Directors' Compliance Statement: Impact Assessment

Author: Denis Murphy

On 21 April 2005, the Minister for Trade and Commerce requested the Company Law Review Group to carry out a “Regulatory Impact Analysis” of section 45 of the Companies (Auditing and Accounting) Act, 2003 and to report back to the Government on their findings by the end of July 2005.

Section 45 was the subject of late changes. As such, there was no public debate on the final version of S45. Also, in requesting feedback on its July 2004 draft guidance for directors, the ODCE confined responses to the guidance itself as distinct from the legislation. In light of CLRG's pending review, this article discusses the status and applicability of the Turnbull guidance invoked selectively in the ODCE guidance, as well as certain issues and observations concerning S45 itself. It is hoped that CLRG will have regard to these matters in the course of its review.

TURNBULL GUIDANCE

In 1999, the Institute of Chartered Accountants in England & Wales (ICAEW) published the Turnbull guidance on internal control. The guidance, which is principles based, outlines what is expected of directors of listed companies to achieve a 'sound system of internal control' as envisaged in The Combined Code (Principle C.2). Under the guidance, the principal characteristics of such a system are that:

- it is risk based,
- it addresses all types of risks and controls including financial, operational and compliance, as well as risk management,
- it is embedded in the operations of the business,
- it includes sufficient reporting and assurance mechanisms, and
- the effectiveness of the system of internal control is reviewed, at least annually.

The guidance states that such a system of internal control 'helps ensure compliance with applicable laws and regulations'. The directors are required to explain how they apply the Code's Principles. Disclosure should be in a manner that enables shareholders to evaluate how those Principles have been applied. One of these Principles is that the directors should maintain a sound system of internal control. The Turnbull guidance states that the board's related disclosures should be aimed at providing users of the annual report with meaningful high-level information that does not give 'a misleading impression.'

The Turnbull guidance incorporates The Combined Code requirement that the board should report to shareholders that the directors have conducted an annual review of the effectiveness of the group’s system of internal control (Provision C.2.1). The board is not required to review the effectiveness of immaterial risks but should otherwise consider all types of risks and controls in the course of its overall annual review, including financial, operational and compliance, as well as risk management.

The Turnbull guidance does not define 'effectiveness' or require the board to report publicly on the findings of its annual review of effectiveness. In practice, companies are not reporting publicly, most likely on the grounds that it might expose the directors to liability if for instance internal control weaknesses subsequently came to light.

The Turnbull guidance requires that where weaknesses in internal control have resulted in material losses or contingencies which require disclosure in the annual report, the board should describe what corrective action it has taken, or intends to take, or explain why no changes are considered necessary.

Auditors are not required to review or report on how the directors applied the Principles of the Code - as stated above one of these is that the board should maintain a sound system of internal control. Auditors are however required to review the directors' statement of compliance with the Provisions of The Combined Code but only in so far as it relates to the Code Provisions specified for their review by the Irish Stock Exchange / UK Financial Services Authority (9 out of 48). This includes the directors' statement as to whether they undertook an annual review of the effectiveness of internal control and risk management in accordance with the Turnbull guidance and, if so, to give a summary of the process applied in reviewing such effectiveness. Auditors are required to report by exception where they believe that the directors' statement does not reflect the company's compliance with any of the Code's 9 Provisions specified for their review.

The Financial Reporting Council (FRC) - as custodian of The Combined Code - is in the process of updating the Turnbull guidance. The Code's overall aim is to enhance board effectiveness and to improve investor confidence by raising standards of corporate governance, although existing standards in Ireland and the UK are already acknowledged to be extremely high.

The FRC's comment period ended on 2 March 2005. A revised draft of the Turnbull guidance will be issued for comment later this year with the final guidance expected to apply to accounting periods beginning on or after 1 January 2006.

The FRC plans to undertake regular reviews of The Combined Code, and hence of the Turnbull guidance, to ensure they are working effectively and to identify any amendments. The first such review of the Code will occur in the second half of 2006. The revised Turnbull guidance (due later this year) will align with the new Combined Code issued following the Higgs and Smith reviews in the UK. It will mirror, for example, the strengthened role for the audit committee in monitoring the integrity of the company's financial reporting, reinforcing the independence of the external auditors and reviewing the management of financial and other risks.

To date, the responses to the FRC on the Turnbull guidance (based on a scrutiny of websites) reveal 3 points of significance:

1. There is strong support for Turnbull style reporting that encompasses the full range of financial, operational and compliance controls, as well as risk management (and that covers the accounting period under review and up to and including the date of approval of the annual report); in particular there is little support for confining reporting to internal financial control and its effectiveness as at the balance sheet date - the US model.

2. There is little demand for directors to report publicly on their annual assessment of the effectiveness of internal control and risk management - apart from the potential of exposing directors to liability in the event that problems subsequently come to light there is the perceived absence of a generally accepted definition of 'internal control effectiveness' that could provide a basis on which directors and the audit committees can conclude; it is also argued that reporting on effectiveness could create a false impression of the reliability of the system of internal control.

3. There is broad satisfaction that the current limited scope of the auditors' review of the directors' statement concerning compliance with the Provisions of the Code and related exception reporting should remain unchanged.

THE LEGISLATION

Directors' & Secretary's responsibilities

S45 of the Companies (Auditing and Accounting) Act 2003 inserts a new Section 205E(5) into the Companies Act 1990 that requires the directors to acknowledge in the 'Annual Compliance Statement' that, inter alia, they are responsible for securing the company's compliance with its relevant obligations.

The section makes no explicit reference to the company secretary even though s(he) also has responsibilities in this respect. Under S100 of the Company Law Enforcement Act, 2001, it is the duty of each director and the company secretary to ensure that the requirements of the Companies Acts, which include S45 of the new Act, are complied with by the company.

It follows that the company secretary has specific responsibility for ensuring that the requirements of S45 are followed.

Scope of Section 45

S45 applies to the directors of:

- all public limited companies, whether listed or not, and
- private companies limited by shares whose turnover exceeds €15.23m (IR£12m) or whose balance sheet total exceeds €7.6m (IR£5m).

The consensus view is that S45 casts too wide a net - certain medium-sized companies fall within its scope! The Minister is however empowered by S48(1)(l) of the Act to prescribe by regulation a 'balance sheet total' and / or 'turnover' amount that is higher than the amounts specified in the Act. There is a body of opinion suggesting that a cutoff in the order of €50m/€100m is justified; also that a company should be exempt only if it does not exceed both criteria, as distinct from one of the two criteria specified in the Act. The turnover criterion does not impact on banks, insurance companies and other financial service providers as they do not have turnover as defined in the Act. As such, for financial service providers the applicability of S45 is assessed by reference solely to the balance sheet total criterion. In the interests of equity, consideration might be given to including an activity measure in lieu of turnover for such companies.

There is support for applying S45 on a group basis using group materiality levels i.e. in the manner that the Turnbull guidance is applied by listed companies with underlying companies then being exempt from separate disclosure under S45, irrespective of their size.

Proponents of this view argue that the applicability of S45 should be confined to parents that require an audit committee and internal audit function i.e. listed companies and large financial service providers. They also argue that listed companies already report in accordance with the Turnbull guidance. In the case of financial service providers (unlike in other companies) there is not a major distinction between financial, operational and compliance risks that would hinder reporting on compliance / financial controls. Moreover, management of such entities are already knowledgeable of Turnbull-style risk management techniques.

In all other cases there must be serious doubt as to whether the provisions of S45 of the Act can be applied in a cost efficient manner with compliance risks being reported on selectively at individual company level (or at group level) in the absence of:

- a comprehensive control environment,
- information and communication processes, and
- processes for monitoring that cover financial, operational and compliance controls, as well as risk management (paragraph 22 of the Turnbull guidance).

This is due to the fact that compliance impacts on each of these elements and there is therefore a resultant knock on effect on reporting on compliance. Moreover the cost of such a 'sound system of internal control' would, for most companies, constitute an administrative compliance burden with the costs outweighing any perceived public benefit of reporting on compliance with laws and regulations, especially for companies that view themselves as already being in full compliance.

Section 48(1)(j)(ii)

S48(1)(j)(ii) of the Act empowers the Minister to exempt by regulation "classes" of companies where in the Minister's opinion it is 'unnecessary or inappropriate' to apply the provisions of S45 to that class of company. Subsidiary companies that avail of the irrevocable parent guarantee under S17 of the Companies (Amendment) Act, 1986 and that do not therefore file a directors' report or financial statements with the Registrar of Companies would conceivably constitute a class of company that might seek exemption here.

Unlimited Companies

All unlimited companies are exempt from the scope of S45, including those unlimited companies that fall within the scope of Part III of The European Communities (Accounts) Regulations, 1993. The latter are already treated as being in substance equivalent to companies limited by shares for financial statement preparation and filing purposes e.g. they can avail of the SME size exemption and the S17 parent guarantee. There is no compelling reason why such unlimited companies, typically all of whose members have limited liability, should be exempt from S45 of the Act. In the absence of a change to the legislation, it remains to be seen how many private companies currently caught under S45 will elect to re-register as unlimited companies and thereby fall outside of its provisions.

Relevant obligations

The expressions 'Companies Acts' and 'tax law' are 2 (out of 3) constituents of 'relevant obligations' that are not qualified by reference to materiality. This could have implications for the documentation of policies and procedures unless a more pragmatic approach is adopted to interpreting obligations, identifying those that demand development of related procedures and as to the level of supporting documentation required e.g. VAT issues and changes to tax laws and an interpretation of the effect of such changes. In particular it is questionable whether a company needs to identify 'all' of its obligations under the Companies Acts and tax law irrespective of materiality considerations (see paragraph 6.3.3 of the ODCE Guidance for Directors), document these, develop policies, design related procedures for securing compliance, implement these, monitor and examine them on an ongoing basis in terms of them achieving their objective of providing 'reasonable assurance of compliance in all material respects' with the company's relevant obligations, assess the impact of any instances of non-compliance, effect appropriate changes, and conduct an annual review of effectiveness.

The fact is that the Act and related ODCE guidance aspire to the highest standard. What is envisaged are compliance procedures that are 'designed to secure compliance' with relevant obligations, that will be effective in achieving such compliance, that provide a reasonable assurance of compliance 'in all material respects', that 'minimise' as distinct from 'manage' the risk of non-compliance (the latter would take place by reference to factors such as the company's past record of compliance in specified areas, the likelihood of future non-compliance in those areas, the damage to reputation, available resources and related cost / benefit considerations, the impact of fines, penalties, etc., as well as the perceived benefit to the company of having comprehensive procedures for certain of the relatively lower risk compliance areas).

There is also the matter that the Act and the ODCE guidance do not fully recognise the relative roles of directors and management in the compliance function i.e. that the role of the directors is to set policy and for key management to design, implement and operate a system of compliance and to report to the directors on an ongoing basis on its operation. This still enables the directors to oversee the compliance function, intervene appropriately, and carry out an annual review of effectiveness of the whole system of internal control with particular reference to the key risk areas e.g. health and safety, environmental issues, fraud, internet IT security, procedures for ensuring compliance with S45, etc.

It remains to be seen what impact S45 will have on D&O (directors and officers) insurance premiums. In this regard, the provisions of S383 of the Companies Act, 1963 as inserted by S100 of the Company Law Enforcement Act 2001 need to be factored in. Under that section, a director or secretary is in default if they authorise or, in breach of their duty, permit a default. Moreover such a person is presumed to have permitted the default unless they can establish that they took all reasonable steps to prevent it, or that, by reason of circumstances beyond their control, they were unable to do so.

In summary, the Act appears to set the highest standard as to the degree of compliance envisaged and as to the form and level of reporting expected. In regard to the latter, the directors are required to assess whether they used all reasonable endeavours to secure the company's compliance solely in terms of their review of procedures in place that should, under the Act, in any case be designed to be effective. Furthermore, in the event of a problem arising, there is the presumption that a director has defaulted or permitted default in complying with S45 in the absence of evidence to the contrary.

The above should be contrasted with other jurisdictions where such a requirement - if it existed - would most likely be on the lines that the company should have in place a system of compliance that is designed to provide reasonable assurance of compliance with laws and regulations i.e. that does not contain a legal requirement for the directors to carry out a review of effectiveness or to report publicly on compliance with relevant obligations and with default being assessed by reference to whether the director took all reasonable steps to achieve compliance rather than a rebuttable presumption of default in the absence of evidence to the contrary.

Directors' compliance statement (referred to in the ODCE guidance as the directors' 'Compliance Policy Statement')

The new S205E(3) to the Companies Act, 1990 makes reference to a company's 'policies respecting compliance' and 'procedures for securing compliance with its relevant obligations' but does not otherwise define 'policies' and 'procedures' (or indeed 'compliance'). What these constitute is particularly important e.g. the Act requires the preparation of a 'directors' compliance statement' as soon as possible after S45 becomes applicable to the company and it must include the company's policies and procedures, including its monitoring arrangements and the process for the directors' annual review of effectiveness.

The structure of S205E suggests that 'policies' and 'procedures' are inextricably linked, with the latter being responsive to the former. As such, policies constitute the board's dictate of what needs to be done to manage the risk of non-compliance and have regard to the matters the board sees as important in managing compliance risk. Policies therefore indicate the extent to which compliance measures need to be incorporated into procedures / processes and related controls. As such, procedures are the actions of management to implement the company's policies. They include the means of identifying 'relevant obligations', the methods used for analysing the risk of non-compliance, for identifying and prioritising categories of risk, for managing those risks, the process for the ongoing monitoring and reporting to the board on compliance matters, the form of exception reporting e.g. in relation to the outcome of any independent testing and on instances of non-compliance, as well as the process for the directors' annual review of effectiveness.

It follows that 'policies' should not be interpreted narrowly as meaning that a company has no choice but to comply with laws and regulations. In light of this, the 'directors' compliance statement' should more correctly be considered a 'Policies and Procedures Statement' and invariably will be of undue length, in terms of its inclusion in the annual report, even for straightforward companies. Disclosure will give rise to a proportionally bulkier and more burdensome 'Policies and Procedures Statement' if a materiality constraint is not imposed in the legislation in determining obligations under 'the Companies Acts' and under 'tax law'.

The new S205E(4) requires the 'Policies and Procedures Statement' (unabridged), incorporating any revisions, to be included verbatim in the directors' report (sic)! The inclusion of a statement of such potential length and detail serves no useful purpose to a reader of the annual report. It is also questionable whether, apart from larger financial service providers, there is a demand from shareholders and users of annual reports for a shorter statement on the lines that there is a compliance function in place, that major risks of non-compliance with laws and regulations are addressed, that these are subject to ongoing review by the directors, and that an annual effectiveness review has been undertaken by the directors.

Measures undertaken by companies to secure compliance with relevant obligations should be cost effective, proportionate, and have regard to the risk of non-compliance with significant obligations assessed by reference to materiality in the context of the financial statements. Any disclosure should be on a group basis and should be confined to directors acknowledging their responsibility for securing the company’s compliance with laws and regulations and confirming that measures are in place to secure compliance with significant obligations.

Denis Murphy, ACA is Director of Ernst & Young’s Financial Reporting Group.