A Chief Auditor’s perspective following the Brydon Review

We asked Rania Bejjani, an international Chief Audit and Risk Officer, and a Chartered Management Accountant with a rich cross-sector and cross-functional experience, for her practical insights and perspective following the Brydon review.

Rania has led the modernisation of global Audit & Risk teams across multiple industries, including €10bn revenue telecoms and technology multi-national VEON, UK listed international transport operator FirstGroup Plc, and US owned technology and telecoms group Colt, where she also developed, transformed and strengthened Internal Controls. 

Rania also successfully led Sarbanes-Oxley readiness for a number of large corporates including Cable & Wireless, Corus Steel and QVC during her tenure at Deloitte.

The Brydon report, published in December 2019, followed by the “Restoring Trust in Audit & Corporate Governance” white paper issued on 18 March 2021, set the tone for the next corporate governance evolution. As to when the proposed changes are to be legislated is unclear, though change is unquestionably coming, and soon – most likely over the next few months.

What is the latest on the Brydon Report?

The Brydon report led by Sir Donald Brydon, a former chair of the London Stock Exchange, includes over 60 recommendations. The white paper is open for consultation and offers three scenarios with a preferred option, which largely aligns to Brydon’s report. Primarily, Sir Brydon recommends that a new regulatory body is formed, the auditing profession is separated from accounting, and that audit firms separate assurance from advisory, and strengthen the rigour of their work, leverage technology better, expand their scope and include fraud considerations.

As per both papers, businesses and boards are also expected to improve their governance, internal controls, information flows and corporate reporting. In particular, a heavy emphasis is put on expanding the responsibilities of directors. The preferred option provided in the white paper has many similarities to Sarbanes-Oxley (SOX) requirements and recommends an annual assessment of controls over financial reporting, with deficiencies identified and remediated. Whilst it’s anticipated that new corporate governance guidelines will continue to be principles-based, away from the prescriptive approach from across the pond, even ‘lighter SOX’ efforts to address these potential requirements are still likely to be significant.

It would be advantageous for boards and businesses to start the conversation now and seize the opportunity to plan ahead.

The responsibility to guide the Board and challenge management on this matter rests on the shoulders of the Audit Committee Chair. What are the five things Audit Chairs should consider?

It would be beneficial for Audit Chairs to:

1. Understand applicability and accountability

Whilst it has not been clearly stipulated yet, and a phased approach is likely, it is expected that the new corporate governance changes will apply to all UK businesses, public and private across all sectors and across their geographical footprint; this is also anticipated to include universities, trusts, and charities.

The proposal applies to all listed businesses. If a privately owned business is of a certain size that currently requires to be audited, it is safe to expect it would be subject to the new governance requirements too, albeit perhaps with a time lag after the listed companies. Both the Brydon report and the whitepaper recommend expanding directors’ responsibilities. The white paper proposes that directors are directly accountable for material failures of management, internal controls and reporting (financial as well as cyber, ESG, resilience, etc). The Brydon report recommends directors are responsible for new policies, statements and transparency, including:

• Issuing a three-year rolling Audit & Assurance policy, to be made available to shareholders for discussion, covering all aspects of the external audit process including appointment of auditors, scope, materiality and risk relationships.
• Improving on and publishing Principal risks and Uncertainties Statement before agreeing the scope of the external audit (and perhaps by extension that of Internal Audit too).
• Replacing the current Going Concern & Viability Statement with a new revamped and broader Resilience Statement to cover a short-term going concern opinion and both a medium and long-term resilience opinion in view of risks.
• Publishing a Public Interest Statement explaining the organisation’s views of its obligations to public interest in the prior year, be it statutory or other.
• Taking direct responsibility, in the form of Audit Committee, to agree an annual assurance budget and to negotiate and agree themselves (as opposed to the CFO in the past) the audit fees.

If and when these recommendations are legislated, irrespective of which form these requirements take, there will be a marked change in terms of director responsibilities and culture. Embedding such changes would take some time to discuss, define, develop, educate and adopt. Therefore, early brainstorming and preparation would be vitally beneficial. 

2. Gauge complexity and effort

A high-level reflection by the Audit Chair on the company’s size, structure, footprint, systems, and the degree of internal controls (compliance, consistency, centralisation, automation, and integration) in place will help gauge the level of complexity and effort needed. Take a moment to consider, is the business local or geographically diverse? Is it centrally run or decentralised? Is it supported by one or more well-structured shared service centres, one accounting policy, consistent processes and one ERP system or is it a collection of disparate unintegrated local systems and inconsistent procedures? What is the calibre of the finance community at head office and across subsidiaries? Is the business well controlled? Is there a culture of compliance? Is there a history of fraud? What significant audit issues have been raised repeatedly in the past?

The more diverse, decentralised, and disintegrated systems and the more inconsistent or delinquent processes the company has, the more complex, sizeable and time-consuming efforts are likely to be needed to improve governance, controls and compliance in line with Brydon’s recommendations. If this is the case, it would be wise for the Chair to look to answer these types of questions and prioritise initiating this conversation with the Board and management. 

3. Adopt a pragmatic approach

Approach this change as a catalyst for improvement, not just a compliance exercise. An Audit Chair can expect management to start with a risk assessment of the internal controls environment covering policies, processes, systems and programmes. The assessment will flash out priority areas and some gaps, and management are likely to develop an action plan to address these and start testing controls. Going by the SOX experience, companies would achieve greater benefit if they were to approach this change as an opportunity for transformation, not just a regular compliance exercise. Companies who seized the opportunity to step back pragmatically and proactively, and looked to standardise processes, re-design and automate as many controls as possible, benefited significantly more than those who frantically documented and tested controls in-time to meet the imminent deadline. Improved efficiency, cost savings, and more reliable corporate reporting, all translate into benefits to shareholders, employees, suppliers, customers, and the public at large.

Challenge management on their scope (to include tone at the top, governance structures, information flows, reporting mechanisms and assurance functions such as risk management and audit), prioritisation, rationale, and approach. With many businesses still struggling with the implications of the pandemic, it is not possible to do everything, and businesses need a set of clearly defined parameters to prioritise action plans and resources. As a date for compliance has not been set yet, companies now have the time and opportunity to start early, effect positive change and drive long-term value, rather than just comply. 

4. Consider people and skills

Evolving governance and controls will need people with the right proficiencies to lead and execute these efforts. These people are typically skilled and knowledgeable Audit and Control professionals with experience in both Finance and IT. A conversation with management around existing resource numbers, calibre and skills, and any potential backfilling would be advantageous to ascertain what additional resources might be required. Keep in mind there is a finite number of people with the right skills and experience. Going by the situation that arose nearly 20 years ago with Sarbanes-Oxley, resource demand may rise sharply when recommendations are legislated, and the supply of resources would become increasingly scarce and costly. 

5. Act Now

The more complex the business, the greater the efforts required; hence, earlier efforts should begin. These anticipated changes are to be a series of both cultural internal changes and new responsibilities that take time, involving the whole organisation, not just immediate control adjustments made by Finance.

As the world gradually comes out of the pandemic, many businesses are rethinking their business model and driving transformation, cost control and new growth avenues. With that in mind, now becomes the opportune time to respond to this review and incorporate the recommendations.

In this ongoing transformation, businesses that sooner identify and consider inter-dependencies of process, system, controls, and wider governance, rather than those waiting for legislation, place themselves into a stronger position; minimising time and cost pressures.

Starting now also means improvements can be paced and more room to address unexpected complications. It enables an increased chance of securing the best skills available and companies will be in a greater position to lobby the government when the legislation comes up for discussion. The white paper is out and companies are now invited to respond to the consultation by 8 July 2021.

In conclusion

Change is coming, it is not a question of if, but when.

Rania Bejjani says that irrespective of what form the legislation will take, embracing the key recommendations today offers businesses a valuable platform to pro-actively reflect on their governance, controls, reporting and assurance, and to seize the opportunity to refresh and modernise; be well-positioned to enable the business to launch into a stronger, more resilient recovery.

Get in touch 

The CFO practice at Odgers Berndtson is amongst the top three in the UK executive search market and handles nearly 20% of the firm's assignments each year. It is the only global search firm with a dedicated Regional Practice working with clients across the Midlands and the North from offices in Manchester, Birmingham and Leeds.