Work to do with Turnbull 2

The recent review of the Turnbull guidance on internal controls, led by HSBC
FD Douglas Flint, has left a perception that there is virtually no change in the
requirements, according to Martyn Jones, national technical partner at Deloitte.
In reality, he says, there are three significant changes. This briefing is based
on notes compiled by him.

1. There is now a requirement to give explicit confirmation
that necessary actions have been, or are being, taken to remedy any significant
failings or weaknesses identified from the review of the effectiveness of
internal control.

Previously, there was merely an expectation that the board should consider
whether necessary actions were being taken promptly to remedy any significant
failings or weaknesses. There was no corresponding requirement or recommendation
to publish detail on the outcome of the internal control review process except
to disclose the process applied to deal with material internal control aspects
of significant problems disclosed in the annual report and accounts.

2. Previously, the Turnbull guidance stated that the board
“may wish” to provide additional information in the annual report to assist
understanding of the company’s risk management processes and system of internal

This has now been amended to state that the annual report and accounts
“should include” such high level information as the board considers necessary to
assist shareholders’ understanding of the main features of the company’s risk
management processes and systems of internal control. Deloitte’s recent review
of 50 internal control statements revealed that only 60% had a description of
the risk management processes and of internal control.

3. The preface to the revised Turnbull guidance now
emphasises that the directors should review their application of the guidance on
a continuing basis.

There should, therefore, be evidence of more than a one-off review of
internal control for periods to which the revised guidance applies.


Jones says that the change in point 1 above, in particular, may give rise to
various difficulties:

• The revised Turnbull guidance is applicable for periods commencing on or
after 1 January 2006, but some boards may decide that they can adopt it early -
for, say, 31 December 2005 year-ends with simple ‘boilerplate’ disclosure.

• Some boards will not want to imply that they have had any significant
failings or weaknesses in internal control, and may, therefore, state this
rather than giving a confirmation of actions. In reality, this new requirement
has been introduced partly to force boards to consider properly the results of
their review of the internal control system.

• Listed companies, which are also SEC registrants, might, in stating that
significant failings or weaknesses are being dealt with, imply to the SEC that
they may have material weaknesses in the controls relating to financial
reporting that the CEO and CFO have not properly disclosed, or which have not
been dealt with in the auditors’ report.

This is against the backdrop of section 397 of the Financial Services and
Markets Act 2000, which makes it a criminal offence to make a statement which is
known to be misleading, false or deceptive in a material respect. The maximum
sentence for directors for this offence is seven years in prison, or a fine or

Don’t go early

Given these changes, directors should be discouraged from going early with a
statement of compliance with the revised Turnbull guidance. They should also
give very full consideration to the issue presented by point 1 above. Deloitte
suggests a form of wording that may help manage the directors’ risk and avoid
making any unequivocal statement providing open-ended assurance:

“The board confirms that the actions it considers necessary have been taken to
remedy such failings and weaknesses, which it has determined to be significant
from its review of the internal control. This has involved considering the
matters reported to it and developing plans and programmes that it considers are
reasonable in the circumstances. [The board also confirms that it has not been
advised of material weaknesses in that part of the internal control system that
relates to financial reporting].”

The final sentence in square brackets is suggested for inclusion certainly by
SEC registrants, but potentially also by non-registrants.

Members of the board or the audit committee should also consider the
following questions.

• What is regarded as ‘significant’ for the purpose of this disclosure? Is it

• Should significant failings and weaknesses identified in the previous year, or
earlier periods, be included for consideration by the board when making their
statement of confirmation of actions taken?

• What indicators and sources of evidence have been examined to check whether
there are significant failings or weaknesses?
These might include:
- internal audit reports;
- confirmations from key department heads and from management of significant
subsidiaries and divisions;
- reports by regulators;
- internal correspondence;
- history of past problems.

• Has consideration been given to whether an identified failing or weakness
has also affected or could also affect other areas of the business?

• Is someone allocated to each identified significant failing or weakness to
ensure that it is properly managed and reported upon?

• Is there sufficient documentation of the plans and remedial programmes in
respect of the rectification of significant failings and weaknesses? Has there
been adequate follow-up on this plan? Is separate assurance work necessary?

• Have proper key risk indicators and project reporting measures been put in
place for each identified significant failing or weakness?

• Are the heads of internal audit and the director of risk management
satisfied with the proposed disclosure?

• Are there sufficient board papers on this issue as a whole?

• How are these matters to be kept under review on a continuing basis?

