Review of the Turnbull Guidance on Internal Control
Proposals for updating the guidance
Turnbull Review Group
Comments from ACCA
September 2005
Executive Summary
ACCA is pleased to comment on the consultation paper by the Turnbull Review Group giving their proposals for updating the guidance on internal control issued on 16 June 2005.
Overall, we are pleased that the Review Group is not proposing significant changes to the Guidance. In particular, we are pleased that the Guidance will continue to consider the wider aspects of internal control and that it will not require public reporting of conclusions on effectiveness. We agree with most of the recommendations.
Nevertheless, as discussed in our submission in March to the evidence-gathering consultation, we would have preferred further changes to take more account of developments in risk management, to ensure that risk management considers strategic matters, and to reduce the tendency for boards to become too risk averse.
Our main comments on the proposed new guidance are these.
- We consider that the references to the OFR should be clearer. The mandatory OFR will herald important changes in the way that companies report on risks. Members and other users of the annual report and accounts are entitled to expect more seamless reporting on the risk management process (under Turnbull) and on particular risks (under the OFR). As a result of additional disclosures required by the OFR, the proposed guidance also creates an ambiguity on how companies should report on the process applied to deal with reported internal control problems. In our detailed comments, we suggest how the proposed guidance could more clearly set out the complementarity between Turnbull and the OFR.
- We would prefer that the appendix be amended to reflect the COSO Enterprise Risk Management Framework.
- We disagree with the proposal to drop the section on internal audit.
Finally, although we recognise that the Turnbull Guidance is addressed to listed companies, it has and will continue to exert a strong influence on other sectors. We would like to see the guidance acknowledge this influence. For example, the preface could note that internal control is important to all large organisations, public as well as private, and that while the guidance is written for listed companies, its principles are relevant to, and have been applied in, other sectors.
We would be pleased to discuss any of our comments in more detail with the Financial Reporting Council or the Review Group.
Detailed Comments on the Recommendations
These comments refer to the summary of recommendations on page 5 of the Consultation Paper. We agree with each of the recommendations except where discussed below.
A. Significant changes to the Turnbull guidance are not required (paragraph 2.12).
We agree; however, we would prefer a few further minor changes as indicated elsewhere in this response.
D. A new preface should be added to the guidance which will encourage boards to review on a continuing basis their application of the guidance (paragraph 3.18) and look on the internal control statement as an opportunity to communicate to their shareholders how they manage risk effectively (paragraph 4.40).
The words ‘continuing basis’ could be interpreted as meaning that boards should make their review at each board meeting, which we assume is not the Review Group’s intention. We suggest the last paragraph of the preface could make its recommendation clearer and add, for example, that ‘continuing’ means ‘at least annually’.
E. The guidance should be amended to:
(iv) remove the section relating to internal audit, which is now dealt with in provision C.3.5 of the Combined Code, and which the FRC should incorporate into the Smith guidance on audit committees (paragraph 3.22)
We would prefer the internal audit section to stay in the Turnbull Guidance. Moving it to the Smith Report would mean that the section would have less impact for the following reasons.
- While Turnbull and Smith are both formally addressed to entire boards, audit committees comprise only independent non-executive directors. The Smith Report therefore gets less attention from management and from executive directors than does the Turnbull Report.
- Internal audit is the main source of assurance on internal control for the board and for the audit committee.
- The Smith Report has not, and will not, achieve the seminal status of the Turnbull Report, and so dealing with internal audit in the Smith Report risks reducing its impact.
If the internal audit section is moved to the Smith Report, we would like the new Turnbull Guidance to include a suitably prominent cross-reference to where it will appear in the Smith Report.
(v) require boards to confirm that necessary action has been or is being taken to remedy any significant failings or weaknesses identified from their review of the effectiveness of the internal control system (paragraph 4.29) and to include in the annual report and accounts such information as the board considers necessary to assist shareholders’ understanding of the main features of the company’s risk management processes and system of internal control (paragraph 4.39).
We agree, although we note that this leaves boards with the options of either saying simply that necessary action has been taken, or providing fuller explanation of the action that has been taken to allow the reader to assess the quality and sufficiency of the action.
G. There should be no need for companies that are already applying the Turnbull guidance to develop additional processes in order to comply with the requirement to identify principal risks in the OFR (paragraph 4.33), but companies are encouraged to ensure that the OFR and the internal control statement are complementary (paragraph 4.36).
We agree. We consider, however, that the guidance should state more clearly the ways in which the Turnbull Guidance and the OFR requirements are complementary. The Turnbull Guidance covers the process for review of effectiveness and for reporting on the review, whereas the OFR requires disclosure of actual risks.
At present, the only reference to the OFR in the proposed guidance is in the appendix, which says that the risk assessment is likely to include the principal risks identified in the OFR. This part of the proposed text could be interpreted as meaning that the OFR process is driving risk identification. We believe that risk identification is part of the process covered by Turnbull that will be used to inform those preparing the OFR. We therefore suggest that the sentence ‘These are likely to include the principal risks identified in the Operating and Financial Review’ be changed to ‘The principal risks identified in the Turnbull process will be reflected in the OFR’.
We are also concerned that there is scope for confusion in paragraph 36 of the proposed guidance. The last sentence refers to the board’s disclosure of ‘the process it has applied to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts’. The mandatory OFR will require boards to report significant risks. We hope the Review Group will clarify whether it is their intention for the word ‘problems’ to include risks and for the sentence to mean that boards in future will also have to report the process applied to deal with the risks identified in the OFR.
We support the idea that boards should make this sort of disclosure but it seems inappropriate for risks to be disclosed in the OFR and treatment of those risks to be disclosed in the internal control report. Boards would, of course, have the option of including their OFR disclosure of risks as part of their internal control report, but the practice at present is for separate reports. We recommend that the guidance should clarify what is meant, in paragraph 36, by the word ‘problems’.
Other Comments
We would prefer the control questions in the appendix, which are based on the 1992 COSO report, to be amended to reflect the greater emphasis on risk management, and its relationship to strategy, contained in the updated COSO Enterprise Risk Management framework. For example, in the appendix, the second bullet of risk assessment could include strategic risks in the list of risks, and the subdivisions of this appendix could be brought in line with COSO’s eight components of enterprise risk management.
It follows that we would also like the types of risk listed in paragraph 19 to include risks to strategy. We recognise that most boards will in any case consider risks to strategy but this does not justify omitting explicit reference from an otherwise comprehensive list. We note that paragraph 55 of ASB Reporting Standard 1 on the OFR requires disclosure of strategic risks.


