Turnbull Review Rejects 404 Provisions, Seeks Comments

Companies have one more month to comment on proposed revisions to the Turnbull Guidance, which sets out "best practices" on internal control for public companies in the United Kingdom, and assists them in complying with internal control requirements.

Almost exactly one year ago, the UK-based Financial Reporting Council established a group to review the 14-page guidance, which was published in 1999 by the Institute of Chartered Accountants in England and Wales. The group’s goal was to revise the guidance as necessary, and to bring it up to date following the 2002 passage of the Sarbanes-Oxley Act.

When the review was announced last year, it was expected to add a new obligation for auditors to examine a company’s internal controls and risk management, bringing the guidance more in line with Section 404 of SOX. However, the review group’s recommendations, published in June, stated that it would “not be appropriate to require boards to make a statement in the annual report and accounts on the effectiveness of the company’s internal control system.”

Flint

The panel, led by HSBC Holdings’ group finance director Douglas Flint, said it considered whether the disclosure requirements of SOX Section 404 constitute “an appropriate model for disclosures made in the UK under the Combined Code and Turnbull guidance.” The group concluded that the provisions do not, in part, because of the broader scope of the Combined Code and Turnbull guidance.

In addition, the review group said a requirement for a certification stating that processes are effective “would be bound to lead to expensive testing and verification work to a low level of detail.” The group did not believe that the benefits outweighed the costs, and was concerned that it might result “in a focus on compliance rather than substantive assessment and management of risk, undermining what was seen as one of the main strengths of the Turnbull approach.”

The review group concluded that the less-prescriptive guidance contributed to improvements in internal control in UK listed companies, and hence recommended only limited changes to bring it up to date. “Its relative lack of prescription is considered to have been a major factor contributing to the successful way it has been implemented, and we have therefore decided against recommending substantial changes,” Flint said in announcing the review group’s recommendations.

That’s not the first time that Flint voiced a preference for less rigid or prescriptive rules. At a U.S. Senate committee hearing in September 2004, Flint described several "unfortunate consequences, perhaps unintended" of Sarbanes-Oxley, specifically noting that the way SOX was being implemented by the accounting profession had become "meticulously prescriptive." The danger, noted Flint, was that SOX 404 "becomes the objective rather than the means to the end."

However, in commenting on the review group’s findings, Flint noted that boards should not assume that there is nothing new to do, or that boards shouldn’t make better use of the guidance. Specifically, Flint noted that boards “need to ensure that their internal control systems develop to take account of new and emerging risks,” and added that some boards could do more to explain to shareholders how they are managing risk. “But we believe that these issues are better addressed by boards reviewing on a continuing basis their application of the Guidance, rather than by more prescriptive guidance,” he said.

The main conclusions of the Turnbull Review Group were as follows:

The Turnbull guidance has contributed to improvements in internal control in UK listed companies, and significant changes are not required;

The guidance should continue to cover all internal controls, and not be limited to internal controls over financial reporting;

No changes should be made to the guidance that would have the effect of restricting a company’s ability to apply the guidance in a manner suitable to its own particular circumstances;

The guidance should be updated to reflect changes in the Combined Code and Listing Rules since 1999 and the proposed statement of directors’ duties in the draft Company Law Reform Bill;

Boards should review their application of the guidance on a continuing basis.

It would not be appropriate to require boards to make a statement in the annual report and accounts on the effectiveness of the company’s internal control system, but boards should confirm that necessary action has been or is being taken to remedy any significant failings or weaknesses identified from the reviews of the effectiveness of the internal control system.

Boards should look on the internal control statement in the annual report and accounts as an opportunity to communicate to their shareholders how they manage risk effectively, and include such information as is considered necessary to assist shareholders’ understanding of the main features of the company’s risk management processes and system of internal control.

There should be no need for companies that are already applying the Turnbull guidance to develop additional processes in order to comply with the requirement to identify principal risks in the Operating and Financial Review (OFR), but companies are encouraged to ensure that the OFR and the internal control statement are complementary.

There should be no expansion of the external auditors’ responsibilities in relation to the company’s internal control statement.

The FRC is seeking feedback on the recommendations; the comment period closes Sept. 16. Subject to the results of the consultation, the revised guidance is expected to come into effect for financial years beginning on or after Jan. 1, 2006.

To see all of the review group’s recommendations, and for information on commenting on the revised guidance, see box above, right.