Ethics articles

The Statement on Internal Control is critical to the effective risk management and governance of Ireland’s State bodies. Tom Ward and Níall Fitzgerald offer their best practice insights Recent challenges faced by Irish entities in the public, non-profit and private sector have emphasised for many boards (and, where relevant, their funding bodies) the critical importance of the adequacy and operational effectiveness of internal controls, risk management and governance. Ultimately, a systematic and proactive approach to testing and reviewing controls, addressing weaknesses and implementing remedial actions in a timely manner, can only enhance confidence in public sector governance and best practice. In this regard, the Statement on Internal Control (SIC) plays a crucial role. State bodies in Ireland are required to report on all of their internal controls, risk management and governance in their annual SIC in accordance with the Irish Code of Practice for the Governance of State Bodies 2016 (Code of Practice).  Such reporting encompasses financial, business, operational and compliance controls and State bodies are subject to a swathe of such controls as standard, spanning: The discharge of public business. Project delivery and cost management. Monitoring and control of assets. Fraud prevention and detection. IT systems and technology (including cybersecurity).  Procurement. Additional controls specific to the nature of each bodies’ activities include clinical governance for public hospitals, infrastructure guidelines for large infrastructural projects and controls relating to onward funding to other public bodies or non-profits. The SIC must acknowledge the Board’s responsibility for ensuring that effective internal control systems are in place, the approach taken to reviewing these systems to ensure they are working (including steps taken by the Board and its Committees) and must identify any significant weaknesses or breaches. While the format for the SIC is prescribed, the content should be tailored according to the size and complexity of the organisation. However, there is limited guidance on the extent to which the Board should tailor this approach and content. At a recent SIC event co-hosted by Chartered Accountants Ireland and the Institute of Public Administration’s Governance Forum, Andy Harkness, from the Comptroller and Auditor General (C&AG) Office, provided examples of SIC best practice for State bodies, including the need for:  Good documentation clearly explaining the work carried out to support the review of controls; Assurance statements provided by senior managers; The involvement of the internal audit team, including key changes arising from their reviews and recommendations; and  If appropriate, an assurance statement from  independent assurance service providers.  Within this approach, the C&AG highlighted the importance of documenting any issues that may arise and adequately supporting any work undertaken to ensure that significant risks have been identified, including risks arising from changes to the control environment. Also emphasised was the importance of assessing the effectiveness of the controls in place, the assurance results and the effectiveness of follow-up steps taken in response to any control deficiencies identified.  Board and board committees should minute their review and conclusions with regard to the effectiveness of the systems of internal controls under review, and record recommended changes to governance, internal controls and risk management matters arising from the review. Also speaking at the recent SIC event, several experienced non-executive directors provided examples of the approaches they have taken to preparing the SIC within their organisation. In particular, they noted challenges associated with the absence of formal guidance and the ambiguity surrounding the term “operating effectiveness”, which is typically associated with Sarbanes–Oxley applying to companies listed on the US Stock Exchange.  In an Anglo-Irish context, assurance on the effectiveness of controls has traditionally been limited to financial and reporting controls. This is, however, changing. To achieve best practice in SIC reporting, the Boards of State bodies in Ireland may currently rely on: Guidance issued by the Financial Reporting Council (FRC) in Britain in relation to the UK Corporate Governance; International Standards on Assurance Engagements (ISAE) 3402 Reports; Sarbanes–Oxley literature for directors and auditors;  Guidance or circulars issued by the Department of Public Expenditure, Infrastructure, Public Services, Reform and Digitalisation or the C&AG; and General assurance standards and guidance. Some best practice insights for State boards arising from the recent SIC event include: The benefit in defining, adopting and communicating a common framework for performing the review of internal controls. The importance of the work needed to support and underpin the SIC. The need to ensure that the findings reported in the SIC are consistent with other supporting documentation approved and minuted by the Board. The need to disclose any scope limitations encountered in the processes necessary to support the SIC and to consider their impact on the directors’ assertion on compliance with the Code and SIC requirements. Above all, the importance of understanding that the reporting of significant weakness is just one part of the equation—this must be accompanied by reporting on the steps since taken (or to be taken) to address these weaknesses. The focus on robust internal controls, comprehensive risk management and effective governance remains a critical requirement for State bodies.  The SIC is not just a compliance requirement; it also serves as a reflection of the organisation’s commitment to transparency, accountability and continuous improvement.  As State bodies navigate evolving challenges and expectations, adopting a standardised yet adaptable framework, combined with clear guidance, will strengthen overall SIC governance practice.    Dr Tom Ward is Senior Governance Specialist, Professional Development, with the Institute of Public Administration Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland

Christine Nangle and Bríd Murphy explore how pre-audit training factors influence professional scepticism, uncovering insights into recruitment, education and decision-making that could enhance audit quality and address persistent challenges in the auditing profession The importance of professional scepticism (PS) gained prominence at the close of the last century. The failure of major companies and financial scandals highlighted the need for auditors to adopt a more questioning and sceptical approach to their work.  Despite numerous academic studies and a heightened focus on this issue in the profession, failure to exhibit PS is still the most cited reason for sanctions imposed on audit firms.  This constant challenge underscores the critical need to foster a culture of scepticism among auditors to enhance audit quality and mitigate the risk of failures. The Brydon Report (2019) assigns blame to the practice of ‘rules-following’ which has blunted scepticism as well as the application of judgement, and calls for improved auditor education to foster the development of PS.   PS includes both an innate ability (trait scepticism) and a temporary mindset influenced by situational factors (state scepticism). Many studies have looked into how PS develops, but there are conflicting findings about what increases PS levels.  With the International Auditing and Assurance Standards Board driving strategic focus on PS through its Professional Scepticism Consultation Group and standards development, the profession must better understand the factors contributing to PS development to ensure accountants and auditors are appropriately skilled to meet evolving requirements and expectations. This study looks at how factors in pre-audit training contracts influence PS. By investigating these pre-audit factors, the study aims to provide information that can improve recruitment practices and audit quality. Understanding what fosters PS in graduates could lead to enhanced training and development initiatives, ensuring new auditors develop the critical thinking and questioning mindset essential for effective auditing in today's complex financial landscape. This study was made possible by the cooperation of accounting firms and their newly hired trainees. It forms part of a broader PhD study in Dublin City University (DCU) which aims to re-measure the levels of PS in the same participants as they approach the completion of their training contracts. A range of firms, from large to medium-sized professional practices, helped collect 332 surveys from participants. Most participants began their training contracts one to three months before completing the survey, allowing the research findings to be connected to factors before their professional training. Influences The survey revealed no significant difference in PS levels between male and female participants. However, it found that participants aged 26+ demonstrated greater PS levels.  Of the 332 participants, 26 percent had undertaken postgraduate studies, and results indicate postgraduate education is positively linked to increased PS levels. And while 73 percent of participants in this study had engaged in ethics education prior to their training contract, this study found no relationship between ethics education and PS levels.  Professional scepticism vs judgement  PS influences decision-making processes and judgements. Higher levels of PS should improve critical evaluation, enhance objectivity and mitigate cognitive biases that may cloud judgment, improving risk assessment and overall audit quality.  This study used scenarios to assess how PS levels affect initial judgements about fraud and errors based on different client experiences –  neutral, positive and negative. Participants were presented with three scenarios, containing details of the same material misstatement. The first scenario involved a neutral client experience, the second indicated a positive experience, and the third showed a negative experience. Participants answered questions after each scenario, about their perceptions of fraud, risk and client trustworthiness. Participants with higher levels of PS made more prudent judgments in all three scenarios. However, this effect was stronger in the positive and neutral scenarios, suggesting individuals with higher levels of scepticism are less likely to change their judgments based on different client experiences.  The study also highlighted concepts from ancient philosophy, specifically Pyrrhonian scepticism, which encourages refraining from making judgments and suspending belief, which can result in indecision or inaction.  Philosopher Sextus Empiricus warned that being too sceptical could trap people in doubt and hinder decision-making. To allow for analysis of this phenomenon, the survey allowed participants to skip questions instead of forcing them to answer.  Interestingly, the findings show those who skipped four or more judgments had significantly higher PS scores than those who skipped fewer. This suggests an optimal level of scepticism where too little leads to poor judgment, while too much can impede one's decision-making capacity. These initial findings provide some insights regarding potential recruitment screening criteria. It is hoped that the broader study will offer further insights regarding the development of PS during trainee contracts. A greater understanding of PS development at this important stage in the career of an auditor will help to ensure audit trainees’ development aligns with regulatory priorities to improve public trust and mitigate sanctions in the audit profession. Christine Nangle is Head of Discipline of Accounting at TU Dublin Bríd Murphy is Associate Professor at DCU

The Irish Corporate Governance Code represents a progressive approach to ensuring best practice among companies listed on Euronext Dublin and enhances the reputation of ‘Ireland Inc’ globally. Níall Fitzgerald and Louise Gorman explain why Did you know that Ireland hosts one of the most extensive corporate governance infrastructures in Europe?  In Ireland, there are specific governance codes applicable to listed companies, charities, state bodies, financial services institutions, funds and sports organisations.  This is in addition to other entity-specific requirements that may also apply – charities may have to comply with multiple governance requirements as a condition of receiving state funding, for example.  Yet, until recently, Irish listed companies have relied on the best practice principles of the UK Corporate Governance Code (UK Code).  It is therefore worth considering the extent to which the recent publication of the Irish Corporate Governance Code 2024 (Irish Code) presents a new opportunity to tailor best practice in corporate governance to Irish listed companies. The Irish Code will apply initially to a small number of companies listed on Euronext Dublin, the Irish Stock Exchange, for financial years commencing 1 January 2025. Those dual-listed in both Ireland and the UK have the option to either follow the Irish Code or the UK Code in respect of their Irish listing.  The introduction of the Irish Corporate Governance Code is nonetheless significant.  Four years on from the UK’s departure from the European Union (EU), the Irish Code signals that the time has come for Irish companies to follow a path aligned with EU policy and practice, while remaining loyal to the overarching best practice principles established by the UK. It also reflects welcome proactivity in protecting and enhancing the reputation of ‘Ireland Inc’ on the global stage.  Historically, many corporate governance codes and laws internationally have been introduced in response to corporate failings.  By contrast, the Irish Code has emerged out of a desire to ensure that best practice is suitably tailored to the specific circumstances of Irish listed companies.  This comes at no cost to our competitiveness. We retain our well-established ‘comply or explain’ principles-based approach, while also remaining globally connected via our EU membership. Further, we host a US Public Company Accounting Oversight Board presence relating to both Irish companies listed on US Stock Exchanges and US listed companies operating in Ireland. What does this mean for Irish companies? Irish companies already complying with the UK Code will, for the most part, maintain their existing governance practices. They will need to address some specific Irish Code requirements, however. The extent of any differences here will vary depending on each company’s governance policies and structures.  Some companies may find the adjustment process less challenging, particularly those already preparing for the new UK Code applying from 1 January 2025 (apart from Provision 29, which applies from 1 January 2026).  The UK Code served as the basis for developing the Irish Code. Euronext Dublin has made changes only where necessary to ensure proportionality and relevance.  To enhance the principle-based approach, Euronext Dublin has also taken the decision not to include some of the more prescriptive requirements driven largely by the UK regulatory environment.  Maintaining close alignment makes sense as the UK Code is highly regarded and sets a high standard for corporate governance that is emulated internationally.  Our table illustrates some of the key differences between the Irish and the UK Code. Some of these differences, and what they mean for Irish companies, are further explained below. Internal control and risk management: A significant new requirement in the UK Code is included within Provision 29. This requires boards to provide a “declaration of effectiveness” on internal controls, identifying any ineffective controls as of the balance sheet date. Compliance will require boards to establish an independent framework to monitor and assess their internal control and risk management systems. The Irish Code also requires boards to review and report on the effectiveness of these systems, but it is less detailed, not requiring specific declarations or publication of ineffective controls at the balance sheet date. Audit committees: The UK Code requires audit committees to adhere to the Financial Reporting Council’s (FRC) “Audit Committees and the External Audit: Minimum Standard.” In contrast, the Irish Code outlines the roles and responsibilities of audit committees, which are consistent with Companies Act 2014 (Section 167) requirements, without reference to an additional standard, specifying that their work should be detailed in the annual report. Maintaining the principle-based approach in this area is practical, as best practices for audit committees are evolving in accordance with emerging recommendations on audit tendering oversight and sustainability reporting coming from bodies such as the FRC and Accountancy Europe. Less prescriptive and more proportionate: The Irish Code retains core principles, such as workforce engagement, but leaves it to boards to choose the most appropriate methods for their companies’ needs. This facilitates greater flexibility relative to equivalent parts of the UK Code which specify detailed considerations or criteria. The Irish Code aligns some provisions with those in smaller EU capital markets, enabling a proportionate governance approach. For example, while one of the criteria for assessing non-executive directors’ independence in the UK Code requires a five-year employee cooling-off period to be considered, the Irish Code sets this at three years, balancing market size and available talent. Regulatory oversight and enforcement: Like the UK, the Irish Code relies on the market mechanism. It aims to promote high standards of integrity, transparency and accountability. Investors and stakeholders can evaluate disclosures and make comparisons across companies in assessing corporate governance quality. These assessments then inform decisions and actions taken in the markets, such as the decision to buy or sell shares. The implication of this in the UK experience is that the FRC has no sanctioning authority in instances of weak compliance; sanctioning is left to the market mechanism. The FRC does, however, conduct thematic reviews to guide improvements in corporate reporting and governance. Ireland currently has no equivalent body for corporate governance assessment. However, the Irish Auditing and Accounting Supervisory Authority reviews annual reports for EU Transparency Directive compliance, without a specific corporate governance focus. While sanctions do not apply for weak governance compliance, Euronext Dublin can impose sanctions or suspend listings for violations of the listing rules. The Financial Conduct Authority in the UK has a similar approach.   The Irish Code and the UK Code: key differences Workforce engagement  The Irish Code requires boards to explain workforce engagement methods and their effectiveness, without mandating a specific method as in the UK Code. Additionally, it requires a board review of policies for raising concerns. This requirement aligns with the OECD Corporate Governance Principles 2023.  Threshold for addressing shareholder dissent The threshold for consulting with shareholders on a dissenting vote against a board recommendation is set at 25 percent under the Irish Code (20% in the UK Code). Unlike the UK, there is no requirement to provide a six-month shareholder update on the consultation, but it should be addressed in the next annual report. Non-executive director independence  When considering the independence of a non-executive director (NED), the criteria relating to previous employment by the company is whether they have been an employee of the company within the last three years (compared to five years in the UK Code). Board appointments The Irish Code does not include the UK Code restriction on the number of appointments a non-executive director has in a FTSE 100 or other significant undertaking. The Irish Code requires all commitments to be considered when determining whether the NED has the capacity to fully commit to the board. Company Secretary The Irish Code further elaborates on the role of the Company Secretary in ensuring a good information flow within the board, its committees and between management and non-executive directors – recording accurate minutes, facilitating induction and assisting with professional development of non-executive directors. Board evaluation The Irish Code replaces the UK Code reference to FTSE 350 companies with “companies with a market capitalisation in excess of €750 million” in the requirement to conduct an external board evaluation at least once every three years. Board skills and expertise The Irish Code includes an additional requirement for the nomination committee to use the results of a board evaluation to identify the board’s skills, knowledge and expertise requirements. This should be reflected in board succession plans, professional development plans and steps taken to ensure the board has access to the skills, knowledge and expertise it requires. This requirement is consistent with good governance practices in other EU countries, e.g. the 2020 Belgium Code on Corporate Governance. Diversity and inclusion Whereas the UK Code includes reference to UK equality legislation for diversity characteristics, the Irish Code requires companies to have a diversity and inclusion policy regarding gender and other aspects of diversity of relevance to the company and includes measurable objectives for implementing such a policy. The Irish Code requires this policy to be reviewed annually. Audit Committee To ensure consistency with the Companies Act 2014, the requirement for one member of the Audit Committee to have “recent and relevant financial experience” is changed to “competence in accounting or auditing”. Reference to “financial reporting process” is replaced with “corporate reporting process” to better reflect the audit committee’s role in monitoring financial and non-financial reporting, e.g. sustainability reporting. Reference to the UK specific Financial Reporting Council guidance on “Audit Committees and the External Audit: Minimum Standard” is also removed. Internal controls and risk management systems The Irish Code does not include the UK Code provision for the board to include a declaration of effectiveness of material controls, but the requirement to monitor the company’s internal control and risk management systems and review their effectiveness remains.  Remuneration Under the Irish Code, share awards in long-term incentive plans must vest over at least three years, unlike the UK’s five-year minimum. Malus and clawback provisions should be described generally in annual reports, and executive pensions require thoughtful comparison to workforce pensions, with less prescriptive rules than the UK Code. What next for the Irish Code?  Euronext Dublin is in the process of revising the Listing Rules to give effect to the new Irish Code and is further streamlining the requirements.  An Irish Corporate Governance Panel will be established, with responsibility for reviewing and advising on changes to the Irish Code in the context of the evolving corporate governance landscape in Ireland, the UK and Europe alongside other factors.  What impact the Irish Code will have remains to be seen. It represents a sensible approach to building on the reputation and quality of the UK Code, and while there are some differences between the Irish and UK Code, they are mostly aligned.  We have been careful to note that the Irish Code initially applies only to a small number of companies, so one may be forgiven for questioning its true significance. Nonetheless, key issues on the European regulatory horizon suggest that it may mark the start of a greater departure from the UK’s approach to governance.  The recent transposition of the Corporate Sustainability Reporting Directive into Irish law provides another example of this as the CSRD’s required disclosures on governance introduce an EU influence into governance in Irish companies.  Future revisions to the Irish Code may further reflect this newly established autonomy in governance in Ireland, particularly as we adopt the Corporate Sustainability Due Diligence Directive and other directives the European Commission will inevitably introduce over time.  Currently, best practice principles for Irish private companies are limited to voluntarily following the UK’s Wates Corporate Governance Principles for Large Private Companies. Just as the UK Code has influenced these principles, the Irish Code may provide a basis for further extension to large private entities.  There is also a strong argument that any evolution in corporate governance guidance deserves due consideration, particularly as boards deal with increasing risks and opportunities from environmental, social, economic and technological developments.  As it happens, there are no immediate plans to draft guidance to support the Irish Code, and the FRC’s Corporate Governance Code Guidance should, in the short term, be sufficient to fill the gap.  Experts in the area have long noted that attention tends be paid to corporate governance only when a failure occurs.  Given the level of public scrutiny such failures attract, and the associated reputational costs borne by board members, any Irish listed company director should be asking themselves if they can really afford not to pay attention to the new Irish Corporate Governance Code. Níall Fitzgerald, FCA, is Head of Ethics and Governance at Chartered Accountants Ireland Louise Gorman is Assistant Professor at Trinity Business School