EY Policy Pulse January 2017

Sections
Policy
Pulse
contents
2
Welcome
4
Culture: the key
to sustainable
growth
10
Regulatory
spotlight shines
again on executive
remuneration
16
Integrated
reporting comes
of age

22
Data protection:
once more unto
the breach
28
Investing in high
quality audits
34
Brexit: navigating
uncertainty
40
Recent regulatory
developments
worth watching

Since our last issue, the UK Government continues to
prioritise innovation, growth and prosperity in a world of
disruption. Our Prime Minister continues to communicate a
keen willingness to partner with business to build an economy
and society that works for everyone. This is evidenced by the
Green Paper on corporate governance reform published on
29 November 2016, to which we will respond. It shows that
the new team at Number 10 recognises that the UK’s unitary
board system is a real strength and that the Prime Minister is
open to exploring different models of worker representation
other than imposing workers on boards. Coupled with
this is the ongoing debate about how and when Brexit will
be managed, and of course the upcoming change in the
presidency of the USA looks set to add more uncertainty in
terms of international trade and commerce.
Against this back-drop of shifting political perspectives and
priorities it’s more important than ever to keep your finger
on the regulatory pulse. As the name implies, Policy Pulse is
here to help you do just that, with the insight and questions
you need to help you navigate your way through these
interesting times and capitalise on the opportunities
they present.
This edition includes content from EY’s leading experts
on the topics of executive remuneration, data protection,
integrated reporting, audit quality and Brexit. In addition,
we are delighted to include comments from Sir Win
Bischoff, Chairman of the Financial Reporting Council, on
the importance of developing and managing an effective
corporate culture.
To discuss any of these articles in more detail, please
contact EY’s Regulatory and Public Policy team.
Eamonn McGrath
UK Head of Regulatory and Public Policy
Welcome to EY UK’s
Policy Pulse
2

Our publication is
designed to provide
you with an overview
of the most important
regulatory and public
policy developments
facing you and your
business today, in the
areas of reporting,
auditing and
governance.
3Policy Pulse — Regulatory & Public Policy — January 2017

Section 1
Culture:
the key to
sustainable
growth

In July 2016 the Financial Reporting Council (FRC)
published the results of its study on corporate culture
and the role of Boards. It “looks at the increasing
importance which corporate culture plays in delivering
long-term business and economic success”.
EY’s Corporate Governance team has completed their
third annual review of annual reports and accounts
published by the FTSE350 and found ‘Culture and
People’ to be among the five key themes reported on.
Culture: the key to
sustainable growth
Reference source: Annual reporting in 2015: evolving communication in a changing world, page 31, published by EY.
Was there a clear
indication of how
the board measures
culture? 9% 91%
6

Interview with Sir Winfried Bischoff,
Chairman, Financial Reporting Council
(FRC)
Culture in a corporate context can
be defined as a combination of the
values, attitudes and behaviours
manifested by a company in its
operations and relations with its
stakeholders. These stakeholders
include shareholders, employees,
customers, suppliers and the wider
community and environment which
are affected by a company’s conduct.
Business, society and the
corporate governance
framework
Companies do not exist in isolation.
They need to build and maintain
successful relationships with a wide
range of stakeholders in order to
prosper. These relationships will
be successful and enduring if they
are based on respect, trust and
mutual benefit.
Business’ reputation is still
recovering from the impact of the
global financial crisis and continuing
examples of poor corporate
behaviour. As we have seen, cultural
failures damage reputation and have
a substantial impact on shareholder
value. Intangible assets such as
intellectual property, customer base
and brand now account for over 80
per cent of total corporate value,
compared to under 20 per cent
40 years ago. This shift magnifies
the impact on total value when a
reputational crisis occurs. This is a
challenge for boards, which must
find ways to understand and
influence the factors which affect
culture and behaviours.
The debate about the role of
business in society is directly linked
to the way in which companies
create and sustain long-term value
for the benefit of a wide range of
stakeholders. From the outset of
our work the FRC has been clear
that we wish to offer constructive
observations which have practical
application. We are not suggesting
changes to the current flexible
framework of corporate governance.
While legislation, regulation and
codes influence individual and
corporate behaviour, they do not
ultimately control it.
The Companies Act 2006 makes it
clear that in pursuit of the overarching
duty to promote the success of
the company for the benefit of the
members as a whole, directors
should take account of a range of
stakeholders in making decisions.
Inevitable conflicts will arise between
the interests of different sets of
stakeholders but where there is
a broad alignment between their
objectives, a focus on how business
is conducted and how stakeholders
are treated will create opportunities
for value creation that have mutually
reinforcing benefits for all.
All of the copy above is an extract
from the FRC’s report called:
‘Corporate culture and the role of
boards, report of observations, July
2016’. Shortly after this report was
published we asked Sir Win for his
views on the following points:

1.
Why does trust and
integrity need to improve?
Trustworthy behaviour throughout
a company is as important as
trustworthy information. This helps
investors decide where to allocate
their much needed capital and help
deliver jobs, growth and prosperity
to drive the economy and support
society as a whole. Treating all
stakeholders, including customers,
staff and suppliers with respect
makes companies more investable.
Culture sits at the heart of this cycle.
When deciding the cultural
direction of a company, it is
important to consider the views of
all stakeholders not just those of
shareholders. Adopting such an
approach is a vital component of
corporate success and an essential
indicator of trust. A positive
culture is backed up by incentives,
clear communication and training
opportunities to promote the
delivery of value.
2.
Why now?
With the Government and others
taking a close interest in issues
that portray business as out of
touch and uncaring, companies
face a wake-up call to look at their
own cultures before winning back
broad support from society as a
whole. Companies must establish
a culture that encourages good
behaviour, which operates through
all levels of the organisation and
which becomes embedded in the
mentality of all staff.
3.
Whose trust needs to
be won?
Society as a whole. Society wants
company behaviour to improve,
and culture to change. It expects
a company’s culture to instil
confidence among its investors and
other stakeholders, and to deliver
the company’s objectives in a way
that enhances long-term value.
4.
How do you define and
measure it?
The most commonly cited sources
of cultural insights are:
1. Employee engagement surveys
and pulse surveys
2. Whistleblowing incidents
3. Employee turnover and exit
interviews
4. Customer feedback
5. Grievance data
6. Incentive payments
There are many others. HR holds
a lot of data which can be drawn
on. Also customer and supplier
feedback, attitudes to compliance,
remuneration policies and decisions
and attitudes to employees, social
media and sites such as Glassdoor,
where employees give views on
what it is like working for their
employer. These are all worthwhile
sources.
Some companies have developed
a cultural health index which they
run at regular intervals and which
can identify hotspots before they
become evident in other ways.
These can then be investigated
further.
More sophisticated measurement
tools are being developed such
as the one we were shown by EY
recently. They capitalise on the
explosion in the volume of data
available and the technological
capacity to mine that data and
extract the underlying messages
and identify risk areas. As
measuring culture becomes
mainstream, it seems likely that
more companies will deploy such
methods to track what is happening
in their organisations.
Questions & Answers
8

5.
When do you know when
you’ve got it? And how do
you preserve it?
Fostering a healthy culture that is
aligned to the company’s purpose,
strategy and business model is not
a one-off exercise. As the external
environment and challenges
affecting business change, so may
the culture needed to deliver long-
term value. In a healthy culture,
the systems, the procedures, and
the overall functioning and mutual
support of an organisation exist in
harmony. Boards need to assure
themselves that they know the
culture they have, and the culture
they want by asking good questions
and making informed decisions.
This will contribute to the overall
success of business and create
an environment on which society
can depend and our economy can
continue to prosper.
6.
What’s the FRC’s role in all
of this?
The FRC strives to promote high
quality corporate governance and
reporting in the public interest.
Trustworthy information helps meet
the needs of investors, generates
confidence in the stewardship
undertaken by corporate boards
and is an important indicator
of good culture in action. High
standards of corporate governance
and reporting are important for
the fair and effective functioning
of the capital markets that benefits
investors, companies and the wider
public interest.
As custodians of the UK Corporate
Governance Code we have played a
strong and positive role in defining
and helping companies to set down
in practice what good corporate
governance means. The Code is not
a rulebook and the FRC does not
wish it to be viewed as such. The
“comply or explain” approach gives
companies flexibility in how they
govern themselves. Boards should
give extensive thought to how they
apply the Principles of the Code
and consider carefully when they
wish to depart from its Provisions,
providing a clear rationale when
this is the case.
The FRC is well aware that strict
adherence to the Principles and
Provisions of the Code is not, on its
own, an indication that company
culture is completely healthy.
Codes set out principles for best
practice that, if followed, make bad
behaviour less likely to occur; and
public reporting can make it harder
to conceal such behaviour.
But, by itself, a Code does not
prevent inappropriate behaviour,
strategies or decisions. Only the
people, particularly the leaders
within a business, can do that.
The focus on the longer term was
underlined in 2014 when the Code
introduced a ‘viability statement’ to
strengthen boards’ attention of the
longer term and the sustainability
of value creation. This will also
provide investors with an improved
picture of the state of the business
and its prospects.
This is why in 2016 we took a closer
look at the role of the board in
shaping, embedding and measuring
culture. Our report sought to
provide boards with a prompt
to reflect on the role it plays in
relation to company culture and
provide some practical ways the
board can take action.
The UK voted to leave the EU,
and Prime Minister Theresa May
announced Article 50 will be
triggered by the end of March 2017,
with no running commentary on
the negotiations, meaning there
will be a continuing knowledge
vacuum in which markets will make
assumptions and react accordingly.
As regulators we mustn’t be
complacent but tread carefully.
No knee-jerk decisions! We will
carefully consider what is best for
the sectors and professionals we
regulate and right for the long-term
health of the stakeholders we serve.

Section 2
Regulatory
spotlight
shines again
on executive
remuneration

Since the Cadbury report in 1992 executive
remuneration has become increasingly topical amongst
legislators and regulators. This culminated in 20131
with
new UK legislation on remuneration policy and reporting.
It now seems as though everything is coming full circle
with, amongst other things, the Government’s Green
Paper on corporate governance reform which seeks
views on the following three topics:
Regulatory spotlight shines
again on executive remuneration
Shareholder influence
on executive pay
Increasing the
connection between
boards and other
interested groups,
such as employees
Extending corporate
governance features
to large privately-held
companies
1
The Large and Medium-sized Companies and Groups (Accounts and Reports) (Amendment) Regulations 2013.
12

In September 2016 the Business,
Energy and Industrial Strategy (BEIS)
Committee launched an inquiry
into corporate governance. During
the same month the UK Prime
Minister Theresa May made various
statements about the Government’s
aims to seek reforms to the way
companies are governed, with a
focus on executive remuneration
(e.g., curbing excessive pay). In
response, the Financial Reporting
Council said in November 2016
that when it next reviews the UK
Corporate Governance Code it will
consider the role of the remuneration
committee, especially in relation
to reporting on the link between
remuneration structure and the
company’s strategy. The Investment
Association also published a revised
copy of its guidance on remuneration
in October 20162
, and at the end
of November 2016 BEIS published
a Green Paper on corporate
governance reform. The paper seeks
views on:
• Shareholder influence on
executive pay
• Increasing the connection between
boards and other interested
groups, such as employees
• Extending corporate governance
features to large privately-held
companies
The continued focus on executive
pay has an underlying aim of
maintaining and protecting the UK’s
strong reputation for corporate
governance. However, whether
further Government intervention
in this area will reduce the overall
quantum of executive pay levels
and increase public confidence in
the business sector remains to be
seen, and will no doubt be strongly
debated. We will take a closer look at
the Green Paper in our next edition
of Policy Pulse.
A mix of new initiatives
This new influx of initiatives
has broadened the debate on
remuneration amongst the media
and other interested parties. For
example, in addition to key aspects
of the Green Paper, we see views
expressed on topics ranging from
the capping of remuneration to the
abolition of bonuses.
Remuneration committee chairmen
could easily be forgiven for being
distracted by these and other
initiatives, in terms of considering
which ones should be prioritised
for the attention of committee
members. Outlined below are the
ones we would expect to see on the
committee’s agenda.
Influencing how executives
are paid
Since the UK Government’s
regulations on remuneration were
introduced in 2013 there have been
calls from investors and others for
less complex remuneration policies
e.g., reducing the number of pay
elements, paying executives only in
equity, removing complicated share
schemes and reducing the number
and complexity of metrics used in
bonus schemes.
Particular attention is being paid
to Long Term Incentive Plan (LTIP)
structures, led by the Executive
Remuneration Working Group
(ERWG). The ERWG was established
by the Investment Association in the
autumn of 2015 as an independent
panel to address the concern that
executive remuneration has become
too complex and is not fulfilling its
purpose. In its July 2016 report3
it
suggests that companies feel under
pressure to adopt a one-size-fits-
all LTIP model, which is helping to
create this complexity.
One approach advocated by
some investors is the wider use of
restricted share plans. These involve
the receipt of shares by executives
which remain subject to forfeiture if
certain performance requirements
are not met.
2
The Investment Association’s Principles of Remuneration, October 2016
3
Executive Remuneration Working Group – Final Report (July 2016)
13Policy Pulse — Regulatory Public Policy — January 2017

Such plans are often simpler than
LTIPs and provide a much clearer
upfront indication of costs. However,
restricted share plans are not the
new one-size-fits-all solution and
companies should assess whether
they are appropriate for their
business (e.g., in terms of growth
cycle and industry sector(s)).
Limiting what executives
are paid
In a statement made to Parliament in
September 2016, UK Prime Minister
Theresa May referred to the G20
Summit in China and restated her
Government’s aim to, amongst other
things, crack down on excessive
pay. This has raised expectations on
when and how the Government will
cross the Rubicon and determine
what excessive pay means and how
it can be curtailed. Responses to the
Green Paper should help to give an
indication of the Government’s future
direction of travel on this issue.
Many companies are preparing to re-
submit their remuneration policy to
a binding shareholder vote. Investors
are encouraging companies to make
changes to their remuneration
policies which go above and beyond
the regulations (and clarifications
following the Government’s paper
assessing how companies have
implemented the UK reporting
regulations of 20134
). For example,
some are calling for bonuses to
be capped as a percentage of
salary, or for a maximum level
of total remuneration to be paid.
Although caps should initially limit
remuneration, introducing them
without proper consideration may
result in unintended consequences.
For example, over time a cap
can evolve into a minimum level
which all expect to receive. This
can have the effect of ratcheting-
up the level of fixed pay (which
in turn drives up variable pay).
Limiting total remuneration can
also have negative effects on high
performing businesses where, for
example, further potential growth
goes unrealised as it would not
be rewarded. In the UK financial
services sector such an approach
has resulted in more complex pay
arrangements with the introduction
of special allowances.
Given the range of issues which
can arise from capping, it seems
that perhaps more attention should
be focused on the link between
performance and pay, be it the
mechanics (e.g., special bonuses
and awards), metrics or targets.
The Investment Association’s latest
principles on remuneration include
the provision that remuneration
structures should include pre-agreed
and documented malus and/or claw
back provisions for each executive,
allowing respectively the forfeiture
of all or part of a bonus or long-term
incentive award before it has vested
and been paid, and/or the recovery
of sums already paid.
Enhancing the governance of
executive pay
One approach under consideration in
the Green Paper is the introduction
of an additional binding shareholder
vote (currently only applicable to the
remuneration policy report). The
intention is that enhanced voting
powers will enable shareholders to
hold companies to account more
effectively on executive pay levels.
The potential downside is the risk of
protracted voting processes which
could undermine relationships with
shareholders, and negatively impact
on future company performance.
Another approach is the publication
of ratios between executive and
employee pay. This would take
a similar form to the new UK
legislation5
requiring large employers
to calculate their gender pay gap
from April 2017 and publish the
details by April 2018.
Focusing on sector league tables (as
is the case with the pay gap) may
help address the problem of different
ratios being used in different
industry sectors. However, the risk
remains that using a single statistic
may drive the wrong behaviours in
some companies. For example, some
businesses may attempt to change
their structure and/or outsource
lower paid jobs to shared services
providers to help improve their ratios.
Next steps
Although the outcome from the
current debate on remuneration
is uncertain, the sheer volume of
initiatives and ideas on the subject
leaves us in no doubt that there
is a desire for change amongst
legislators, companies and their
stakeholders.
The Green Paper brings all of this
into focus, and what remains clear is
the underlying principle upon which
executive remuneration is founded.
It should, first and foremost, support
the achievement of a company’s
long-term business strategy. This
means that as each company’s
condition and situation changes, its
remuneration policy should change
accordingly.
This task rests with the board and
its remuneration committee, to
meet the needs of the business
while balancing the demands of
its stakeholders. The challenge is
to develop a remuneration policy
that meets with the approval
of shareholders, and for these
committees to stay focused on
this task by keeping informed of
shareholder requirements and
regulatory developments on an
ongoing basis.
4
BIS Research Paper No. 208 - How companies and shareholders have responded to new requirements on the reporting and governance of directors’
remuneration – March 2015.
5
Equality Act 2010 (Gender Pay Gap Information) Regulations 2016 issued on 12 February 2016, setting out the detail of the gender pay gap reporting duty.
14

Questions
worth asking
• What steps will the board take
to develop a policy that reflects
incentives for the long-term
interests of the business?
• How will the board engage with
investors and other stakeholders on
next year’s remuneration policy?
• How does the board plan to
formulate a remuneration policy
that meets with the approval of
shareholders?

Section 3
Integrated
reporting
comes of age

In December 2016, The International Corporate Governance
Network (ICGN) and the International Integrated Reporting Council
(IIRC) presented a joint conference to inspire dialogue around the
alignment of corporate reporting to long-term value creation.
In light of this, some companies are beginning to adopt the
principles of the International Integrated Reporting Framework
(“the Framework”)6
, including the application of ‘six capitals’ in
their annual reports and accounts.
6
The International Integrated Reporting Framework was developed by the International Integrated Reporting Council (IIRC), and launched in December 2013.
Paul Druckman, former CEO of the IIRC, joined the board of the Financial Reporting Council on 1 January 2017. He chairs the Corporate Reporting Council
and sits on the Codes and Standards Committee.
Integrated reporting
comes of age
Integrated thinking and
integrated reporting
will play a critical role
in the creation of a
sustainable economy in
the UK and beyond.
The adoption of
the Framework is
building momentum
at different rates in
various countries
and regions.
Such reports will be
inherently constrained
by the limitations of
the language available
(or permitted) to the
accountant.
18

7
In August 2013 The Companies Act 2006 (Strategic Report and Directors’ Report) Regulations 2013 took effect. This requires UK incorporated quoted
companies to provide a description of their strategy, objectives and business model. In addition, they have to explain the main trends and factors affecting
the entity; a description of its principal risks and uncertainties; an analysis of the development and performance of the business; and an analysis using KPIs.
Disclosures about the environment, employees, social, community and human rights issues are also required when material. There is also a requirement to
include disclosures on gender diversity at a senior level, greenhouse gas emissions and human rights in the supply chain of the organisation.
This is enabling them to publish
Integrated Reports (IR), showing
how the input capitals of their
business models are converting into
output capitals, creating competitive
advantage and commercial return,
as well as broader social value (e.g.,
British Telecom, Philips and UBS).
The six capitals, used for the
production of goods and the
provision of services, can be
summarised as follows: i) financial
(e.g., raised through debt and/
or equity); ii) manufactured (e.g.,
plant and machinery, as well as the
broader physical infrastructure
which sustains a modern economy);
iii) intellectual (e.g., know-how,
patents, copyrights and licences);
iv) human (e.g., competencies,
skills and professional experiences
of employees); v) social (e.g.,
relationships within and between
stakeholders and other networks);
and vi) natural (e.g., all renewable
and non-renewable resources).
The option of adoption
The adoption of the Framework is
building momentum at different
rates in various countries and
regions. The UK appears to be more
advanced than most in this regard,
spear-heading the principles of the IR
with a close alignment between the
Framework and the UK’s requirement
for a Strategic Report (SR)7
. The
recently implemented Directive
for Non-financial Reporting is also
expected to act as an accelerant for
these principles in the UK, despite
the impending Brexit.
Divided by a common report
Our clients frequently ask us to
explain the difference between an IR
and an SR. Whilst there are a number
of important areas of overlap (e.g.,
business model, description of
the business strategy, a focus on
value creation and a de minimis
requirement for certain non-financial
KPIs), there remains one significant
difference between the two. This
can be boiled down to the simple
question of whether the company is
choosing to tell the story of how it
creates value through the exclusive
lens of financial and manufactured
capital, or whether it is looking at
value creation through a broader
prism which encompasses other
types of capital such as human,
social, intellectual and natural.
Financial and manufactured capital
are the natural domain of the
professional accountant. Whilst many
companies are publishing an SR
which only references financial and
manufactured capital as the basis
of their value creation, such reports
will be inherently constrained by the
limitations of the language available
(or permitted) to the accountant.
By contrast, leading integrated
reporters are looking at how they
create value across all six capitals,
drawing on emerging frameworks for
the likes of human capital or natural
capital accounting. BT, for example,
describes how its investment in
stakeholders and relationships (i.e.,
social capital) is helping to create a
more digitally-inclusive society, whilst
Philips looks at the contribution of
its investment in intellectual capital
to new patent applications and
intellectual property royalties.
The six capitals help address
the question of how companies
communicate their historic value
creation and provide a perspective
on their future value creation
prospects in a more substantive and
meaningful way to their investors.
By addressing value creation across
six capitals rather than one or two,
integrated reporting is enabling a
corporate reporting model from
the steam age to be adapted to the
digital age.

Taking the plunge
There are two significant challenges
companies must be prepared to
face if they decide to follow the
Framework. Firstly, they have
to identify the right mix of KPIs,
collecting the supporting data and
where appropriate assuring it, to
demonstrate how effectively they are
realising their strategic objectives.
Secondly, they need to demonstrate
the connections across the six
capitals, especially the relationship
of each one to the organisation’s
underlying commercial performance.
The first challenge is the easier
one to address, especially in the
world of Big Data where it has never
been easier to assess a range of
perspectives on how an organisation
is creating (or destroying) value.
For example, companies have
supplemented formal employee
engagement surveys or supplier
surveys with social media trends,
to provide an external and informal
(but no less insightful) assessment of
corporate performance.
The second challenge is more
difficult because research is only
just emerging that demonstrates
objectively how certain so called
non-financial capitals impact on
commercial performance (e.g.,
that greater diversity contributes
to better decision making). This
challenge becomes even greater
when consideration is given to the
dynamic interplay between all six
capitals, and how this mix impacts on
performance. This requires a more
sophisticated appreciation of value
creation and its drivers.
Thinking and reporting in an
integrated way
Companies in highly regulated
industries (e.g., utilities) are
beginning to embed the interplay of
different capitals into their strategic
decision making, drawing on this
objective analysis of value creation
across the six capitals in their
discussions with the UK Government.
This creates more integrated
thinking, and we regard integrated
thinking and integrated reporting as
two sides of the same coin. They are
inter-related processes and cultures,
which have in common a broadening
of horizons on what is meant by
value from a narrowly prescriptive
focus on financial and manufactured
capital, to a more complete and
encompassing perspective on how
other types of capital contribute to
value creation.
Integrated thinking and integrated
reporting will play a critical role in the
creation of a sustainable economy
in the UK and beyond. It will provide
companies with the insights they
require to make the right long-term
investments, and investors with the
information they require to allocate
their capital to the most sustainable
companies which will generate the
strongest long-term returns.
20

Questions
worth asking
• How embedded is integrated
thinking in your organisation?
• Have you identified all the
capitals which contribute to the
value your organisation creates?
• How effectively does the
company’s annual report
reflect this underlying
integrated thinking?

Section 4
Data protection:
once more unto
the breach

From 25 May 2018 EU Member States will be expected
to have implemented the General Data Protection
Regulations (GDPR) and the Directive on the Security
of Network and Information Systems (the Directive).
Data protection: once
more unto the breach
A failure to report a
data breach within the
specified time frame and
without a reasonable
explanation, may lead to
a fine of €20mn OR 4%
of gross annual turnover,
whichever is the greater.
Regardless of when
Brexit happens, this
legislation will prevail
in the UK in one form
or another.
We expect that
companies’ customers
will be considering how
an organisation rates in
terms of data security,
as well as the quality of
its goods and services.
24

This will introduce several changes
for EU citizens. The most notable will
be more control over personal data,
with the assurance that holders of
this information subject to a breach
in security, will be required to report
the incident within 72 hours of it
occurring.
We take a look at these and other
GDPR requirements from a Brexit
perspective, with reference
to guidance published on 5
October 2016 by the Information
Commissioners Office (ICO).
From if to when
The ICO acknowledges that
regardless of when Brexit happens,
this legislation will prevail in the UK
in one form or another. The need for
effective legislative intervention on
data protection is now a given.
Indeed, over the past 30 years
the realisation has finally dawned
amongst government and business,
that it’s not a matter of if the security
of an organisation’s data is breached,
it’s a case of when and the level of
preparedness to deal with it. This
means developing incident response
capabilities and forensic readiness
planning, incorporating the usual
security representatives as well as
teams of experts in legal, public
and media relations, and customer
services.
Defining a breach
One issue the GDPR seeks to address
is the challenge of developing
consistent and comparable
definitions. This is in relation to data
and what constitutes a breach of that
data, with the corresponding follow
up procedures.
The GDPR states that: ‘Data
Controllers will be required to
report data breaches to their data
protection authority unless it is
unlikely to represent a risk to the
rights and freedoms of the data
subjects in question. The notice
must be made within 72 hours of
data controllers becoming aware
of it, unless there are exceptional
circumstances, which will have to
be justified.’
The Directive complements this with
standardised requirements which
aim to boost the overall level of cyber
security in the EU, by ensuring that
Member States are:
• Prepared and appropriately
equipped, e.g. via a Computer
Security Incident Response Team
(CSIRT) and a competent National
Information Security Authority
(NISA)
• Willing and able to work with each
other by setting up a Cooperation
Group, in order to support and
facilitate strategic cooperation
and the exchange of information,
and a cross-state CSIRT network
to promote swift and effective
responses to specific cyber
security incidents
• Capable of developing a “culture
of security” across sectors,
especially those with significant
infrastructure implications
including utilities, transport,
banking, healthcare and digital
(e.g., providers of cloud-
computing services).

Defining data
The data to which this legislation
refers includes any digital Personally
Identifiable Information (PII). The
GDPR requires that entities need to
conduct Private Impact Assessments
of their PII, so they understand the
scope and scale of their IT estate and
where precisely PII is held.
PII data assets come in many
forms from spreadsheets, purpose
built databases and emails, to
unstructured data. Many different
areas of a business will generate,
collect and process PII data on an
ongoing basis. So keeping a track
of it is a herculean task which many
companies seem to have regarded
as a low priority. Once the GDPR is
in place they will be obliged to make
this a high priority.
Fines and fall-out
The task of identifying and accurately
reporting a data breach can be a
challenge for most companies. It
should also be noted that when a
breach occurs, fallout from negative
publicity will no doubt make some
more reluctant than others to
publicise it. In addition to this it
seems that regulatory sanctions
have been relatively modest and
accordingly they have not offered
much of a deterrent against the loss
of data. The maximum fine the ICO
can levy against a company for losing
PII is £500,000.
A potential consequence of this is
that some companies may be less
inclined to prioritise investment in
the prevention of such breaches. The
GDPR aims to counter this and shake
out any remnants of complacency
or foot-dragging by companies
which find themselves a victim of a
data breach. For instance, a failure
to report a data breach within the
specified time frame and without a
reasonable explanation, may lead
to a fine of €20mn or 4% of gross
annual turnover, whichever is the
greater. So there will be nowhere
to hide and a financial penalty
likely to arouse the interests of
investors and other stakeholders
who might ordinarily be indifferent or
disengaged on the subject.
Taking the next steps
Companies need to develop a
security strategy so they know
exactly what it is they are trying
to protect. To do this they need
to create and maintain an asset
inventory. An additional element to
this is the requirement to perform a
Privacy Impact Assessment (PIA) for
each system that processes PII data.
Whilst some companies may be doing
this already (e.g., banks), it’s less
likely that smaller businesses have
taken the same steps. So therein lies
the challenge for service providers to
develop the capacity and economies
of scale to offer help and advice on
this topic to all companies that will be
affected by the GDPR.
Before too long we expect that
companies’ customers will be
considering how an organisation
rates in terms of data security, as
well as the quality of its goods and
services; a potentially seismic shift in
terms of consumer priorities.
Our interest in these changes
lie across many business areas,
particularly in the fields of cyber
threat intelligence, incident
response and the legal landscape.
The proactive hunt for PII data
within corporate infrastructures
is also proving to be invaluable to
businesses, especially those which
are mindful of the potential fine that
awaits if/when their PII is breached.
So making an early start and
preparing now is the best advice we
can offer.
For ease of reference we have
included links to the ICO’s guidance
on the GDPR and the Directive.
Information Commissioners Office
(ICO) published some guidance:
ico.org.uk/for-organisations/
data-protection-reform/overview-of-
the-gdpr/
Directive on the security of Network
Information Systems (NIS):
ec.europa.eu/digital-single-market/
en/network-and-information-security-
nis-directive
26

Questions
worth asking
• How will the board develop
a data security strategy for
the business?
• How will the business conduct
a Privacy Impact Assessment?
• What steps have been taken
already to identify where
personal data is held in
the business?

Section 5
Investing in
high quality
audits

Investing in high
quality audits
As the scope of the
audit changes over
time, together with the
use of new technology,
investment in people
will remain highly
important.
The audit of the
future will look
at other indicators
beyond those
constrained by
structured
financial data.
We are investing in assessing
our clients’ cultures using
various analytics tools. The
understanding we gain,
when combined with other
structured and unstructured
data observations, is giving
us greater insight into
potential risk areas.
Regulatory oversight on audit quality has never been greater,
which reflects the vital role played by auditors in the functioning
of capital markets by promoting transparency and supporting
investor confidence. Companies, regulators and other
stakeholders count on us to deliver excellence on every audit,
and meeting their expectations is an absolute priority for us.
30

Here we outline the investment we
make to meet these requirements:
The fourth industrial
revolution
We live in a world where the pace
of change is relentless. Often
referred to as the fourth industrial
revolution, the combined effects of
data proliferation, digital disruption,
globalisation and technological
advances are just some of the
matters that we all grapple with in
our working world. This is why we
have to keep investing in our audit
business to continue improving
the audit quality on which we pride
ourselves, so we can be certain of
sustaining trust and confidence in
what we do. In practical terms this
means investment in technology,
people, training and processes.
Technology
Over the past three years we have
invested heavily to create the
technologies needed for the audit
of the future. $400mn has been
spent on new audit technology to
utilise analytics and automate audit
workflows. Teams can now develop
and share best-in-class algorithms
and apply these on client data,
securely hosted on EY platforms. The
audit of the future will look at other
indicators beyond those constrained
by structured financial data. To this
end, we are investing in assessing
our clients’ cultures using various
analytics tools. The understanding
we gain, when combined with other
structured and unstructured data
observations, is giving us greater
insight into potential risk areas.
People
Our people are the bedrock of our
business and we invest in them in
many ways from the time we spend
recruiting them, to the provision
of on-the-job coaching, review
processes and support systems. As
the scope of the audit changes over
time, together with the use of new
technology, investment in people will
remain highly important. We want
to be the most favoured employer,
and to this end we are winning
awards for our people experience,
but we continue to aim for more.
We recognise that the growth we
are achieving, and want to continue
to achieve, requires additional
investment in people.
For example, in 2015/16 we
increased the size of our audit
team headcount by 17%, placed a
greater focus on our recognition
and reward system and began work
with cognitive psychologists to
carry out behavioral modelling. This
involves identifying what our highest
performing auditors do, so that our
coaching programmes can help
others to emulate their success.
Training
Our policy is that every one of our
auditors must receive at least 20
hours training per year and 120
hours over each 3 year period. In
reality, the actual level of training is
far higher. Looking at the calendar
year of 2015, partners and qualified
staff received between 48 and 76
hours training each. Our people who
are not yet qualified will receive even
more training as they participate
in our own internal training, as
well as training for professional
qualifications.

Processes
We should not ignore the significant
amount of processes we have to
support people delivering high
quality audits. These are numerous
but key ones are the technical
departments, the subject matter
specialists, and the consultation
processes and the quality control
checks on audits.
For example, two years ago we
established a new detailed hot file
review process for c.50 audits each
year to provide additional support
for engagements with higher risk
factors. This work is in addition to
our annual cycle of quality reviews
of individual directors and partners
authorised to sign audit reports
which cover more than a third
of all UK colleagues holding this
responsibility.
The acid test
So what does all this tell us? Firstly,
audits are never easy and we are
conducting them against a backdrop
of change, which makes it all the
more challenging to maintain
the highest quality. Secondly, we
only achieve what is required with
continued investment and keeping
a clear line of sight to the needs
of our ultimate customers i.e., the
investors.
This is why we continue to engage
with investors to understand their
future needs. One way we do this
is through our Investor Dialogue
events. For the third consecutive
year we have met with many of the
leading investment firms for broad
discussions on areas of interest to
them e.g., the delivery of long-term
value from companies, and the
growing significance of intangible
assets as drivers of that value. This
helps inform us where the provision
of assurance will evolve, and where
we will need to invest to maintain
high quality audits in the future.
32

Questions
worth asking
• What are the main qualities
you look for in an auditor?
• How does your audit
committee assess the quality
of the audit process?
• When the audit next comes
up for tender, how will the
committee make use of
external regulatory reports
on the auditor?

Section 6
Brexit:
navigating
uncertainty

We have recently published the latest issue in our series
of Thought Leadership papers on the impact of Brexit
on financial institutions operating in the UK. It explores
some of the options and questions facing their boards.
It also contains a discussion of the potential longer-
term implications for the City of London. Of course,
implications for the City will have ramifications for
businesses of all kinds.
Brexit: navigating
uncertainty
We do not anticipate
that Brexit will prove
catastrophic for the
City of London.
We present a set of
assumptions which we
believe represent a
sensible starting point
for strategic planning.
Implications for
the City will have
ramifications for
businesses of
all kinds.
36

This is especially the case in terms
of having a ready access to primary
markets to achieve a public listing,
and/or the use of liquid secondary
markets to attract new investors
and finance for long-term growth.
Added to this is the provision of
insurance in all its various forms, the
management of pensions, forex and
the plethora of commodity markets.
The providers of all of these services
and facilities face similar challenges
related to Brexit. The key themes
which underpin them include:
the strategic considerations for
boards to take, both now and as the
negotiation process becomes clearer;
how best to frame the potential
deal between the EU and the UK
amidst the numerous commentaries
and theories surrounding the
negotiations; and the European-wide
political context behind the talks — how
national interests and events across
the continent may play a large role.
On this third point, the paper
includes a calendar overview of
major governmental and political
events in the next three years. This
offers a wider understanding of how
the negotiation process will be just
one part of many moving parts over
the coming years, and how timing
should be a key consideration in a
board’s Brexit strategy.
Questions for the board
The paper is neither an exhaustive
analysis of all possible scenarios, nor
is it a forecast. Rather, recognising
that time is short and that major
strategic decisions will have to be
made rapidly, we present a set
of assumptions which we believe
represent a sensible starting point
for strategic planning, and for the
intellectual challenge that should
accompany it.
The immediate questions that we
consider key for boards to be
asking now include:
• What elements of my current
business are dependent upon
access to the EU Single Market?
• What are the specific legal,
regulatory or treaty provisions that
enable that?
• What indirect elements of UK
membership of the EU facilitate or
enable some or all of my business
activities?
• To what extent does my business
rely on EU free movement
provisions? (i.e., employees’ right
to reside and work, internal and
client travel, future hiring plans?)
• What are the worst and best case
scenarios for access to the EU
Single Market for my preferred
mix of financial services and the
consequent implications for my
business?
• What remedial actions are open
to me?
• Can I anticipate any new
opportunities or lines of business
as a consequence of Brexit?
• How attractive does London
continue to be as a location for
some or all of my businesses?
• Do I need to alter the physical or
legal structure of my businesses?
Overall, whilst the effect of Brexit
may well prove material for some
business models and firms, we
do not anticipate that Brexit will
prove catastrophic for the City of
London. The paper outlines the
importance of the ‘Cluster Effect’ of
London, and how its culture, hard-
won reputation for prudential and
regulatory excellence, and flexibility
will continue to ensure its status as a
leading financial centre. We would be
very interested in your response to
this work, and would be delighted to
discuss the findings in more detail.
http://www.ey.com/gl/en/industries/
financial-services/fso-insights-uk-eu-
planning-for-uncertainty

Questions
worth asking
• What steps will you take to help
ensure your business model is
Brexit-ready?
• How will you manage and
mitigate the risks of Brexit to
your business?
• How will you report on Brexit
to your people, investors and
other stakeholders?
38

Section 6
Recent
regulatory
developments
worth
watching
40

Audit quality reviews by the Financial
Reporting Council (FRC)
The FRC conducted a thematic review of
the use of Root Cause Analysis (RCA) as
undertaken by audit firms, as part of the FRC
audit quality review programme. The aim is
to provide an understanding of audit firms’
RCA procedures to identify how they may be
improved, in the interests of promoting good
practice and driving a continuous improvement
in audit quality. The FRC states that RCA enable
firms to implement more focused actions by
understanding the causes of audit quality
inspection results.
UK Government inquiry into
corporate governance
The Business Energy and Industrial Strategy
(BEIS) committee launched an inquiry into the
way UK companies govern themselves. The
committee is interested in assessing executive
pay, directors’ duties and the composition of
boards, including worker representation and
gender balance. It wants to see if company
law is sufficiently clear on the role of directors
and non-executive directors, and whether
companies should face additional duties to
promote greater transparency.
Auditor skills gap report published by
the Institute of Chartered Accountants
of Scotland (ICAS) and the Financial
Reporting Council (FRC)
ICAS and the FRC published a report in
September 2016, as a “call to action” to help
prevent a potential audit skills gap in the future.
Called ‘The Auditor skills in a changing business
world’, the report finds that the skill-set of
auditors needs to evolve to deliver high quality
audits in the future. It calls for a debate on
the future of audit and the skills needed (e.g.,
including skills in data analytics and business
acumen) as audits evolve beyond the traditional
financial statement audit.
September2016
Sept
16
Sept
22

Revised operating procedures for reviewing
corporate reports by the Financial Reporting
Council (FRC)
The FRC commissioned an independent assessment
of review procedures to find ways of improving
their efficiency and effectiveness. The assessment
highlighted, amongst other things, that stakeholders
(investors in particular) want more information
about specific corporate reporting review inspection
findings. In response the FRC has decided that the audit
committee is best placed to make such disclosures. It
also stated that it will publish the names of its closed
cases, after each company has had the opportunity of
reporting on the review in their next set of published
accounts. The first list will be published in 2017, in
respect of December 2015 reporters.
Advice on corporate reporting issued by the
Financial Reporting Council (FRC) to preparers
The FRC stated in October 2016 that the strategic
report should be presented in a user-friendly, clear
and concise manner. It added that in an era where,
for example, cyber-risk, climate change and Brexit
pose economic, social and environmental uncertainty,
companies should consider a broad range of factors
when determining principal risks and uncertainties
facing the business, and when management is
performing its analysis for the viability statement. It
added that the relationship between IFRS or UK GAAP
measures, and any alternative performance measures
used, should also be clearly explained.
Annual review of corporate reports conducted by
the Financial Reporting Council (FRC)
This report outlines the regulator’s assessment of the
quality of corporate reporting in the UK based on its
monitoring work for the year to 31 March 2016. Of
the 192 companies whose reports were reviewed, the
FRC raised queries with approximately a third. Most
companies concerned have agreed action to resolve the
matters satisfactorily, primarily through their future
reporting. One of the points made by the FRC is that
companies need to be more balanced in their reporting
of their performance e.g., there are examples where
companies make excessive use of underlying profit
figures or inappropriate use of alternative performance
measures. Findings of the FRC’s Conduct Committee
are also included in a separate slide deck published by
the FRC on 25 Oct 2016.
October2016
Oct
4
Oct
11
Oct
21
42

Review of the use of business models by
the Financial Reporting Lab (FRL)
This review reflects the views of 19 companies,
36 investors from 27 investment and analyst
organisations, and two retail shareholders. The
FRL conducted research into the use of business
models (BM) in corporate reports. The report
found that e.g: i) BM information is fundamental
to investors’ understanding of a company; ii)
poor BM disclosure raises concerns over the
quality of management; iii) BM provides context
to the other information in the RA, so most
investors want it positioned towards the front
of the strategic report; iv) where a company
operates a number of BMs, disclosures of each
one is desirable; and v) investors are looking for
better linkages between BM content and other
sections of the RA.
Corporate reporting (tax disclosure)
thematic review by the Financial Reporting
Council (FRC)
The objective of the review, published on
31 October 2016, is to encourage more
transparent reporting of the relationship
between tax charges and accounting profit,
and the factors that can affect this relationship
in the future. The report sets out the FRC’s
principal findings and examples of good practice
in the following areas: i) tax in strategic reports;
ii) effective tax rate reconciliation disclosures;
and iii) uncertainties relating to tax liabilities
and assets. The FRC also encourages companies
to consider whether there are significant
judgements and estimation uncertainties
relating to tax, and to report accordingly. Where
uncertainties remain unchanged year-on-year,
the FRC may challenge whether the disclosure
of quantified risk is sufficiently clear.
Oct
27
Oct
31

The Parker review on the ethnic diversity
of boards
The report, led by Sir John Parker and co-sponsored
by EY, with the backing of Business Minister Rt Hon
Margot James MP, presents findings of a review of
ethnic minority representation on FTSE 350 boards.
It found that the level of representation is very low
and accordingly recommends that each FTSE 100
board should have at least one director of colour by
2021; and each FTSE 250 board should have at least
one director of colour by 2024. It adds that nomcoms
of all FTSE 350 companies should require their HR
teams or search firms (as applicable) to identify and
present qualified people of colour to be considered
for board appointment when vacancies occur.
UK transposition of the fourth Money
Laundering Directive (MLD)
The UK Government issued in November 2016 a
discussion paper on the UK’s transposition of Article
30 of the fourth Money Laundering Directive. This
relates to the disclosure of beneficial ownership
of corporate and other legal entities. To transpose
effectively, it is proposing to extend the scope of the
UK’s Persons with Significant Control (PSC) regime
to all entities that are incorporated in the UK and
are constitutionally capable of legitimately having
a beneficial owner (e.g., unregistered companies
and open-ended investment companies). It is also
considering bringing companies admitted to trading
on prescribed markets (such as AIM and ISDX) within
the scope of the PSC regime.
UK Government implements the EU’s Non-
Financial Reporting Directive
The UK Government announced in November
2016 how it plans to transpose the Non-Financial
Reporting Directive. It will implement the Directive
as an addition to the current UK strategic reporting
framework. Companies within the scope of the
Directive will be required to report in accordance
with the Directive. Other companies can choose to
comply with the EU requirements, rather than the
comparable domestic provisions, on a voluntary basis
in order to prevent those companies at the margins
of the Directive’s scope from having to move between
regimes due to changes in their size from year to
year. There will be no requirement in the UK for
companies to seek independent assurance on their
non-financial disclosures.
November2016
Nov
2
Nov
8
44

The Regulatory
and Public
Policy TeamHampton and Alexander review on
gender diversity
The results of a review, headed by Sir Philip
Hampton, Chair of GlaxoSmithKline, and
Dame Helen Alexander, Chair of UBM, was
published. It focuses on senior women
below the company board, and builds on
the work of the Davies Review and extends
its scope to include executive committees
and direct reports to the executive
committees of FTSE 350 companies.
Its recommendations include e.g: that
FTSE 350 companies should aim for a
minimum of 33% women’s representation
on boards by 2020. FTSE 100 companies
should aim for a minimum of 33% women’s
representation across their executive
committees and in the direct reports to the
executive committees by 2020.
UK Stewardship Code inspections by
the Financial Reporting Council (FRC)
The FRC published the first ever results of
its inspections of individual signatories to
the Code. The FRC’s assessments focused
on the quality of descriptions of each
signatory’s approach to stewardship, and
their explanations in accordance with the
‘comply or explain’ basis of the Code. Each
institution is listed in one of three tiers. Tier
1 includes those whose compliance was
considered to be good. Names in Tier 3 are
in need of significant improvement.
The UK Government published
a Green Paper on corporate
governance reform, as part of its
drive to help ensure the UK economy
works for everyone
It considers three aspects of corporate
governance which may be appropriate for
enhancement. These cover the following:
i) better governance of executive pay (e.g.,
greater transparency and shareholder
engagement); ii) strengthening the
employee, customer and supplier voice
(e.g., an advisory panel to represent
employees’ views); and iii) improvement
in the corporate governance of the UK’s
largest privately-held businesses.
Nov
14
Nov
29
Nov
9
Kristel Tchamba
Regulatory Analyst
ktchamba@uk.ey.com
Emma Wright
Regulatory Affairs
Specialist
ewright2@uk.ey.com
Eamonn McGrath
Partner
emcgrath@uk.ey.com
Andrew Hobbs
Partner
ahobbs@uk.ey.com
David Parrish
Associate Director
dparrish@uk.ey.com
Jane Hayward
Green
Associate Director
jgreen4@uk.ey.com
Loree Gourley
Director
lgourley@uk.ey.com

Content contributors
For further information on any
of the issues raised here, please
contact one of the following
content contributors or your usual
EY adviser:
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and confidence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical role
in building a better working world for our people, for our clients and
for our communities.
EY refers to the global organization, and may refer to one or more,
of the member firms of Ernst Young Global Limited, each of
which is a separate legal entity. Ernst Young Global Limited, a UK
company limited by guarantee, does not provide services to clients.
For more information about our organization, please visit ey.com.
Ernst Young LLP
The UK firm Ernst Young LLP is a limited liability partnership
registered in England and Wales with registered number OC300001
and is a member firm of Ernst Young Global Limited.
Ernst Young LLP, 1 More London Place, London, SE1 2AF.
© 2016 Ernst Young LLP. Published in the UK.
All Rights Reserved.
ED None
In line with Ernst Young’s commitment to minimise its impact on the
environment, this document has been printed on paper with a high
recycled content.
Information in this publication is intended to provide only a general outline
of the subjects covered. It should neither be regarded as comprehensive nor
sufficient for making decisions, nor should it be used in place of professional
advice. Ernst Young LLP accepts no responsibility for any loss arising from
any action taken or not taken by anyone using this material.
ey.com/UK
EY | Assurance | Tax | Transactions | Advisory
Regulatory spotlight shines
again on executive remuneration
Isobel Evans
+44 (0) 20 7951 3113
ievans@uk.ey.com
Integrated reporting comes
of age
Jeremy Osborn
+44 (0) 20 795 19665
josborn@uk.ey.com
Data protection: once more
unto the breach
Darren Desmond
+44 (0) 20 7980 0491
ddesmond@uk.ey.com
Investing in high quality audits
Marguerita Martin
+44 (0) 11 8928 1149
marguerita.martin@uk.ey.com
Brexit: navigating uncertainty
Damian Allinson
+44 (0) 20 7951 0969
dallinson1@uk.ey.com

EY Policy Pulse January 2017

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (13)

Similar to EY Policy Pulse January 2017

Similar to EY Policy Pulse January 2017 (20)

Recently uploaded

Recently uploaded (20)

EY Policy Pulse January 2017