An effective internal control environment for EU filers: does it lead to greater protection of capital-market stakeholders?
Internal controls that are effectively designed, operated, and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.
Recent high profile corporate failures and scandals in Europe have damaged the public’s confidence in both the quality of financial information and in the transparent functioning of capital markets. In many cases, these failures have been attributed to inadequacies in the corporate internal control environment.
Existing EU legislation requires an entity whose securities are traded on an EU regulated market to include, in its annual financial reporting, a corporate governance report describing the key aspects of its internal control and risk management systems pertaining to financial reporting. Individual Member States may set more extensive requirements and national legislative frameworks cover a wide range of different approaches. These factors have contributed to an EU debate over the need for a more consistent and stronger approach to legislation governing corporate internal controls in Member States.
In this context, in November 2021 the European Commission (EC) published its Consultation Paper ‘Strengthening of the Quality of Corporate Reporting and its Enforcement’. It seeks views on whether and how to strengthen the three pillars of high-quality and reliable corporate reporting: corporate governance, statutory audit, and supervision both of auditors and companies, acknowledging their key importance for healthy financial markets, business investment, and economic growth.
Internal controls are fundamental for high-quality and reliable corporate reporting
Deloitte believes that high-quality and reliable corporate reporting, including future sustainability information, is of paramount importance for both capital markets and society in Europe. It helps protect stakeholders against unexpected corporate failures, channels finance to strong, sustainable businesses, and encourages cross-border investments. Internal controls that are effectively designed, operated, and maintained, with appropriate oversight, are fundamental to high-quality corporate reporting.
To this end, we welcome the EC’s holistic approach, which aims to address possible shortcomings in the corporate reporting ecosystem. We support evidence-backed and proportionate changes to EU legislation in the three pillars (corporate governance, statutory audit, and supervision both of auditors and companies), to help safeguard the long-term sustainability of enterprises and improve the reliability of corporate reporting.
Management’s role is key to designing, implementing, and maintaining effective internal controls
The primary responsibility for the quality and integrity of corporate reporting rests with the company’s management and board. Consequently, management should design, implement, and maintain effective internal controls over corporate reporting, as well as assess their effectiveness, under an established, reliable, and well-understood internal control framework aligned to the key risks in the entity’s business model, including a focus on the risk of fraud and going concern. In this context, enhanced requirements for management to publicly assess the proper design and the operating effectiveness of the company´s relevant internal procedures and controls are key to greater reliability of financial reporting.
Deloitte supports EU legislative proposals that further contribute to audit quality and the value that an audit provides
External auditors are responsible for delivering audit services with quality and integrity, in accordance with appropriate standards. Later in this article we refer to research that shows:
- The external auditor’s ability to conduct a high-quality financial audit would benefit from an increase in the quality of the internal control environment of the audited company and the effectiveness of the company’s corporate governance
- High quality external audits of the system of internal controls pertaining to financial reporting benefit the quality of the overall information in financial statements and increases the entity’s focus on their control system.
Therefore, we support EU legislative proposals that: i. require the auditor to audit the design, implementation, and operating effectiveness of relevant internal controls, and; ii. set standards to issue an associated assurance report.
In addition, we believe that any future developments that will further contribute to audit quality and the value that an audit provides, will also increase the attractiveness and credibility of the audit profession, which in turn will help it provide enduring support to capital markets.
Changes to the EU’s legislative framework should be scalable and proportionate. We recognize that designing and maintaining effective internal controls can be more challenging for smaller companies, so the legislation could exclude smaller issuers in the initial phase, with the option to change the threshold at a later stage. Smaller listed companies could, of course, elect to report on the effectiveness of internal controls and obtain an auditor’s assurance too, on a voluntary basis.
Components of an optimal EU legislative and regulatory framework to evaluate and report on internal controls systems
The need to provide an independent point of view on reported information is more important than ever.
Meaningful reporting and robust governance mechanisms are key tenets of public interest and drive trust