The 'Audit Reform and Corporate Governance Bill': Momentum for legislative reform continues, but what does the proposed legislation mean for management liability?

09 October 2024. Published by Mike Newham, Partner and Victoria Lawman, Trainee Solicitor and Aimee Talbot, Knowledge Lawyer

At the opening of parliament, King Charles III unveiled a suite of new bills which will be central to the Labour government's strategy to unlock growth in Britain.

Among these was the Audit Reform and Corporate Governance Bill (the Bill), poised to become landmark legislation that will overhaul the regulation of audit and corporate reporting.

In the wake of high-profile insolvencies, including the collapses of Carillion and BHS, which highlighted significant auditing failures, the government is committed to restoring investor and public trust in the corporate governance and financial practices of large businesses. A troubling study by the Audit Reform Lab, a think tank, revealed that 75% of audit reports failed to indicate, by providing a 'material uncertainty related to going concern' finding, that companies which subsequently failed within the following year were at risk of bankruptcy. The government recognises that trust in financial information provided by directors, as an accurate picture of the health of the company, is vital for attracting long-term investment and promoting growth.

The proposed changes aim to transform the regulatory landscape, including the scrutiny and accountability of company directors.

Background: How did we get here?

In December 2018, an independent review of the Financial Reporting Council (FRC) was completed. The review assessed the FRC's ability to effectively regulate audit quality and financial reporting. Led by Sir John Kingman, the review found that the FRC faced several constraints on its effectiveness, largely due to its lack of a clear statutory base, which limited its powers and the clarity of its duties. The FRC had evolved from a private institution into a regulator through the 2014 Audit Directive, subsequent delegated powers, and voluntary agreements. This evolution resulted in a regulator with "responsibility without power." Additionally, the FRC continues to be partly funded by a voluntary levy, which has blunted incentives to champion reform and often resulted in an "excessively consensual approach" to its regulatory functions. The review report recommended establishing a new regulator, the Audit, Reporting and Governance Authority (ARGA), which would be given statutory powers and structured in a way to overcome the FRC's historic shortcomings.

The recommendations from the independent review fed into the previous government's White Paper on "Restoring Trust in Audit and Corporate Governance: Proposals on Reforms" (White Paper) in May 2022. These proposals have now been incorporated into the outline of the Bill, for which a draft is pending.

The Audit Reform and Corporate Governance Bill

According to the outline, the Bill continues the work and the proposed legislative changes set out in the White Paper of the previous government. The draft legislation would involve replacing the FRC with a new regulator, namely ARGA, which would differ from the FRC as follows:

  • Wider Remit: The definition of Public Interest Entities (PIEs) will be extended to include the largest private companies, thus subjecting them to the same reporting standards as large, listed companies, with a view to ensuring audits of these companies give early warning signs of financial issues.

  • Streamlined Regulations: Unnecessary rules would be disapplied to smaller PIEs to ensure that reporting requirements are not disproportionately onerous on smaller businesses.

  • Greater investigatory and enforcement powers: Currently, directors can only be held accountable for making incorrect financial statements if they are members of an accountancy body. This limits the efficacy of the existing enforcement regime. The Bill would give ARGA statutory powers to investigate concerns over the accuracy of financial reporting and sanction directors for neglect or breaches of their duties.

Recent related developments: FRC updates the UK Corporate Governance Code

Against the backdrop of the Bill, the FRC published a revised UK Corporate Governance Code in January 2024 (2024 Code), which will apply to companies listed in the commercial companies category or the closed-ended investment funds category for financial years commencing on or after 1 January 2025. The existing 2018 version of the Code will continue to apply to such companies in the meantime. Previously, only premium-listed companies were bound by the Code, which was (and remains) voluntary for private companies; however, the Code does act as a guide to good board practices even where it is not formally adopted.

The purpose of the Code is to "set high standards of corporate governance, reporting and audit by holding to account those responsible for delivering them". This development provides some colour to the context of the Bill which may potentially go further than the FRC in introducing US-style regulation.

In response to the White Paper, between May and September 2023, the FRC conducted a consultation regarding proposed amendments to the Code aimed at addressing concerns highlighted in the White Paper. Of the 18 proposals set out in the consultation, explored in our previous article, only a handful were ultimately retained in the 2024 Code.

The main substantive change to the 2024 Code involves reporting on internal controls. Prior to the changes, the Code required the Board to implement and monitor a management and internal control framework. Boards will now be required to include in their annual reports:

  • A description of how the board has monitored and reviewed the effectiveness of the framework;

  • A declaration of the effectiveness of the material controls as at the balance sheet date; and,

  • A description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.

This change deviates from the original proposal, which would have mandated Boards to report all identified material weaknesses (instead of only ineffective controls) and to provide an explanation for the basis of the Board declaration (rather than simply describing the review process of the systems). Additionally, Boards have retained a higher level of flexibility and control in their reporting on internal controls as they have the discretion to determine which controls are classified as 'material controls' for inclusion in the Board declaration. In particular, the 2024 Code retains the 'comply or explain' regime, which allows Boards to choose not to comply with provisions provided they explain why their alternative approach was more appropriate in upholding high standards of governance. This approach offers flexibility and reflects the fact that one approach does not fit all, in view of the diverse types of companies adhering to the Code. Boards are therefore at liberty to choose bespoke governance arrangements reflecting the company's particular circumstances or attributes.

The ICAEW and other stakeholders welcomed the watered-down changes which were ultimately implemented in the 2024 Code. Stakeholders had been concerned that the FRC may introduce requirements styled like those in the Sarbanes-Oxley Act 2002 (SOX) in the US. During the consultation, in feeding back on the above changes, stakeholders sought assurances that the proposed changes would not replicate the US's SOX regime which requires:

  • That boards of US companies maintain and report annually on the operational effectiveness of the company's internal controls over financial reporting; and

  • That CEOs and CFOs attest personally to the effectiveness of internal controls, thereby imputing personal liability on directors for knowingly or wilfully misrepresenting the efficacy of the controls.

The FRC has listened to stakeholders and refrained from intrusive requirements akin to SOX. As above, it remains to be seen how the Bill will take shape in this respect once it has been fleshed out beyond the limited outline currently available.

What may the Bill mean for management liability?

Whilst the precise text of the Bill is awaited, the background to it has involved consistent calls for a new regulator with broader enforcement powers, including the ability to investigate and sanction directors for neglect or breaches of duty.

In the spirit of the momentum behind these proposed legislative changes so far, King Charles III stated that it is:

"...important that all directors in the UK's most significant companies face consequences if they neglect their duties in respect of financial reporting, so the bill will allow for this."

Directors owe duties to the company to act in a way which promotes the success of the company, and in doing so must have regard for the desirability of the company maintaining a reputation for high standards of business conduct. Further, they have a duty to exercise reasonable care, skill and diligence in carrying out their duties whilst in office. The Bill intends to enhance the accountability of Directors for incorrect financial reporting.

It seems unlikely, on present information, that the Bill will implement duties on Directors which are as intrusive and stringent as SOX, but we will have to wait and see how the draft Bill develops. A UK adaptation of the SOX regime had been anticipated under the previous government, although this never materialised, as reflected in the ultimate 2024 Code. The question remains as to the direction and the detail the new government will take in drafting the Bill. The SOX provisions in the US are highly litigated and place personal liability on directors for the efficacy of internal controls. Whether or not the reforms take a SOX-style or other approach, it seems from the outline of the Bill that obligations on directors may increase vis-à-vis the provision of accurate financial information. If that happens, directors (and, indeed, D&O insurers) will need to be alive to any increased risk of claims and ensure that internal controls meet any such higher standards.
