Exploring options for attestations on internal controls

Original recommendation

The Kingman Review recommended that BEIS should give serious consideration to the case for a strengthened framework around internal controls in the UK, learning any relevant lessons from operation of the Sarbanes-Oxley regime in the US. It recommended that the pros and cons of options for change should be analysed and consulted upon, giving special consideration to the importance of proportionality in relation to the size of the company. (Source: Kingman 51)

The Brydon Review also recommended that the Government give serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting had been completed and whether or not they were effective, as in SOX 302(c) and (d). It also recommended that the attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed and that the Board should then report to shareholders that it has received such an attestation. (Source: Brydon 13.1.8)


In the BEIS White Paper (Section 2.1) views are sought on the following three options, which are not intended to be mutually exclusive:

  • Company directors should be required to carry out a review of the effectiveness of their company’s internal controls each year and make a statement, as part of the annual report, as to whether they consider them to have operated effectively. The statement should disclose the benchmark system used and explain how the directors have assured themselves that it is appropriate to make the statement.
  • The audit report should describe the work the auditor is already required to do to understand the company’s internal control systems to the extent needed to perform the audit, and to state how that work has influenced the audit, but without a formal auditor opinion on the internal controls’ effectiveness being required.
  • The auditor should be required to provide a formal opinion on the directors’ annual attestation about the effectiveness of the company’s internal controls, potentially limited to key internal controls over financial reporting, or a sub-set of that.

The Government has set out a tentative preferred option which would require a directors’ statement about the effectiveness of the internal controls, but (unlike the US’s approach to internal controls which mandates external auditor attestation in most cases) leave the decision on whether the statement should be assured by an external auditor to the directors, audit committee and shareholders. The paper makes clear that this preferred option is not intended to shut down discussion of alternatives.

Government response

The Government will invite the regulator to strengthen the UK Corporate Governance Code for premium listed companies to provide for an explicit directors’ statement about the effectiveness of the company’s internal controls and the basis for that assessment, and to work with companies, investors and auditors to develop appropriate guidance. The Government agrees that directors should be more open and accountable for operating an effective internal control system, not only for financial reporting but also for wider operational and compliance risks.

The Government expects that this would be underpinned with guidance on how boards should approach the preparation of the statement, which would be developed following a review of the FRC’s existing Guidance on Risk Management, Internal Control and Related Financial and Business Reporting. This guidance would be intended to cover the identification of acceptable standards, benchmarks or principles and address definitional issues and the circumstances in which external assurance might be considered appropriate.

The intention is that the new Audit and Assurance Policy will require companies to state whether or not they plan to seek external assurance of the company’s reporting on internal controls. The FRC will be asked to explore with investors and other stakeholders whether and how the content of the auditors’ report could be improved to provide more information about the work auditors have undertaken on the internal controls over financial reporting.

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.