Turnbull guidance on internal control
Evidence Gathering Phase Consultation Paper by the Turnbull Review Group
Comments from ACCA
March 2005
Executive Summary
ACCA is pleased to comment on the consultation paper that was issued on 2 December 2004 as part of the evidence gathering phase of the review of the Turnbull Guidance on Internal Control.
Overall, we believe the existing Turnbull guidance has been a success and has been widely implemented by boards. Its high-level, principles-based approach has been an important strength. A possible disadvantage of this flexibility, however, is that companies can choose to give relatively little (sometimes minimal) information to users of annual reports, although this is not necessarily always indicative of poor internal control. Our recommendations include proposals which, if implemented, should help to raise the overall quality of disclosure.
In risk management, risk appetite is an important consideration that the review should address. We believe that few organisations have more than a rudimentary understanding or analysis of risk appetite.
We hope that any revisions to the guidance will take the opportunity to reinforce the benefits for boards of considering risk as part of their strategy formulation. We also hope that the concept of risk will be broadened so that companies consider ‘upside risk’, or opportunity, as well as negative risk. That should facilitate a more entrepreneurial culture by reducing the tendency for risk management practices to encourage a culture of risk aversion. It should also make risk management more relevant to, and embed it within, managerial decision making.
We would like any revised guidance to emphasise the benefit of using a suitable control framework to assess internal control and for this framework to include upside risk or opportunity.
Although we support the idea that boards should make public their conclusions on the effectiveness of internal control, we are doubtful what value these conclusions add as they involve some possibly highly subjective assessments. Any requirement to provide such conclusions could risk making the process focus too much on objective tests, to the detriment of subjective assessment of areas such as the control environment. We recommend further research into the options for making effectiveness statements and of the costs and benefits of making them.
We expect that much can be learned from a close scrutiny of the US experience in implementing the Sarbanes-Oxley requirements for internal control over external financial reporting.
We would be pleased to discuss any of our comments in more detail with the Financial Reporting Council and to consider opportunities for joint research.
Responses to Specific Questions
These comments are based on the considerations of a committee of ACCA corporate governance specialists that was convened to respond to the consultation, and of our Technical Auditing Committee, as well as on responses from over 70 participants at an ACCA conference on enterprise risk management and from discussions among risk specialists of the Control and Risk Self-assessment Forum.
1. Has the Turnbull guidance succeeded in its objectives?
Owing to its high-level, principles-based approach, Turnbull has been widely implemented by boards. The flexibility of the guidance, however, has allowed a wide variety of approaches to be considered acceptable.
Although we encourage variety and flexibility, some approaches may tend more towards lip service and ‘ticking the boxes’ than to embracing fully the principles of the guidance. We note the opinion of Grant Thornton that although improvements have been made compared with previous years, still
‘34% of companies gave no summary of the process that boards and audit committees have applied in reviewing the effectiveness of the internal control systems and 30% of companies failed to acknowledge the full range of risks that are covered by their review, often referring only to financial controls.’
And
‘With 30% of companies still failing to, or only just meeting even the minimum requirements of Turnbull, this does not bode well given the greater number of detailed provisions that the Revised Code has introduced this [2003] November’.
We also suspect that companies will take the disclosures of other companies into account when drafting their own statements. Other companies may disclose little qualitative information yet may have sound internal control systems. This may lead to a general low level of disclosure, which may not reflect the real (and possibly much higher) level of internal control that exists.
Our answers to the other questions posed in the discussion document set out suggestions which, if implemented, should ensure that more informative disclosures are given in future. We also hope that the Review Group will be mindful of the costs and benefits of any increase in documentary requirements for companies that may result from the conclusions of the Review.
2. Are companies behaving differently as a result of the guidance? In particular, has the guidance had an impact on:
• the understanding of risks and controls (a) at board level; and (b) more widely within companies and groups?
• the way boards have approached business risk and strategy?
• the risk appetite of the board?
• improving the quality of risk management and internal control within companies?
We are of the opinion that the Turnbull Guidance has had a positive impact on understanding of risk at board level but less impact elsewhere within companies. We also believe it has positively affected how boards approach business risk. We suggest, however, that the Guidance has had less impact on how boards formulate strategy, as the Guidance does not emphasise the importance of considering risk before strategy is decided.
We recommend that any revised guidance should cover the need for boards to consider risk before deciding strategic plans, as well, of course, as in the implementation of strategy. We hope that any revised guidance will emphasise the benefits of a systematic and objective assessment of the relationship between strategy, risk and business outcomes. A key principle in embedding risk management is to make consideration of risk an integral part of decision making throughout the entire company.
A focus on what can go wrong, however, can contribute to a risk-averse mentality. A greater emphasis on strategy and opportunity (or upside risk) in any revised guidance should encourage boards to focus more on desired outcomes and management, with proportionately less emphasis on control and the avoidance of (downside) risk.
We are of the opinion that the Guidance has had relatively little impact on risk appetite. We have on two occasions facilitated discussions among risk specialists about risk management in listed companies and public sector organisations. These discussions have highlighted that there is little consensus on how to define risk appetite or how to consider or evaluate it as part of risk assessment. Most of the discussants concluded that their organisations are at an early stage in considering risk appetite.
We suggest that any revised guidance should explain what the Review Group means by ‘risk appetite’. In doing so, we believe it is important for the guidance to encourage companies to understand the nature of risk, and to formulate their risk appetite in terms of the outcomes they aim to deliver and the relationships between risks. This would inform their risk assessment.
There will be different views on risk appetite and tolerance in different parts of organisations. Risk appetite will also be influenced by culture and work functions. For example, and as a generalisation, sales and marketing people may have a greater appetite for risk than accountants.
3. What difficulties, if any, have organisations had in implementing the Turnbull guidance?
We have no comment.
4. Should the guidance continue to retain a high level and risk-based approach to internal control rather than move to a more prescriptive approach?
We give a strong ‘yes’. We note, however, that the present guidance does not recommend use of a prescribed control framework. The appendix offers questions based on the COSO control framework, which the board ‘may wish to consider and discuss with management’ for ‘assessing the effectiveness of the company’s risk and control processes’. The use of this framework is entirely optional and the guidance given is very brief in comparison with guidance in the COSO and CoCo frameworks themselves.
We consider that in any revised guidance, the main body of the document should either be based more recognisably on a suitable control framework or should recommend that companies adopt one of their own choosing. As implied in our answer to Question 7, such a framework should include upside risk as well as downside risk.
The COSO framework has become the standard framework in the US because it is required by the PCAOB Auditing Standard – ‘An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements’. COSO, however, does not address upside risk so it may not be the ideal choice in the UK. A framework which also considers business performance may be preferable. HM Treasury has developed a risk management framework for assessment based upon the EFQM Excellence model.
5. Should the guidance continue to cover all controls?
The Combined Code covers all controls. We strongly recommend that any revised guidance continue to consider the wider aspects of internal control rather than follow the Sarbanes-Oxley or earlier, Rutteman, approaches, which consider internal control only in relation to external financial reporting.
Consideration of all controls, and all types of risk (including those relating to strategy), should ensure that risk management and assessment of the effectiveness of internal control add more value to the business than consideration of a more limited range of controls.
6. Are there parts of the guidance on internal control that are (a) out of date or now unnecessary; (b) unclear; or (c) lacking in sufficient detail? If so, please identify them.
We suggest that any revised guidance include a glossary of terms (including the definitions of risk, internal control, risk management and risk appetite) and, as explained in our answer to question 5, more detailed guidance on the use of either a specified control framework or control frameworks generally.
7. If additions are needed to the guidance, what form should they take, what should they cover, and why would they be useful? Examples might include:
• additional questions in the current appendix;
• indicators to help boards and board committees identify where there may be potential cause for concern, for example of fraud or aggressive earnings management; or
• more examples of the types of risks that boards should consider, for example business continuity risk.
In addition to our answers to the earlier questions, in particular our answer to Question 2, we suggest that the existing guidance, by considering risks only as unwelcome events (downside risk) may discourage entrepreneurial activity and encourage a risk-averse mentality. We suggest that any revised guidance incorporate the concept of ‘upside risk’ which we would define as ‘the uncertainty of an event or events occurring which constitute a potential opportunity for the business which is outside the company’s business plan’.
This should help to ensure that opportunity is considered as part of the risk management process. It should assist boards to allow the risk management process to contribute more usefully to strategy and become better embedded in the organisation. It should also mean that companies manage uncertainty, rather than just risk, so that the outcome is what was planned or something better.
8. Do you have any other suggestions for changes to the guidance that are not covered by questions 6 and 7 above?
Yes. Our suggestions below arise from the fact that the original Turnbull guidance was a response to the Hampel Combined Code and, although the overall approach has not changed, the relevant provisions are slightly different in the 2003 Combined Code.
D.2 Internal Control (Hampel Combined Code)
Code Provisions
D.2.1 The directors should, at least annually, conduct a review of the effectiveness of the group’s system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.
D.2.2 Companies which do not have an internal audit function should from time to time review the need for one.
C.2 Internal Control (2003 Combined Code)
Code Provision
C.2.1 The board should, at least annually, conduct a review of the effectiveness of the group’s system of internal controls and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management systems.
The newer Code refers to a review covering all material controls. We believe any revised guidance should define what ‘material’ means in this context and give guidance on how the board may decide what is material. ‘Significant’ may be a more appropriate term to use because ‘material’ has its own technical meaning in an accounting context.
The newer Code also refers to ‘risk management systems’, no longer just to ‘risk management’. This seems to open the possibility that boards need not consider specific risks and should consider only systems. Clear guidance is needed on this apparent change – should boards look at specific (material) risks or just at the process via which all risks are managed?
The provision on internal audit has now moved to section C3 ‘Audit Committee and Auditors’. As the Smith Report did not address internal control in detail, we are concerned that the review of Turnbull should ensure that none of the substance of the text on internal audit in paragraphs 42 to 47 of the present guidance, or anything about the role of the audit committee in assessing internal control, is lost. Any revised guidance should include an explanation of the expected role of internal audit rather than referring only to the existence or otherwise of an internal audit function.
9. How useful to investors and companies are the existing disclosures on internal control? What value is placed on such disclosures by investors when making investment decisions?
We are not aware of any research evidence which can satisfactorily answer this question.
10. Would a different or extended form of disclosure facilitate better decision making? If so, how?
We suspect that institutional investors will place greater value on more direct communication with companies. A report on internal control may have little observable effect on their decision making.
It is a basic tenet of financial reporting, however, that all shareholders should have equal access to information. Reports would be more valuable if they were informative, rather than merely giving a ‘boilerplate’ disclosure.
If implemented, our recommendations should encourage more valuable disclosure.
We would prefer enforcement of disclosure standards to be left to market pressure rather than to regulation.
Simple disclosures of effectiveness or ineffectiveness may be of little value but disclosures relating to an evaluation of different components of a control framework (eg the control environment) and saying more than simply ‘effective’ or ‘ineffective’ may have more value.
11. What distinctions or linkages should be made between the business risk-related disclosures to be made in the Operating and Financial Review and the disclosures made as a result of the Turnbull guidance?
Clearly, both sets of disclosure should be consistent with and complement each other so that users of these statements can gain a wider and more complete view.
We believe it would be desirable for companies to make a disclosure on risk appetite as part of their OFR disclosure of objectives and risks. Investors and other stakeholders may welcome disclosure on whether risk appetite is increasing or decreasing, especially if a new strategy is being embarked upon.
12. What are the advantages and disadvantages of turning the board’s private assessment of effectiveness into a public statement of their conclusion on effectiveness?
We are unsure what value public statements on effectiveness may have, given the inherent subjectivity of the assessment process. We would therefore prefer that there is no regulatory requirement for companies to make public effectiveness statements. We would, however, be happy if any revised guidance recommended or encouraged companies to make such a disclosure and hope that best practice would develop via which the users of such statements (internal and external) receive a benefit that exceeds the cost of producing them.
Assessment of effectiveness should be regarded primarily as a learning process through which companies can improve both control and their business. A conclusion on effectiveness, while desirable, is less important than the benefits that should accrue from the assessment process. Economy and efficiency should also be considered, as a control can be effective but inefficient or more costly than necessary.
The present guidance covers the process for assessing effectiveness but does not explicitly require a conclusion on whether internal control is effective or not. Any revised guidance should make it clear whether a conclusion is required and, if so, give clear guidance as to how this can be done. Such guidance could include how boards can identify any boundary between ineffective and effective.
The US SEC has given a precise technical meaning to the word ‘effective’ in the context of internal control. This meaning may not be the meaning that all users of annual reports would infer from the use of the word. If effectiveness statements are to be made public, it is important that they are clear, readily understood and not readily capable of being misinterpreted.
As suggested in our answer to Question 10, disclosures relating to an evaluation of different components of a control framework (eg the control environment) may have more value than a simple statement on effectiveness.
13. Would boards and investors wish to see additional disclosures on the outcomes of the boards’ review of effectiveness and actions taken following that review? If so, what information would be appropriate?
See our answers to Questions 9 to 12. In addition, we recommend that research should be undertaken on the different forms that such disclosures might take and on the consequent benefits and costs to investors and companies.
14. What benefit does the existing work performed by external auditors on internal control, and the subsequent dialogue with the board, provide to: (a) the board of a company; and (b) investors?
We are not aware of any evidence from research in this area.
15. What are the advantages and disadvantages of extending the external auditors’ remit beyond the existing requirements? If you consider that any change should be made to the existing remit, what might this be and why?
We note that ISA 315 extends the role of the auditors, which will increase the external auditors’ understanding of internal control within the company. This should place the auditors in a more informed position when they relate the directors’ statement on internal control to their own knowledge.
We do not suggest extending the external auditors’ remit but would like to retain the existing requirement for auditors to report if they believe the directors’ statement on internal control is inconsistent with their knowledge or, in their opinion, is misleading.
Requiring more detailed reporting will probably mean that the whole assessment process (both by boards and by auditors) will become overly focused on objective testing and that the arguably more important subjective assessments (such as in relation to the control environment) will be scaled down or ignored.
16. What impact, if any, might an extended role for the external auditor have on the relationship and dialogue between the external auditor and the board and its committees?
See our answer to Question 15.
17. Are there any other matters that should be brought to the attention of the Review Group?
We would like to see greater clarity about the sanctions that can apply to boards of companies that do not have sound internal control.
We would also point out that the present guidance has a considerable influence beyond listed companies. For example, many parts of the public sector have made extensive use of the guidance. Where practicable, we hope that the Review Group will consider how other types of organisation might be affected by any revised guidance. ACCA has many members and students working in the public sector in the UK and we would be delighted to assist you with such a process.


