What’s next for internal controls in the UK?

Current requirements of the UK Code of Corporate Governance

In November 2021, the FRC clarified their expectation that Boards complying with the Code should confirm the results of their annual review of the effectiveness of internal controls.  Previously, the requirement had been widely understood to relate to disclosure of the process undertaken.    

The Code requirement includes operational and compliance controls as well as financial controls. Whilst the benchmark for financial controls is the most mature, expectations in other areas such as Economic, Social and Governance (ESG) reporting are developing rapidly, and companies should plan to extend their control frameworks beyond financial controls.

The need for a recognised framework and ongoing evidence

A framework for internal control ensures that risk assessment and controls are kept up to date and embedded in the organisation. Elements of a control framework typically include organisation wide policies, structure and ‘tone at the top’, risk assessment, business, and IT controls, monitoring and reporting. We developed our four-step framework to help Boards demonstrate compliance with the UK Code. Documentation is essential to communicating a complete understanding of a process and enables accountability. However, documentation of control operation should be proportionate to risk and complexity. Wherever possible, controls should be automated and evidenced via system configuration. Most organisations already have some controls and, with visibility through documentation, effort can be focussed on areas of greatest risk as the organisation changes.

Effective internal controls are good for business

Internal controls enable transparency, accountability, operational efficiencies, and a positive culture of ‘right first time’. They also help to prevent and detect fraud, and a well understood and documented process is a solid base for transformation.

Where do controls typically fail?  

When companies first IPO in the US and report and/or are audited on internal controls under US SOX, our analysis shows the most common areas of material weaknesses include:

• Accounting related issues including lack of documentation, policies and/or procedures, inadequate numbers, competency, training of accounting personnel
• Material and/or numerous auditor year-end adjustments
• Segregation of duties and design of controls
• Information technology, software, security, and access issues
• Untimely or inadequate balance sheet account reconciliations
• Manual journal entry control issues

For more mature US listed companies, material weaknesses are more unusual and typically relate to:

• Management accounting judgements (e.g., impairment, liabilities & provisions and/or taxes)
• Areas impacted by significant changes (e.g., debt, equity, reorganisations, M&A, regulator expectations and/or change of auditor)

One of the key lessons is to be laser focussed on risk in the identification and design of controls.  The top-down view is critical to keep controls in proportion and to adapting to change, in addition to establishing clear accountability for controls. For more, see our blog:  gx-why-did-sox-stand-out.pdf (deloitte.com) 

Moving forwards

There is no one size fits all approach that UK companies should adopt. UK companies seeking to comply with the Code should start with their financial and fraud risk assessment now and determine their plan to establish a documented and evidenced internal control framework. 

Deloitte four step framework for assessing the effectiveness of internal controls over financial reporting

Step 1 – initial assessments and entity level controls

• Start with a detailed understanding of the business model
• Undertake a financial risk assessment and fraud risk assessment
• Establish clear and robust entity level controls to ensure the right “tone from the top”
• Define a hierarchy of delegated authorities from the board

Step 2 – confirmation of in scope systems and identification of material controls

• Obtain clarity over in scope systems and related general IT controls
• Generate robust process documentation for material business cycles, with clear process owners
• Identify the material controls

Step 3 – establish robust monitoring and review processes

• Define and evidence a robust process for on-going monitoring of the design and operating effectiveness of material controls
• Define and evidence a robust process for a year-end assessment of the design and operating effectiveness of material controls

Step 4 – establish clear reporting protocols and accountability for action

• Define a significant control failure or weakness that would require detailed consideration and disclosure of remediating actions
• Define reporting processes including remedial action tracking

Please contact one of the team for more information.