Protecting stakeholders
Implementing ICFR in the UK
October 2020
Contents
Foreword  2
Background  3
A framework for internal control over financial reporting (ICFR)  4
An overview of ICFR for the FTSE 100  11
Lessons learnt from US Sarbanes-Oxley  13
Accelerating ICFR implementation  15

Protecting stakeholders Implementing ICFR in the UK | 1


Foreword
A holistic approach to support resilience and enhance integrity at times of crisis.
Hywel Ball, UK Chair and UK&I Regional Managing Partner

Businesses have been facing unprecedented challenges and disruption throughout the COVID-19 pandemic. The survival of many companies still hinges upon their ability to react at speed to changing influences, rapidly identify risks and mitigate their impact.

The pandemic presents nevertheless the opportunity to raise standards. In recent years, business leaders have been facing increasing pressures to run businesses in a more socially responsible way, considering effective opportunities for value creation. The current crisis is accelerating this trend, requiring boards to demonstrate that the public interest is integrated in the company’s purpose, in order to deliver benefits to employees, customers, pensioners and wider society as well as to shareholders.

Now is the time to introduce constructive reforms, and embed cultural and operational changes to better equip businesses with the tools to respond to fluid and uncertain business environments; give stakeholders and regulators the opportunity to make timely interventions; and ensure companies’ long-term survival.

Recent reviews into the audit market provide a crucial opportunity to respond to the breakdown in society’s trust in business by strengthening the entire ecosystem for the longer term and introduce safeguards to mitigate future crises.

EY has long been an advocate for effective accountability of management and directors, including audit committees, as they are responsible for the accuracy of corporate information on which shareholders and stakeholders rely.

The introduction in the UK of a mandatory framework for ICFR — and potentially broader internal controls in future — would support both the innovation of audit to meet users’ needs and expectations more effectively, and companies’ response to fluid and uncertain business scenarios.

I hope this publication will be useful to policy makers and regulators while developing reform measures; to businesses considering suitable approaches and readiness; and to investors to inform and strengthen their engagement with companies.



1 Background
In August 2019, we published a paper¹ contributing to the public debate around the introduction in the UK of an internal control accountability framework, leveraging certain aspects from the US Sarbanes-Oxley Act of 2002 (SOX or the ‘Act’).

Our paper followed the independent review of the Financial Reporting Council (FRC) led by Sir John Kingman², which concluded in December 2018 and recommended to give serious consideration to the case for a strengthened framework around internal controls within UK companies, learning relevant lessons from the US.

In December 2019, Sir Donald Brydon published his report into the future of auditing (the Report)³, providing further impetus to the debate, elaborating on the importance and the mechanics of introducing stronger internal control measures and making specific recommendations. The Report takes an important stance on the risks in financial statements and recommends the introduction of mandatory internal control statements requirements on boards.

The ICAEW’s latest essay on internal controls⁴ reports on widespread stakeholders’ agreement that “work is needed on the foundations for the review of internal control effectiveness that is already required in the UK. There is also agreement that the focus of this work needs to be on companies, rather than external auditors, and that greater clarity is needed about who is responsible for internal controls within companies”.

Building on our August 2019 paper, and in light of the developments that followed, this paper provides additional considerations and further analysis and insights to support the development of a coherent internal controls framework for the UK market.

¹ “Protecting Stakeholders — Enhancing internal control accountability in the UK”, EY August 2019
² https://www.gov.uk/government/news/independent-review-of-the-financial-reporting-council-frc-launches-report
³ https://www.gov.uk/government/publications/the-quality-and-effectiveness-of-audit-independent-review
⁴ https://www.icaew.com/technical/thought-leadership/audit-and-assurance-thought-leadership/internal-controls-reporting-sketching-out-the-options
2 A framework for ICFR
The UK is an important economy. It has long been regarded as a world leader in corporate governance and reporting, audit and accounting and regulatory oversight. The balance of high standards, proportionate legislative requirements and appropriate levels of flexibility have made it an attractive place to invest and do business.

Confidence of stakeholders, in the quality of business frameworks, is vital for the UK to retain its position in capital markets. But high-profile corporate failures over the past few years have raised alarms as to the effectiveness of existing frameworks. The subsequent Government reforms in corporate governance⁵ and stewardship have sought to further strengthen the system and enhance accountability mechanisms as effective safeguards.

Following the 2018 corporate governance legislative measures, the Government has since embarked on wide-ranging reviews of the audit regulation, the audit profession and the future of audit, as elements of a comprehensive industrial strategy. The publication of a comprehensive package of consultations and proposed measures is expected in the coming months.

2.1. Reforming the corporate and regulatory ecosystem
COVID-19 is continuing to increase systemic risks and impose huge disruption to businesses’ operations. Moving forward will require a robust recovery plan, the success of which — particularly in the longer term — will heavily rely upon a holistic reform of the business ecosystem.

Comprehensive legislation, additional regulatory requirements and revised standards delivering audit reform, must be accompanied by decisive changes in corporate governance, reporting and accountability, ensuring oversight of all these by a strengthened regulator.

Crucially, a cohesive and balanced package of measures should give shareholders the right incentives and powers to exercise responsible stewardship. This package of measures will also ensure that each player in the business environment does its part and is accountable, including giving a broader range of stakeholders — employees, customers and wider society — greater insight on how companies are run.

2.2. ICFR in the UK and SOX
Strengthening the capital markets and the UK economy for the long term, will heavily rely on the successful implementation of the reforms currently being developed. Restoring stakeholders’ confidence in business will require a strong focus on protecting the public interest.

EY has been consistently vocal about the need to include, in the wider audit reform objectives, particular focus on raising the bar on internal control effectiveness and accountability. Boards must be made to take responsibility for having appropriate systems and internal controls in place and be accountable for their effectiveness.

In terms of the extent of internal controls, we are of the view that it would be beneficial to introduce a requirement for companies — such as for management, on behalf of the board — to provide an attestation on all internal controls, using a recognised framework. This approach would be consistent with the UK Corporate Governance Code, and the statement boards already make on risk management and internal control systems.

However, this may prove too demanding for UK companies as they would need to have better evidence gathering mechanisms in place, more rigour and the agility of linking controls to risk mitigation. In alternative, and in addition to ICFR, consideration should be given to requiring an attestation to all internal controls at least for the principal risks or a subset of ‘viability risks’ even if for the medium term.

⁵ https://www.legislation.gov.uk/uksi/2018/860/made



A framework for internal control over financial reporting (ICFR)

While we recognise that any reforms need to remain proportionate in the current challenging environment, we also think that it is this very environment that needs some key changes.

Immediate efforts and resources should concentrate on introducing a strong ICFR framework, ensuring boards and management are subject to scrutiny, accountable to an external party — whether the regulator or the external auditor or both — and required to provide evidence on a regular basis that the mechanism is designed and operating effectively.

While we agree with the aim of identifying an approach consistent with domestic frameworks, we nevertheless believe that there is merit in learning from experience in other jurisdictions.

Since its implementation in the United States, SOX has led to improvements in financial reporting (i.e., reduced number of restatements), strengthened the corporate governance requirements for listed companies (particularly with respect to audit committees), enhanced auditor independence (by prohibiting external auditors from providing certain non-audit services to audit clients) and increased investor confidence⁶.

SOX provisions underline clearly that primary responsibility, for internal financial controls and the accuracy of financial reporting, rests with the management of a company. They require the CEO and CFO to gain a deeper understanding of their data and their business in order to anticipate or identify failures and take appropriate action to reduce business risk. SOX has increased the levels of trust and confidence in business, particularly where auditors provide some form of assurance.

Standards improved in the US after the introduction of the Sarbanes-Oxley Act in 2002, with restatements of financial statements now at the lowest level since 2006.

Our August 2019 paper considered an approach directionally aligned with that adopted in the US through SOX and set out six options for an enhanced internal control accountability framework in the UK (see box below).

Our recommendation from our August 2019 paper
The potential options in considering an enhanced internal control accountability framework in the UK include:
US SEC Registrants
1. Current UK director accountability
2. Management certification of annual report
3. Assessment of, and reporting on, the effectiveness of ICFR
4. Auditor reporting on ICFR
5. Assessment of, and reporting on, the effectiveness of entity wide internal controls
6. Auditor reporting on entity wide internal controls

We recommend consideration be given to option 3 above: CEO and CFO certification of all disclosures in the annual report and accounts and management’s assessment of, and reporting on, the effectiveness of ICFR.

We are advocating enhancements with respect to internal control accountability, in addition to the board’s current responsibilities, not replacing or diminishing the board’s accountability. The US experience demonstrates that the requirement for certifications will facilitate greater responsibility and focus by CEOs and CFOs to ensure that there are effective internal controls and accountability throughout their organisations.

We also believe that requiring such certifications would support the new regulator, The Audit, Reporting and Governance Authority (ARGA), in designing and operating their framework for appropriate supervision and oversight.

The recommendations in our August 2019 paper may be perceived as a significant undertaking and will require greater clarity with respect to the roles and responsibilities of directors, management, audit committees and the auditor with appropriate standards, regulatory oversight and enforcement for the parties involved.

Now, more than ever, the UK capital markets must continue to remain attractive to both investors and issuers. Enhanced corporate reporting can play an important role in protecting stakeholders. EY continues to believe that reinforcing accountability of directors is one of the pillars of enhanced corporate reporting.

⁶ “The Sarbanes Oxley Act at 15: What has changed?”, EY, June 2017
2.3. Effective frameworks, scrutiny and accountability
The ICAEW June 2020 essay paper — referred to above — discusses whether a new UK ICFR approach should be based on the Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiative⁷, specifically the 2013 framework over internal control or something else.

COSO is understood globally by regulators, companies and auditors alike. In our view, there would be clear advantages in aligning any new mechanisms to an already widely adopted framework and the informal feedback we get from companies we audit and other non-audit clients confirms it.

Developing or adopting a UK specific framework may prove counterproductive, particularly when applied across a global group, where subsidiaries are already familiar or trained in COSO.

Crucially, irrespective of whichever framework is concluded upon as being suitable for the UK market, minimum requirements should be in place.

With regards to external assurance over the management/board’s attestation to the effectiveness of ICFR, direct experience and evidence-based analysis demonstrate that it provides clear benefits. In the absence of a blanket requirement for companies to seek additional assurance, it should be mandatory for the evidence supporting the design and operating effectiveness of ICFR to be retained to an auditable standard.

Allowing directors the flexibility to request additional assurance and only requiring an auditor’s attestation when management identified a ‘relevant control failure’ as suggested by Sir Donald Brydon in his report, whether or not a failure of control has been identified, would not provide sufficient scrutiny of the work done by directors and management, but rather trigger a perverse incentive model. If not required by law, the decision on whether to request external audit should rest with the regulator and, ideally, be informed by a shareholders’ vote.

Additionally, where directors attest on the effectiveness of internal controls and there is no requirement for external assurance, nor a mechanism for the auditor to provide explicit disclaimer, the risk of increasing the audit expectation gap is significantly higher.

Strong internal control requirements and effective scrutiny, supported by adequate sanctions, have proven to contribute to companies’ resilience and sustainability, improved protection to shareholders and a wider range of stakeholders’ interests, and driven audit quality.

Poorly governed companies may lack incentives to improve. A light-touch approach, focused on minimal burdens combined with the absence of a monitoring and enforcement regime, would not address the problem.

EY point of view — key requirements for effective ICFR
• The starting point should be the purpose — a strong ICFR helps to reduce the risk of fraud and corporate collapses and therefore protects shareholders and wider stakeholders.
• In terms of which entities should be caught, thresholds should be heavily influenced by investors’ and other stakeholders’ views. There may be merit in considering a phased implementation, as suggested in the EY 2019 paper referred to previously.
• Any new mechanism should clearly indicate relevant materiality definitions including for ‘material weakness’ and ‘significant deficiency’ and the criteria for reporting such findings publicly.
• Significant investment in robust process documentation and clear control evidence would be needed to achieve meaningful outcomes.
• The framework should clarify principles for the board’s attestation, including a mechanism for directors to be required to provide documentary evidence of how they have reached their conclusions on ICFR, whether to an external regulator, external auditors or some other body.

⁷ https://www.coso.org/Pages/default.aspx



2.4. Typical areas of strength and challenges for UK companies
Using the COSO framework as a starting point, we held a number of meetings with FTSE 100 and FTSE 250 companies to conduct an ‘ICFR readiness assessment’. These meetings helped identify areas of strength and challenges for UK companies in ICFR. Based only on the companies we met, the observations include:

1. Leadership
Many UK companies say they have a good ‘tone at the top’, including appropriate board and governance structures and accountability. In improving ICFR, the challenge is for the approach to be cascaded down and embedded across the rest of the organisation. This starts with a review of the operating model across the three lines of defence including IT.

2. Strong focus on operational performance
Our interviews revealed that UK corporates generally have a strong focus on operational and business performance, which tends to be prioritised over internal controls. For such companies, the successful implementation of ICFR will rely on a change of culture, which will give internal controls equal emphasis along with more focus on assessing ICFR risks.

3. Senior leaders with ICFR knowledge and expertise
We know of several companies effectively implementing robust ICFR with no background in US SOX. Many UK companies would benefit from appointing senior finance leaders with experience of ICFR or US SOX as it would facilitate adopting a controls mindset. The number of executives with such experience is relatively limited within UK companies. So the challenge still lies in expanding relevant knowledge, training companies, and setting appropriate rewards, incentives and penalties in order to embed a controls culture.

4. Maintaining a strong and independent internal audit function
Our discussions confirmed that most UK corporates have an internal audit function with a broad range of responsibilities across enterprise risk. When a company enhances ICFR, the internal audit function can provide advice around who should be designing and testing any new ICFR controls. The internal audit function will need to be careful to maintain its independence of control design and operating effectiveness. This can be a challenge for companies with fewer people involved in risk management.

5. Reasonably strong IT policies and procedures including cybersecurity
Companies we met confirmed that they are mostly aware of cyber risks and have good policies to address them, along with good policies around access control and change management. The challenge is in actually turning the policies into practice. This means designing, implementing and testing the operating effectiveness of these controls.



2.5. Deficiencies and gaps include:

1. Lack of understanding of the importance of processes, risks and controls
It was a common finding that many entities lack a widespread appreciation of the importance of robust processes, risk identification and controls. Those groups who emphasise financial and commercial performance above financial reporting controls will find they will need to address the tone from the top if they are to genuinely embed a culture of controls.

2. Inconsistent accountability and ownership of controls, issues and procedures
Accountability and ownership of controls, issues, policies and procedures is inconsistent within many companies. This is exacerbated when there are multiple hand-offs, for instance between business and a shared service centre, and no global process owners (GPO) or where responsibility sits outside of the finance team (e.g., taxation).

3. Financial and fraud risk assessment process
It was surprisingly common to hear that most UK companies have no formalised financial reporting risk assessment and no formalised fraud risk assessment. These will be an essential starting point to comply with Sir Donald Brydon’s recommendations, not just on ICFR but also on fraud.

4. End-to-end process understanding and visibility
To establish effective ICFR, it is vital to ensure a good understanding of business process and underlying IT systems and reports. However, some companies lack visibility and understanding in most or all of their end-to-end processes. Setting this out clearly can be done using flow charts and risk and control matrices (RACMs). This is typically the most significant part of an ICFR improvement process, but there are now many tools available which can help companies accelerate this exercise.

5. Monitoring activities are in early stages of maturity
Effective monitoring can offer powerful ‘detect and prevent’ controls, but only if it is set up reliably to prevent or detect material issues. For UK groups, where monitoring is done, it is typically ad-hoc and not consistently followed month to month. UK companies should evolve controls monitoring to a consistent and reliable state and drive towards data driven ‘continuous control’ monitoring.

6. Non-interconnected, aging and legacy IT architecture
Some UK companies have disconnected, aging, legacy IT architecture. In any ICFR strengthening programme, the IT applications that are used to generate information that is used in the financial statements would need to have robust IT controls. For UK companies that have evolved by acquisition and have not integrated their IT systems or who have old customised IT systems, the IT SOX challenge will be significant. Even with cutting edge modern enterprise resource planning (ERP) systems there is a significant challenge if the implementation is not adequately controlled. In addition to this we often see challenges in communication and accountability for data and controls between the finance and the IT departments.



2.6. Perception of strengthening ICFR among UK companies

In June 2020 we held a webcast⁸ for CFOs, controllers and heads of internal audit where we discussed the introduction of a SOX-inspired framework for ICFR in the UK. We asked delegates a number of questions to explore the perception of strengthening ICFR in the UK. The findings* can be seen below.

For your company what would you hope to be the main benefits of strengthening your ICFR? (# responses = 257)
Increased directors’ accountability, tone from the top and establishing a controls culture in our people: 65.1%
Increased confidence in the numbers: 63.9%
More focus on risk including fraud risk: 37.7%
Better insights from more reliable data: 35.0%
Improved IT, data and internal reports: 27.2%
Setting up for evolving financial reporting needs: 19.8%

Which aspects should be addressed by Government and regulators to help UK entities implement an effective ICFR regime? (# responses = 249)
Establish a clear definition of material weakness: 49.4%
Allow for a reasonable implementation period: 48.6%
Require the ICFR statement to be audited: 37.8%
Introduce a monitoring and enforcement mechanism: 36.5%
Exempt ICFR attestation for smaller groups: 28.9%
Encourage greater use of data analytics: 26.5%

What will be the main challenges of strengthening your financial controls? (# responses = 236)
Managing and aligning the programme with other priorities: 57.2%
Establishing a controls culture with our people: 46.2%
Fixing our IT estate, data and reports: 44.1%
Proving the business case and getting the right investment: 35.6%
Getting buy in from the CEO and CFO and other leaders: 13.1%
Please drop it and let us focus on other priorities instead: 5.6%

* Note: Participants were able to select up to two options per question and the results are shown here. The first three questions are about benefits, regulation and challenges of implementing ICFR. The fourth question concerns the use of technology and was added to give a sense of where companies may be able to implement ICFR more efficiently than was the case when US SOX was introduced.

⁸ https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&referrer=&eventid=2395968&sessionid=1&key=B09423B4EF5093D463D045C794633FD1&regTag=&sourcepage=register



Responses showed that the main benefits of strengthening ICFR, were increased directors’ accountability and increased confidence in the numbers, followed by a focus on risk including fraud risk, better quality data and improved IT. Increased directors’ accountability and confidence in numbers were significantly aligned with a necessary change in the companies’ internal culture, which demonstrate an understanding that, in order to be effective, reforms require the ‘buy-in’ of the entire organisation.

While clarity on materiality definitions and sufficient time to implement the reforms were identified as top priorities, about a third of respondents were in favour of the ICFR statement being audited and a further third (with a small amount of overlap) voted in favour of a monitoring and enforcement mechanism for ICFR. Less than 30% wanted smaller groups to be exempt from ICFR attestation and only about 5% voted for ICFR changes to be dropped entirely.

In summary, from the sample surveyed, there is broad support for an effective, monitored and enforced, and possibly audited, ICFR mechanism to be introduced in the UK.

Where do you think investment now in your organisation would bring most value later? Select two. (# responses = 227)
Technology to optimise controls: 72.7%
Technology to pre-assess high risk areas: 43.6%
Technology to improve scoping and understanding: 39.2%
Technology to support project management: 20.3%

The majority of respondents noted that automating controls in their IT systems would be a good investment now, compared to investing in project management technology. Indeed, using more automation to help eliminate some manual processes should enable companies to reinvest savings into other areas of improving ICFR.



3 An overview of ICFR for the FTSE 100⁹
Out of the FTSE 100 companies, 22 are already foreign private issuers (FPIs) i.e., they already file ICFR audit opinions in the US markets.

[Chart: composition of the FTSE 100, August 2020: 78 non-FPIs, 22 FPIs]

For this reason, and to avoid a two tier approach in the UK, we would encourage avoiding duplication of requirements. Instead, we think that a reasonable degree of equivalence or relief, with the exception of any new potential requirements in the areas highlighted in Sir Donald Brydon’s Report (such as fraud, key performance indicators and alternative performance measures and the resilience statement), should be allowed.

The Report, as indicated in previous sections, does not recommend a mandatory ICFR audit opinion, unless an internal control failure has occurred.

Auditors report a material weakness
In the audit opinions in their most recently filed annual reports (August 2020) two out of the 22 FPIs (circa 9%) in the FTSE 100 reported a material weakness in ICFR. None of the 78 non-FPIs reported a material weakness in ICFR, although there is no basis for such reporting under ISAs.

The UK Corporate Governance Code requires directors to report on their review of the effectiveness of the system of risk management and internal control. As part of this they need to explain actions which have been or are being taken ‘to remedy any significant failings or weaknesses’. In practice the statements that UK companies make to satisfy this requirement are generally high level and lack the specificity that would be needed when, for example, an FPI reports a material weakness under US SOX. Although none of the 78 non-FPIs reported a material weakness, in a small number of audit opinions, the auditors stated that they were unable to rely on controls for the purposes of their audit and so performed additional substantive procedures instead.

In addition to auditors commenting on controls in their audit opinions, companies are also highlighting ICFR weaknesses elsewhere in their annual report, often in the audit committee report.

FPIs report a higher percentage of control issues than non-FPIs, as might be expected given their requirement to comply with US SOX. Furthermore, FPI auditors and their management teams are generally more aligned on ICFR issues than non-FPIs.

If the UK mandates an ICFR attestation requirement, we would expect UK companies to report more material weaknesses in internal controls than they report today. If, in addition, the UK mandates external auditor attestation on ICFR we would also expect (i) a further step up in the number of material weaknesses reported and (ii) there to be more alignment between auditors and management about what the ICFR issues actually are.

⁹ Source: EY analysis August 2020



3.1. Audit opinions on the effectiveness of ICFR
Our 2018 FPI SOX survey noted that those companies that changed auditor reported relatively more material weaknesses and significant deficiencies than those who did not change auditor. This finding may imply that a fresh pair of eyes is more likely to identify ICFR issues.

The finding also supports the view that external audit of ICFR is likely to facilitate identification of material weaknesses in ICFR, therefore highlighting one of the advantages of involving auditors from the outset.

EY point of view
Evidence from the US generally supports the view that CEO and CFO accountability for, and attestation of, the effectiveness of ICFR contributes to increased quality of the financial reporting and reduction in the number of material misstatements. For US reporters, the involvement of the auditor further supports this aim by providing an independent opinion on the effectiveness of ICFR.

Involving your auditor
Did you change your auditor recently and what was the impact?

Auditor change within the last two fiscal years
Yes: 16%
No: 84%

Did you experience an increase in control deficiencies? (Yes answers)
New auditor: 38%
Incumbent auditor: 7%

• When auditors test ICFR controls for the first time, they tend to find issues which may be beyond what management has identified.
• Involving the auditor to test and report on the effectiveness of ICFR will increase the audit fee for the company. However, if the auditor’s work helps management focus its efforts on areas where they may have had a blind-spot, it will reduce the risk of errors, increase trust and confidence in the financial reporting and lower remediation costs later.

Source: EY Foreign Private Issuer SOX Survey 2018

Protecting stakeholders Implementing ICFR in the UK | 12


4 Lessons learnt from US Sarbanes-Oxley

4.1. Restatements and material weaknesses after US SOX

[Charts: ‘Restatements in the financial statements of accelerated filers publicly listed in US’[11] and ‘Reported numbers of material weaknesses’[12], both plotted by year from 2004 to 2019, with the point at which SOX was introduced marked.]

Restatements are a very strong indicator that there was a material weakness (MW) in ICFR. So, in assessing whether US SOX has been effective in its objective, it is worth revisiting the US history of (i) restatements and (ii) material weaknesses in ICFR.

(i) Restatements (‘Big R’ restatements)[10]

A restatement happens when companies discover a material error, after the fact, in already issued financial statements and need to correct that error and disclose that correction. It tells the shareholders that the previously reported financial results were not reliable. A restatement represents the most severe issue with financial reporting and the situation can get more serious if the error was a result of a fraud. A restatement may cause stakeholders to lose confidence in the management team and therefore may have a disproportionately negative impact on market value.

The number of restatements reported by US public companies has been steadily decreasing since the introduction of SOX.

The number of reported material weaknesses for domestic US and foreign filers increased from 2004 to 2009 and it has remained at a high level since then. At the same time the number of restatements of financial statements filed with the SEC has been steadily decreasing since 2004, with a significant drop in the years following SOX implementation. This picture offers some evidence that mandating CFOs and CEOs to attest to the effectiveness of ICFR may have helped to reduce the volume of restatements for US reporters by around 90%.

(ii) Material weaknesses

According to Auditing Standard 5 in the US, a material weakness in a control environment is a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the company’s annual or interim financial statements will not be prevented or detected on a timely basis.[12]

A material weakness must be reported in management’s assessment and the auditor’s attestation on ICFR in the annual report and informs shareholders that the management team failed to effectively design or operate controls over ICFR.

The auditor’s regulator in the US, the Public Company Accounting Oversight Board (PCAOB)[13], plays a critical role. Through inspections of audit firms, the PCAOB in effect is setting out what is expected for ICFR audits. This has brought more consistency and standardisation in the application of ICFR findings in US corporates.

The lesson learnt from the US is that, with the CEO and the CFO being held responsible, there’s a drive for improvement in ICFR, and there are subsequently fewer restatements resulting in more trust and confidence in financial reporting.

10 Restatements, known as ‘small R restatements’, are also required as a result of transition to a new accounting standard but these are not considered to be as a result of errors.
11 Source: EY Analysis of SEC data
12 https://pcaobus.org/Standards/Archived/PreReorgStandards/Pages/Auditing_Standard_5_Appendix_A.aspx
13 https://pcaobus.org/Pages/default.aspx
Before and after SOX, if a control was going to be relied on, for the purposes of the audit, it would have had to be verified as effective or substantive procedures would be performed. That did not change. However, it is an observation that, at the same time as the numbers of restatements have been decreasing, the numbers of reported material weaknesses increased from 2004–2009 and have then stayed fairly high. When a material weakness in ICFR is identified during an audit, the auditor will generally perform more substantive procedures to compensate for being unable to rely on certain controls and reduce the audit risk to a reasonable level. This approach should reduce the risk of an error in the financial statement audit and therefore reduce the risk of a restatement.

4.2. Cost and scope of ICFR

When establishing ICFR, companies face two types of costs: (i) the cost of external assurance over ICFR if external assurance is required and (ii) the entity’s own internal costs to establish and maintain ICFR. The ICAEW paper[14] points out that, in the US, the latter cost is typically much more significant than the former.

The Brydon Report recommends that ICFR should be mandatory for all listed companies that benefit from public investments, and that external auditor assurance should only be required where there has been a failure in financial reporting controls within the last three years. As noted, 22 of the FTSE 100 companies are already listed in the US markets. The US ICFR audit threshold does not capture entities with less than $75 million of free float. In the UK, this would currently equate to smaller companies in the FTSE 250. We note however, that US companies are generally larger, so a like for like cut off in the UK should be lower than this level and so include more companies in scope. The US ICFR audit rules also exclude emerging growth companies[15] in their first five years post initial public offering (IPO).

A 2014 University of Kentucky and Louisiana Tech University study[16] of the period from 2007 to 2013 found that companies subject to ICFR audits experienced higher valuation premiums and higher credit ratings (which results in overall lower costs of debt). A Butler University and North Florida study[17] of the impact of SOX on the cost of equity capital of Standard & Poor’s (S&P) firms (for the period from January 1996 to December 2006) found that the cost of equity capital decreased post-SOX for the smaller firms.

14 https://www.icaew.com/insights/viewpoints-on-the-news/2020/june-2020/icaew-publishes-internal-controls-reporting-paper
15 An Emerging Growth Company in the US has annual revenues of under $1.07 billion and other conditions have been met, as further explained in https://www.sec.gov/smallbusiness/goingpublic/EGC
16 An Analysis of the Costs and Benefits of Auditor Attestation of Internal Control Over Financial Reporting (October 2014).
17 The Impact of the Sarbanes-Oxley Act (SOX) on the Cost of Equity Capital of S&P Firms.
5 Accelerating ICFR implementation

Imagine a future world where UK directors are attesting to the effectiveness of their ICFR and there is general agreement that the introduction of UK SOX is positive and valuable for the companies they oversee.

In such a world, management teams would have established an appropriate governance structure for ICFR and will have developed a deep understanding of their data and the risks impacting their businesses and the controls to mitigate these risks. They may see, perhaps on an automated dashboard, when controls fail and take appropriate action to reduce business risk. Management teams will be using reliable data and analytics to give additional assurance and insights into business and commercial operations.

The good news is that UK entities in 2020 can expect to implement ICFR more efficiently than their US counterparts in 2004. The main drivers for this include:

• ICFR practices and understanding: ICFR practices, auditing standards, accounting standards and regulatory practices have been evolving over the years driven by the work of audit firms, regulators and risk management professionals so that generally, there is a far better understanding and appreciation of ICFR now than in 2004, which leads to more effective and focused ICFR programmes. Arguably this is the most important driver.

• Technology: 15 years of technological progress and the development of relevant software will help entities accelerate and reduce the risk of their ICFR implementations. Useful software includes analytical tools, process mining, spreadsheet analysers, SOX controls dashboards and modern IT systems that have built-in automated controls.
5.1 ICFR FAQs

This section will address typical queries we receive from UK businesses. It sets out how companies can strengthen their ICFR and take advantage of some of the technologies, tools and practices available to make their programme effective and successful.

How should companies typically get started with an ICFR strengthening programme?

While there are many challenges in implementing any ICFR improvement programme, we highlight some of the actions companies take in order to make a start on their ICFR improvement journey. Chief among our recommendations are:

• Establish appropriate governance, resourcing and accountability in finance and IT to promote and bring a culture of controls to life. This may include the use of training, and establishing a suitable three lines of defence model.

• Run a detailed scoping and ICFR risk assessment and a fraud risk assessment and prioritise the most significant risks.

• For the most important processes in scope, develop an end-to-end understanding of the business process and supporting IT applications. Identify and fix any control gaps in both business and IT processes.

• For complex IT environments with a history of acquisitions that have not been integrated, assess options available to rationalise IT applications and use automated IT controls. IT change programmes can be multi-year exercises so companies should ensure a strong degree of linkage between the IT and the finance department during the IT and the ICFR improvement programmes. Investing in this area may help save SOX implementation costs later. We recommend that any IT change programme should include people with finance knowledge and skills so they can design appropriate ICFR controls into any new systems.

• Establish an effective monitoring regime across the lines of defence.

The three lines of defence model divides responsibilities for internal control as follows:

• The first line of defence — functions that own and manage risk

• The second line of defence — functions that oversee or specialise in risk management and compliance

• The third line of defence — functions that provide independent assurance

Controls readiness assessment: We recommend companies start off with an internal controls readiness assessment. A readiness assessment tool which covers the COSO framework and is benchmarked against many other companies should allow management teams to have a good indication of where a company’s current control environment stands versus peers and identify areas of weakness.


What does a typical ICFR improvement programme look like?

Companies generally undertake their scoping and top-down risk assessment to identify financial reporting risks and fraud risks in all significant classes of transactions. This risk assessment is done with an end-to-end walkthrough of the main processes from initiation to final completion and recording. This ensures that risks are identified before designing and finalising the relevant controls to mitigate them.

It is during this risk assessment and walkthrough phase that companies should consider any IT implications and assess how to use technology to drive efficiency — through automation of, and monitoring of, controls.

Gaps in the framework will be identified at this time, and so controls to cover these gaps must be designed, or improvements to existing controls must be made in order to meet the relevant objectives and cover the relevant risk.

Once the company has documented a robust end to end process for each significant class of transactions, the improved controls framework must be implemented, and then regularly tested.

What is the definition of a control failure and how would directors identify these?

A control has failed when it was either not designed properly, or its operation is ineffective such that it does not mitigate the risk it was intended to cover. Control failures would be identified during the walkthrough or testing phases of work.

If you did identify a MW or SD in your last ICFR assessment, what did it relate to?

• Information technology general controls: 20%
• Management review controls, level of precision: 3%
• IPE: 5%
• Application of GAAP: 5%
• Control not implemented for significant accounts: 8%
• Non-routine and non-systematic transactions: 8%
• Antifraud programmes: 10%
• Financial statements close process: 13%
• Others: 30%

SD: Significant deficiency. IPE: Information produced by the entity. GAAP: Generally accepted accounting principles.
Source: EY Foreign Private Issuer SOX Survey 2019

Would IT controls be in scope for UK ICFR?

Although there are many more aspects to ICFR than IT only, we focus in the sections below on IT for two reasons. Firstly, IT is an area where US SOX reporters experience the highest number of material weaknesses and secondly because, based on our interviews with FTSE 100 and FTSE 250 companies, we have seen that there will be significant IT challenges for UK companies when it comes to improving their ICFR. All IT systems used in the processing of financial transactions and financial reporting for in-scope business processes will be in scope. Key IT controls operating in these applications, including IT general controls (ITGCs), will therefore be in scope. ITGCs include logical access controls, IT change management controls and IT operations controls.

What are the most common IT control failures?

ITGCs and IT application controls (ITACs) underpin the accuracy and completeness of data in key IT systems which are used in reports and preparing financial reporting information. If ITGCs cannot be relied on, then the reports that finance professionals use may not be relied on either.

Since IT systems underpin much of financial reporting, a control failure in IT can often result in a material weakness in internal control. Even after 15 years of SOX, IT remains one of the most significant reasons for companies reporting material weaknesses.

Challenges that arise when companies set out to establish strong controls over IT include:

• Obtaining a complete list of applications and reports in scope.

• Identifying data used in reports and the appropriate data owners.

• Establishing appropriate access controls, change controls and IT operations controls.

For access control, companies need to include controls around password complexity, administrative access, user generic accounts, logging and monitoring of IT administrative activities, provisioning/de-provisioning of user access and the execution of periodic user access reviews.
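To show how the access controls just listed (generic accounts, privileged access, provisioning/de-provisioning and the periodic user access review) can be run as an automated detective control instead of a manual review, here is an added illustration that is not EY's tooling or part of the report: it reconciles a constructed application account export against a constructed HR roster and an approved privileged-access list. All names, dates, field names and the 90-day dormancy threshold are assumptions.

```python
"""Automated user access review for an in-scope financial application.

Added illustration, not EY's tooling: it reconciles an application's account
export against an HR roster and an approved privileged-access list to flag the
access-control failures discussed above (generic accounts, unapproved admin
rights, leavers still provisioned, dormant accounts). All data below is
constructed sample data; the field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date

AS_OF = date(2020, 9, 30)          # review date (constructed)
DORMANT_DAYS = 90                  # inactivity threshold (assumed policy)

# Constructed HR roster: employee_id -> (name, leaving date or None).
HR_ROSTER = {
    "E100": ("Alice Finance", None),
    "E101": ("Bob Controller", date(2020, 6, 30)),   # leaver
    "E102": ("Carol IT", None),
}
APPROVED_PRIVILEGED = {"E102"}     # employees approved for admin rights

# Constructed account export from the application (hypothetical user names).
APP_ACCOUNTS = [
    {"user": "afinance",  "owner": "E100", "admin": False, "last_login": date(2020, 9, 28)},
    {"user": "bcontrol",  "owner": "E101", "admin": False, "last_login": date(2020, 7, 15)},
    {"user": "cit",       "owner": "E102", "admin": True,  "last_login": date(2020, 9, 30)},
    {"user": "svc_batch", "owner": None,   "admin": True,  "last_login": date(2020, 9, 30)},
    {"user": "oldadmin",  "owner": "E100", "admin": True,  "last_login": date(2020, 2, 1)},
]


@dataclass(frozen=True)
class Finding:
    account: str
    control: str   # the access control the exception relates to
    detail: str


def review_access(accounts, roster, approved_privileged, as_of=AS_OF,
                  dormant_days=DORMANT_DAYS):
    """Return one Finding per control exception; an empty list means clean."""
    findings = []
    for acct in accounts:
        user, owner = acct["user"], acct["owner"]
        if owner is None:
            findings.append(Finding(user, "generic accounts", "no named owner"))
        elif owner not in roster:
            findings.append(Finding(user, "provisioning", "owner unknown to HR"))
        else:
            left = roster[owner][1]
            if left is not None and left < as_of:
                # Leaver still provisioned; note any use after the leaving date.
                used_after = acct["last_login"] > left
                findings.append(Finding(user, "de-provisioning",
                                        f"owner left {left}; used after leaving: {used_after}"))
        if acct["admin"] and owner not in approved_privileged:
            findings.append(Finding(user, "privileged access", "admin rights not approved"))
        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append(Finding(user, "periodic access review",
                                    f"no login for more than {dormant_days} days"))
    return findings


def summarise(findings):
    """Count exceptions per control, the view a reviewer signs off on."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


def run_sample_review():
    return review_access(APP_ACCOUNTS, HR_ROSTER, APPROVED_PRIVILEGED)


if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.account:<10} {f.control:<22} {f.detail}")
    print(summarise(run_sample_review()))
```

On the constructed data the review raises five exceptions: the leaver still holding an account (used after the leaving date), the unowned service account with admin rights, and a dormant, unapproved admin account.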
For change management, companies need to include controls around approval of all changes to IT applications, testing of such changes and segregation of environments to ensure the same individual cannot develop and implement a change without authorisation.

For general IT operations, companies must establish controls around backup and recovery of data and the appropriate management and monitoring of IT batch jobs.

Many IT controls are detective controls with a strong manual component such as periodic user access reviews or removal of access to leavers. This results in inefficiency but also a greater likelihood of manual error, and such controls commonly fail. It is important that companies start implementing automated system controls, which prevent the risk from occurring in the first place, or enable the automated handling of such risk.

How do companies monitor compliance of their internal controls framework?

Monitoring should be performed by evaluating the controls in place — either by management, or by third parties. Any issues identified in the evaluation process should be logged and timely corrective action be taken. It is critical that the correct level of accountability is in place for this monitoring process to be effective.

Risk and control matrices have previously been advocated as a measure to assess financial risks and manage the responses to these risks. Are these matrices still relevant?

Risk and control matrices still play an important part in the overall risk assessment process. However, they are just one step in an internal controls improvement programme. It is also good practice to use a summary flow chart on one page to give an overview of how a process works and the controls and IT applications supporting it.

How can technology be used to support an internal controls framework?

As mentioned above, in a recent client webcast we explored the significant role technology can play in accelerating and de-risking ICFR improvement programmes. Four areas where technology can help are set out below:

1. Technology can be used to optimise controls through embedding controls within applications, or helping set out how transactions flow through a process and therefore assist in identifying duplicate controls that are reducing efficiency. Such technology has the potential to create savings which can be reinvested in further strengthening ICFR.

2. For companies doing ICFR for the first time, data analytics can identify higher risk areas by showing insights into the data, spotting outliers in a population where there may be a heightened risk requiring an additional control (for example a monitoring control) to mitigate the risk.

3. Data analytics can assist with the initial scoping and understanding of existing processes and controls.

4. Project management tools are available to support the ICFR programme, particularly for controls attestation or testing, i.e., showing on a live dashboard which controls have been operated and which have not yet been performed and highlighting any challenges. Many US companies are still using spreadsheets to do this in 2020. When setting up their ICFR programme for the first time, UK companies could now use inexpensive technology that would show a real-time controls dashboard which would be updated live as people perform their controls as part of the month end close process. This will significantly increase productivity and effectiveness compared to using a spreadsheet.


Appendix

Checklist for getting started on an ICFR project

Readiness assessments

1. Undertake an ICFR COSO readiness assessment to benchmark against other entities and prioritise where to focus your efforts. Typically these will be in many of the areas set out below.

2. Conduct an IT general controls readiness assessment to get an idea of the IT landscape and the number of systems that will be in scope, and how an ICFR programme may fit in with the IT strategy.
   a. For access controls include: password complexity, privileged access, generic accounts, logging and monitoring, and joiners and leavers.
   b. For change management include: approval of all changes to IT applications, testing of IT changes, and segregation of environments.
   c. For IT operations controls include: backup and recovery of data, and IT batch jobs management.

Governance

3. Establish the appropriate governance, accountability, tone at the top and controls culture using training and incentivising the desired behaviours. Compare the ‘as-is’ operating model for risk management to the ‘to-be’ operating model and identify any gaps in resources and skills.

Risk assessment and fraud risk assessment and scoping

4. Run a comprehensive ICFR risk assessment and fraud risk assessment in the business.

5. Use technology to achieve an efficient scoping and risk assessment. Where possible, use data analytics to identify outliers and risks.

Quick wins

6. Identify opportunities for automating controls and access savings.

7. Establish clear and consistent accounting policies.

8. Although not a quick win, if you are already planning an IT rationalisation or upgrade, this action will significantly help any ICFR improvement later: establish a common data model, chart of accounts and ERP IT system.

9. Involve finance professionals in the design of any ongoing or planned IT transformation.

10. Do a pilot: prepare end to end process documentation for a pilot process, e.g., record to report or purchase to pay.

Documentation

11. Use flow charts to aid understanding of the end to end process.

12. Establish what assurance you will need from service organisations.

13. Establish the appropriate project management, reporting and monitoring tools.


Contacts

Kath Barrow
Managing Partner, UK&I Assurance
Tel: +44 20 7951 0979
Email: [email protected]

Christabel Cowling
Partner, UK&I
UK Head of Regulatory & Public Policy
Tel: +44 113 298 2364
Email: [email protected]

Dan Feather
Partner, Assurance
Tel: +44 7747 764 838
Email: [email protected]

Ilaria Lavalle-Miller
Associate Director, Regulatory & Public Policy
Tel: +44 7393 758 878
Email: [email protected]




EY | Building a better working world

EY exists to build a better working world, helping to create long-term value for clients, people and society and build trust in the capital markets.

Enabled by data and technology, diverse EY teams in over 150 countries provide trust through assurance and help clients grow, transform and operate.

Working across assurance, consulting, law, strategy, tax and transactions, EY teams ask better questions to find new answers for the complex issues facing our world today.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.

© 2020 EYGM Limited. All Rights Reserved.

EYG No. XX0000

Artwork by Creative Services Group London.

In line with EY’s commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, legal or other professional advice. Please refer to your advisors for specific advice.

ey.com
