Policy Pulse January 2017

Upload: darren-desmond

Post on 12-Apr-2017


Sections

Policy Pulse contents

• Welcome

• Culture: the key to sustainable growth

• Regulatory spotlight shines again on executive remuneration

• Integrated reporting comes of age

• Data protection: once more unto the breach

• Investing in high quality audits

• Brexit: navigating uncertainty

• Recent regulatory developments worth watching

Since our last issue, the UK Government continues to prioritise innovation, growth and prosperity in a world of disruption. Our Prime Minister continues to communicate a keen willingness to partner with business to build an economy and society that works for everyone. This is evidenced by the Green Paper on corporate governance reform published on 29 November 2016, to which we will respond. It shows that the new team at Number 10 recognises that the UK’s unitary board system is a real strength and that the Prime Minister is open to exploring different models of worker representation other than imposing workers on boards. Coupled with this is the ongoing debate about how and when Brexit will be managed, and of course the upcoming change in the presidency of the USA looks set to add more uncertainty in terms of international trade and commerce.

Against this back-drop of shifting political perspectives and priorities it’s more important than ever to keep your finger on the regulatory pulse. As the name implies, Policy Pulse is here to help you do just that, with the insight and questions you need to help you navigate your way through these interesting times and capitalise on the opportunities they present.

This edition includes content from EY’s leading experts on the topics of executive remuneration, data protection, integrated reporting, audit quality and Brexit. In addition, we are delighted to include comments from Sir Win Bischoff, Chairman of the Financial Reporting Council, on the importance of developing and managing an effective corporate culture.

To discuss any of these articles in more detail, please contact EY’s Regulatory and Public Policy team.

Eamonn McGrath UK Head of Regulatory and Public Policy

Welcome to EY UK’s Policy Pulse


Our publication is designed to provide you with an overview of the most important regulatory and public policy developments facing you and your business today, in the areas of reporting, auditing and governance.

Policy Pulse — Regulatory & Public Policy — January 2017

Section 1

Culture: the key to sustainable growth

In July 2016 the Financial Reporting Council (FRC) published the results of its study on corporate culture and the role of Boards. It “looks at the increasing importance which corporate culture plays in delivering long-term business and economic success”.

EY’s Corporate Governance team has completed their third annual review of annual reports and accounts published by the FTSE350 and found ‘Culture and People’ to be among the five key themes reported on.


Reference source: Annual reporting in 2015: evolving communication in a changing world, page 31, published by EY.

Was there a clear indication of how the board measures culture? 9% 91%


Interview with Sir Winfried Bischoff, Chairman, Financial Reporting Council (FRC)

Culture in a corporate context can be defined as a combination of the values, attitudes and behaviours manifested by a company in its operations and relations with its stakeholders. These stakeholders include shareholders, employees, customers, suppliers and the wider community and environment which are affected by a company’s conduct.

Business, society and the corporate governance framework

Companies do not exist in isolation. They need to build and maintain successful relationships with a wide range of stakeholders in order to prosper. These relationships will be successful and enduring if they are based on respect, trust and mutual benefit.

Business’ reputation is still recovering from the impact of the global financial crisis and continuing examples of poor corporate behaviour. As we have seen, cultural failures damage reputation and have a substantial impact on shareholder value. Intangible assets such as intellectual property, customer base and brand now account for over 80 per cent of total corporate value, compared to under 20 per cent 40 years ago. This shift magnifies the impact on total value when a reputational crisis occurs. This is a challenge for boards, which must find ways to understand and influence the factors which affect culture and behaviours.

The debate about the role of business in society is directly linked to the way in which companies create and sustain long-term value for the benefit of a wide range of stakeholders. From the outset of our work the FRC has been clear that we wish to offer constructive observations which have practical application. We are not suggesting changes to the current flexible framework of corporate governance.

While legislation, regulation and codes influence individual and corporate behaviour, they do not ultimately control it.

The Companies Act 2006 makes it clear that in pursuit of the overarching duty to promote the success of the company for the benefit of the members as a whole, directors should take account of a range of stakeholders in making decisions. Inevitable conflicts will arise between the interests of different sets of stakeholders but where there is a broad alignment between their objectives, a focus on how business is conducted and how stakeholders are treated will create opportunities for value creation that have mutually reinforcing benefits for all.

All of the copy above is an extract from the FRC’s report called: ‘Corporate culture and the role of boards, report of observations, July 2016’. Shortly after this report was published we asked Sir Win for his views on the following points:


1. Why does trust and integrity need to improve?

Trustworthy behaviour throughout a company is as important as trustworthy information. This helps investors decide where to allocate their much needed capital and help deliver jobs, growth and prosperity to drive the economy and support society as a whole. Treating all stakeholders, including customers, staff and suppliers with respect makes companies more investable. Culture sits at the heart of this cycle.

When deciding the cultural direction of a company, it is important to consider the views of all stakeholders not just those of shareholders. Adopting such an approach is a vital component of corporate success and an essential indicator of trust. A positive culture is backed up by incentives, clear communication and training opportunities to promote the delivery of value.

2. Why now?

With the Government and others taking a close interest in issues that portray business as out of touch and uncaring, companies face a wake-up call to look at their own cultures before winning back broad support from society as a whole. Companies must establish a culture that encourages good behaviour, which operates through all levels of the organisation and which becomes embedded in the mentality of all staff.

3. Whose trust needs to be won?

Society as a whole. Society wants company behaviour to improve, and culture to change. It expects a company’s culture to instil confidence among its investors and other stakeholders, and to deliver the company’s objectives in a way that enhances long-term value.

4. How do you define and measure it?

The most commonly cited sources of cultural insights are:

1. Employee engagement surveys and pulse surveys

2. Whistleblowing incidents

3. Employee turnover and exit interviews

4. Customer feedback

5. Grievance data

6. Incentive payments

There are many others. HR holds a lot of data which can be drawn on. Also customer and supplier feedback, attitudes to compliance, remuneration policies and decisions and attitudes to employees, social media and sites such as Glassdoor, where employees give views on what it is like working for their employer. These are all worthwhile sources.

Some companies have developed a cultural health index which they run at regular intervals and which can identify hotspots before they become evident in other ways. These can then be investigated further.

More sophisticated measurement tools are being developed such as the one we were shown by EY recently. They capitalise on the explosion in the volume of data available and the technological capacity to mine that data and extract the underlying messages and identify risk areas. As measuring culture becomes mainstream, it seems likely that more companies will deploy such methods to track what is happening in their organisations.

Questions & Answers


5. When do you know when you’ve got it? And how do you preserve it?

Fostering a healthy culture that is aligned to the company’s purpose, strategy and business model is not a one-off exercise. As the external environment and challenges affecting business change, so may the culture needed to deliver long-term value. In a healthy culture, the systems, the procedures, and the overall functioning and mutual support of an organisation exist in harmony. Boards need to assure themselves that they know the culture they have, and the culture they want by asking good questions and making informed decisions. This will contribute to the overall success of business and create an environment on which society can depend and our economy can continue to prosper.

6. What’s the FRC’s role in all of this?

The FRC strives to promote high quality corporate governance and reporting in the public interest. Trustworthy information helps meet the needs of investors, generates confidence in the stewardship undertaken by corporate boards and is an important indicator of good culture in action. High standards of corporate governance and reporting are important for the fair and effective functioning of the capital markets that benefits investors, companies and the wider public interest.

As custodians of the UK Corporate Governance Code we have played a strong and positive role in defining and helping companies to set down in practice what good corporate governance means. The Code is not a rulebook and the FRC does not wish it to be viewed as such. The “comply or explain” approach gives companies flexibility in how they govern themselves. Boards should give extensive thought to how they apply the Principles of the Code and consider carefully when they wish to depart from its Provisions, providing a clear rationale when this is the case.

The FRC is well aware that strict adherence to the Principles and Provisions of the Code is not, on its own, an indication that company culture is completely healthy. Codes set out principles for best practice that, if followed, make bad behaviour less likely to occur; and public reporting can make it harder to conceal such behaviour.

But, by itself, a Code does not prevent inappropriate behaviour, strategies or decisions. Only the people, particularly the leaders within a business, can do that.

The focus on the longer term was underlined in 2014 when the Code introduced a ‘viability statement’ to strengthen boards’ attention to the longer term and the sustainability of value creation. This will also provide investors with an improved picture of the state of the business and its prospects.

This is why in 2016 we took a closer look at the role of the board in shaping, embedding and measuring culture. Our report sought to provide boards with a prompt to reflect on the role it plays in relation to company culture and provide some practical ways the board can take action.

The UK voted to leave the EU, and Prime Minister Theresa May announced Article 50 will be triggered by the end of March 2017, with no running commentary on the negotiations, meaning there will be a continuing knowledge vacuum in which markets will make assumptions and react accordingly. As regulators we mustn’t be complacent but tread carefully. No knee-jerk decisions! We will carefully consider what is best for the sectors and professionals we regulate and right for the long-term health of the stakeholders we serve.

Section 2

Regulatory spotlight shines again on executive remuneration

Since the Cadbury report in 1992 executive remuneration has become increasingly topical amongst legislators and regulators. This culminated in 2013[1] with new UK legislation on remuneration policy and reporting. It now seems as though everything is coming full circle with, amongst other things, the Government’s Green Paper on corporate governance reform which seeks views on the following three topics:

• Shareholder influence on executive pay

• Increasing the connection between boards and other interested groups, such as employees

• Extending corporate governance features to large privately-held companies

[1] The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013.


In September 2016 the Business, Energy and Industrial Strategy (BEIS) Committee launched an inquiry into corporate governance. During the same month the UK Prime Minister Theresa May made various statements about the Government’s aims to seek reforms to the way companies are governed, with a focus on executive remuneration (e.g., curbing excessive pay). In response, the Financial Reporting Council said in November 2016 that when it next reviews the UK Corporate Governance Code it will consider the role of the remuneration committee, especially in relation to reporting on the link between remuneration structure and the company’s strategy. The Investment Association also published a revised copy of its guidance on remuneration in October 2016[2], and at the end of November 2016 BEIS published a Green Paper on corporate governance reform. The paper seeks views on:

• Shareholder influence on executive pay

• Increasing the connection between boards and other interested groups, such as employees

• Extending corporate governance features to large privately-held companies

The continued focus on executive pay has an underlying aim of maintaining and protecting the UK’s strong reputation for corporate governance. However, whether further Government intervention in this area will reduce the overall quantum of executive pay levels and increase public confidence in the business sector remains to be seen, and will no doubt be strongly debated. We will take a closer look at the Green Paper in our next edition of Policy Pulse.

A mix of new initiatives

This new influx of initiatives has broadened the debate on remuneration amongst the media and other interested parties. For example, in addition to key aspects of the Green Paper, we see views expressed on topics ranging from the capping of remuneration to the abolition of bonuses.

Remuneration committee chairmen could easily be forgiven for being distracted by these and other initiatives, in terms of considering which ones should be prioritised for the attention of committee members. Outlined below are the ones we would expect to see on the committee’s agenda.

Influencing how executives are paid

Since the UK Government’s regulations on remuneration were introduced in 2013 there have been calls from investors and others for less complex remuneration policies e.g., reducing the number of pay elements, paying executives only in equity, removing complicated share schemes and reducing the number and complexity of metrics used in bonus schemes.

Particular attention is being paid to Long Term Incentive Plan (LTIP) structures, led by the Executive Remuneration Working Group (ERWG). The ERWG was established by the Investment Association in the autumn of 2015 as an independent panel to address the concern that executive remuneration has become too complex and is not fulfilling its purpose. In its July 2016 report[3] it suggests that companies feel under pressure to adopt a one-size-fits-all LTIP model, which is helping to create this complexity.

One approach advocated by some investors is the wider use of restricted share plans. These involve the receipt of shares by executives which remain subject to forfeiture if certain performance requirements are not met.

[2] The Investment Association’s Principles of Remuneration, October 2016

[3] Executive Remuneration Working Group – Final Report (July 2016)

Such plans are often simpler than LTIPs and provide a much clearer upfront indication of costs. However, restricted share plans are not the new one-size-fits-all solution and companies should assess whether they are appropriate for their business (e.g., in terms of growth cycle and industry sector(s)).

Limiting what executives are paid

In a statement made to Parliament in September 2016, UK Prime Minister Theresa May referred to the G20 Summit in China and restated her Government’s aim to, amongst other things, crack down on excessive pay. This has raised expectations on when and how the Government will cross the Rubicon and determine what excessive pay means and how it can be curtailed. Responses to the Green Paper should help to give an indication of the Government’s future direction of travel on this issue.

Many companies are preparing to re-submit their remuneration policy to a binding shareholder vote. Investors are encouraging companies to make changes to their remuneration policies which go above and beyond the regulations (and clarifications following the Government’s paper assessing how companies have implemented the UK reporting regulations of 2013[4]). For example, some are calling for bonuses to be capped as a percentage of salary, or for a maximum level of total remuneration to be paid. Although caps should initially limit remuneration, introducing them without proper consideration may result in unintended consequences.

For example, over time a cap can evolve into a minimum level which all expect to receive. This can have the effect of ratcheting-up the level of fixed pay (which in turn drives up variable pay). Limiting total remuneration can also have negative effects on high performing businesses where, for example, further potential growth goes unrealised as it would not be rewarded. In the UK financial services sector such an approach has resulted in more complex pay arrangements with the introduction of special allowances.

Given the range of issues which can arise from capping, it seems that perhaps more attention should be focused on the link between performance and pay, be it the mechanics (e.g., special bonuses and awards), metrics or targets. The Investment Association’s latest principles on remuneration include the provision that remuneration structures should include pre-agreed and documented malus and/or claw back provisions for each executive, allowing respectively the forfeiture of all or part of a bonus or long-term incentive award before it has vested and been paid, and/or the recovery of sums already paid.

Enhancing the governance of executive pay

One approach under consideration in the Green Paper is the introduction of an additional binding shareholder vote (currently only applicable to the remuneration policy report). The intention is that enhanced voting powers will enable shareholders to hold companies to account more effectively on executive pay levels. The potential downside is the risk of protracted voting processes which could undermine relationships with shareholders, and negatively impact on future company performance.

Another approach is the publication of ratios between executive and employee pay. This would take a similar form to the new UK legislation[5] requiring large employers to calculate their gender pay gap from April 2017 and publish the details by April 2018.

Focusing on sector league tables (as is the case with the pay gap) may help address the problem of different ratios being used in different industry sectors. However, the risk remains that using a single statistic may drive the wrong behaviours in some companies. For example, some businesses may attempt to change their structure and/or outsource lower paid jobs to shared services providers to help improve their ratios.

Next steps

Although the outcome from the current debate on remuneration is uncertain, the sheer volume of initiatives and ideas on the subject leaves us in no doubt that there is a desire for change amongst legislators, companies and their stakeholders.

The Green Paper brings all of this into focus, and what remains clear is the underlying principle upon which executive remuneration is founded. It should, first and foremost, support the achievement of a company’s long-term business strategy. This means that as each company’s condition and situation changes, its remuneration policy should change accordingly.

This task rests with the board and its remuneration committee, to meet the needs of the business while balancing the demands of its stakeholders. The challenge is to develop a remuneration policy that meets with the approval of shareholders, and for these committees to stay focused on this task by keeping informed of shareholder requirements and regulatory developments on an ongoing basis.

[4] BIS Research Paper No. 208 - How companies and shareholders have responded to new requirements on the reporting and governance of directors’ remuneration – March 2015.

[5] Equality Act 2010 (Gender Pay Gap Information) Regulations 2016 issued on 12 February 2016, setting out the detail of the gender pay gap reporting duty.

Questions worth asking

• What steps will the board take to develop a policy that reflects incentives for the long-term interests of the business?

• How will the board engage with investors and other stakeholders on next year’s remuneration policy?

• How does the board plan to formulate a remuneration policy that meets with the approval of shareholders?

Section 3

Integrated reporting comes of age

In December 2016, The International Corporate Governance Network (ICGN) and the International Integrated Reporting Council (IIRC) presented a joint conference to inspire dialogue around the alignment of corporate reporting to long-term value creation.

In light of this, some companies are beginning to adopt the principles of the International Integrated Reporting Framework (“the Framework”)[6], including the application of ‘six capitals’ in their annual reports and accounts.

[6] The International Integrated Reporting Framework was developed by the International Integrated Reporting Council (IIRC), and launched in December 2013. Paul Druckman, former CEO of the IIRC, joined the board of the Financial Reporting Council on 1 January 2017. He chairs the Corporate Reporting Council and sits on the Codes and Standards Committee.


[7] In August 2013 The Companies Act 2006 (Strategic Report and Directors’ Report) Regulations 2013 took effect. This requires UK incorporated quoted companies to provide a description of their strategy, objectives and business model. In addition, they have to explain the main trends and factors affecting the entity; a description of its principal risks and uncertainties; an analysis of the development and performance of the business; and an analysis using KPIs. Disclosures about the environment, employees, social, community and human rights issues are also required when material. There is also a requirement to include disclosures on gender diversity at a senior level, greenhouse gas emissions and human rights in the supply chain of the organisation.

This is enabling them to publish Integrated Reports (IR), showing how the input capitals of their business models are converting into output capitals, creating competitive advantage and commercial return, as well as broader social value (e.g., British Telecom, Philips and UBS).

The six capitals, used for the production of goods and the provision of services, can be summarised as follows: i) financial (e.g., raised through debt and/or equity); ii) manufactured (e.g., plant and machinery, as well as the broader physical infrastructure which sustains a modern economy); iii) intellectual (e.g., know-how, patents, copyrights and licences); iv) human (e.g., competencies, skills and professional experiences of employees); v) social (e.g., relationships within and between stakeholders and other networks); and vi) natural (e.g., all renewable and non-renewable resources).

The option of adoption

The adoption of the Framework is building momentum at different rates in various countries and regions. The UK appears to be more advanced than most in this regard, spear-heading the principles of the IR with a close alignment between the Framework and the UK’s requirement for a Strategic Report (SR)[7]. The recently implemented Directive for Non-financial Reporting is also expected to act as an accelerant for these principles in the UK, despite the impending Brexit.

Divided by a common report

Our clients frequently ask us to explain the difference between an IR and an SR. Whilst there are a number of important areas of overlap (e.g., business model, description of the business strategy, a focus on value creation and a de minimis requirement for certain non-financial KPIs), there remains one significant difference between the two. This can be boiled down to the simple question of whether the company is choosing to tell the story of how it creates value through the exclusive lens of financial and manufactured capital, or whether it is looking at value creation through a broader prism which encompasses other types of capital such as human, social, intellectual and natural.

Financial and manufactured capital are the natural domain of the professional accountant. Whilst many companies are publishing an SR which only references financial and manufactured capital as the basis of their value creation, such reports will be inherently constrained by the limitations of the language available (or permitted) to the accountant. By contrast, leading integrated reporters are looking at how they create value across all six capitals, drawing on emerging frameworks for the likes of human capital or natural capital accounting. BT, for example, describes how its investment in stakeholders and relationships (i.e., social capital) is helping to create a more digitally-inclusive society, whilst Philips looks at the contribution of its investment in intellectual capital to new patent applications and intellectual property royalties.

The six capitals help address the question of how companies communicate their historic value creation and provide a perspective on their future value creation prospects in a more substantive and meaningful way to their investors. By addressing value creation across six capitals rather than one or two, integrated reporting is enabling a corporate reporting model from the steam age to be adapted to the digital age.

Taking the plunge

There are two significant challenges companies must be prepared to face if they decide to follow the Framework. Firstly, they have to identify the right mix of KPIs, collecting the supporting data and where appropriate assuring it, to demonstrate how effectively they are realising their strategic objectives. Secondly, they need to demonstrate the connections across the six capitals, especially the relationship of each one to the organisation’s underlying commercial performance.

The first challenge is the easier one to address, especially in the world of Big Data where it has never been easier to assess a range of perspectives on how an organisation is creating (or destroying) value. For example, companies have supplemented formal employee engagement surveys or supplier surveys with social media trends, to provide an external and informal (but no less insightful) assessment of corporate performance.

The second challenge is more difficult because research is only just emerging that demonstrates objectively how certain so called non-financial capitals impact on commercial performance (e.g., that greater diversity contributes to better decision making). This challenge becomes even greater when consideration is given to the dynamic interplay between all six capitals, and how this mix impacts on performance. This requires a more sophisticated appreciation of value creation and its drivers.

Thinking and reporting in an integrated way

Companies in highly regulated industries (e.g., utilities) are beginning to embed the interplay of different capitals into their strategic decision making, drawing on this objective analysis of value creation across the six capitals in their discussions with the UK Government.

This creates more integrated thinking, and we regard integrated thinking and integrated reporting as two sides of the same coin. They are inter-related processes and cultures, which have in common a broadening of horizons on what is meant by value from a narrowly prescriptive focus on financial and manufactured capital, to a more complete and encompassing perspective on how other types of capital contribute to value creation.

Integrated thinking and integrated reporting will play a critical role in the creation of a sustainable economy in the UK and beyond. It will provide companies with the insights they require to make the right long-term investments, and investors with the information they require to allocate their capital to the most sustainable companies which will generate the strongest long-term returns.


Questions worth asking

• How embedded is integrated thinking in your organisation?

• Have you identified all the capitals which contribute to the value your organisation creates?

• How effectively does the company’s annual report reflect this underlying integrated thinking?

Section 4

Data protection: once more unto the breach

From 25 May 2018 EU Member States will be expected to have implemented the General Data Protection Regulations (GDPR) and the Directive on the Security of Network and Information Systems (the Directive).


A failure to report a data breach within the specified time frame, and without a reasonable explanation, may lead to a fine of €20mn or 4% of gross annual turnover, whichever is the greater.


We expect that companies’ customers will be considering how an organisation rates in terms of data security, as well as the quality of its goods and services.


This will introduce several changes for EU citizens. The most notable will be more control over personal data, with the assurance that holders of this information who are subject to a breach in security will be required to report the incident within 72 hours of it occurring.

We take a look at these and other GDPR requirements from a Brexit perspective, with reference to guidance published on 5 October 2016 by the Information Commissioner’s Office (ICO).

From if to when

The ICO acknowledges that regardless of when Brexit happens, this legislation will prevail in the UK in one form or another. The need for effective legislative intervention on data protection is now a given.

Indeed, over the past 30 years the realisation has finally dawned amongst government and business, that it’s not a matter of if the security of an organisation’s data is breached, it’s a case of when and the level of preparedness to deal with it. This means developing incident response capabilities and forensic readiness planning, incorporating the usual security representatives as well as teams of experts in legal, public and media relations, and customer services.

Defining a breach

One issue the GDPR seeks to address is the challenge of developing consistent and comparable definitions. This is in relation to data and what constitutes a breach of that data, with the corresponding follow up procedures.

The GDPR states that: ‘Data Controllers will be required to report data breaches to their data protection authority unless it is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data controllers becoming aware of it, unless there are exceptional circumstances, which will have to be justified.’

The Directive complements this with standardised requirements which aim to boost the overall level of cyber security in the EU, by ensuring that Member States are:

• Prepared and appropriately equipped, e.g. via a Computer Security Incident Response Team (CSIRT) and a competent National Information Security Authority (NISA)

• Willing and able to work with each other by setting up a Cooperation Group, in order to support and facilitate strategic cooperation and the exchange of information, and a cross-state CSIRT network to promote swift and effective responses to specific cyber security incidents

• Capable of developing a “culture of security” across sectors, especially those with significant infrastructure implications including utilities, transport, banking, healthcare and digital (e.g., providers of cloud-computing services).


Defining data

The data to which this legislation refers includes any digital Personally Identifiable Information (PII). The GDPR requires entities to conduct Privacy Impact Assessments of their PII, so they understand the scope and scale of their IT estate and where precisely PII is held.

PII data assets come in many forms from spreadsheets, purpose built databases and emails, to unstructured data. Many different areas of a business will generate, collect and process PII data on an ongoing basis. So keeping a track of it is a herculean task which many companies seem to have regarded as a low priority. Once the GDPR is in place they will be obliged to make this a high priority.

Fines and fall-out

The task of identifying and accurately reporting a data breach can be a challenge for most companies. It should also be noted that when a breach occurs, fallout from negative publicity will no doubt make some more reluctant than others to publicise it. In addition to this it seems that regulatory sanctions have been relatively modest and accordingly they have not offered much of a deterrent against the loss of data. The maximum fine the ICO can levy against a company for losing PII is £500,000.

A potential consequence of this is that some companies may be less inclined to prioritise investment in the prevention of such breaches. The GDPR aims to counter this and shake out any remnants of complacency or foot-dragging by companies which find themselves a victim of a data breach. For instance, a failure to report a data breach within the specified time frame and without a reasonable explanation, may lead to a fine of €20mn or 4% of gross annual turnover, whichever is the greater. So there will be nowhere to hide and a financial penalty likely to arouse the interests of investors and other stakeholders who might ordinarily be indifferent or disengaged on the subject.

Taking the next steps

Companies need to develop a security strategy so they know exactly what it is they are trying to protect. To do this they need to create and maintain an asset inventory. An additional element to this is the requirement to perform a Privacy Impact Assessment (PIA) for each system that processes PII data.

Whilst some companies may be doing this already (e.g., banks), it’s less likely that smaller businesses have taken the same steps. So therein lies the challenge for service providers to develop the capacity and economies of scale to offer help and advice on this topic to all companies that will be affected by the GDPR.

Before too long we expect that companies’ customers will be considering how an organisation rates in terms of data security, as well as the quality of its goods and services; a potentially seismic shift in terms of consumer priorities.

Our interest in these changes lies across many business areas, particularly in the fields of cyber threat intelligence, incident response and the legal landscape. The proactive hunt for PII data within corporate infrastructures is also proving to be invaluable to businesses, especially those which are mindful of the potential fine that awaits if/when their PII is breached. So making an early start and preparing now is the best advice we can offer.

For ease of reference we have included links to the ICO’s guidance on the GDPR and the Directive.

Information Commissioner’s Office (ICO) published some guidance: ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

Directive on the security of Network & Information Systems (NIS): ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive


Questions worth asking

• How will the board develop a data security strategy for the business?

• How will the business conduct a Privacy Impact Assessment?

• What steps have been taken already to identify where personal data is held in the business?


Section 5

Investing in high quality audits


Regulatory oversight on audit quality has never been greater, which reflects the vital role played by auditors in the functioning of capital markets by promoting transparency and supporting investor confidence. Companies, regulators and other stakeholders count on us to deliver excellence on every audit, and meeting their expectations is an absolute priority for us.


Here we outline the investment we make to meet these requirements:

The fourth industrial revolution

We live in a world where the pace of change is relentless. Often referred to as the fourth industrial revolution, the combined effects of data proliferation, digital disruption, globalisation and technological advances are just some of the matters that we all grapple with in our working world. This is why we have to keep investing in our audit business to continue improving the audit quality on which we pride ourselves, so we can be certain of sustaining trust and confidence in what we do. In practical terms this means investment in technology, people, training and processes.

Technology

Over the past three years we have invested heavily to create the technologies needed for the audit of the future. $400mn has been spent on new audit technology to utilise analytics and automate audit workflows. Teams can now develop and share best-in-class algorithms and apply these on client data, securely hosted on EY platforms. The audit of the future will look at other indicators beyond those constrained by structured financial data. To this end, we are investing in assessing our clients’ cultures using various analytics tools. The understanding we gain, when combined with other structured and unstructured data observations, is giving us greater insight into potential risk areas.

People

Our people are the bedrock of our business and we invest in them in many ways from the time we spend recruiting them, to the provision of on-the-job coaching, review processes and support systems. As the scope of the audit changes over time, together with the use of new technology, investment in people will remain highly important. We want to be the most favoured employer, and to this end we are winning awards for our people experience, but we continue to aim for more. We recognise that the growth we are achieving, and want to continue to achieve, requires additional investment in people.

For example, in 2015/16 we increased the size of our audit team headcount by 17%, placed a greater focus on our recognition and reward system and began work with cognitive psychologists to carry out behavioral modelling. This involves identifying what our highest performing auditors do, so that our coaching programmes can help others to emulate their success.

Training

Our policy is that every one of our auditors must receive at least 20 hours training per year and 120 hours over each 3 year period. In reality, the actual level of training is far higher. Looking at the calendar year of 2015, partners and qualified staff received between 48 and 76 hours training each. Our people who are not yet qualified will receive even more training as they participate in our own internal training, as well as training for professional qualifications.


Processes

We should not ignore the significant number of processes we have to support people delivering high quality audits. These are numerous, but key ones are the technical departments, the subject matter specialists, the consultation processes and the quality control checks on audits.

For example, two years ago we established a new detailed hot file review process for c.50 audits each year to provide additional support for engagements with higher risk factors. This work is in addition to our annual cycle of quality reviews of individual directors and partners authorised to sign audit reports which cover more than a third of all UK colleagues holding this responsibility.

The acid test

So what does all this tell us? Firstly, audits are never easy and we are conducting them against a backdrop of change, which makes it all the more challenging to maintain the highest quality. Secondly, we only achieve what is required with continued investment and keeping a clear line of sight to the needs of our ultimate customers i.e., the investors.

This is why we continue to engage with investors to understand their future needs. One way we do this is through our Investor Dialogue events. For the third consecutive year we have met with many of the leading investment firms for broad discussions on areas of interest to them e.g., the delivery of long-term value from companies, and the growing significance of intangible assets as drivers of that value. This helps inform us where the provision of assurance will evolve, and where we will need to invest to maintain high quality audits in the future.


Questions worth asking

• What are the main qualities you look for in an auditor?

• How does your audit committee assess the quality of the audit process?

• When the audit next comes up for tender, how will the committee make use of external regulatory reports on the auditor?


Section 6

Brexit: navigating uncertainty


We have recently published the latest issue in our series of Thought Leadership papers on the impact of Brexit on financial institutions operating in the UK. It explores some of the options and questions facing their boards. It also contains a discussion of the potential longer-term implications for the City of London. Of course, implications for the City will have ramifications for businesses of all kinds.


This is especially the case in terms of having ready access to primary markets to achieve a public listing, and/or the use of liquid secondary markets to attract new investors and finance for long-term growth. Added to this is the provision of insurance in all its various forms, the management of pensions, forex and the plethora of commodity markets.

The providers of all of these services and facilities face similar challenges related to Brexit. The key themes which underpin them include: the strategic considerations for boards to take, both now and as the negotiation process becomes clearer; how best to frame the potential deal between the EU and the UK amidst the numerous commentaries and theories surrounding the negotiations; and the European-wide political context behind the talks — how national interests and events across the continent may play a large role.

On this third point, the paper includes a calendar overview of major governmental and political events in the next three years. This offers a wider understanding of how the negotiation process will be just one part of many moving parts over the coming years, and how timing should be a key consideration in a board’s Brexit strategy.

Questions for the board

The paper is neither an exhaustive analysis of all possible scenarios, nor is it a forecast. Rather, recognising that time is short and that major strategic decisions will have to be made rapidly, we present a set of assumptions which we believe represent a sensible starting point for strategic planning, and for the intellectual challenge that should accompany it.

The immediate questions that we consider key for boards to be asking now include:

• What elements of my current business are dependent upon access to the EU Single Market?

• What are the specific legal, regulatory or treaty provisions that enable that?

• What indirect elements of UK membership of the EU facilitate or enable some or all of my business activities?

• To what extent does my business rely on EU free movement provisions? (i.e., employees’ right to reside and work, internal and client travel, future hiring plans?)

• What are the worst and best case scenarios for access to the EU Single Market for my preferred mix of financial services and the consequent implications for my business?

• What remedial actions are open to me?

• Can I anticipate any new opportunities or lines of business as a consequence of Brexit?

• How attractive does London continue to be as a location for some or all of my businesses?

• Do I need to alter the physical or legal structure of my businesses?

Overall, whilst the effect of Brexit may well prove material for some business models and firms, we do not anticipate that Brexit will prove catastrophic for the City of London. The paper outlines the importance of the ‘Cluster Effect’ of London, and how its culture, hard-won reputation for prudential and regulatory excellence, and flexibility will continue to ensure its status as a leading financial centre. We would be very interested in your response to this work, and would be delighted to discuss the findings in more detail.

http://www.ey.com/gl/en/industries/financial-services/fso-insights-uk-eu-planning-for-uncertainty


Questions worth asking

• What steps will you take to help ensure your business model is Brexit-ready?

• How will you manage and mitigate the risks of Brexit to your business?

• How will you report on Brexit to your people, investors and other stakeholders?


Section 6

Recent regulatory developments worth watching


Audit quality reviews by the Financial Reporting Council (FRC)

The FRC conducted a thematic review of the use of Root Cause Analysis (RCA) as undertaken by audit firms, as part of the FRC audit quality review programme. The aim is to provide an understanding of audit firms’ RCA procedures to identify how they may be improved, in the interests of promoting good practice and driving a continuous improvement in audit quality. The FRC states that RCA enables firms to implement more focused actions by understanding the causes of audit quality inspection results.

UK Government inquiry into corporate governance

The Business, Energy and Industrial Strategy (BEIS) committee launched an inquiry into the way UK companies govern themselves. The committee is interested in assessing executive pay, directors’ duties and the composition of boards, including worker representation and gender balance. It wants to see if company law is sufficiently clear on the role of directors and non-executive directors, and whether companies should face additional duties to promote greater transparency.

Auditor skills gap report published by the Institute of Chartered Accountants of Scotland (ICAS) and the Financial Reporting Council (FRC)

ICAS and the FRC published a report in September 2016, as a “call to action” to help prevent a potential audit skills gap in the future. Called ‘The Auditor skills in a changing business world’, the report finds that the skill-set of auditors needs to evolve to deliver high quality audits in the future. It calls for a debate on the future of audit and the skills needed (e.g., including skills in data analytics and business acumen) as audits evolve beyond the traditional financial statement audit.

Timeline: September 2016 (Sept 16, Sept 22)


Revised operating procedures for reviewing corporate reports by the Financial Reporting Council (FRC)

The FRC commissioned an independent assessment of review procedures to find ways of improving their efficiency and effectiveness. The assessment highlighted, amongst other things, that stakeholders (investors in particular) want more information about specific corporate reporting review inspection findings. In response the FRC has decided that the audit committee is best placed to make such disclosures. It also stated that it will publish the names of its closed cases, after each company has had the opportunity of reporting on the review in their next set of published accounts. The first list will be published in 2017, in respect of December 2015 reporters.

Advice on corporate reporting issued by the Financial Reporting Council (FRC) to preparers

The FRC stated in October 2016 that the strategic report should be presented in a user-friendly, clear and concise manner. It added that in an era where, for example, cyber-risk, climate change and Brexit pose economic, social and environmental uncertainty, companies should consider a broad range of factors when determining principal risks and uncertainties facing the business, and when management is performing its analysis for the viability statement. It added that the relationship between IFRS or UK GAAP measures, and any alternative performance measures used, should also be clearly explained.

Annual review of corporate reports conducted by the Financial Reporting Council (FRC)

This report outlines the regulator’s assessment of the quality of corporate reporting in the UK based on its monitoring work for the year to 31 March 2016. Of the 192 companies whose reports were reviewed, the FRC raised queries with approximately a third. Most companies concerned have agreed action to resolve the matters satisfactorily, primarily through their future reporting. One of the points made by the FRC is that companies need to be more balanced in their reporting of their performance e.g., there are examples where companies make excessive use of underlying profit figures or inappropriate use of alternative performance measures. Findings of the FRC’s Conduct Committee are also included in a separate slide deck published by the FRC on 25 Oct 2016.

Timeline: October 2016 (Oct 4, Oct 11, Oct 21)


Review of the use of business models by the Financial Reporting Lab (FRL)

This review reflects the views of 19 companies, 36 investors from 27 investment and analyst organisations, and two retail shareholders. The FRL conducted research into the use of business models (BM) in corporate reports. The report found, for example, that: i) BM information is fundamental to investors’ understanding of a company; ii) poor BM disclosure raises concerns over the quality of management; iii) BM provides context to the other information in the R&A, so most investors want it positioned towards the front of the strategic report; iv) where a company operates a number of BMs, disclosure of each one is desirable; and v) investors are looking for better linkages between BM content and other sections of the R&A.

Corporate reporting (tax disclosure) thematic review by the Financial Reporting Council (FRC)

The objective of the review, published on 31 October 2016, is to encourage more transparent reporting of the relationship between tax charges and accounting profit, and the factors that can affect this relationship in the future. The report sets out the FRC’s principal findings and examples of good practice in the following areas: i) tax in strategic reports; ii) effective tax rate reconciliation disclosures; and iii) uncertainties relating to tax liabilities and assets. The FRC also encourages companies to consider whether there are significant judgements and estimation uncertainties relating to tax, and to report accordingly. Where uncertainties remain unchanged year-on-year, the FRC may challenge whether the disclosure of quantified risk is sufficiently clear.

Timeline: Oct 27, Oct 31


The Parker review on the ethnic diversity of boards

The report, led by Sir John Parker and co-sponsored by EY, with the backing of Business Minister Rt Hon Margot James MP, presents findings of a review of ethnic minority representation on FTSE 350 boards. It found that the level of representation is very low and accordingly recommends that each FTSE 100 board should have at least one director of colour by 2021; and each FTSE 250 board should have at least one director of colour by 2024. It adds that nomcoms of all FTSE 350 companies should require their HR teams or search firms (as applicable) to identify and present qualified people of colour to be considered for board appointment when vacancies occur.

UK transposition of the fourth Money Laundering Directive (MLD)

The UK Government issued in November 2016 a discussion paper on the UK’s transposition of Article 30 of the fourth Money Laundering Directive. This relates to the disclosure of beneficial ownership of corporate and other legal entities. To transpose effectively, it is proposing to extend the scope of the UK’s Persons with Significant Control (PSC) regime to all entities that are incorporated in the UK and are constitutionally capable of legitimately having a beneficial owner (e.g., unregistered companies and open-ended investment companies). It is also considering bringing companies admitted to trading on prescribed markets (such as AIM and ISDX) within the scope of the PSC regime.

UK Government implements the EU’s Non-Financial Reporting Directive

The UK Government announced in November 2016 how it plans to transpose the Non-Financial Reporting Directive. It will implement the Directive as an addition to the current UK strategic reporting framework. Companies within the scope of the Directive will be required to report in accordance with the Directive. Other companies can choose to comply with the EU requirements, rather than the comparable domestic provisions, on a voluntary basis in order to prevent those companies at the margins of the Directive’s scope from having to move between regimes due to changes in their size from year to year. There will be no requirement in the UK for companies to seek independent assurance on their non-financial disclosures.

Timeline: November 2016 (Nov 2, Nov 8)


Hampton and Alexander review on gender diversity

The results of a review, headed by Sir Philip Hampton, Chair of GlaxoSmithKline, and Dame Helen Alexander, Chair of UBM, were published. It focuses on senior women below the company board, builds on the work of the Davies Review and extends its scope to include executive committees and direct reports to the executive committees of FTSE 350 companies. Its recommendations include, for example, that FTSE 350 companies should aim for a minimum of 33% women’s representation on boards by 2020, and that FTSE 100 companies should aim for a minimum of 33% women’s representation across their executive committees and in the direct reports to the executive committees by 2020.

UK Stewardship Code inspections by the Financial Reporting Council (FRC)

The FRC published the first ever results of its inspections of individual signatories to the Code. The FRC’s assessments focused on the quality of descriptions of each signatory’s approach to stewardship, and their explanations in accordance with the ‘comply or explain’ basis of the Code. Each institution is listed in one of three tiers. Tier 1 includes those whose compliance was considered to be good. Names in Tier 3 are in need of significant improvement.

The UK Government published a Green Paper on corporate governance reform, as part of its drive to help ensure the UK economy works for everyone

It considers three aspects of corporate governance which may be appropriate for enhancement. These cover the following: i) better governance of executive pay (e.g., greater transparency and shareholder engagement); ii) strengthening the employee, customer and supplier voice (e.g., an advisory panel to represent employees’ views); and iii) improvement in the corporate governance of the UK’s largest privately-held businesses.

Timeline: Nov 14, Nov 29, Nov 9

The Regulatory and Public Policy Team

Kristel Tchamba, Regulatory [email protected]

Emma Wright, Regulatory Affairs [email protected]

Eamonn [email protected]

Andrew Hobbs, Partner [email protected]

David Parrish, Associate [email protected]

Jane Hayward Green, Associate [email protected]

Loree [email protected]


Content contributors

For further information on any of the issues raised here, please contact one of the following content contributors or your usual EY adviser:

About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP

The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number OC300001 and is a member firm of Ernst & Young Global Limited.

Ernst & Young LLP, 1 More London Place, London, SE1 2AF.

© 2016 Ernst & Young LLP. Published in the UK. All Rights Reserved.


In line with Ernst & Young’s commitment to minimise its impact on the environment, this document has been printed on paper with a high recycled content.

Information in this publication is intended to provide only a general outline of the subjects covered. It should neither be regarded as comprehensive nor sufficient for making decisions, nor should it be used in place of professional advice. Ernst & Young LLP accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.

ey.com/UK

EY | Assurance | Tax | Transactions | Advisory

Regulatory spotlight shines again on executive remuneration: Isobel Evans, +44 (0) 20 7951 3113, [email protected]

Integrated reporting comes of age: Jeremy Osborn, +44 (0) 20 795 19665, [email protected]

Data protection: once more unto the breach: Darren Desmond, +44 (0) 20 7980 0491, [email protected]

Investing in high quality audits: Marguerita Martin, +44 (0) 11 8928 1149, [email protected]

Brexit: navigating uncertainty: Damian Allinson, +44 (0) 20 7951 0969, [email protected]