an appropriate set of controls, including financial reporting controls, lies collectively with the board of directors. The UK corporate governance regime, as discussed earlier, allows and encourages boards to set up audit committees to deal with many of the detailed aspects of such responsibility. Yet in the US, SOX 302 provides that CEOs and CFOs are responsible for internal controls, and requires them, and external auditors, to report publicly and annually on internal control effectiveness.
In terms of reporting under the current UK regime, boards are only required to explain the process for their review of the effectiveness of the risk management and internal control systems rather than comment on the outcome of the review. 185 SOX, on the other hand, is a much more demanding piece of legislation. Under SOX, CEOs and CFOs not only must certify that they have reviewed the annual or quarterly reports, but must also certify that the financial information included is “fairly presented.” The report must not contain any untrue statement of material fact or omission that would make the financial statements misleading. Most important of all, CEOs and CFOs must acknowledge their responsibility for establishing, maintaining, and evaluating ICFR plus disclosure controls and procedures. Moreover, CEOs and CFOs must certify that each periodic report containing financial statements complies with US securities laws and fairly presents, in all material respects, the financial condition and results of operations. 186
The SOX legislation appears to have a degree of discipline that is lacking in the UK. This is because statements regarding responsibility for internal controls are made annually, clearly, and publicly in the US. This in turn makes accountability when things go wrong much clearer, and much more keenly felt. 187
In early 2019, the Secretary of State for BEIS invited Sir Donald Brydon to conduct a review into the quality and effectiveness of audit in the UK. The Brydon review was eventually submitted to BEIS in December 2019. 188 One of the key findings in the Brydon review is that the effectiveness of internal controls is clearly of great relevance to the reliability of a company’s financial reporting. It therefore suggests how directors might report “more meaningfully” on their internal controls and the potential role of the auditor in relation to that reporting. 189
On the issue of introducing a SOX-style regime for internal controls, the Brydon review fully agrees with the recommendations made under the Kingman review and notes that since the introduction of SOX, there has been a reduction in the number of reissuance statements from accelerated filers in the US, from 460 in 2005 to just 29 in 2017. 190
The Brydon review recognizes that, due to the structure of the unitary board system in the UK, the singling out of CEOs and CFOs to make attestations of the effectiveness of internal controls to shareholders and the public is potentially problematic. 191 Yet this has been applied in the US since SOX 302, given the fact that the board system is identical. There is also sufficient evidence to suggest that such attestations have improved relevant internal controls and may have helped to lower the cost of capital. 192
Empirical studies on SOX 302 have found that investors responded positively to SEC certification requirements and recognized certification as a statistically significant event. 193 The positive response was greater for companies with prior securities litigation, indicating that investor confidence increased after certification. 194
Other studies have found that investors were using signals of internal control weaknesses from SOX 302 reports to evaluate risks even before the first official disclosures of internal control deficiencies. 195 Companies with poor internal controls had less reliable financial reporting, which created increased information risk for investors, resulting, in turn, in higher costs of capital. 196
These studies of SOX 302 strongly affirm that executive certifications provide valuable information to the financial markets in a timely fashion, boost investor confidence in the information they are receiving, and thereby enable companies with strong internal controls to reduce their capital costs significantly. 197
Based on these findings, the author fully concurs with the recommendation made in the Brydon review that the UK authority give serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board, as in SOX 302(c) and (d), that an evaluation of the effectiveness of the company’s ICFR has been completed and whether or not they were effective. 198 The FRC should revise and update the UKCG and FRC Guidance on internal controls to recommend that companies’ CEOs and CFOs adopt such a practice. Final endorsement of these principles, and how this would apply in the UK context, is something on which the FRC (or its successor) should consult closely with companies and stakeholders such as the Audit Committee Chairs’ Independent Forum (ACCIF). 199
Conclusions
This paper has examined useful lessons about accountability that can be learned from the experiences in the US. Improvements in the quality of internal controls have arisen in many respects as a result of clarity about responsibilities for effective internal controls provided under SOX.
The focus on the role and responsibilities of the directors is important, as auditors do not and cannot take responsibility for the controls they report on, and the focus of any change of regime needs to be on directors and senior management. Auditors are certainly prohibited from providing services relating to the controls they report on. Yet corporate collapses such as Carillion and Thomas Cook have shown that auditors cannot do what directors and senior management failed to do.
The new regulator that is likely to replace the FRC, the ARGA, should be tasked with investigating how the UK framework for financial reporting on internal controls by directors and auditors can be strengthened, and this should include a rigorous consultation process for change. Lessons and experiences from the US show that, over a decade of compliance requirements, company management has realized tangible benefits from SOX. In the early years, there were significant fears over SOX 404 as a result of the impact the law would have on so many companies. These fears and uncertainties led many to question the merit of the law and generated significant costs to manage both the fear and the initial setup to comply. 200 Over time, compliance became reality, fears subsided, and many studies illustrate that overall reporting quality did increase as a result of SOX.
In proposing a SOX-style regime of internal controls, the UK authority must acknowledge that the costs of compliance are high. An area of concern is that smaller companies tend to have more difficulty in managing internal controls, and may end up facing more audit fee pressure in the future than larger companies. This is an issue that needs to be considered by lawmakers, as well as professional trade organizations, so that these businesses can be helped in some way to mitigate it.
Understanding where the SOX internal control provisions currently stand in terms of success can give lawmakers, regulators, and company management a proper perspective from which to address the areas of concern and weaknesses by strengthening ICFR. It is therefore confidently argued here that implementing a SOX-style regime of internal controls in the UK would in the long run improve the quality of financial reporting and corporate governance, and reduce the costs of capital.
The measures suggested towards the end of this paper are intended to help regulators and companies in the UK prepare for and adjust to a SOX-style regime of internal controls, making the transition smoother should the law come into force. Lessons and experiences from the US show that strengthening ICFR based on SOX can be both challenging and costly. Yet by adopting a systematic framework, together with proper guidance from regulators, the intended purpose of improving financial reporting quality through effective ICFR and boosting investors’ confidence can be achieved over time.
Footnotes
Conflict of interest
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
