Ethics and Governance

The Statement on Internal Control is critical to the effective risk management and governance of Ireland’s State bodies. Tom Ward and Níall Fitzgerald offer their best practice insights Recent challenges faced by Irish entities in the public, non-profit and private sector have emphasised for many boards (and, where relevant, their funding bodies) the critical importance of the adequacy and operational effectiveness of internal controls, risk management and governance. Ultimately, a systematic and proactive approach to testing and reviewing controls, addressing weaknesses and implementing remedial actions in a timely manner, can only enhance confidence in public sector governance and best practice. In this regard, the Statement on Internal Control (SIC) plays a crucial role. State bodies in Ireland are required to report on all of their internal controls, risk management and governance in their annual SIC in accordance with the Irish Code of Practice for the Governance of State Bodies 2016 (Code of Practice).  Such reporting encompasses financial, business, operational and compliance controls and State bodies are subject to a swathe of such controls as standard, spanning: The discharge of public business. Project delivery and cost management. Monitoring and control of assets. Fraud prevention and detection. IT systems and technology (including cybersecurity).  Procurement. Additional controls specific to the nature of each bodies’ activities include clinical governance for public hospitals, infrastructure guidelines for large infrastructural projects and controls relating to onward funding to other public bodies or non-profits. The SIC must acknowledge the Board’s responsibility for ensuring that effective internal control systems are in place, the approach taken to reviewing these systems to ensure they are working (including steps taken by the Board and its Committees) and must identify any significant weaknesses or breaches. While the format for the SIC is prescribed, the content should be tailored according to the size and complexity of the organisation. However, there is limited guidance on the extent to which the Board should tailor this approach and content. At a recent SIC event co-hosted by Chartered Accountants Ireland and the Institute of Public Administration’s Governance Forum, Andy Harkness, from the Comptroller and Auditor General (C&AG) Office, provided examples of SIC best practice for State bodies, including the need for:  Good documentation clearly explaining the work carried out to support the review of controls; Assurance statements provided by senior managers; The involvement of the internal audit team, including key changes arising from their reviews and recommendations; and  If appropriate, an assurance statement from  independent assurance service providers.  Within this approach, the C&AG highlighted the importance of documenting any issues that may arise and adequately supporting any work undertaken to ensure that significant risks have been identified, including risks arising from changes to the control environment. Also emphasised was the importance of assessing the effectiveness of the controls in place, the assurance results and the effectiveness of follow-up steps taken in response to any control deficiencies identified.  Board and board committees should minute their review and conclusions with regard to the effectiveness of the systems of internal controls under review, and record recommended changes to governance, internal controls and risk management matters arising from the review. Also speaking at the recent SIC event, several experienced non-executive directors provided examples of the approaches they have taken to preparing the SIC within their organisation. In particular, they noted challenges associated with the absence of formal guidance and the ambiguity surrounding the term “operating effectiveness”, which is typically associated with Sarbanes–Oxley applying to companies listed on the US Stock Exchange.  In an Anglo-Irish context, assurance on the effectiveness of controls has traditionally been limited to financial and reporting controls. This is, however, changing. To achieve best practice in SIC reporting, the Boards of State bodies in Ireland may currently rely on: Guidance issued by the Financial Reporting Council (FRC) in Britain in relation to the UK Corporate Governance; International Standards on Assurance Engagements (ISAE) 3402 Reports; Sarbanes–Oxley literature for directors and auditors;  Guidance or circulars issued by the Department of Public Expenditure, Infrastructure, Public Services, Reform and Digitalisation or the C&AG; and General assurance standards and guidance. Some best practice insights for State boards arising from the recent SIC event include: The benefit in defining, adopting and communicating a common framework for performing the review of internal controls. The importance of the work needed to support and underpin the SIC. The need to ensure that the findings reported in the SIC are consistent with other supporting documentation approved and minuted by the Board. The need to disclose any scope limitations encountered in the processes necessary to support the SIC and to consider their impact on the directors’ assertion on compliance with the Code and SIC requirements. Above all, the importance of understanding that the reporting of significant weakness is just one part of the equation—this must be accompanied by reporting on the steps since taken (or to be taken) to address these weaknesses. The focus on robust internal controls, comprehensive risk management and effective governance remains a critical requirement for State bodies.  The SIC is not just a compliance requirement; it also serves as a reflection of the organisation’s commitment to transparency, accountability and continuous improvement.  As State bodies navigate evolving challenges and expectations, adopting a standardised yet adaptable framework, combined with clear guidance, will strengthen overall SIC governance practice.    Dr Tom Ward is Senior Governance Specialist, Professional Development, with the Institute of Public Administration Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland

The Irish Corporate Governance Code represents a progressive approach to ensuring best practice among companies listed on Euronext Dublin and enhances the reputation of ‘Ireland Inc’ globally. Níall Fitzgerald and Louise Gorman explain why Did you know that Ireland hosts one of the most extensive corporate governance infrastructures in Europe?  In Ireland, there are specific governance codes applicable to listed companies, charities, state bodies, financial services institutions, funds and sports organisations.  This is in addition to other entity-specific requirements that may also apply – charities may have to comply with multiple governance requirements as a condition of receiving state funding, for example.  Yet, until recently, Irish listed companies have relied on the best practice principles of the UK Corporate Governance Code (UK Code).  It is therefore worth considering the extent to which the recent publication of the Irish Corporate Governance Code 2024 (Irish Code) presents a new opportunity to tailor best practice in corporate governance to Irish listed companies. The Irish Code will apply initially to a small number of companies listed on Euronext Dublin, the Irish Stock Exchange, for financial years commencing 1 January 2025. Those dual-listed in both Ireland and the UK have the option to either follow the Irish Code or the UK Code in respect of their Irish listing.  The introduction of the Irish Corporate Governance Code is nonetheless significant.  Four years on from the UK’s departure from the European Union (EU), the Irish Code signals that the time has come for Irish companies to follow a path aligned with EU policy and practice, while remaining loyal to the overarching best practice principles established by the UK. It also reflects welcome proactivity in protecting and enhancing the reputation of ‘Ireland Inc’ on the global stage.  Historically, many corporate governance codes and laws internationally have been introduced in response to corporate failings.  By contrast, the Irish Code has emerged out of a desire to ensure that best practice is suitably tailored to the specific circumstances of Irish listed companies.  This comes at no cost to our competitiveness. We retain our well-established ‘comply or explain’ principles-based approach, while also remaining globally connected via our EU membership. Further, we host a US Public Company Accounting Oversight Board presence relating to both Irish companies listed on US Stock Exchanges and US listed companies operating in Ireland. What does this mean for Irish companies? Irish companies already complying with the UK Code will, for the most part, maintain their existing governance practices. They will need to address some specific Irish Code requirements, however. The extent of any differences here will vary depending on each company’s governance policies and structures.  Some companies may find the adjustment process less challenging, particularly those already preparing for the new UK Code applying from 1 January 2025 (apart from Provision 29, which applies from 1 January 2026).  The UK Code served as the basis for developing the Irish Code. Euronext Dublin has made changes only where necessary to ensure proportionality and relevance.  To enhance the principle-based approach, Euronext Dublin has also taken the decision not to include some of the more prescriptive requirements driven largely by the UK regulatory environment.  Maintaining close alignment makes sense as the UK Code is highly regarded and sets a high standard for corporate governance that is emulated internationally.  Our table illustrates some of the key differences between the Irish and the UK Code. Some of these differences, and what they mean for Irish companies, are further explained below. Internal control and risk management: A significant new requirement in the UK Code is included within Provision 29. This requires boards to provide a “declaration of effectiveness” on internal controls, identifying any ineffective controls as of the balance sheet date. Compliance will require boards to establish an independent framework to monitor and assess their internal control and risk management systems. The Irish Code also requires boards to review and report on the effectiveness of these systems, but it is less detailed, not requiring specific declarations or publication of ineffective controls at the balance sheet date. Audit committees: The UK Code requires audit committees to adhere to the Financial Reporting Council’s (FRC) “Audit Committees and the External Audit: Minimum Standard.” In contrast, the Irish Code outlines the roles and responsibilities of audit committees, which are consistent with Companies Act 2014 (Section 167) requirements, without reference to an additional standard, specifying that their work should be detailed in the annual report. Maintaining the principle-based approach in this area is practical, as best practices for audit committees are evolving in accordance with emerging recommendations on audit tendering oversight and sustainability reporting coming from bodies such as the FRC and Accountancy Europe. Less prescriptive and more proportionate: The Irish Code retains core principles, such as workforce engagement, but leaves it to boards to choose the most appropriate methods for their companies’ needs. This facilitates greater flexibility relative to equivalent parts of the UK Code which specify detailed considerations or criteria. The Irish Code aligns some provisions with those in smaller EU capital markets, enabling a proportionate governance approach. For example, while one of the criteria for assessing non-executive directors’ independence in the UK Code requires a five-year employee cooling-off period to be considered, the Irish Code sets this at three years, balancing market size and available talent. Regulatory oversight and enforcement: Like the UK, the Irish Code relies on the market mechanism. It aims to promote high standards of integrity, transparency and accountability. Investors and stakeholders can evaluate disclosures and make comparisons across companies in assessing corporate governance quality. These assessments then inform decisions and actions taken in the markets, such as the decision to buy or sell shares. The implication of this in the UK experience is that the FRC has no sanctioning authority in instances of weak compliance; sanctioning is left to the market mechanism. The FRC does, however, conduct thematic reviews to guide improvements in corporate reporting and governance. Ireland currently has no equivalent body for corporate governance assessment. However, the Irish Auditing and Accounting Supervisory Authority reviews annual reports for EU Transparency Directive compliance, without a specific corporate governance focus. While sanctions do not apply for weak governance compliance, Euronext Dublin can impose sanctions or suspend listings for violations of the listing rules. The Financial Conduct Authority in the UK has a similar approach.   The Irish Code and the UK Code: key differences Workforce engagement  The Irish Code requires boards to explain workforce engagement methods and their effectiveness, without mandating a specific method as in the UK Code. Additionally, it requires a board review of policies for raising concerns. This requirement aligns with the OECD Corporate Governance Principles 2023.  Threshold for addressing shareholder dissent The threshold for consulting with shareholders on a dissenting vote against a board recommendation is set at 25 percent under the Irish Code (20% in the UK Code). Unlike the UK, there is no requirement to provide a six-month shareholder update on the consultation, but it should be addressed in the next annual report. Non-executive director independence  When considering the independence of a non-executive director (NED), the criteria relating to previous employment by the company is whether they have been an employee of the company within the last three years (compared to five years in the UK Code). Board appointments The Irish Code does not include the UK Code restriction on the number of appointments a non-executive director has in a FTSE 100 or other significant undertaking. The Irish Code requires all commitments to be considered when determining whether the NED has the capacity to fully commit to the board. Company Secretary The Irish Code further elaborates on the role of the Company Secretary in ensuring a good information flow within the board, its committees and between management and non-executive directors – recording accurate minutes, facilitating induction and assisting with professional development of non-executive directors. Board evaluation The Irish Code replaces the UK Code reference to FTSE 350 companies with “companies with a market capitalisation in excess of €750 million” in the requirement to conduct an external board evaluation at least once every three years. Board skills and expertise The Irish Code includes an additional requirement for the nomination committee to use the results of a board evaluation to identify the board’s skills, knowledge and expertise requirements. This should be reflected in board succession plans, professional development plans and steps taken to ensure the board has access to the skills, knowledge and expertise it requires. This requirement is consistent with good governance practices in other EU countries, e.g. the 2020 Belgium Code on Corporate Governance. Diversity and inclusion Whereas the UK Code includes reference to UK equality legislation for diversity characteristics, the Irish Code requires companies to have a diversity and inclusion policy regarding gender and other aspects of diversity of relevance to the company and includes measurable objectives for implementing such a policy. The Irish Code requires this policy to be reviewed annually. Audit Committee To ensure consistency with the Companies Act 2014, the requirement for one member of the Audit Committee to have “recent and relevant financial experience” is changed to “competence in accounting or auditing”. Reference to “financial reporting process” is replaced with “corporate reporting process” to better reflect the audit committee’s role in monitoring financial and non-financial reporting, e.g. sustainability reporting. Reference to the UK specific Financial Reporting Council guidance on “Audit Committees and the External Audit: Minimum Standard” is also removed. Internal controls and risk management systems The Irish Code does not include the UK Code provision for the board to include a declaration of effectiveness of material controls, but the requirement to monitor the company’s internal control and risk management systems and review their effectiveness remains.  Remuneration Under the Irish Code, share awards in long-term incentive plans must vest over at least three years, unlike the UK’s five-year minimum. Malus and clawback provisions should be described generally in annual reports, and executive pensions require thoughtful comparison to workforce pensions, with less prescriptive rules than the UK Code. What next for the Irish Code?  Euronext Dublin is in the process of revising the Listing Rules to give effect to the new Irish Code and is further streamlining the requirements.  An Irish Corporate Governance Panel will be established, with responsibility for reviewing and advising on changes to the Irish Code in the context of the evolving corporate governance landscape in Ireland, the UK and Europe alongside other factors.  What impact the Irish Code will have remains to be seen. It represents a sensible approach to building on the reputation and quality of the UK Code, and while there are some differences between the Irish and UK Code, they are mostly aligned.  We have been careful to note that the Irish Code initially applies only to a small number of companies, so one may be forgiven for questioning its true significance. Nonetheless, key issues on the European regulatory horizon suggest that it may mark the start of a greater departure from the UK’s approach to governance.  The recent transposition of the Corporate Sustainability Reporting Directive into Irish law provides another example of this as the CSRD’s required disclosures on governance introduce an EU influence into governance in Irish companies.  Future revisions to the Irish Code may further reflect this newly established autonomy in governance in Ireland, particularly as we adopt the Corporate Sustainability Due Diligence Directive and other directives the European Commission will inevitably introduce over time.  Currently, best practice principles for Irish private companies are limited to voluntarily following the UK’s Wates Corporate Governance Principles for Large Private Companies. Just as the UK Code has influenced these principles, the Irish Code may provide a basis for further extension to large private entities.  There is also a strong argument that any evolution in corporate governance guidance deserves due consideration, particularly as boards deal with increasing risks and opportunities from environmental, social, economic and technological developments.  As it happens, there are no immediate plans to draft guidance to support the Irish Code, and the FRC’s Corporate Governance Code Guidance should, in the short term, be sufficient to fill the gap.  Experts in the area have long noted that attention tends be paid to corporate governance only when a failure occurs.  Given the level of public scrutiny such failures attract, and the associated reputational costs borne by board members, any Irish listed company director should be asking themselves if they can really afford not to pay attention to the new Irish Corporate Governance Code. Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland Louise Gorman is Assistant Professor at Trinity Business School

Accountants will be the profession best placed to bring the necessary rigour to the analysis and governance of critical data in the age of AI, writes Sharon Cotter Canadian philosopher Marshall McLuhan has suggested: “We become what we behold. We shape our tools, and thereafter our tools shape us”. This is important to remember today, when the spotlight is on the potential consequences, intended and unintended, of the artificial intelligence (AI) tools being shaped by humans. The rise of AI AI encompasses a vast range of computer science research. Since the 1950s, scientists have pursued the goal of building machines capable of completing tasks that normally require intelligent human behaviour.  Machine learning (ML), a subset of AI, enables machines to extract knowledge from data and to learn from it autonomously.  In the past decade, the exponential increase in the volume of data generated, captured, stored and available for analysis, coupled with advances in computing power, have created the impetus and means to rapidly advance ML, which in turn has facilitated the development of narrow AI applications.  In essence, narrow AI applications are computer programs, or algorithms, specifically trained, using very large datasets, to carry out one task, or a limited number of tasks. Best suited to tasks that do not require complex thought, narrow AI algorithms can often accomplish such tasks better and more swiftly than humans.  Most of the AI capability we use today is narrow AI – from Alexa and Siri, which carry out human voice commands, to ChatGPT and Bard, which generate output based on conversational text prompts, and Dall-E2, which generates visual images based on text prompts, to name but a few.  In the field of accounting, we can utilise coding languages and software tools such as Python, ‘R’ and Alteryx to generate predictive forecasts and models.  We often use these tools without realising that we are using elements of narrow AI. For example, these programming languages and software tools embed many of the statistical algorithms that allow us to easily carry out linear regression analysis, a common method of predicting future outcomes based on past data. Adapting to broaden our role The word ‘computer’ was first coined by the English poet Richard Brathwaite in 1613 to describe a person who carried out calculations or computations. For the next 350 years or so, most humans who needed to perform calculations used mental arithmetic, an abacus or slide rules until the widespread availability of electronic handheld calculators in the 1970s. As accountants, we have seamlessly adapted to the tools available to us – whether these are an abacus, double-analysis paper, a totting machine, or computer software tools like Excel and Alteryx.   The use of these tools, and the time saved by their use, have allowed us to broaden our role from recording, summarising and presenting the underlying economic transactions to providing a much wider range of useful information to decision-makers both within, and outside, organisations.  This is reflected in commentary from the professional accountancy bodies emphasising the importance of good organisational decision-making and suggesting that the core purpose of our profession should be to facilitate better decisions and identify the business problems that better decisions will resolve. Asking the right questions In 1968, Pablo Picasso is reputed to have said: “Computers are useless. They can only give you answers”. While the remark may have been dismissive of the then cumbersome mainframe computer, it does encapsulate the notion that the real skill lies in figuring out the right question to ask, as this requires both judgement and creativity.  Useful, timely and relevant information for decision-making can only be produced if the right question is asked of the right data at the right time. On the face of it, this seems simple and straightforward, but in practice it is often much more difficult to achieve.  Deciding what question to ask requires knowledge of the business context, and an understanding of the issue being addressed as well as an ability to clearly articulate the issue. Critical thinking is key to identifying what answers are needed to identify the range of solutions for the issue at hand. Deciding what data is appropriate to use in the analysis requires an understanding of what data is available, where it is stored, how it is stored, what each data element selected represents, how compatible it is with other data, and how current that data is. It also requires knowledge of the limitations posed by using particular sets of data. Being able to generate the answer to the right question using the right data is only relevant if it can be produced at the point at which this information is needed. Sometimes, not all the data needed to answer the question is readily available, or available in the required format. Data from several sources may need to be combined and, where data is incomplete, judgement will be needed on the assumptions necessary to generate a relevant and timely set of data. Accountants are well-positioned The skills, experience and mindsets we develop as part of our professional training positions accountants well to provide the best possible decision-enabling information to decision-makers.  Scepticism is a key tenet of our profession. We look to spot anomalies in data and information, and to question the information by asking “does it make sense?” We are trained to be methodical, thorough and to look beyond the obvious. Training and experience enable us to develop our professional judgement, which we apply when determining what is relevant, appropriate and faithfully represents the underlying economic transactions.  We are adaptable and flexible in the tools we use, and aware of the need to stay up to date with the law and regulation applying to the storage and use of data. In short, we are valued problem-solvers and critical thinkers. Accountants’ ‘jurisdiction’ In his book The System of Professions: An Essay on the Division of Expert Labor, Andrew Abbott uses the term ‘jurisdiction’ to represent the link between a profession and its work.  Jurisdiction is an important concept, as the acknowledged owner of a task is likely to be able to shape the characteristics of that task. In the context of accountants’ work, the term ‘jurisdiction’ means the extent to which organisations, and society, accept that due to their professional expertise, only specific roles and responsibilities should be carried out by accountants.  Within organisations, accountants’ jurisdiction is not static. The roles and responsibilities that fall within their remit can, and do, change.  The jurisdiction of accountants can be encroached upon. Others within the organisation may also have expertise allowing them to claim work once exclusively identified with accountants. Challenges to jurisdiction The emergence of new roles, such as data or information specialists, who collect, clean and analyse data, has meant that complex analysis of financial information can now be done by non-accountants.  Some organisations have explored ways in which operational managers and decision-makers can be given direct access to financial systems.  Known as ‘self-service’ menus, such direct access to information allows decision-makers to drill down into the detail of transactions – for example, to identify the underlying causes of deviations from budget, all without the need to consult with their colleagues in the finance department.  If an organisation transfers responsibility for data analysis and decision support to data specialists and/or decision-makers, then the jurisdiction of the accountant may be narrowed or reduced. Opportunities for role expansion Equally, however, accountants’ roles and responsibilities can be increased, resulting in their jurisdiction being broadened or expanded.  The expansion of an accountant’s role requirements can either result from increased job tasks and responsibilities, or from changes in the tools and technologies available to carry out these tasks and responsibilities.  Recent research and professional body commentary has, for example, explored the extent to which management accountants have embraced changes in their role or taken on wider responsibilities, such as business partnering.  Multiple elements such as role identity, the ability to embrace change in a positive way and developing strong communication skills, to name but a few, all contribute to the successful adoption of additional responsibility. Futureproofing with digital fluency The rapid and on-going development, enhancement and availability of software tools that can be used to capture, store, identify, slice and dice data, and present information in visual graphics, are forcing accounting professionals to consider the level of IT competency required to operate efficiently and effectively in today’s digital world.   Professional accountancy bodies emphasise the importance of digital skills in futureproofing the accountant’s role while many of the larger multinational companies espouse the need for finance staff to have good digital fluency. Challenges and opportunities Both encroachments and expansions to the jurisdiction of accountants bring their own set of challenges and opportunities.  Maintaining, and expanding, accountants’ jurisdiction over the integrity of data, and the provision of information for decision-making, should be a key part of the profession’s strategy in the digital age.  I believe that the ‘governance’ of data, rather than the use of specific AI tools, should be the focus of the accountancy profession when formulating strategies for its future direction. In addition to enhancing our digital skills, we need to consider strategies such as adapting and changing the role of the chief financial officer to include overall direct responsibility for data analytics.  The governance, management and analysis of data should be as important as traditional responsibilities in finance.  Governance of data requires rigour and objectivity to ensure that its integrity is preserved. We should noticeably stake our claim as the profession best placed to bring that rigour and objectivity to the governance and analysis of data used for decision-making.  Failure to consider such strategies may mean we increase the risk that encroachments rather than expansions to our role – our jurisdiction – will become a reality. We should strive to ensure that our future role is shaped by us rather than by these new digital tools and techniques. Sharon Cotter, FCA, lectures in accounting and finance at the University of Galway

Michael Diviney and Níall Fitzgerald explore the ethical challenges arising from artificial intelligence (AI), particularly ‘narrow’ AI, and highlight the importance of ethics and professional competence in its deployment Earlier this year, artificial intelligence (AI) industry leaders, leading researchers and influencers signed a succinct statement and warning: “Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war.” Was this a publicity stunt? Well, probably not, as the generative AI ChatGPT was already the fastest-adopted application in history.  Was this an over-the-top, alarmist statement by a group possibly trying to steal a march on self-regulation of a rapidly emerging technology and growing industry?  Again, this is unlikely if one considers the warnings of pioneer thinkers like Nick Bostrom, Max Tegmark, Stephen Hawking and Astronomer Royal Martin Rees. They concur that there is an existential threat to humankind if human-level or ‘general’ AI is developed and the ‘singularity’ is reached when AI surpasses human intelligence.  Autonomous weapons and targeting are a clear risk, but more broadly, unless we can ensure that the goals of a future superintelligence are aligned and remain aligned with our goals, we may be considered superfluous and dispensable by that superintelligence.  As well as the extinction threat, general AI presents other potential ethical challenges.  For example, if AI attains subjective consciousness and is capable of suffering, does it then acquire rights? Do we have the right to interfere with these, including the right to attempt to switch it off and end its digital life?  Will AI become a legal entity and have property rights? After all, much of our economy is owned by companies, another form of artificial ‘person’. Ethical challenges from ‘narrow’ AI Until general AI is here, however – and there is informed scepticism about its possibility – the AI tools currently in use are weak or ‘narrow’ AI. They are designed to perform a specific task or a group of related tasks and rely on algorithms to process data on which they have been trained.  Narrow AI presents various ethical challenges:  Unfairness arising from bias and opacity (e.g. AI used in the initial screening of job candidates include a gender bias based on historical data – in the past more men were hired); The right to privacy (AI trained with data without the consent of the data subjects); Threats to physical safety (e.g. self-driving vehicles); Intellectual property and moral rights, plagiarism and passing-off issues in the use of generative AI like ChatGPT and Bard; and Threats to human dignity from the hollowing out of work and loss of purpose. Regulation vs. ethics Such issues arising from the use of AI, particularly related to personal data, mean that regulation is inevitable.  We can see this, for example, with the EU’s landmark AI Act, due to apply by the end of 2025, which aims to regulate AI’s potential to cause harm and to hold companies accountable for how their systems are used. However, as Professor Pat Barker explained at a recent Consultative Committee of Accountancy Bodies (CCAB) webinar, until such laws are in place, and in the absence of clear rules, ethics are required for deciding on the right way to use AI.  Even when the regulation is in place, there are likely to be cases and dilemmas that it has not anticipated or about which it is unclear. Legal compliance should not be assumed to have all the ethical issues covered, and as AI is evolving so quickly, new ethical issues and choices will inevitably emerge.  Ethics involves the application of a decision-making framework to a dilemma or choice about the right thing to do. While such a framework or philosophy can reflect one’s values, it must also be objective, considered, universalisable and not just based on an instinctual response or what may be expedient. Established ethics frameworks include: the consequentialist or utilitarian approach – in the case of AI, does it maximise benefits for the greatest number of people?; and the deontological approach, which is based on first principles, such as the inalienable rights of the individual (an underlying philosophy of the EU’s AI Act). (The Institute’s Ethics Quick Reference Guide, found on the charteredaccountants.ie website, outlines five steps to prepare for ethical dilemmas and decision-making.)  A practical approach While such philosophical approaches are effective for questions like “Should we do this?” and “Is it good for society”, as Reid Blackman argues in Harvard Business Review, businesses and professionals may need a more practical approach, asking: “Given that we are going to [use AI], how can we do it without making ourselves vulnerable to ethical risks?”  Clear protocols, policies, due diligence and an emphasis on ethical risk management and mitigation are required, for example responsible AI clauses in agreements with suppliers. In this respect, accountants have an arguably competitive advantage in being members of a profession; they can access and apply an existing ethical framework, which is evolving and adapting as the technology, its opportunities and challenges change.  The Code of Ethics The International Ethics Standards Board for Accountants (IESBA) recently revised the Code of Ethics for Professional Accountants (Code) to reflect the impact of technology, including AI, on the profession. The Chartered Accountants Ireland Code of Ethics will ultimately reflect these revisions.  IESBA has identified the two types of AI likely to have the most impact on the ethical behaviour of accountants:  Assisted intelligence or robotic process automation (RPA) in which machines carry out tasks previously done by humans, who continue to make decisions; and  Augmented intelligence, which involves collaboration between human and machine in decision-making. The revisions also include guidance on how accountants might address the risks presented by AI to ethical behaviour and decision-making in performing their role and responsibilities.  Professional competence and due care The Code requires an accountant to ensure they have an appropriate level of understanding relevant to their role and responsibilities and the work they undertake. The revisions acknowledge that the accountant’s role is evolving and that many of the activities they undertake can be impacted by AI.  The degree of competency required in relation to AI will be commensurate with the extent of an accountant’s use of and/or reliance on it. While programming AI may be beyond the competency of many accountants, they have the skill set to:  identify and articulate the problem the AI is being used to solve;  understand the type, source and integrity of the data required; and assess the utility and reasonableness of the output.  This makes accountants well placed to advise on aspects of the use of AI. The Code provides some examples of risks and considerations to be managed by professional accountants using AI, including: The data available might not be sufficient for the effective use of the AI tool. The accountant needs to consider the appropriateness of the source data (e.g. relevance, completeness and integrity) and other inputs, such as the decisions and assumptions being used as inputs by the AI. This includes identifying any underlying bias so that it can be addressed in final decision-making. The AI might not be appropriate for the purpose for which the organisation intends to use it. Is it the right tool for the job and designed for that particular purpose? Are users of the AI tool authorised and trained in its correct use within the organisation’s control framework? (One chief technology officer has suggested not only considering the capabilities of the AI tool but also its limitations to be better aware of the risks of something going wrong or where its use may not be appropriate.) The accountant may not have the ability, or have access to an expert with that ability, to understand and explain the AI and its appropriate use.  If the AI has been appropriately tested and evaluated for the purpose intended. The controls relating to the source data and the AI’s design, implementation and use, including user access. So, how does the accountant apply their skills and expertise in this context?  It is expected that accountants will use many of the established skills for which the profession is known to assess the input and interpret the output of an AI tool, including interpersonal, communication and organisational skills, but also technical knowledge relevant to the activity they are performing, whether it is an accounting, tax, auditing, compliance, strategic or operational business decision that is being made.  Data and confidentiality According to the Code, when an accountant receives or acquires confidential information, their duty of confidentiality begins. AI requires data, usually lots of it, with which it is trained. It also requires decisions by individuals in relation to how the AI should work (programming), when it should be used, how its use should be controlled, etc.  The use of confidential information with AI presents several confidentiality challenges for accountants. The Code includes several considerations for accountants in this regard, including: Obtaining authorisation from the source (e.g. clients or customers) for the use of confidential information, whether anonymised or otherwise, for purposes other than those for which it was provided. This includes whether the information can be used for training AI tools.  Considering controls to safeguard confidentiality, including anonymising data, encryption and access controls, and security policies to protect against data leaks.  Ensuring controls are in place for the coding and updating of the AI used in the organisation. Outdated code, bugs and irregular updates to the software can pose a security risk. Reviewing the security certification of the AI tool and ensuring it is up to date can offer some comfort.  Many data breaches result from human error, e.g. inputting confidential information into an open-access web-based application is a confidentiality breach if that information is saved, stored and later used by that application. Staff need to be trained in the correct use and purpose of AI applications and the safeguarding of confidential information. Dealing with complexity The Code acknowledges that technology, including AI, can help manage complexity.  AI tools can be particularly useful for performing complex analysis or financial modelling to inform decision-making or alerting the accountant to any developments or changes that require a re-assessment of a situation. In doing so, vast amounts of data are collected and used by AI, and the ability to check and verify the integrity of the data introduces another level of complexity.  The Code makes frequent reference to “relevancy” in relation to the analysis of information, scenarios, variables, relationships, etc., and highlights the importance of ensuring that data is relevant to the problem or issue being addressed. IESBA was mindful, when revising the Code, that there are various conceivable ways AI tools can be designed and developed to use and interpret data.  For example, objectivity can be challenged when faced with the complexity of divergent views supported by data, making it difficult to come to a decision. AI can present additional complexity for accountants, but the considerations set out in the Code are useful reminders of the essential skills necessary to manage complexity. Changing how we work As well as its hugely beneficial applications in, for example, healthcare and science, AI is proving to be transformative as a source of business value.  With a range of significant new tools launched daily, from personal effectiveness to analysis and process optimisation, AI is changing how we work. These are powerful tools, but with power comes responsibility. For the professional accountant, certain skills will be brought to the fore, including adaptability, change and risk management, and leadership amidst rapidly evolving work practices and business models. Accountants are well placed to provide these skills and support the responsible and ethical use of AI.  Rather than fearing being replaced by AI, accountants can prepare to meet expectations to provide added value and be at the helm of using AI tools for finance, management, strategic decision-making and other opportunities. Michael Diviney is Executive Head of Thought Leadership at Chartered Accountants Ireland Níall Fitzgerald is Head of Ethics and Governance at Chartered Accountants Ireland

With the Central Bank of Ireland’s consultation on the Individual Accountability Framework drawing to a close later this month, Níall Fitzgerald reviews the scope and effectiveness of similar regimes already in place in other parts of the world Following the 2008 financial crisis, global governance and regulatory reforms in the financial services sector have had a significant impact on how financial institutions, such as banks, insurance companies and investment firms, are run.  The EU has been at the forefront of regulatory change in financial services in Ireland since the creation of the Banking Union, which includes the European Supervisory Mechanism, and significant regulatory developments from rule-setters such as the European Banking Authority.  The Central Bank of Ireland has also put in place governance requirements for all financial institutions and implemented fitness and probity standards. These have included regulations requiring minimum competencies for individuals working in certain roles and, in some cases, regulatory pre-approval before individuals can be appointed to certain management positions, such as – to name just a few – board director, head of compliance, head of internal audit and chief risk officer. The proposed Central Bank of Ireland Individual Accountability Framework (IAF) is an extension of the current suite of regulations and efforts to address cultural failings and ensure better governance, performance and accountability among financial services firms.  The IAF is not the first of its kind, however, and while it has some unique features, it also shares similarities with regimes of this nature operating in other parts of the world.  UK: Senior Managers and Certification Regime The UK introduced the Senior Managers and Certification Regime (SM&CR) in 2016. Following a three-phase roll-out over three years, the SM&CR now applies to banks, insurance companies and a large portion of the remaining regulated financial services firms in the UK. This regime introduced: Prescribed responsibilities for certain roles; Requirements for firms to follow when allocating those roles to individuals, including: applying a certification process (up to obtaining pre-approval from the Regulator for an appointment to a role); and  the introduction of individual conduct rules. Hong Kong: Manager-in-Charge Regime In Hong Kong, The Securities and Futures Commission introduced the Manager-in-Charge (MIC) Regime for licensed corporations in 2017.  The regime did not bring in any new sanctions and was implemented by way of circular, rather than legislation, but it provided the regulator with additional powers of enforcement and the ability to hold individuals to account. A key objective of the MIC regime is to enable Hong Kong’s Securities and Futures Commission to assess culture within the licensed organisation.  The regulator attributes non-compliance with elements of the regime – e.g. failure to assess whether individuals have discharged their responsibilities appropriately, as evidence of cultural failings. Australia: Banking Executive Accountability Regime  Australia’s Banking Executive Accountability Regime (BEAR) came into effect in 2018, applying to the directors of, and the most senior and influential executives within, banks and authorised deposit-taking institutions (ADIs). The regime introduced prescribed responsibilities for certain roles, an accountability framework, and a list of accountability obligations, which look a lot like conduct rules.  The regime also introduced a requirement for relevant firms to defer a portion of the variable remuneration of any person found to be non-compliant with the regime until an investigation concludes, whether or not any or all of the remuneration is subject to clawback.  Singapore: Individual Accountability and Conduct Guidelines  The Individual Accountability and Conduct (IAC) Guidelines were introduced in Singapore in 2021. Like the MIC regime in Hong Kong, Singapore’s IAC Guidelines are not supported by underlying legislation and are described as “best practice standards”.  The level of adherence to IAC Guidelines among the financial institutions will impact the Monetary Authority of Singapore’s overall risk assessment of the relevant organisation or individual.  These guidelines focus on embedding a strong culture of responsibility and ethical behaviour by ensuring individual accountability and a supportive governance framework within regulated organisations.  Prevention is better than cure While there are similarities between the accountability regimes outlined above, none is the same.  The instances of enforcement action taken under these regimes are very low and, if prevention is better than cure, this may be a good measure of success.  Just one enforcement action was taken against an individual for non-compliance during the first four years of the UK’s SM&CR, for example. Following a review of Australia’s Banking Executive Accountability Regime, and amid public criticism citing the lack of enforcement action, the Australian government is currently proposing the wider reaching Financial Accountability Regime (FAR).  The FAR contains additional requirements and extends the regime beyond banks to other financial service providers regulated by the Australian Prudential Regulation Authority.  Elsewhere, the United Arab Emirates does not have a specific accountability regime. However, its laws and regulations, which pre-date 2016, give financial services regulators enforcement powers to hold individuals to account and apply sanctions.  Looking at just one member of the United Arab Emirates, Dubai, the Dubai Financial Services Authority has taken enforcement action against 32 individuals since 2016. The majority of these cases have related to individuals providing investment services.  Perhaps it is still too early to reliably judge the effectiveness of these various models of individual accountability regimes.  Sometimes, there is a benefit in not being first past the post in introducing a regime of this nature and being able to stand back and learn from global experiences.  With our Individual Accountability Framework, Ireland is building on a solid foundation of banking regulations and governance requirements. The IAF is only one of many regulatory changes impacting financial services providers. Other requirements on the way include the EU’s Digital Operational Resilience Act (DORA) and the inevitable evolution of governance codes, and other regulations, addressing sustainability and other emerging risks.  World-class standards are laudable, but their true outcome is only evident when we have a high level of public trust and a financial services sector that is efficient and competitive, driving a better future for society and a prosperous economy. Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland Impact of individual accountability on organisational culture Chartered Accountants Ireland welcomes the timely publication by the Central Bank of Ireland (CBI) of the Individual Accountability Framework (IAF) draft regulations and guidance, and the certainty of action required for Irish financial services firms, writes Níall Fitzgerald.  The framework contains measures, including conduct standards and prescribed responsibilities, designed to enhance customer-focused cultures and embed responsibility and ethical behaviour across financial services in Ireland.  While it promotes the necessity for cultural change, the CBI agrees that more is required to achieve this. Insights from the introduction of similar measures in other jurisdictions show that an individual accountability regime better impacts on organisational culture when supported by: Promoting individual accountability but emphasising collective decision-making Being accountable as individuals for actions and behaviour is not new. Professionals are accountable to codes of ethics. There are also many laws and regulations that hold individuals accountable for their roles in an organisation, such as fiduciary duties of directors. However, many organisations thrive on collaboration, teamwork and diversity, which improve collective decision-making. Individual accountability is not designed to override this, and emphasising other positive behaviours, such as these, supports the objectives of the IAF. Promoting a ‘just culture’ and avoiding a ‘blame culture’ A blame culture focuses on identifying culprit/s, penalising them, and moving forward on the assumption that the same issue/s won’t happen again, because an example has been set.  A just culture acknowledges that mistakes and underperformance can occur, but that both are better addressed by reflecting on what went wrong and focusing on what can be learned to improve future outcomes.  Individual accountability exists in both scenarios, but the latter will have a more positive impact amongst the workforce, helping to achieve the objectives of the IAF. Promoting trust and integrity Certain informal reactions to a regime such as the Individual Accountability Framework can undermine its objectives. In some jurisdictions individuals with prescribed responsibilities prepare personal compliance files, for example, privately maintained outside of the firm’s documentation system.  A ‘cover your actions’ (CYA) approach has developed in these jurisdictions, whereby there is a tendency to give advice formally (e.g. in writing), which would differ if given informally (e.g. verbally).  Notwithstanding the risk of breaching privacy and confidentiality rules, these informal practices are indicative of low levels of trust and integrity within a firm.  Embedding a culture of psychological safety can deter this risk and foster greater trust within the organisation.

The roadmap for the EU Commission’s milestone Corporate Sustainability Reporting Directive is taking shape and now is the time to start preparing for a brave new era in non-financial reporting, writes Conor Holland With the Corporate Sustainability Reporting Directive (CSRD) now approved by the European Council, entities in the EU must begin to invest significant time and resources in preparing for the advent of a new era in non-financial reporting, which places the public disclosure of environmental, social affairs and governance matters (ESG) matters on a par with financial information. Under the CSRD, entities will have to disclose much more sustainability-related information about their business models, strategy and supply chains than they have to date. They will also need to report ESG information in a standardised format that can be assured by an independent third party. For those charged with governance, the CSRD will bring further augmented requirements. Audit committees will need to oversee new reporting processes and monitor the effectiveness of systems and controls setup. They will also have enhanced responsibilities. Along with monitoring an entity’s ESG reporting process, and evaluating the integrity of the sustainability information reported by that entity, audit committees will need to: Monitor the effectiveness of the entity’s internal quality control and risk management systems and internal audit functions; Monitor the assurance of annual and consolidated sustainability reporting; Inform the entity’s administrative or supervisory body of the outcome of the assurance of sustainability reporting; and Review and monitor the independence of the assurance provider. The CSRD stipulates the requirement for limited assurance over the reported information. However, it also includes the option for assurance requirements to evolve to reasonable assurance at a later stage. The EU estimates that 49,000 companies across the EU will fall under the requirements of the new CSRD Directive, compared to the 11,600 companies that currently have reporting obligations. The EU has confirmed that the implementation of the CSRD will take place in three stages: 1 January 2024 for companies already subject to the non-financial reporting directive (reporting in 2025 for the financial year 2024); 1 January 2025 for large companies that are not presently subject to the non-financial reporting directive (reporting in 2026 for the financial year 2025); 1 January 2026 for listed SMEs, small and non-complex credit institutions, and captive insurance undertakings (reporting in 2027 for the financial year 2026). A large undertaking is defined as an entity that exceeds at least two of the following criteria: A net turnover of €40 million A balance sheet total of €20 million 250 employees on average over the financial year The final text of the CSRD has also set timelines for when the Commission should adopt further delegated acts on reporting standards, with 30 June 2023 set as the date by which the Commission should adopt delegated acts specifying the information that undertakings will be required to report. European Financial Reporting Advisory Group In tandem, the European Financial Reporting Advisory Group (EFRAG) is working on a first set of draft sustainability reporting standards (ESRS). These draft standards will be ready for consideration by the Commission once the Parliament and Council have agreed a legislative text. The current draft standards provide an outline as to the depth and breadth of what entities will be required to report. Significantly, the ESRS should be considered as analogous to accountancy standards—with detailed disclosure requirements (qualitative and quantitative), a conceptual framework and associated application guidance. Readers should take note—the ESRS are much more than a handful of metrics supplementary to the financial statements. They represent a step change in what corporate reporting entails, moving non-financial information toward an equilibrium with financial information. Moreover, the reporting boundaries would be based on financial statements but expanded significantly for the upstream and downstream value chain, meaning an entity would need to capture material sustainability matters that are connected to the entity by its direct or indirect business relationships, regardless of its level of control over them. While the standards and associated requirements are now largely finalised, in early November 2022, EFRAG published a revised iteration to the draft ESRS, introducing certain changes to the original draft standards. While the broad requirements and content remain largely the same, some notable changes include: Structure of the reporting areas has been aligned with TCFD (Task Force on Climate-Related Financial Disclosures) and ISSB (International Sustainability Standards Board) standards – specifically, the ESRS will be tailored around “governance”, “strategy”, “management of impacts, risks and opportunities”, and “metrics and targets”. Definition of financial materiality is now more closely aligned to ISSB standards. Impact materiality is more commensurate with the GRI (Global Reporting Initiative) definition of impact materiality. Time horizons are now just a recommendation; entities may deviate and would disclose their entity-specific time horizons used. Incorporation of one governance standard into the cross-cutting standard requirements on the reporting area of governance. Slight reduction in the number of data points required within the disclosure requirements. ESRS and international standards By adopting double materiality principles, the proposed ESRS consider a wider range of stakeholders than IFRS® Sustainability Disclosure Standards or the US Securities and Exchange Commission (SEC) published proposal. Instead, they aim to meet public policy objectives as well as meeting the needs of capital markets. It is the ISSB’s aim to create a global baseline for sustainability reporting standards that allows local standard setters to add additional requirements (building blocks), rather than face a coexistence of multiple separate frameworks. The CSRD requires EFRAG to take account of global standard-setting initiatives to the greatest extent possible. In this regard, EFRAG has published a comparison with the ISSB’s proposals and committed to joining an ISSB working group to drive global alignment. However, in the short term, entities and investors may potentially have to deal with three sets of sustainability reporting standards in setting up their reporting processes, controls, and governance. Key differences The proposed ESRS list detailed disclosure requirements for all ESG topics. The proposed IFRS Sustainability Disclosure Standards would also require disclosure in relation to all relevant ESG topics, but the ISSB has to date only prepared a detailed exposure draft on climate, asking preparers to consider general requirements and other sources of information to report on other sustainability topics. The SEC focused on climate in its recent proposal. The proposed ESRS are more prescriptive, and the number of disclosure requirements significantly exceeds those in the proposed IFRS Sustainability Disclosure Standards. Whereas the proposed IFRS Sustainability Disclosure Standards are intended to focus on the information needs of capital markets, ESRS also aim to address the policy objectives of the EU by addressing wider stakeholder needs. Given the significance of the directive—and the remaining time to get ready for it—entities should now start preparing for its implementation. It is important that entities develop plans to understand the full extent of the CSRD requirements, and the implications for their reporting infrastructure. As such, they should take some immediate steps to prepare, and consider: Performing a gap analysis—i.e. what the entity reports today, contrasted with what will be required under the CSRD. This is a useful exercise to inform entities on where resources should be directed, including how management identify sustainability-related information, and what KPIs they will be required to report on. Undertaking a ‘double materiality’ analysis to identify what topics would be considered material from an impact and financial perspective—as required under the CSRD. Get ‘assurance ready’—entities will need to be comfortable that processes and controls exist to support ESG information, and that the information can ultimately be assured. The Corporate Sustainability Reporting Directive represents a fundamental change in the nature of corporate reporting—the time to act is now and the first deadline is closing in.