Institute of Chartered Accountants in England & Wales

29th November 2002

RH/jdfh

Mr Jonathan G Katz
Secretary
Securities and Exchange Commission
450 Fifth Street, N.W.
Washington, DC 20549-0609
USA

Dear Mr Katz

File No. S7-40-02
Disclosure required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act 2002

The Institute of Chartered Accountants in England & Wales is pleased to provide a letter of comment in response to the Commission's consultation document entitled "Disclosure required by Sections 404, 406 and 407 of the Sarbanes-Oxley Act 2002". The Institute has been closely involved with developments in corporate governance and internal control in the UK for over ten years. Our credentials are provided in Appendix A.

This letter, which deals with Section 404 only, provides information to help the SEC assess whether it will be in the interests of investors to require UK listed companies that are subject to the internal control provisions of the UK Listing Rules, and which are also SEC registrants, to be subject to the incremental requirements of Section 404 of the Sarbanes-Oxley Act. It is our view, inter alia, that:

  • the UK has a workable system for reporting on internal control that has been operating for a number of years, which extends beyond financial reporting controls, and serves the needs of investors; and

  • the extra costs incurred by UK listed companies to comply with two internal control regimes would not be matched by potential benefits to investors.

The Sarbanes-Oxley Act extends the SEC's remit to include corporate governance and aspects of internal management within companies. As the SEC moves into these areas, we believe that the SEC should look to the experience of the UK Listing Authority.

Background information

Internal control requirements are part of a bigger framework of corporate governance which has been developed by, or on behalf of, the UK Listing Authority over a number of years as the Authority extended beyond its traditional role into the area of corporate governance.

Rule 1.1 of the Listing Rules of the UK Listing Authority states that issuers must comply with all listing rules applicable to them. The Combined Code on Corporate Governance forms part of the Listing Rules. There are 14 Code principles and 45 Code provisions that apply to listed companies.

Disclosure is a major element of the Combined Code's requirements. The provision of meaningful and substantive information to investors is of fundamental importance and the requirements on boards are tough. It is a `comply or explain' regime for Code provisions. For boards this essentially means `state you have complied or, if not, why not and for what period'. Code principles concentrate on outcomes that boards need to achieve.

There is, deliberately, no prescribed wording for board statements on Code principles or provisions. This makes matters more difficult for boards and it discourages `boiler-plate' wording. Boards are therefore required to think carefully before making their disclosures to investors, which thereby encourages good board behaviour, something that is the intention of both the Sarbanes-Oxley Act and the Combined Code.

Rule 12.43A of the Listing Rules states that in the case of a company incorporated in the United Kingdom, the following items must be included in its annual report and accounts:

    (a) a narrative statement of how it has applied the principles set out in Section 1 of the Combined Code, providing explanation which enables investors to evaluate how the principles have been applied; and

    (b) a statement as to whether or not the company has complied throughout the accounting period with the Code provisions set out in Section 1 of the Combined Code. A company that has not complied with the Code provisions, or complied with only some of the Code provisions, or in the case of provisions whose requirements are of a continuing nature complied for only part of an accounting period, must specify the Code provisions with which it has not complied, and (where relevant) for what part of the period such non-compliance continued, and give reasons for any non-compliance.

In respect of internal control there is one Code principle and a specific Code provision.

Principle D.2 - states that `The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets'.

Provision D.2.1 - states that `The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management'.

The Turnbull Report (1999) provides guidance on how to apply the principle and comply with the provision and the disclosures that directors have to make to investors.

The UK's corporate governance framework, of which the Combined Code is a major part, is reviewed and developed to take account of new thinking. For example, a review is currently being undertaken of Code Principle D.3 and its two related Code provisions, all of which relate to audit committees and auditors.

1. Overall comments

We strongly support the goal of improving the quality of financial reporting and corporate governance. The UK went through a crisis of confidence in financial reporting following corporate scandals in the late 1980s and early 1990s which ultimately led to the publication in 1992 of the highly respected `Report of the Committee on the Financial Aspects of Corporate Governance' (the Cadbury Report).

Since 1992, the UK has been further developing and refining corporate governance and financial reporting, within which internal control plays an important part. This is ongoing. Considerable efforts have been made in the last decade to provide guidance on internal control that results in information on risks and controls that is workable for both business and auditors, and serves the needs of investors.

Guidance on reporting on internal control was first produced in 1994 by the Rutteman Committee. It was linked to the London Stock Exchange's Listing Rules and concentrated on internal financial control like Section 404 of Sarbanes-Oxley. Following the publication of the Combined Code on Corporate Governance in 1998, which required companies to review the wider aspects of internal control, updated guidance was produced in 1999 by the Turnbull Committee.

Consequently, the UK has now gone beyond reporting on internal control for financial reporting purposes as required by Section 404 of Sarbanes-Oxley. Boards of UK listed companies are required to disclose in their annual reports information on the wider aspects of internal control, including their risk assessment procedures, and the processes that they have adopted to review the effectiveness of internal control, and state that the work that the board has undertaken is in accordance with the guidance in the Turnbull Report.

We are concerned that the imposition of rules relating to Section 404 on UK listed companies that are also foreign registrants with the SEC would place an additional burden on those companies as they would have to adopt two different bases for reporting on internal control.

We sympathise with the SEC on many of the difficulties that it faces in arranging for the provision of pragmatic guidance on internal control reporting to implement the current requirements of the Sarbanes-Oxley Act. The combination of (a) a difficult concept (internal control) with (b) a requirement for measurement (effectiveness) for which there are no objective benchmarks, does not make for an easy solution.

We would urge the SEC to carefully consider the work that has already been done on internal control reporting in other countries. In this regard we note that there is particular experience in other jurisdictions including the UK. We believe that the SEC should grant exemption to companies registered in countries that already have requirements for reporting on internal control that have been established, following due process, by a group of experts, and in particular where they have been in operation for a number of years.

2. Intentions of Sarbanes-Oxley and the Combined Code

In the aftermath of corporate failures, governments and regulators in both the US and the UK wanted to see action to prevent the recurrence of such scandals. We believe that the overarching objective and intentions, in respect of matters related to internal control, have been to improve business practices by, inter alia:

  • changing corporate behaviour;

  • improving internal controls and the control environment;

  • ensuring that boards of directors take overall responsibility for internal control and report thereon to investors; and

  • obtaining independent assurance that the directors have accurately reported to investors.

Looking at some of the problems now being faced in the US, we see history repeating itself. Section 404 of the Sarbanes-Oxley Act is similar to a section in the Cadbury Report, written a decade earlier. The Report stated that `since an effective internal control system is a key aspect of the efficient management of a company, we recommend that the directors should make a statement in the report and accounts on the effectiveness of their system of internal control and that the auditors should report thereon.'

From a similar starting point to that now facing the SEC, the UK has come up with its own solutions to the major and complex issues that surround reporting on internal control. However, when these issues were considered by the UK and a number of other European countries, the US-style frameworks (such as COSO) and attestation standards (such as AU 319, which does not provide evaluative criteria) were not adopted. However, different solutions have been successfully developed and implemented and any imposition on a worldwide basis of COSO would not be desirable.

The subsequent wording in legislation or corporate governance codes such as those in Section 404 or the Cadbury Report may appear to present a fairly straightforward solution to the problem, but these are complex issues.

It took seven years (between the Cadbury Report in 1992 and the Turnbull Report in 1999) for the UK to build its present framework for internal control reporting. Achievement of this good foundation has involved a process of refinement, considerable thought and much effort. In the Turnbull Report, we believe we have a workable solution to internal control reporting for both business and auditors that also serves the needs of investors. Moreover, there continues to be active debate on how to build on this foundation and continue to improve the management and reporting of risk.

We are not convinced that the overnight imposition of a legally-based sign off procedure will improve business practices. We believe that many listed companies derive business benefits from the application of the UK requirements on internal control as the requirements are aligned to a company's on-going processes for the identification, evaluation and monitoring of risks to the business.

One of the significant advantages of the Turnbull approach compared to our previous UK approaches was to encourage companies to operationalise their risk assessment, internal control and reporting and disclosure processes. A periodic review and report clearly has some value but is not as valuable as measures that encourage behavioural change across all aspects of a business, leading to improvements in integrity, business effectiveness and reporting transparency.

It is, however, against the overarching objectives mentioned above that both the UK and the US should measure success. The principles-based approach adopted by the UK in both the codes on corporate governance and the two reports on internal control appears to have had great benefit over the last decade. Great pains have been taken to encourage a thoughtful approach by companies and discourage a box-ticking approach to compliance.

Looking back to the period before the Cadbury Report, we believe that the UK has gone a long way in the achievement of the overarching objective. Today boards of directors:

  • think much more about risk and internal control issues;

  • take responsibility for internal control;

  • report in their annual reports to shareholders on the processes they have adopted to review the effectiveness of internal control.

In addition, some assurance on the transparency of the processes adopted by boards is provided to the shareholders by the external auditors.

All this has been achieved without requiring that companies or their auditors report that control is effective. The emphasis has been on improving internal company processes and reporting that the internal review processes are adequate. The risk in requiring reporting that internal control is effective is that it is human nature not to want to issue an adverse report, which in turn encourages directors to tick the boxes and put a gloss in public on situations that actually warrant significant improvement. Overall, we suggest that our more cautious approach to the corporate sector has had a strong measure of success. An indication of this success is that the Turnbull Report has also been enthusiastically adopted by the public and not-for-profit sectors in the UK.

3. The UK's corporate governance and internal control guidance documents

It should be noted that the UK's corporate governance codes and the internal control documents have been written by committees whose aim was to provide tough but workable guidance. To serve the public interest, membership of these various committees has been drawn from the business and investor communities, the legal profession, and audit regulators as well as the accountancy profession.

Membership of the Turnbull Committee, for example, included individuals who represented:

  • the Auditing Practices Board (part of the oversight/regulatory framework for the accounting profession in the UK)

  • fund managers/investors

  • chief financial officers (financial services and industrial companies)

  • external auditors

  • internal auditors

  • company secretaries/general counsel

The UK Listing Authority, which in 1999 was the London Stock Exchange, approved the Turnbull Report as being consistent with both the internal control requirements of the Combined Code and the related Listing Rules disclosure requirements. They went on to state that the guidance clarified to boards of directors of listed companies what is expected of them.

All of the Committees undertook due process for preparing their documents. This included widespread consultation on draft documents with adequate time for consultation and measured responses.

Guidance for external auditors on those aspects of the Combined Code with which they have to deal, including matters related to internal control, has been developed by the Auditing Practices Board, which since 1990 has comprised 50% non-accountants and a membership that is not appointed by the accountancy profession. Recently the non-accountants membership element has been increased to 60% to increase the public interest element of the membership of the Board. The Board has consistently taken an extremely cautious line as to whether it is economically feasible for directors and auditors to report publicly on the effectiveness of internal control in a manner that will be meaningful to investors.

Brief details of the UK's reports on corporate governance and internal control and the work of the Auditing Practices Board are provided in Appendix B.

4. The issue of `effectiveness' reporting

The Cadbury Report recommended that 'the directors should report on the effectiveness of the company's system of internal control' and that this report should be reviewed by the external auditors. (Underlining is for emphasis only).

The follow-up report to Cadbury re-examined the matter in the light of practical experience. The Hampel Report (1998) stated that "the word 'effectiveness' has proved difficult both for directors and auditors in the context of public reporting. It can imply that controls can offer absolute assurance against misstatement or loss; in fact no system of control is proof against human error or deliberate override. There has also been concern that directors or auditors who confirmed the effectiveness of a company's control system may be exposed to legal liability if unintentional misstatement or loss of any kind is found to have occurred." The Hampel Report went on to state that Cadbury should be amended to read 'the Directors should report on the company's system of internal control' - i.e. dropping the word 'effectiveness'. Hampel's alteration did not require any change to the minimum requirements of the internal control guidance in that the directors would still need to review the system's effectiveness.

The Hampel Committee believed that auditors should not be required to report publicly on directors' statements, but that they can contribute more effectively by reporting to directors privately. This would enable a more effective dialogue to take place; and allow best practice to continue to evolve in the scope and nature of such reports, rather than externally prescribing them. It would also protect auditors against unreasonable legal claims. The reality is that whatever assertions are made about the effectiveness of internal control there will always be business failures and after the event it can always be claimed that ineffective internal control was a contributory factor. Asking auditors to attest to the effectiveness of internal control without reasonable limitation of liability therefore opens them up to unlimited claims from an unlimited range of stakeholders for an unlimited time, an intolerable situation.

Internal control is a process consisting of a series of complex interrelationships that, inter alia, include the entity's objectives, risk identification and assessment, and the management of those risks. There is no single, objective set of rules and regulations that can be used to make a judgement about the effectiveness of internal control that recognises the unique circumstances of each company. The Turnbull Report recognises this by putting the onus on directors to satisfy themselves that the controls are appropriate to the company.

Code provision D.2.1 states that `The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so.' The difference is between (a) reporting on effectiveness (which has caused Hampel to make the changes outlined above) and (b) the Code requirement that the directors have reviewed the effectiveness of the system of internal control and reported that fact to the shareholders. The Turnbull Report (paragraphs 27 to 34) stipulates (a) the process that a board should go through for reporting on the review's effectiveness and (b) that boards cannot avoid responsibility for their own review of effectiveness. Paragraph 27 states that the board members (not their subordinates) should regularly receive and review reports on internal control and that they should undertake an annual assessment for the purposes of making the board's public statement on internal control, ensuring that the board has considered all significant aspects of internal control for the company for the year under review and up to the date of approval of the annual report and accounts. Boards then make their public statements and are required to state (paragraph 35) that their process accords with the guidance stipulated in the Turnbull Report.

5. Current UK disclosure on internal control

With the parameters set down by Hampel and subsequently in the Combined Code, the following paragraphs are taken directly from the Turnbull Report. They deal with the disclosure requirements for the board's statement on internal control.

Paragraph

35. In its narrative statement of how the company has applied Code Principle D.2, the board should, as a minimum, disclose that there is an ongoing process for identifying, evaluating and managing the significant risks faced by the company, that it has been in place for the year under review and up to the date of approval of the annual report and accounts, that it is regularly reviewed by the board and accords with the guidance in this document.
36. The board may wish to provide additional information in the annual report to assist understanding of the company's risk management processes and system of internal control.
37. The disclosures relating to the application of Principle D.2 should include an acknowledgement by the board that it is responsible for the company's system of internal control and for reviewing its effectiveness. It should also explain that such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.
38. In relation to Code Provision D.2.1, the board should summarise the process it (where applicable, through its committees) has applied in reviewing the effectiveness of the system of internal control. It should also disclose the process it has applied to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts.
39. Where a board cannot make one or more of the disclosures in paragraphs 35 and 38, it should state this fact and provide an explanation. The Listing Rules require the board to disclose if it has failed to conduct a review of the effectiveness of the company's system of internal control.
40. The board should ensure that its disclosures provide meaningful, high-level information and do not give a misleading impression.
41. Where material joint ventures and associates have not been dealt with as part of the group for the purposes of applying this guidance, this should be disclosed.

We would be happy to supply examples of Turnbull reporting on internal control, and we would be happy to have further dialogue if the SEC so wishes.

6. External audit: reporting on internal control and liability issues

Responsibility for good corporate governance and having an effective system of internal control rests with the board of directors, supported by senior management. They have to set the right control environment and 'tone from the top'.

External auditors are skilled in providing assurance on a wide range of issues relevant to business. We are confident that they are capable and willing, in principle, to provide assurances on internal control (indeed they already do so in some UK regulatory situations) and there should be penalties for negligence or failure to report in accordance with requirements or professional standards. However, auditor liability issues must be considered because providing assurance on internal control reporting presents a significant extension to auditors' normal financial reporting responsibilities.

As in the US, for statutory audits UK external auditors cannot currently limit their liability, but it is customary for them to enter into separate terms of engagement for other work, including attestation on internal control, that provide for some reasonable limitation of liability. The risk in preventing auditors from limiting their liability in respect of the much more onerous published reports on internal control effectiveness is that it appears to be unsustainable. There is a risk that in the long run the inevitable business failures will be used as a pretext for litigating all public company auditors out of existence. This is hardly an incentive for the recruitment of competent new people into the profession. In the even longer run, this will damage the availability of qualified professionals to work in business, whether in executive or in non-executive roles.

Realistically, under the current liability regime, external auditors can only review and report publicly on whether the board's published summary of the process that it has adopted is supported by documentation and appropriately reflects that process. This in itself should provide comfort to the shareholders that an independent third party with the appropriate expertise has reviewed the directors' process and their statement to shareholders.

We accept that it may be considered to be in the public interest in the current circumstances for auditors to attest publicly to directors' published statements on the effectiveness of internal control. However, we strongly assert it would be both unreasonable and in the long run against the public interest if auditors are both prevented from limiting their liability and required so to do.

Guidance for external auditors on reporting on internal control

Following the Turnbull report's guidance for directors, the UK's Auditing Practices Board produced guidance (reference 1999/5) for external auditors on their responsibilities under the Combined Code, which include reviewing the Turnbull disclosures.

The APB guidance states that a company's external auditor reviews whether the company's published summary of the process it has adopted in reviewing the effectiveness of its system of internal control is both supported by documentation prepared by, or for, the directors and appropriately reflects that process.

External auditors are not required to provide assurance on the effectiveness of the company's internal control. The wording in the APB document on the standard audit report for listed companies states that the auditors `are not required to consider whether the board's statements on internal control cover all risks and controls, or to form an opinion on the effectiveness of the company's corporate governance procedures or its risk and control procedures.' However, auditors are required to insert an additional paragraph in their report if they believe that the statement on internal control is inconsistent with their knowledge or is, in their opinion, misleading.

Conclusion and suggestions

In the light of the overarching objective that both the US and the UK have to improve business practices by changing corporate behaviour, improving internal controls, and obtaining independent assurance that directors have accurately reported thereon, we strongly believe that the UK has made good progress in the last decade. We believe that the UK has pragmatic and workable systems for reporting on internal control that have been operating for a number of years, which extend beyond financial reporting controls, and serve the needs of investors.

We hope that, as part of its rule making, the SEC is willing to consider ways in which the Sarbanes-Oxley Act can be pragmatically interpreted to allow foreign registrants who comply with the Listing Rules, corporate governance codes and detailed requirements on internal control and related disclosures in their home countries to be regarded as having sufficient compliance for the purposes of Section 404 and therefore to be exempted from the additional requirements of Section 404. For the UK, this would be adherence to the Combined Code, compliance with Listing Rule 12.43A, and implementation of the requirements and disclosures required by the Turnbull Report.

We consider that such companies should be allowed to make their internal control disclosures in the same format and with the same content as that required by UK regulations under which they are listed in the UK. It would be inequitable to force an additional burden onto UK listed companies to make statements on internal control under two bases for reporting on internal control when the rules and requirements of their primary listing obligations in the UK provide a strict internal control regime.

We therefore make the following suggestions that the SEC should:

  1. carefully consider the implications for its rules on foreign registrant companies who are subject to internal control reporting requirements in their own country of origin (in the case of the UK, Rule 12.43A of the Listing Rules, Combined Code principle D.2 and Code provision D.2.1 and the detailed requirements of the Turnbull Report);

  2. recognise that reporting on internal control has been a requirement on listed companies in the UK since 1995 and that UK listed companies have unique experience of internal control reporting;

  3. use its authority to grant exemptive relief to, or prepare a rule to allow, foreign registrant companies that are UK listed and have to comply with UK Listing Authority's requirements for internal control reporting (the Turnbull report); and

  4. grant auditors of UK listed companies an exemption from attestation of the internal control systems on the basis of Section 106(c) of the Sarbanes-Oxley Act.

The above would enable UK foreign registrants to base their reporting on internal control on the Turnbull framework basis, and avoid creating a rule which specifies that the framework for internal control must solely be that of COSO.

We suggest that the UK's experience might be useful to the SEC in relation to the provision of guidance on the implementation of the Act and any changes thereto. For example, the SEC might also reflect on whether it should be requiring CEOs and CFOs to describe in narrative form how the system of internal control functions and is reviewed by the board, rather than immediately requiring an effectiveness opinion. In addition, considerable thought should be given by the SEC to the issue of limiting of auditor liability on matters related to reporting on internal control.

If you require any further information, please do contact me.

Yours sincerely

Robert Hodgkinson
Director, Technical
Direct line: 020 7920 8492
e-mail: robert.hodgkinson@icaew.co.uk


Appendix A

Internal control credentials of the Institute

The UK was confronted by a spate of corporate scandals in the late 1980s and early 1990s, including Maxwell and BCCI.

The Institute took a leading role in a number of ways, thereby setting in train a decade of change that included:

  • establishing with others, including the London Stock Exchange, the Cadbury Committee;

  • development of guidance on key issues such as internal control (see below) that was subsequently linked to the Listing Rules, and on the application of the going concern concept;

  • creating a more independent structure of monitoring the accounting profession;

  • detailed submissions to the various reviews of UK corporate governance;

  • developing guidance for audit committees.

The Institute has been involved with providing guidance on internal control in the UK for almost a decade.

We were asked by the Committee on the Financial Aspects of Corporate Governance (which produced the Cadbury Report) to help set up the working party that provided guidance on the internal control aspects of its Code in 1993 (resulting in the Rutteman Report in 1994). Rutteman mainly dealt, as did Cadbury, with the financial aspects of internal control. There are similarities to Section 404 of the Sarbanes-Oxley Act.

When the Combined Code on Corporate Governance, the update to the Cadbury Report, was issued in 1998 we were asked by the London Stock Exchange to again establish a working party to provide updated guidance on internal control. The Combined Code, developed from the Hampel Report, stated that it was the wider aspects of business risk and internal control that directors should consider, not limiting themselves to internal financial control.

The result of the working party was the Turnbull Report, published by the Institute in September 1999. The Turnbull Report, which is appended to the Listing Rules of the UK Listing Authority, is the guidance on internal control that boards of all companies listed on the London Stock Exchange are currently required to follow and to report on in their annual reports to shareholders.

The Institute is the largest body of professionally qualified accountants in Europe.


Appendix B

Reporting on internal control - an outline of UK experience

Internal control is core to the successful operation of a business as well as to financial reporting. That a company should have an effective system of internal control is without question, nor is the requirement that the directors/management are responsible for the establishment, continuous evaluation and monitoring of the system of internal control. These matters are fundamental necessities.

Reporting on internal control, let alone its effectiveness, is however something different, particularly for auditors. There are many issues to be considered, not the least of which include the nature of useful information, measurement criteria, reasonable disclosure by management, determinants of the level of assurance and auditor liability.

UK experience of public reporting by directors

Introduction

The UK experienced corporate scandals in the late 1980s and early 1990s. This created a reduced level of confidence in financial reporting, and ultimately led to the formation of the Committee on the Financial Aspects of Corporate Governance (better known as the Cadbury Committee). The committee issued its ground breaking report in 1992.

Cadbury Report (report on corporate governance)

Recommendation 4.5 of the Cadbury committee stated that `the directors should report on the effectiveness of the company's system of internal control'. This was expanded in the main body of the report, and paragraph 4.32 stated that `since an effective internal control system is a key aspect of the efficient management of a company, we recommend that the directors should make a statement in the report and accounts on the effectiveness of their system of internal control and that the auditors should report thereon.'

Whilst the words in paragraph 4.32 might appear to be straightforward, it took a further seven years, much effort and thought, and a further two reports for the UK to reach where it is today. The wording in Section 404 of the Sarbanes-Oxley Act 2002 is not dissimilar to that of paragraph 4.32 written 10 years earlier.

The implementation of Recommendation 4.5 of Cadbury was delayed until guidance had been produced for both directors and for auditors. This led to the establishment of the Rutteman Committee.

Rutteman Report (report on internal financial control)

The Rutteman Committee produced a consultation document containing a detailed framework and accompanying guidance to help companies review detailed aspects of their internal financial controls (67 pages). This approach was heavily criticised at the time, inter alia, because it was too detailed and the consultation document was more akin to a rules-based approach. Interestingly the Rutteman Committee at the time regarded the COSO report as an important source and was therefore surprised at the adverse reaction to its initial proposals. In 1994, the final report of the Rutteman Committee was produced. It was a much smaller document (8 pages) that was primarily based on a principles approach.

The form of the statement which the directors should make was not prescribed by the Rutteman report. It did however contain the following minimum disclosures:

    (a) acknowledgement by the directors that they are responsible for the company's system of internal financial control;

    (b) an explanation that such a system can provide only reasonable and not absolute assurance against material misstatement or loss;

    (c) a description of the key [high level] procedures that the directors have established and which are designed to provide effective internal financial control; and

    (d) confirmation that the directors (or a board committee) have reviewed the effectiveness of the system of internal financial control.

Hampel Report (report on corporate governance)

The Hampel report (1998), which subsequently formed the basis of the Combined Code (1998), broadened the debate from internal financial control to internal control. Hampel accepted that it is difficult to distinguish `financial' from `other' controls and his committee's conclusions benefited from developments in companies' risk management practices, whereby it was becoming accepted that it was important for directors and management to consider all aspects of risk and control.

The report also dealt with the `effectiveness' word. Paragraph 52 in the summary of the report's recommendations states `We recommend that the word "effectiveness" should be dropped from point 4.5 in the Cadbury code, which would then read `The directors should report on the company's system of internal control'. We also recommend that auditors should report on internal control privately to the directors, which allows for an effective dialogue to take place and for best practice to evolve'.

Some reasons were given in paragraph 6.11. Hampel stated that "the word `effectiveness' has proved difficult for both directors and auditors in the context of public reporting. It can imply that controls can offer absolute assurance against misstatement or loss; in fact no system of control is proof against human error or deliberate override." Hampel goes on to refer to concern over exposure to legal liability if unintentional misstatement or loss of any kind is found to have occurred.

The Combined Code on Corporate Governance

Paragraph 12.43A of the London Stock Exchange Listing Rules states that "in the case of a company incorporated in the United Kingdom, the following additional items must be included in its annual report and accounts:

  • a narrative statement of how it has applied the principles set out in Section 1 of the Combined Code, providing explanation which enables its shareholders to evaluate how the principles have been applied;

  • a statement as to whether or not it has complied throughout the accounting period with the Code provisions set out in Section 1 of the Combined Code. A company that has not complied with the Code provisions, or complied with only some of the Code provisions or (in the case of provisions whose requirements are of a continuing nature) complied for only part of an accounting period, must specify the Code provisions with which it has not complied, and (where relevant) for what part of the period such non-compliance continued, and give reasons for any non-compliance".

The Combined Code contained the following Principle and two Provisions related to internal control. These are:

  • Principle D2 - `The board should maintain a sound system of internal control to safeguard shareholders' investment and the company's assets'.

  • Provision D.2.1 - `The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management'.

  • Provision D.2.2 - `Companies which do not have an internal audit function should from time to time review the need for one'.

As was the case post-Cadbury, further guidance was required on these two provisions, which led to the formation of the Turnbull Committee.

Turnbull Report (report on internal control)

The Turnbull Committee commenced work (under the auspices of the Institute of Chartered Accountants in England & Wales) in November 1998. It produced a generally well received consultation document in April 1999 and a final report in September 1999. There were transitional arrangements for companies reporting with December 1999 year-ends, and full implementation commenced in the year 2000.

The guidance is based on the adoption by a company's board of a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness, an approach that should be incorporated by the company within its normal management and governance processes. It was felt that, as well as being an exercise undertaken to meet regulatory requirements, there was a business benefit in helping companies to improve their risk and control systems on a continuous basis.

The Turnbull guidance is intended to:

  • reflect sound business practice whereby internal control is embedded in the business processes by which a company pursues its objectives;

  • remain relevant over time in the continually evolving business environment; and

  • enable each company to apply it in a manner which takes account of its particular circumstances.

The essence of the Turnbull report is that it is a high-level process upon which the directors (and in part, the external auditors) report. Key features of the report are:

  • a company's system of internal control has a key role in the management of risks that are significant to the fulfilment of its business objectives.

  • the report recognises that a company's objectives, its internal organisation and the environment in which it operates are continually evolving and, as a result, the risks it faces are continually changing.

  • a sound system of internal control therefore depends on a thorough and regular evaluation of the nature and extent of the risks to which the company is exposed. (This is not a point-in-time exercise, but a continuous process.)

  • the report allocates responsibilities throughout the company. The board of directors is ultimately responsible for maintaining the company's system of internal control, setting policies, seeking regular assurance and ensuring that the system of internal control is effective in managing those risks in the manner which it has approved. The guidance also recognises that management and all employees have a role in maintaining an effective system of internal control.

  • the report outlines the elements of a sound system of internal control and the process for reviewing the effectiveness of internal control.

In so far as disclosure is concerned, the report requires:

  • an acknowledgement by the board that it is responsible for the company's system of internal control and for reviewing its effectiveness. It should also explain that such a system is designed to manage rather than eliminate the risk of failure to achieve business objectives, and can only provide reasonable and not absolute assurance against material misstatement or loss.

  • the board should, as a minimum, disclose that there is an on-going process for identifying, evaluating and managing the significant risks faced by the company, that it has been in place for the year under review and up to the date of approval of the annual report and accounts, that it is regularly reviewed by the board and that it accords with the guidance in the Turnbull report.

  • the board should summarise the process it has applied in reviewing the effectiveness of the system of internal control. It should also disclose the process it has applied to deal with material internal control aspects of any significant problems disclosed in the annual report and accounts.

  • where a board cannot make one or more of the disclosures required it has to provide an explanation in the annual report.

UK experience of reporting on internal control by external auditors

Reporting publicly, in 1992 and increasingly so today, raises threats of litigation against directors and auditors. There were also major risks to reputation and concerns over new expectation gaps.

Reporting to shareholders by external auditors

Following the Turnbull report's guidance for directors, the UK's Auditing Practices Board (APB) produced some guidance (reference 1999/5) for external auditors on their responsibilities under the Combined Code, which include reviewing the Turnbull disclosures under Code provision D.2.1. The guidance states that a company's external auditor reviews whether the company's published summary of the process it has adopted in reviewing the effectiveness of its system of internal control is both supported by documentation prepared by, or for, the directors and appropriately reflects that process.

External auditors are not required to provide assurance on the effectiveness of the company's internal control. The wording in the APB document on the standard audit report for listed companies states that the auditors `are not required to consider whether the board's statements on internal control cover all risks and controls, or to form an opinion on the effectiveness of the company's corporate governance procedures or its risk and control procedures.' However, auditors are required to insert an additional paragraph in their report if they believe that the statement on internal control is inconsistent with their knowledge or is, in their opinion, misleading.

Public vs. private reporting by external auditors

Over the last few years, the APB has published two discussion papers (1995 and 1998) and a briefing paper (2001).

The papers in the 1990s looked at the issues associated with providing assurance on internal control, especially in reports that are made public, and explored a number of possible approaches. In brief, they recognised that standardised short-form style reports were, because of litigation worries, defensive and heavily caveated and would possibly lead to misunderstandings and unfulfilled user expectations. Whilst the more discursive reports were favoured, these reports also presented problems.

Other problems identified included the need for suitable evaluation criteria, which are typically not available. Companies and their internal control needs differ by industry, size, culture and management philosophy and there are many options as to the nature and extent of controls that may be implemented. Controls may be preventive or detective in nature and may be performed by IT systems or by people; and a cost/benefit balance needs to be achieved. Consequently, one company's internal controls system may be very different from another's in relation to similar business processes.

The APB's 2001 briefing paper entitled `Providing assurance on the effectiveness of internal control' sets out a framework for forming an opinion on the effectiveness of internal control. It covers the complex judgements involved in evaluating each of the processes and why external auditors may be able to provide only a moderate, rather than a high, level of assurance with respect to the more judgmental of the processes such as risk identification, risk assessment and internal control design.

Reports that may be issued will, almost invariably, be a lengthy narrative report in order to communicate effectively the various judgements made by the external auditors, the reasoning underpinning those judgements, and the context in which the opinion is given. For example, the briefing paper provides an illustration (which runs to nine pages) of a narrative report based on a hypothetical engagement to provide assurance on the effectiveness of a newspaper publishing company's system of internal control over the recording of advertising revenue. It is impractical to circulate widely reports of such length.