The audit profession has avoided obligations to undertake US-style
assessments of risk management for its UK-only clients.
Following a review of the Turnbull guidance on internal controls, the
Financial Reporting Council has concluded that the current system is working
It has argued that there is no need to introduce rules, such as those in
section 404 of the US Sarbanes-Oxley Act, which would require directors to make
statements on the effectiveness of internal controls and for auditors to attest
to such a statement.
Instead, just minor alterations to the guidance have been recommended.
‘The overwhelming view was that the Turnbull guidance continues to provide an
appropriate framework for risk management and internal control,’ said Douglas
Flint, HSBC finance director and chairman of the Turnbull review working group.
‘Its relative lack of prescription is considered to have been a major factor
contributing to the successful way it has been implemented, and we have
therefore decided against recommending substantial changes.’
Instead of a statement on internal control effectiveness, companies will only
be obliged to confirm that action has been or is being taken to address any
weaknesses identified in its effectiveness assessment.
Michael Hughes, chairman of audit at KPMG, who also sat on the review group,
said: ‘Any extension of this would have significantly increased compliance cost
out of proportion to benefits to shareholders.’
Glyn Barker, head of assurance at PricewaterhouseCoopers, said that the
decision made by the review group was ‘understandable’.
He added: ‘Sarbanes-Oxley was seen as necessary to bring about some “deferred
maintenance” of internal controls in an environment where many boards previously
had no explicit responsibility for control. The UK is not starting from that
Ernst & Young partner and Audit Quality Forum chairman Gerald Russell
said the review group’s decision was to be ‘immensely welcomed’.
The revised guidance, which is out for consultation for the next three
months, also says that companies should review their application of the guidance
on a continual basis.
Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security
The FRC has said that the investigation will 'consider, but not be restricted to, issues regarding misstated accounting balances'
Craig Maxwell joins the audit and assurance team in Scotland
Stephen Grayson to join the audit department in Manchester