Discussion Paper by the Chartered IIA


The Chartered IIA's discussion paper on corporate governance reform in the UK and the update of the UK Corporate Governance Code

Introduction

Despite the UK's global renown for high standards of corporate governance, the frequency of corporate scandals has not declined over the last 25 years, and the resulting economic and societal impacts are still significant. Furthermore, trust in business has been declining; the 2017 Edelman Trust Barometer revealed that CEO credibility had declined 12 points to 37%, the lowest score since the Barometer began. [1]

With this in mind, the Department for Business, Energy and Industrial Strategy (BEIS) last year released a Green Paper for consultation on how the UK could improve its corporate governance; in addition, the BEIS Select Committee undertook an inquiry into corporate governance in the UK. Moreover, the Financial Reporting Council (FRC) announced that they were to review the UK Corporate Governance Code.

A commitment to corporate governance reform was a feature in the manifestos of the three major UK parties in the 2017 General Election, all similarly seeking greater social responsibility, increased individual accountability and encouraging management to focus on the long term.

In August 2017, the government announced a raft of corporate governance reforms including the introduction of secondary legislation to require all companies of significant size (private as well as public) to explain how their directors comply with the requirements of section 172 of the Companies Act [2] and to develop a voluntary set of corporate governance principles for large private companies.

For the last decade, the Chartered IIA has contributed to the debate around defining and moving towards best practice for corporate governance. Internal audit plays a crucial role in contributing to an organisation's sound corporate governance. Consequently, the Chartered IIA has a strong interest, and seeks to support internal audit professionals to fulfil their role through our professional practice and guidance work. With a strong relationship with government, regulators, business and other sectors, we are well placed to promote the crucial role of internal audit in the corporate governance regime.

The aim of this discussion paper is to present the Chartered IIA's views on corporate governance and the role of internal audit, and to obtain your feedback on our policy proposals.

The Chartered IIA presents eleven policy proposals under three areas:

The definition of corporate governance
- The Chartered IIA advocates a clear, broad but concise definition of corporate governance.

Corporate governance reform in the UK
- Large private companies should be expected to follow a corporate governance code.
- Section 172(1) of the Companies Act 2006 should be reformed to create a positive obligation on directors to mitigate adverse impacts on stakeholders, not just shareholders.
- Secondary legislation should be introduced stating that all listed companies are required to comply or explain with all sections of the Corporate Governance Code and detail appropriate enforcement mechanisms.
- Directors should be held to account through a more effective enforcement regime when they fail to meet their responsibilities.

Updating the UK Corporate Governance Code
- The UK Corporate Governance Code should be updated to provide greater clarity and simplification of principles and provisions.
- Internal audit should be recognised as one of the integral elements of good corporate governance in the UK Corporate Governance Code.
- The role of internal audit should be explicitly stated in the UK Corporate Governance Code.
- All companies should be required to have a Code of Ethics for staff to sign at the beginning of their employment and this be stipulated in the Code.
- The FRC's Guidance on Audit Committees should state that heads of internal audit must report to the chair of the audit committee.
- The FRC's Guidance on Audit Committees should provide a direct assertion of the independence of the internal audit function.

Under each section the Chartered IIA's policy proposals are listed, and the rationale behind each proposal is explained. Following each rationale is a set of questions for internal auditors to answer. We are interested to hear your opinions on corporate governance reform.

The Chartered IIA is a member of the FRC's stakeholder advisory panel established to discuss the FRC's fundamental review of the Corporate Governance Code. Your answers will help form the basis of the Chartered IIA's approach to corporate governance in the context of our work with the FRC and more widely in the coming months.

[1] Edelman Trust Barometer, 2017, pg. 11,
[2] The Companies Act 2006, which governs all companies registered in the UK, sets out a range of general and specific directors' duties in section 172(1). Currently, directors are required to have regards to employees, suppliers, the community and the environment; however, their primary responsibility is to shareholders.

How to respond

You are invited to comment on the questions summarised in Appendix B. Responses can be submitted in two ways:

(i) By to
(ii) In hard copy to the Chartered Institute of Internal Auditors, 13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX.

Issued Tuesday 10 October 2017
Responses by Friday 8 December

The definition of corporate governance

The Chartered IIA advocates a clear, broad but concise definition of corporate governance.

The Cadbury Report states the definition of corporate governance as:

"the system by which companies are directed and controlled. Boards of directors are responsible for the governance of their companies. The shareholders' role in governance is to appoint the directors and the auditors and to satisfy themselves that an appropriate governance structure is in place. The responsibilities of the board include setting the company's strategic aims, providing the leadership to put them into effect, supervising the management of the business and reporting to shareholders on their stewardship. The board's actions are subject to laws, regulations and the shareholders in general meeting." [3]

This definition is used by the FRC in the UK Corporate Governance Code. While the Cadbury definition is detailed, sound and has formed the backbone of corporate governance in the UK for the last three decades, the Chartered IIA considers that it may not necessarily adequately reflect current governance requirements.

Although the definition of corporate governance needs to be broad, it also needs to be concise and proportionate to the size of a company and the nature of its risks. Therefore, the Chartered IIA suggests the definition of corporate governance should include:

- Reference to the framework of rules and practices by which companies are directed and controlled;
- Reference to the role of the board and the role of shareholders;
- Mention that directors ensure accountability, fairness, and transparency in a company's relationship with stakeholders;
- Reference to all stakeholders including investors, customers, management, employees, government and the community.

The Chartered IIA suggests that the FRC update its definition of corporate governance in the UK Corporate Governance Code to reflect modern governance elements. The Chartered IIA hopes to see this question in the FRC's consultation on the Code.

Question 1: What do you think should be included in a definition of corporate governance? Do you agree with the list above?

Question 2: Do you agree that the FRC should update the definition of corporate governance in the Code to reflect modern governance requirements?

[3] The Financial Aspects of Corporate Governance, 1992, pg /media/corporate/files/library/subjects/corporate-governance/financial-aspects-of-corporate-governance.ashx?la=en

Corporate governance reform in the UK

Large private companies should be expected to follow a corporate governance code.

The current Corporate Governance Code only applies to listed companies. Recent high-profile examples, such as BHS and Sports Direct, highlight that many corporate failures have a wide economic and societal impact whether or not the company is listed.

In their Green Paper, the government suggested that large private companies should follow a voluntary set of corporate governance principles. The Chartered IIA welcomes the government's recommendation and will support the FRC in undertaking this task.

There are many different ways to define if a company is large, for example, number of staff, turnover, balance sheet total, or number of investments. The government has suggested that a company is large if it has 2000 or more employees.

Question 3: Do you agree with the government's suggestion that a large company should be defined as a company with 2000 or more employees? If not, what definition should be used?

The Chartered IIA considers that a code for large private companies should be less prescriptive than the current Corporate Governance Code. Currently, there is a complex matrix of corporate reporting requirements set out in a number of different statutes, secondary legislation, rules and regulations, as well as the Corporate Governance Code and other codes and guidelines. The Chartered IIA suggests a code for large private companies could synthesise these and create a clear and succinct corporate governance regime that will protect the public interest without inhibiting the freedom of these businesses to define their own optimal practices.

Question 4: Which principles, provisions or issues should be included in a code for large private companies? Which should not be included?

Question 5: What, if any, enforcement mechanisms should exist for large private companies if they fail to meet their responsibilities under the new corporate governance regime?

Section 172(1) of the Companies Act 2006 should be reformed to create a positive obligation on directors to mitigate adverse impacts on stakeholders, not just shareholders.

The Companies Act 2006, which governs all companies registered in the UK, sets out a range of general and specific directors' duties in section 172(1). Currently, directors are required to have regards to employees, suppliers, the community and the environment; however, their primary responsibility is to shareholders.

The government's response to the Green Paper consultation states that secondary legislation will be introduced requiring all companies of significant size (both public and private) to explain how their directors comply with section 172 of the Companies Act. The Chartered IIA suggests that the amendment to the Companies Act should go further and create a positive obligation on directors not only to consider and explain but also to prioritise stakeholders as well as shareholders. This might encourage directors to act in the best interests for all and ensure a sustainable business model.

Question 6: Should the secondary legislation amending section 172(1) of the Companies Act be extended further to create a wider positive obligation on directors to mitigate adverse impacts on stakeholders?

Question 7: Would you like to see directors given positive obligations towards any of the following stakeholders? If so, which ones?

- Employees
- Suppliers
- Customers
- The community
- The environment
- Any other stakeholders

Secondary legislation should be introduced stating that all listed companies are required to comply or explain with all sections of the Corporate Governance Code and detail appropriate enforcement mechanisms.

The "comply or explain" approach is a distinctive characteristic of corporate governance in the UK. The approach means that companies are free not to comply, if they provide an explanation. It has been in operation since the Code's beginnings and is the foundation of its flexibility. It is strongly supported by both companies and shareholders and has been widely admired and imitated internationally. The Chartered IIA strongly recommends keeping this principle-based approach.

Currently, there are no legal ramifications for companies should they not either comply or explain. Therefore, the Chartered IIA advocates that secondary legislation be introduced that states that all listed companies are required to comply or explain with all sections of the Corporate Governance Code. This measure will add an additional corporate governance safeguard; companies are still free to explain why they do not meet one (or many) principles in the Corporate Governance Code, but if they don't comply or explain they may face judicial consequences.

The Chartered IIA suggests that the secondary legislation could be an amendment in the Companies Act 2006 and compliance could be monitored by the FRC.

The Chartered IIA supports the government's suggestion to introduce secondary legislation to require companies of a significant size to disclose their corporate governance arrangements in their Directors' Report and on their website, including whether they follow any formal code. Nonetheless, the Chartered IIA suggests that the legislation could go further and listed companies should comply or explain with all sections of the Corporate Governance Code.

Question 8: Should the Chartered IIA recommend to have government introduce secondary legislation that requires all listed companies by law to comply or explain with all sections of the Corporate Governance Code?

Question 9: Does there need to be a review of the penalties that can be applied to directors and in what circumstances?

Directors should be held to account through a more effective enforcement regime when they fail to meet their responsibilities.

In addition to reforming the Companies Act, the Chartered IIA suggests there needs to be a stronger enforcement regime to be able to hold directors to account when they do not meet their responsibilities under section 172.

Currently there is a complex framework of different organisations, professional bodies, regulators and government who play a role in holding directors to account. For example:

- The Insolvency Service, Companies House, the Competition and Markets Authority, the courts, and a company insolvency practitioner are able to apply to disqualify a director if they do not meet their legal responsibilities;
- The FRC can take action against directors who are auditors, actuaries or accountants who are members of professional accountancy bodies; but not against those who are not, even if there is evidence of wrongdoing [4]; and
- Finally, some professional bodies are able to strip members of their membership.

This multifaceted structure delays and dilutes the ability to enforce accountability of directors and other senior managers when they do not meet their responsibilities under the UK corporate governance regime. This notion is reiterated by the FRC's response to the BEIS Green Paper, which states: "enforcement is not fully effective at present." [5]

[4] Financial Reporting Council, Response to BEIS Green Paper on Corporate Governance, 17 February 2017, pg. 9, C.pdf
[5] Financial Reporting Council, Response to BEIS Green Paper on Corporate Governance, 17 February 2017, pg. 8, C.pdf

The government announced they will ask the FRC, the Financial Conduct Authority and the Insolvency Service to produce new or revised letters of understanding with each other before the end of 2017 to ensure the most effective use of their existing powers to sanction directors. While the Chartered IIA acknowledges this is an important first step, this is not enough to hold directors to account.

The Chartered IIA suggests there should be a more effective and streamlined enforcement regime for directors because holding individual business leaders accountable will encourage mindful risk-taking and long-term planning, benefitting the economy and society while rebuilding trust. The FRC has offered to undertake the role of enforcement, and the Chartered IIA considers the FRC best placed to do so. This will allow for a more cohesive enforcement regime.

Question 10: Should there be a more effective enforcement regime to hold directors to account if they fail to meet their responsibilities under section 172?

Question 11: Should the FRC undertake the role of enforcement?

Updating the UK Corporate Governance Code

The UK Corporate Governance Code should be updated to provide greater clarity and simplification of principles and provisions.

Currently, the UK Corporate Governance Code has three different types of principles and provisions:

- Main principles;
- Supporting principles; and
- Code provisions.

The Chartered IIA believes these three different principles and provisions can at times be unclear, repetitive and confusing. Therefore, the Chartered IIA advocates the Code be simplified by reviewing the principles and provisions and consolidating them into a limited number of essential principles. This will provide clarity for organisations on how they should promote good corporate governance.

As mentioned above, the Corporate Governance Code adopts a "comply or explain" approach which allows companies to be free not to comply, if they provide a reasonable explanation. The Chartered IIA suggests clarity and consolidation of the principles and provisions in the Code will promote higher levels of compliance under "comply or explain".

Question 12: Would you like to see the three different types of Code principles and provisions be consolidated and articulated more clearly?

Internal audit should be recognised as one of the integral elements of good corporate governance in the UK Corporate Governance Code.

There is no 'one size fits all' governance model. Governance structures and practices should be proportionate to the organisation. Nonetheless, an effective internal audit function represents best practice and its absence is an unnecessary risk.

Currently, the UK Corporate Governance Code mentions internal audit explicitly six times in the 37-page document. The main section that discusses internal audit is section C Accountability, subsections C.3.2. and section C.3.6. The Code states that audit committees should monitor and review the effectiveness of the internal audit activities. It also requires audit committees to consider annually if there is the need for an internal audit function and make the recommendation as appropriate to the board. In addition, mentioned in C.3.6, is the requirement for a company without an internal audit function to explain the reasons for this in the annual report (under "comply or explain").

The Chartered IIA proposes that the public interest would be better served if the Code were to state explicitly that an internal audit function is an integral element of good corporate governance as it would highlight to boards and audit committee chairs the vital role that internal audit plays in providing assurance on corporate governance.

Question 13: Should the Corporate Governance Code state explicitly that internal audit is an integral element of good corporate governance?

The role of internal audit should be explicitly stated in the UK Corporate Governance Code.

The Chartered IIA advocates that the UK Corporate Governance Code should explicitly state the role of internal audit. The Chartered IIA considers the role of internal audit to be:

To help the board and executive management to protect the assets, reputation and sustainability of the organisation. It does this by providing independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.

The Chartered IIA proposes this clause be included in the updated Corporate Governance Code because under "comply or explain", explicitly stating the role of internal audit will require companies without an internal audit function to make specific assurances about how they are managing the oversight of governance, risk and internal control in their organisation. Therefore, rather than simply explaining why an organisation does not have internal audit, companies will have to explain how these needs are otherwise satisfied.

Furthermore, the Chartered IIA considers that including the role of internal audit in the UK Corporate Governance Code will highlight which companies may be lacking internal controls and not actively managing their risks, which can negatively impact shareholders, customers, employees and the community.

Question 14: Should the Corporate Governance Code explicitly state the role of internal audit?

All companies should be required to have a Code of Ethics for staff to sign at the beginning of their employment and this be stipulated in the Code.

The Chartered IIA supports the Institute of Business Ethics (IBE) suggestion that there be a requirement in the Corporate Governance Code for companies to have a code of ethical behaviour which is overseen by the board.

A Code of Ethics that all members of staff sign up to at the beginning of their employment, creating a common framework upon which decisions are founded, would help encourage individuals to conduct business with honesty and integrity.

Question 15: Would you like to see a requirement for all companies to have a Code of Ethics included in the Code?

The FRC's Guidance on Audit Committees should state that heads of internal audit must report to the chair of the audit committee.

The role of internal audit is to provide assurance to the board that the organisation's risks are being managed effectively. One key element of this is providing assurance that there are effective corporate governance structures in place. To do this, it is vital that internal audit is seen as independent from the executive committee and able to critique the executive and its structures if necessary.

Therefore, the Chartered IIA advocates that the FRC's Guidance on Audit Committees should state that it is best practice for heads of internal audit to have a direct reporting line to the chair of the audit committee. Currently, the Guidance states:

"The audit committee should approve the appointment or termination of appointment of the head of internal audit. Internal audit should have access to the audit committee and board chairman where necessary and the audit committee should ensure internal audit has a reporting line which enables it to be independent of the executive and so able to exercise independent judgement." [6]

The Chartered IIA advocates the Guidance should be amended to explicitly state that the head of internal audit should report directly to the chair of the audit committee. In the past, it has often been the norm for the head of internal audit to report to the chief financial officer. This does not allow for the independence that internal audit requires to provide assurance that the executive team is functioning effectively and meeting corporate governance standards.

The Chartered IIA would be very happy to work with the FRC on updating the Guidance or work with the FRC to produce new guidance for audit committees and boards on best practice for internal audit functions.

[6] Financial Reporting Council, Guidance on Audit Committees, April 2016, pg. 9, pdf

Question 16: Should the FRC's Guidance on Audit Committees state that the head of internal audit should have a direct reporting line to the chair of the audit committee?

The FRC's Guidance on Audit Committees should provide a direct assertion of the independence of the internal audit function.

Furthermore, the Chartered IIA believes that the FRC's Guidance on Audit Committees must assert independence as a defining characteristic of an internal audit function. Currently, the Guidance only states that the reporting line should allow for independent judgement by internal audit. This is compared to the Guidance on the independence of external audit, which stipulates:

"The audit committee should assess the independence and objectivity of the external auditor annually, taking into consideration relevant UK law, regulation, the Ethical Standard and other professional requirements." [7]

The Chartered IIA considers the independence of internal audit to be as important as the independence of external audit and therefore the FRC's Guidance should be updated as such. This would reflect the International Standards for the Professional Practice of Internal Auditing which states that:

"The internal audit activity must be independent, and internal auditors must be objective in performing their work." [8]

In addition, the Guidance should state that internal audit has the right to attend and observe, in whole or in part, executive committee meetings and any other key management decision-making fora. It should be made clear, however, that because internal audit is present it does not mean internal audit approves the decisions taken and this should be understood from the outset of the meeting.

As mentioned above, the Chartered IIA would be very happy to work with the FRC on updating the Guidance or work with the FRC to produce new guidance for audit committees and boards on best practice for internal audit functions.

Question 17: Should there be a specific mention of internal audit's independence in the FRC's Guidance on Audit Committees?

Question 18: Should the FRC's Guidance on Audit Committees state that internal audit has the right to sit in at any decision making fora which they consider appropriate and relevant to the role of internal audit?

[7] Financial Reporting Council, Guidance on Audit Committees, April 2016, pg. 11, pdf
[8] International Standards for the Professional Practice of Internal Auditing (Standards), 2016, pg. 3,

Appendix A: Internal audit and corporate governance

The Chartered IIA describes the role of internal audit to be:

To help the board and executive management to protect the assets, reputation and sustainability of the organisation. It does this by providing independent assurance that an organisation's risk management, governance and internal control processes are operating effectively.

Therefore, as stipulated in the role of internal audit, auditing corporate governance is a key element of internal audit.

Auditing corporate governance is also stated in the International Standards for the Professional Practice of Internal Auditing. Standard 2110 describes the role of internal audit and corporate governance:

The internal audit activity must assess and make appropriate recommendations to improve the organization's governance processes for:

- Making strategic and operational decisions.
- Overseeing risk management and control.
- Promoting appropriate ethics and values within the organization.
- Ensuring effective organizational performance management and accountability.
- Communicating risk and control information to appropriate areas of the organization.
- Coordinating the activities of, and communicating information among, the board, external and internal auditors, other assurance providers, and management.

A1 The internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities.

A2 The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives.

All internal auditors are obliged to conform to the international standards. Therefore, to undertake their role, as internal auditors, it is required that internal audit measures risk and control in the corporate governance arena. This is why internal audit should be at the heart of any reform of the corporate governance regime.

The Chartered IIA is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland, and represents almost 10,000 members.

Appendix B: Complete set of questions posed

The definition of corporate governance

Question 1: What do you think should be included in a definition of corporate governance? Do you agree with the list above?

Question 2: Do you agree that the FRC should update the definition of corporate governance in the Code to reflect modern governance requirements?

Corporate governance reform in the UK

Question 3: Do you agree with the government's suggestion that a large company should be defined as a company with 2000 or more employees? If not, what definition should be used?

Question 4: Which principles, provisions or issues should be included in a code for large private companies? Which should not be included?

Question 5: What, if any, enforcement mechanisms should exist for large private companies if they fail to meet their responsibilities under the new corporate governance regime?

Question 6: Should the secondary legislation amending section 172(1) of the Companies Act be extended further to create a wider positive obligation on directors to mitigate adverse impacts on stakeholders?

Question 7: Would you like to see directors given positive obligations towards any of the following stakeholders? If so, which ones?

- Employees
- Suppliers
- Customers
- The community
- The environment
- Any other stakeholders

Question 8: Should the Chartered IIA recommend to have government introduce secondary legislation that requires all listed companies by law to comply or explain with all sections of the Corporate Governance Code?

Question 9: Does there need to be a review of the penalties that can be applied to directors and in what circumstances?

Question 10: Should there be a more effective enforcement regime to hold directors to account if they fail to meet their responsibilities under section 172?

Question 11: Should the FRC undertake the role of enforcement?

Updating the UK Corporate Governance Code

Question 12: Would you like to see the three different types of Code principles and provisions be consolidated and articulated more clearly?

Question 13: Should the Corporate Governance Code state explicitly that internal audit is an integral element of good corporate governance?

Question 14: Should the Corporate Governance Code explicitly state the role of internal audit?

Question 15: Would you like to see a requirement for all companies to have a Code of Ethics included in the Code?

Question 16: Should the FRC's Guidance on Audit Committees state that the head of internal audit should have a direct reporting line to the chair of the audit committee?

Question 17: Should there be a specific mention of internal audit's independence in the FRC's Guidance on Audit Committees?

Question 18: Should the FRC's Guidance on Audit Committees state that internal audit has the right to sit in at any decision making fora which they consider appropriate and relevant to the role of internal audit?