The corporate reporting landscape in the UK continues to develop rapidly as demand grows for relevant and transparent information that meets the requirements of today’s users of annual reports. Stakeholders seek to understand how companies are pivoting to meet the challenging social, economic and political changes of the day, and how they plan to remain resilient in the face of uncertainty. Stakeholders expect businesses to play a crucial role in driving sustainable economic and social development by responding to existential challenges, including climate change, regulatory scrutiny and developments in technology, including artificial intelligence. Annual reports are a critical component in this ongoing dialogue between business and wider society. Our Corporate Reporting Insights focus on timely, short and topical observations designed to help you navigate new disclosure requirements, emerging practices and growing expectations for greater transparency and accountability.Explore our reports to discover these trends in corporate reporting.
Explore our 2025 insights
Sign up here to hear about future updates
Controls & Assurance Laying the foundations for the new declaration on the effectiveness of internal controls
The 2024 UK Corporate Governance Code (‘the 2024 Code’) aims to strengthen board accountability for the effectiveness of the risk management and internal control framework. Provision 29 includes a new requirement for a board declaration on the effectiveness of material controls together with a clear explanation of how the board has undertaken its monitoring and review responsibilities. This goes beyond the current Provision 29 of the 2018 UK Corporate Governance Code, which sets the expectation for the board to monitor and review the effectiveness of financial, operational and compliance controls. In their latest corporate governance review the UK FRC highlighted the need for directors to focus on explaining their actual practices, as opposed to policies and procedures in order to demonstrate that a company is well governed, sustainable and able to deliver investment, growth and competitiveness. The updated Provision 29 will apply for reporting periods beginning on or after 1 January 2026. Building on our 2024 survey, we have looked at how 50 FTSE 350 December 2024 reporters explained their approach to controls and assurance. We have considered how reporting practices are evolving in readiness for the new declaration. We also highlight better practice examples of reporting.Read the full report
Key takeaways
88% of companies included some description of how risk appetite is used as part of the risk management framework (consistent with 2024), 50% of those also described what different risk appetite categories the company used or the factors affecting the level of risk appetite
48% (2024: 44%) of companies explained clearly how each of the three lines of defence (operational management, internal monitoring and internal audit) operated within their organisation with a further 20% (2024: 24%) explaining some aspects and 32% (unchanged from 2024) making no reference at all
30% of companies stated clearly whether non-financial reporting controls had been covered by the board’s monitoring and review activities (unchanged from 2024)
82% of companies referenced planned activities in preparation for the new declaration on the effectiveness of material controls (up from 64% in 2024)
48% of companies clearly stated that monitoring and reviewing activities over risk management and internal controls are currently focused on the organisation’s material or significant controls
32% (2024: 50%) of companies provided a positive conclusion on the effectiveness of their risk management and internal control systems; 22% (2024: 16%) included the attestation required by the Sarbanes-Oxley Act on controls over financial reporting; 20% (2024: 20%) provided a negative conclusion; 22% (2024: 14%) provided no conclusion; and 4% (2024: 2%) just referred to the systems being in accordance with the FRC Guidance
Over two thirds of the SOX reporters in our sample provided the required SOX attestation on financial reporting controls and also a broader confirmation on the effectiveness of the internal control framework, including operational, compliance and financial controls
20% of companies either had introduced or were developing a policy on audit and assurance to assist the board with planning for assurance to support the new declaration (up from 14% in 2024)
Actions to take
Review the processes related to risk appetite, risk culture and define ‘materiality’ in respect of controls to be covered by the declaration
Consider whether existing monitoring and review activities cover all aspects of the risk management and internal control framework, not just in relation to financial reporting
Ensure all responsibilities to support the declaration on the effectiveness of material controls (including communication with the rest of the board on the approach) are clearly defined and incorporated appropriately in the board committees’ terms of reference
Conduct an assurance mapping process across the different sources of assurance available to the organisation (both internal and external) to determine whether the appropriate level of assurance will be available for the purposes of the upcoming declaration and consider whether developing a policy on audit and assurance would be beneficial for internal and external stakeholders
Corporate Reporting Insights 2024Diversity & Inclusion:Are companies achieving the targets in the new Listing Rule?
The background to our surveyThe FCA oversees the Listing Rules and introduced a new requirement1 for premium and standard listed companies to provide disclosures on board and leadership diversity for periods commencing on or after 1 April 2022, reflecting the drive for transparency around social issues.Our survey looks at how the first 30 FTSE 350 December 2023 reporters met the new Listing Rule requirements for the first year of mandatory disclosure. We also explore whether the annual reports reflect the transparency society and regulators are looking for around board diversity, executive management diversity and how diversity and inclusion are integrated within the business — for instance whether they are included in disclosures on purpose, culture, values, strategy, succession planning, reward, and board performance review.Last year we conducted a survey to explore whether December 2022 year end reporters were complying early with the new Listing Rule requirements and how their disclosures reflected diversity and inclusion; where we provide a comparator figure this is from those findings.1 Listing Rules LR 9.8.6R(9-11) for premium listed companies and LR 14.3.33R for standard listed companies with a listing of equity shares.Provide a statement setting out whether the company has met the following targets on board diversity as at a chosen reference date within its accounting period:
At least 40% of the individuals on its board of directors are women
At least one of the senior positions on the board of directors is held by a woman – the chair, the chief executive, the senior independent director, or the chief financial officer
At least one individual on the board of directors is from a minority ethnic background
In cases where the company has not met all these targets, state the targets it has not met and the reasons for not meeting those targets.Set out the reference date used for the statement and if it is not the same as the year end date, an explanation as to why.Disclose numerical data: a table in a set format for each of the ethnic background and the gender identity or sex of the individuals on the board and in executive management.Provide an explanation of the approach to collecting the data used for the purposes of making all the disclosures above; that should be consistent for all elements of the reporting and across all individuals. The explanation should include the method of collection and / or source of the data, and where data collection is done on the basis of self-reporting by the individuals concerned, it should include a description of the questions asked.The new Listing Rule statement90% of companies in our sample – all but three – presented the required statement explaining whether they had met the three targets set out in the Listing Rules. Over 80% of companies that provided a statement used the year end, 31 December, as their reference date – this is likely to make it simpler for these companies to achieve consistent disclosure year-on-year.Just over half of companies had met all three Listing Rule targets for their 2023 reports. Of those that hadn't met all the targets, around two-thirds described specific actions they were planning to take to meet targets in the coming year or future years. A handful of companies disclosed more challenging board diversity targets they had set themselves, having met the Listing Rule targets.The Listing Rule requires a set format for two separate tables – reporting on sex or gender identity and on ethnic diversity. This is intended to make it more straightforward for investors to compare data across different reports. All but one company had produced these tables, with almost all using the correct format.
However, in line with the findings in our 2022 Diversity and Inclusion survey, for those who disclosed the required data, it wasn’t always obvious which of sex or gender identity they had chosen to report on. Half of companies still did not make this clear, with many using the table heading “Reporting on gender identity or sex”. A handful stated they were reporting on “gender identity and sex”. Of those that did seem to be clear on the distinction, 80% reported on gender identity rather than sex, with some of those voluntarily including additional categories such as non-binary in their tables.Almost three out of four companies (73%) explained the approach they had taken to collecting the data used for the purposes of making diversity disclosures at board and executive level – a Listing Rule requirement. However, although all of those companies indicated that self-reporting had been used to gather the data, only six companies clearly described the questions they had posed to the board and executive management.Of the three companies that did not present a statement on whether they had met the Listing Rule targets, two of those explained that their future plans included seeking greater diversity on the board and only one also omitted the numerical tables.In terms of location in the annual report, over half of companies included their statement in the Nomination Committee report, with a third placing it elsewhere in the corporate governance statement. A handful of companies included disclosure in the strategic report or (in the case of the numerical tables) in the directors’ report. Have companies met the Listing Rule targets?Board diversity and inclusion: succession planningDiversity and inclusion are inextricably linked to the quality and thoughtfulness of succession planning throughout the organisation, including at executive and board levels. We have examined what companies say about how they assess their succession planning needs, how they instruct search and recruitment agencies and how accessible they make their appointment process.The UK Corporate Governance Code requires companies to describe the work of the nomination committee and the process used in relation to appointments, the approach to succession planning, and how both support developing a diverse pipeline.77% of boards – generally nomination committees – discuss the importance for their business of achieving a diverse board when talking about planning for skills and experience at board level. Nomination committees discuss the benefits of board diversity in the broadest sense for improved decision-making, breadth of strategic vision, and understanding global, local or customer context. Some also mention that it is helpful to reflect the make-up of the broader workforce. A handful mention the impact of investor pressure for the board to become more diverse, including through AGM votes.This disclosure does not appear to be driven by any specific regulatory requirement, instead by the "soft pressure" of the FTSE Women Leaders and Parker reviews, which are mentioned by a large majority of companies. In practice it often sits alongside disclosures mandated by the DTR, the UK Corporate Governance Code and now by the Listing Rules.In line with our findings last year, comparatively few companies set out how they make the board appointment process accessible to a wider pool of talent. In some cases the accessibility of recruitment has been drawn out for the workforce but this is not reiterated in the nomination committee's report in respect of board and executive team searches. This can be a key driver of improved access to diverse candidates, particularly where candidates are neurodivergent or have caring responsibilities.Do succession planning disclosures reflect diversity and inclusion initiatives?Board diversity and inclusion: board performance reviewsOur findings suggest that there are fewer outcomes and fewer actions being set over time with respect to diversity and inclusion at board level. Based on the companies we reviewed, rather than a failing in governance, this seems to reflect ongoing success in embedding diversity and inclusion as a key feature of the board, thus leading to fewer actionable findings in board performance reviews.Many of the actions set out relating to diversity and inclusion for the coming year relate to boards extending their focus to executive management or the business as a whole, rather than the board itself.This year we noted an increasing cohort recognising the skills and experience of individual board members on diversity and inclusion matters, highlighting recent relevant external roles or expertise in board biographies.Do board performance review disclosures reflect diversity and inclusion initiatives?Reporting on how diversity and inclusion is embedded into the businessThe FRC has highlighted the need to draw out in the annual report why diversity and inclusion are important to the strategy of the business. Although this continues to be a challenge for companies to articulate, we were encouraged to find that 87% explained persuasively why workforce diversity and inclusion was important to the business – although most companies could be more effective at explaining the link between diversity and inclusion and corporate strategy.The overwhelming majority of companies discussed workforce diversity and inclusion in their workforce engagement disclosures this year – 87%, up from 73% in 2022. A handful of companies had newly introduced KPIs regarding diversity and inclusion, with new measures relating to executive management, adding to the more usual KPI regarding the proportion of women in the workforce. Fewer companies felt the need to discuss diversity and inclusion in connection with their values or purpose statement.Almost 90% of companies also discussed diversity and inclusion in the context of training and skills. For the most part this related to training dedicated to bringing on women, Indigenous people, or individuals from an ethnic minority background as future leaders in the business. Some also included the use of their diverse workforce to improve the skill set in the business more widely – for instance through reverse mentoring, or training on how to speak with local customers – with some informative and interesting case studies.The approach used to improve diversity and inclusion varied between companies, but the majority focused on both building from the ground up and external recruitment at more senior levels, with almost all including statements about developing diversity and inclusion throughout the business via culture change and bringing on the existing workforce.Where do companies incorporate disclosure on diversity and inclusion this year?To concludeAlmost all companies are reporting in line with the Listing Rule requirements and have updated their board diversity targets accordingly – with some setting more stretching targets to reflect their commitment to diversity at board and senior leadership levels.For some, diversity and inclusion both at board and workforce level is now "business as usual", leading to less overall disclosure as fewer changes are introduced year on year. Others are finding that regulatory and investor pressure to fully embed diversity and inclusion are leaving them running to catch up.Boards should continue to challenge themselves to monitor company culture and take action where warranted to embed diversity and inclusion more thoroughly. They should evaluate whether diversity and inclusion in the broadest sense are appropriately embedded into their companies’ culture, values, strategy, succession planning, reward, and board performance reviews – and into their annual report.
Assess whether the annual report explains in a clear and consistent way why diversity and inclusion at workforce, executive management, and board level is important to the business
Where the business has set diversity targets for workforce, executive management and the board, disclose and explain those targets and provide annual updates regarding progress and actions
Evaluate the board's existing approach for building diversity and inclusion into succession planning and board performance reviews and consider how to report transparently in this area
Ensure that all elements of the FCA Listing Rule are included and clearly identifiable:
a statement setting out that each of the targets in the Rule have been achieved or a plan to achieve them
both mandated tables on sex or gender identity and ethnicity
an explanation of how data has been gathered for the board and executive management
Corporate Reporting Insights 2024Climate Transition Plan Disclosures:Now and future
The background to our surveyTransition plans represent an important part of a company’s overall response to climate change. They help companies to develop credible actions, set milestones and put in place metrics consistent with their overall ambitions in relation to the transition to a low-carbon economy. Investors and regulators are calling for greater transparency on companies’ progress and performance against their climate-related commitments resulting in increased demand for comprehensive climate transition plan disclosures. In 2021, the Taskforce on Climate-related Financial Disclosures (TCFD) updated its Guidance for All Sectors to include disclosures on an organisation’s plans to transition to a low-carbon economy. UK listed companies, required to prepare a statement setting out whether they have made disclosures consistent with TCFD recommendations, must use this updated guidance in doing so. The UK government has expressed its intention to make UK-endorsed ISSB standards available in 2025. IFRS S2 Climate-related Disclosures – one of the ISSB standards – includes requirements for companies to report on their plans to transition to a low carbon economy. The ISSB has also recently announced that it is assuming responsibility for the UK’s Transition Plan Taskforce (TPT)’s disclosure framework and related guidance. The UK Government established the TPT as part of the delivery of the UK Government’s Roadmap for its strategy to green the financial system, and in particular the Sustainability Disclosure Requirements. As a strong supporter of the TPT, the UK FCA encourages listed companies to consider the TPT disclosure framework and related guidance.As the UK Government consults on making ISSB standards available for use in the UK and the FCA consults on bringing these into the disclosure requirements for UK listed companies, the focus on high quality transition plans disclosures is likely to remain. Our survey of annual reports1 looks at the first 50 annual reports issued by FTSE 100 reporters in 2024 and considers how their reporting compares with the TCFD recommended disclosures on targets and transition planning. The survey also considers the state of readiness of companies for the expected future requirements. 1 For the purposes of this survey, we considered disclosures included within the Annual Report and any other relevant document that was clearly referenced from the Annual Report, for example a separate TCFD report, sustainability report or standalone transition plan. Transition plan definitionA transition plan is ‘an aspect of an organization’s overall business strategy that lays out a set of targets and actions supporting its transition toward a low-carbon economy, including actions such as reducing its GHG emissions’ (TCFD)The Transition Plan Taskforce was set up by the UK government in 2022 with a two-year mandate to ‘develop the gold standard for private sector climate transition plans’. The final Disclosure Framework and Implementation Guidance were published in Autumn 2023. In June 2024, the IFRS Foundation announced that it is assuming responsibility for the TPT’s disclosure framework and related guidance. In the immediate term, the IFRS Foundation will host the TPT’s disclosure materials on its Sustainability Knowledge Hub. In the near-term, it intends to use the TPT disclosure-specific materials to develop educational materials to support users and preparers of transition plans disclosed under IFRS S2. In the longer-term, the ISSB will consider the need to enhance the application guidance within IFRS S2. In doing so, the ISSB will leverage the TPT-informed educational materials to update the formal guidance. Any respective changes to the IFRS S2, however, would be subject to the IFRS Foundation’s due process. Reporting against the TCFD guidanceClimate-related targetsAll companies disclosed one or more climate-related targets, up from 98% in 2022. We anticipated an increase in the number of companies that included some or all of their Scope 3 emissions - which often form the majority of an organisation's total emissions - in their GHG-related targets, however there had been no change since last year, at 88% of companies.In line with the TCFD’s recommended disclosures:
All companies disclosed the timeframe over which all the targets apply (92% in 2022)
98% of companies disclosed the base year from which progress is measured (98% in 2022)
94% of companies clearly identified if the target was absolute or intensity based (90% in 2022)
Section C of the TCFD’s 2021 Guidance for All Sectors includes the following recommendation relevant to transition plans: Strategy: Organizations that have made GHG emissions reduction commitments, operate in jurisdictions that have made such commitments, or have agreed to meet investor expectations regarding GHG emissions reductions should describe their plans for transitioning to a low-carbon economy, which could include GHG emissions targets and specific activities intended to reduce GHG emissions in their operations and value chain or to otherwise support the transition.The 2021 Guidance for All Sectors now includes an additional recommendation related to climate-related targets as follows: Metrics and Targets: Organizations disclosing medium-term or long-term targets should also disclose associated interim targets in aggregate or by business line, where available.This recommendation sits alongside TCFD’s pre-existing recommendations on targets, as set out below: In describing their targets, organizations should consider including the following:
whether the target is absolute or intensity based*;
time frames over which the target applies;
base year from which progress is measured; and
key performance indicators used to assess progress against targets.
Where not apparent, organizations should provide a description of the methodologies used to calculate targets and measures. The TCFD also published Guidance on Metrics, Targets and Transition Plans which includes information on the characteristics of effective climate-related targets and transition plans, as well as further guidance on disclosures. As required by the FCA’s Listing Rules, for financial years beginning on or after 1 January 2022, listed companies should use the TCFD’s 2021 Guidance for All Sectors and the Guidance on Metrics, Targets and Transition Plans when forming a conclusion as to whether they have made disclosures consistent with TCFD’s four recommendations and eleven recommended disclosures. *The objective of an absolute target is to reduce absolute emissions over time. The objective of an intensity target is to reduce the ratio of emissions related to a business metric over time, for example, emissions to revenue. Interim targetsThe TCFD’s 2021 Guidance for All Sectors also recommends that ‘organizations disclosing medium-term or long-term targets should also disclose associated interim targets in aggregate or by business line, where available’.Of the companies disclosing climate-related targets:
84% of companies had one or more interim target before 2030 (82% in 2022)
88% of companies had set 2030 as an interim target (up from 61% in 2022)
86% of companies had a long-term target of 2040 and above, with 26% also disclosing interim targets after 2030 (80% and 10% respectively in 2022)
Given the importance of interim targets to support early action on climate change, companies are encouraged to take action now on setting interim targets at appropriate intervals across the full target horizon. It is therefore encouraging to see the year on year increases in companies setting long-term targets and interim targets.The TCFD Guidance on Metrics, Targets and Transition Plans recommends that interim targets are ‘set at appropriate intervals (e.g., 5-10 years) covering the full medium- or long-term target horizon’. IFRS S2 Climate-related Disclosures requires companies to disclose 'any milestones and interim targets’.Disclosures about transition plans60% of companies included disclosures that were identifiable as plans to transition to a low carbon economy i.e., disclosures on targets and actions to support their transition toward a low-carbon economy. An additional 34% of companies provided some, but more limited, information, for example in the form of a high-level roadmap or disclosures that indicated how targets would be met but lacking sufficient granularity and specificity to be called a plan. These findings are broadly consistent with 2022 data, indicating no overall improvement in the number of companies disclosing information on transition plans. Consistent with 2022, 96% of companies referred to board level responsibilities for overseeing of the companies’ response to climate change. However, over half of companies now specifically referenced a transition plan as part of these responsibilities (58% compared to 25% in 2022). Identifying transition plan disclosures continued to be challenging as climate-related disclosures were included in various locations within the Annual Report, and, in many cases, in separate reports outside of the annual report. This issue was compounded by inconsistent use of terminology between companies to describe plans to transition to a low-carbon economy, for example, transition plans, net zero action plans, climate action roadmaps.Companies that made it easy for the user to navigate to transition plan disclosures provided:
Clear signposting to transition plan disclosures within the annual report
Clear cross-referencing from the annual report to any other reports where transition plan disclosures were included, with clear signposting of what is included in any additional content. Other reports referred to included separate TCFD reports, sustainability reports and transition plan reports
Did the companies disclose information on transition plans?The TCFD’s Guidance on Metrics, Targets and Transition Plans recommends that a transition plan ‘should describe the approval process and oversight and accountability responsibilities within an organization, including the role of the board and senior management in overseeing the plan’.Transition plan disclosures: expected future developments TPTGiven that the IFRS Foundation is assuming responsibility for the TPT Disclosure Framework and the FCA are already encouraging listed companies to consider the TPT Disclosure Framework and related guidance, it was encouraging to see that 22% of companies stated that they had considered either the proposed or finalised TPT Disclosure Framework when preparing their 2023 disclosures compared with 6% in 2022. An additional 18% stated that they intend to produce TPT aligned disclosures going forward (up from 12% in 2022). Of the companies that stated they prepared their disclosures in accordance with the TPT Disclosure Framework:
Just over two-thirds provided helpful signposting by using the five disclosure elements of the framework as sub-headings or by providing a table to indicate where the disclosures could be located.
The quality of transition plan disclosures was generally better compared to companies who did not reference the TPT Disclosure Framework,, with only one of the companies rated as having provided ‘some but limited information’ about their plans to transition to a lower carbon economy.
A key recommendation of the TPT Framework is that organisations publish a standalone transition plan. 34% of companies in the survey cross-referred from the annual report to a separate report described as a standalone transition plan (up from 20% in 2022). Another 10% of companies stated their commitment to publishing a separate transition plan in 2024 or 2025. However, two of the companies publishing standalone transition plans were rated as having ‘some but limited information’ about their plans to transition to a lower carbon economy, confirming that having a separate document does not automatically lead to better and more comprehensive content. The UK Government established the TPT as part of the delivery of the UK Government’s Roadmap for its strategy to green the financial system, and in particular the Sustainability Disclosure Requirements. As a strong supporter of the TPT, the UK FCA encourages listed companies to consider the TPT disclosure framework and related guidance. As the UK Government consults on making ISSB standards available for use in the UK and the FCA consults on bringing these into the disclosure requirements for UK listed companies, the focus on high quality transition plans disclosures is likely to remain. It is anticipated that the UK Governments will make UK-endorsed ISSB standards available in 2025. In 2023, the ISSB published its first two standards:
IFRS S2 sets out requirements for identifying, measuring, and disclosing climate related risks and opportunities and includes specific requirements related to targets and transition plans. The IFRS Foundation is assuming responsibility for the TPT Disclosure Framework and related guidance. In the near-term, it intends to use the TPT disclosure-specific materials to develop educational materials to support users and preparers of transition plans disclosed under IFRS S2. In the longer-term, the ISSB will consider the need to enhance the application guidance within IFRS S2. In doing so, the ISSB intends to leverage the TPT-informed educational materials to update the formal guidance. Did the company reference the UK's Transition Plan Taskforce in the Annual ReportHow ready are companies for transition plan disclosures under IFRS S2 Climate-related
Disclosures?50% of companies made some reference to the work of the ISSB, compared with 32% in 2022.
The most common type of reference we identified was an explanation that the board was monitoring developments and / or that the board was considering how to align disclosures to the ISSB’s first two standards (IFRS S1 and S2).
With the publication of these first two standards in June 2023, and the UK government’s commitment to adopt them, companies are encouraged to engage early with the new standards to understand where further work might be required to comply with any new disclosures that go beyond TCFD’s disclosure recommendations, including the two areas set out below. Validity of targetsIFRS S2 requires disclosures about the validity of climate-related targets. Survey findings on current disclosures in this area are set out in the table below.
IFRS S2 requires disclosure of:
Survey findings
How the latest international agreement on climate change, including jurisdictional commitments that arise from that agreement, has informed the target
Consistent with 2022, 64% of companies specifically referenced the Paris Agreement when explaining how targets had been set but very few referred to any jurisdictional commitments.
Whether the target and target methodology has been validated by a third party
54% of companies disclosed that their targets had been verified by a third party, compared with 44% in 2022. 22% of companies disclosed their intention to have their targets verified by a third party or had submitted the targets for review and were awaiting the outcome.In all but one case, the third party referenced was the Science Based Target Initiative (SBTI). The other company referred to an independent assessment by the Transition Plan Initiative (TPI).
Any revisions to the target and an explanation for those revisions
30% disclosed that targets had been revised during the year, compared to 22% in 2022. In most cases, an explanation was provided with many companies explaining that the revisions were the result of the availability of new or more relevant information to assist in target setting. Other companies stated that they had successfully achieved their short-term targets and/or had set new or improved long-term targets to match their progress.
The entity’s processes for reviewing the target
18% of companies stated that targets had been reviewed but with little information provided on how this review was performed.
Compliance with some of these disclosures will be relatively straightforward, for example, confirming if a target has been revised or validated by a third party. Other disclosure requirements may require more work and early consideration. For example, the ability to disclose the process for reviewing targets will depend on the maturity of a company’s approach to its transition plan and whether a process has been established and embedded into the organisation’s governance structure and internal control systems. Use of carbon offsets IFRS S2 requires disclosures on the planned use of carbon offsets to achieve greenhouse gas emissions targets (referred to as ‘carbon credits’ within the standard).12% of companies stated that they did not use carbon offsets or intend to use carbon offsets to meet their climate-related targets (up from 6% in 2022). 52% of companies referred to using carbon offsets (down from 64% in 2022). Just under a half of these companies provided some information on the extent to which targets are dependent on the offsets. This information was typically expressed as a percentage of the target that would need to be met with the use of offsets or an acknowledgement that any residual emissions would need to be offset. For 36% of companies, there was a lack of clarity around the use of carbon offsets, meaning additional information will need to be provided by companies to meet the disclosure requirements under IFRS S2. This includes a specific requirement to disclose ‘whether the target is a gross emissions target or net emissions target’. Where a net emissions target is disclosed, a separate gross emissions target will also need to be disclosed. 36. For each greenhouse gas emissions target disclosed in accordance with paragraphs 33–35, an entity shall disclose: (i) the extent to which, and how, achieving any net greenhouse gas emissions target relies on the use of carbon credits;(ii) which third-party scheme(s) will verify or certify the carbon credits;(iii) the type of carbon credit, including whether the underlying offset will be nature-based or based on technliogical carbon removals, and whether the underlying offset is achievedthrough carbon reduction or removal; and(iv) any other factors necessary for users of general purpose financial reports to understand the credibility and integrity of the carbon credits the entity plans to use (for example, assumptions regarding the permanence of the carbon offset).Does the company use, or intend to use, carbon offsets? Transition plan disclosuresConsistent with TCFD, IFRS S2 requires an entity to disclose its plans to transition to a lower carbon economy and, specifically, how it will achieve both the greenhouse gas emissions targets it has set for itself and those required by regulation or legislation. In its Guidance on Metrics, Targets and Transition Plans, TCFD states that organisations should ‘consider describing the assumptions, uncertainties, and key methodologies associated with their transition plans'. IFRS S2 formalised this, requiring disclosure of key assumptions that the entity has made and dependencies it has identified in developing the plan. In general, companies did not provide this information with many providing little or no information at all. As transition plans develop and evolve, companies will need to consider how this information is reflected in their disclosures.14 (a) Specifically, the entity shall disclose information about:(e) the entity’s planned use of carbon credits to offset greenhouse gas emissions to achieve any net greenhouse gas emissions target. In explaining its planned use of carbon credits the entity shall disclose information including, and with reference to paragraphs B70–B71:(iv) any climate-related transition plan the entity has, including information about key assumptions used in developing its transition plan, and dependencies on which the entity’s transition plan relies; and (v) how the entity plans to achieve any climate-related targets, including any greenhouse gas emissions targets, described in accordance with paragraphs 33–36.To concludeFor companies required to prepare a TCFD compliance statement under the FCA’s Listing Rules, it is clear that there is room for improvement in transition plan disclosures. With the FCA encouraging listed companies to consider the UK’s Transition Plan Taskforce’s (TPT) framework, and the ISSB’s announcement that it is assuming responsibility for the TPT disclosure framework and related guidance, it is also clear that enhanced transition plan disclosures will be expected in the future. To get ready for these changes, boards should consider whether the company has the governance structures and controls in place to develop, implement and monitor a robust transition plan. Boards should also take the opportunity to evaluate the ISSB’s Climate Standard, IFRS S2, and the TPT Disclosure Framework to understand where further disclosures may be required.
Establish clear lines of responsibility and reporting for the development, implementation, and monitoring of a transition plan
Evaluate existing commitments and transition plans to ensure interim targets are set at appropriate intervals across the full target horizon and clear actions are developed and agreed on how to achieve climate-related targets
Get ready for evolving transition plan disclosure requirements:
Assess existing disclosures to ensure information is consistent with the TCFD recommended disclosures on transition plans
Evaluate the ISSB’s Climate Standard (IFRS S2) and the TPT Disclosure Framework to identify any gaps with future requirements and opportunities to enhance current disclosures
Provide clear signposting and cross-referencing to transition plan disclosures
Use clearly defined and consistent terminology to describe transition plan information
Corporate Reporting Insights 2025Controls & AssuranceLaying the foundations for the new declaration on the effectiveness of internal controls
The background to our surveyThe 2024 Corporate Governance Code became effective from 1 January 2025, except for Provision 29 – the board’s declaration on the effectiveness of material controls – which will apply to reporting periods beginning on or after 1 January 2026. Until then, existing Provision 29 of the 2018 UK Corporate Governance Code continues to apply. As a reminder, the updated Provision 29 will require the board to provide the following disclosures in the annual report:
a description of how the board has monitored and reviewed the effectiveness of the risk management and internal control framework;
a declaration of effectiveness of material controls as at the balance sheet date; and
a description of any material controls which have not operated effectively as at the balance sheet date, the action taken, or proposed, to improve them and any action taken to address previously reported issues.
As companies are getting ready to report under this new Code requirement, we looked at how 50 FTSE 350 December 2024 reporters have approached preparation for the new declaration and considered various aspects related to the new Provision 29.How risk appetite is used in risk managementA board of directors is required to identify the principal risks which could impact delivery of their company purpose, strategy and business model. Establishment of an effective control framework requires there to be clarity of the board’s view of the amount of risk it is willing to take in achieving the purpose, strategy and business model. This is known as the risk appetite and should drive the level of control put in place to keep risk within the agreed risk appetite. The board should ensure that the risk appetite is also communicated at the appropriate levels throughout the company in a timely manner, including any changes to it. We looked at current reporting practices for describing risk appetite and its role in the risk management and internal control framework.88% (2024: 88%) of companies included some description of how risk appetite is used as part of the risk management framework but there was significant variation in the depth and quality of the information provided. For example, some companies only briefly mentioned the board’s responsibility for setting risk appetite without explaining how risk appetite is used in the risk management framework. This year we also looked at how these companies described the different risk appetite categories used or the factors affecting the level of risk appetite. 50% of those companies that included some description of how risk appetite is used also provided clear additional disclosure on risk appetite categories and/or factors. Some factors included: (i) financial objectives, (ii) strategic objectives set by the board and (iii) ethics, reputation & values. Better reporters demonstrated the risk management and internal control framework in a diagram, clearly explaining how risk and control cycles operate. Some companies disclosed the risk appetite for each principal risk, explaining the factors which impacted the level allocated. Some of those categories included: averse, limited, moderate and high; averse, curious, open, seeking; critically low, low, medium and high.Example disclosures which include the elements described above: Lloyds Banking Group PLC (page 141 2024 ARA), Aviva PLC (page 75 2024 ARA), RHI Magnesita (pages 48–49 2024 ARA), Intercontinental Hotels Group PLC (page 44 2024 ARA), Serco (pages 62–63 2024 ARA), Croda International Plc (page 30 2024 ARA), Shaftesbury Capital PLC (page 60 2024 ARA)Describing the control frameworkAs described above, a board should explain in the annual report how it has monitored and reviewed the effectiveness of the material controls. The monitoring and review activities may be supported by internal and/or external assurance. Effective use of internal controls and assurance delineate risk management roles across an organisation, improving clarity, accountability and effectiveness. A commonly used control framework, often referred to as the “three lines of defence”, includes the following elements:
first line – operational management, which handles day-to-day ownership and management of risks and controls.
second line – internal monitoring and oversight functions, including risk management and compliance.
third line – internal audit, which provides independent assurance and evaluation of risk management processes.
When describing their control framework, 48% (2024: 44%) of companies explained clearly how the three lines of defence operated within their organisation with a further 20% (2024: 24%) of companies providing explanation for some lines of defence. Better practice examples presented a diagram demonstrating how the three lines of defence interact and clearly explaining the responsibilities of each line. Some companies also referenced the work of external audit and/or other regulatory requirements which they referred to as a “fourth line of defence”.Example disclosures which include the elements described above: Weir Group PLC (The) (page 62 2024 ARA), Hiscox (page 42 2024 ARA), Bakkavor Group (page 67 2024 ARA), Breedon Group (page 48 2024 ARA), Mondi Group (page 61 2024 ARA)The board’s oversight roleKey to a proportionate and practical approach to the new declaration on the effectiveness of material controls is the identification of “material controls”. Importantly, the 2024 Code states that “material controls” should include “financial, operational, reporting and compliance controls”. The inclusion of a specific “reporting” control consideration is intended to cover controls over both financial and non-financial reporting. We looked at how companies explained the scope of the board’s current oversight activities.The description of the board’s monitoring and review activities did not always make clear which controls had been covered, with oversight of non-financial reporting controls being particularly unclear. These findings are broadly consistent with last year. The “IT and other” category in the graph largely related to specific reference to monitoring and review of IT controls, consistent with last year.This year, we also looked at where the responsibility for oversight over non-financial reporting lay and found that 72% of companies delegated oversight of the integrity of non-financial and financial reporting to the audit committee. When explaining how monitoring and review of non-financial reporting had been undertaken, audit committees referenced disclosures provided in accordance with various sustainability reporting requirements, e.g. the UK Listing Rule on the Task Force on Climate-related Financial Disclosures (“TCFD”); Corporate Sustainability Reporting Directive (“CSRD”). Only 4% of companies (2024: 6%) reported that they had updated the audit committee’s terms of reference to reflect an enhanced focus on the internal control framework and additional oversight responsibilities in relation to non-financial reporting, risk appetite and risk culture.As we get closer to the new declaration, we also looked at the audit committee chairs’ introductory letters to see whether they highlight or make any specific reference to oversight of risk, controls or assurance that goes beyond a reference to the audit committee’s standard responsibilities and found that 48% of companies did so. Most of those references were to the audit committee’s focus on laying the foundations for the new Provision 29 requirements from 1 January 2026.More generally, 82% (2024: 64%) of our sample referenced planned activities in preparation for the new declaration. Some companies presented case studies on the activities they have undertaken to prepare for the new declaration, including identifying the scope of material internal controls and undertaking an assurance gap analysis (see also section Assurance below).Establishing clear parameters and guidance internally on what constitutes a “material control” will be an important part of a company’s approach to the new declaration. 48% of companies in our sample clearly stated that monitoring and review activities over risk management and internal control are currently focused on material or significant controls, with a further 4% also explaining the approach to determining what constitutes a material or significant control, with some companies defining them as “those controls that have the most influence in mitigating a risk”. A number of companies also mentioned plans to strengthen material IT controls and bring them into scope for the future declaration.As a reminder, paragraph 272 of the FRC Guidance states that material controls are those that can include, but are not limited to, controls over:
risks that could threaten the company’s business model, future performance, solvency or liquidity and reputation (i.e. principal risks)
external reporting that is price sensitive or that could lead investors to make investment decisions, whether in the company or otherwise
fraud, including override of controls
information and technology risks including cybersecurity, data protection and new technologies (e.g. artificial intelligence).
Example disclosures which include the elements described above: Howden Joinery Group Plc (page 148 2024 ARA), Anglo American plc (page 190 2024 ARA)Scope of monitoring and review activitiesExplaining the outcome of the board’s oversight activityA further key step in the declaration readiness process is to agree what control effectiveness means for the organisation. The FRC Guidance (para 286) reiterates that when a control is effective that “does not mean that the risk is eliminated” but rather that the effective control should be working to keep an identified risk within the board’s risk appetite. The FRC has made it clear that it is for the board to determine its own levels of required assurance in relation to the effectiveness of the material controls.This year, we noted a shift away from companies providing positive conclusions on the effectiveness of the internal control framework and more providing confirmation that the internal control framework aligns with the FRC Guidance. For the SEC registrants in our sample, we noted that over two thirds, in addition to the required SOX attestation, provided a broader confirmation on the effectiveness of the internal control framework, including operational, compliance and financial controls.Whilst none of our sample reported that they had identified any significant failings or weaknesses, some companies have referenced immaterial control failures which have been remediated during the year. Most of those related to manual and IT controls and, in some cases, the identified deficiencies affected audit testing and resulted in more substantive procedures by the external auditor.SEC registrants breakdownSEC registrants breakdownAssurance
As part of the preparations for the, now withdrawn, requirement for an Audit & Assurance Policy, many companies had started an assurance mapping exercise to build an understanding of where different sources of assurance were obtained in relation to external reporting. To help boards prepare for the new declaration of the effectiveness of material controls, it would seem sensible to extend this mapping exercise to cover assurance over the effective operation of material controls beyond external reporting, e.g. material financial, operational, reporting and compliance controls. In this way, a full picture of assurance (from all sources – both internal and external) can be developed and assessed.
86% (2024: 84%) of companies in our population indicated or explained where assurance had been provided over certain data elements in the front half of the annual report, with almost all of those (98%) being from external assurance providers. Some companies used icons or symbols to indicate metrics which have been subject to external assurance, with a cross reference to further information on the nature of the assurance, the provider and the assurance report. Others used footnotes to provide similar information.
Having a clear policy on audit and assurance helps address a number of consideration points for reporting under Provision 29:
in publishing the policy, the directors convey to readers the extent of assurance over the information they communicate;
the policy helps provide clarity over the role of the auditor beyond that required for the financial statements; and
it facilitates dialogue between internal audit, external audit or another assurance provider.
In developing their policy, boards will consider the areas where assurance is required and who should provide it - internal audit, external audit or another assurance provider.
It was positive to see that 20% (2024: 14%) of companies in our survey had either introduced or were developing a policy on audit and assurance to assist boards with the upcoming declaration on the effectiveness of material controls. Better practice examples recognised the value of documenting an assurance plan and continued work in this area by developing a clear internal framework for audit and assurance, helping them to (re)evaluate material controls for the new declaration.
Example disclosures which include the elements described above: Rio Tinto (page 113 2024 ARA), Serco (page 64 2024 ARA)To conclude
The update to Provision 29 in the 2024 UK Corporate Governance Code focuses on the board’s monitoring and review activity and requires a board declaration on the effectiveness of material controls. Audit committees will need to undertake a formal re-assessment of the risk management and internal control framework, including revisiting risk appetite, approach to identifying and evaluating effectiveness of material controls for the declaration and ensuring that it covers all material operational, financial, reporting and compliance controls.
The FRC’s Corporate Governance Code Guidance is helpful in understanding what is expected from these processes and oversight activities. We have also updated our publication ‘Risk, controls and assurance: a framework for the new material controls declaration’ to reflect the insights we have gathered over the past year and to help boards and audit committees navigate the new requirement.
Review the processes related to risk appetite, risk culture and define ‘materiality’ in respect of controls to be covered by the declaration
Consider whether existing monitoring and review activities cover all aspects of the risk management and internal control framework, not just in relation to financial reporting
Ensure all responsibilities to support the declaration on the effectiveness of material controls (including communication with the rest of the board on the approach) are clearly defined and incorporated appropriately in the board committees’ terms of reference
Conduct an assurance mapping process across the different sources of assurance available to the organisation (both internal and external) to determine whether the appropriate level of assurance will be available for the purposes of the upcoming declaration and consider whether developing a policy on audit and assurance would be beneficial for internal and external stakeholders
Corporate Reporting Insights 2024Generative Artificial Intelligence:Developments in reporting
The background to our surveyA company’s strategic report is designed to be a summary of its purpose, strategy, business model, values, risks, opportunities and governance. The best strategic reports combine all of these elements into a clearly-structured, informative whole. Early in 2023, businesses were faced with the rapid rise of Generative AI, which can be briefly defined as AI that synthesises bodies of data to create original content that would previously have taken human skill and expertise. Since then, boards have been making decisions regarding the opportunities, risks, governance structures and policy choices associated with Generative AI. In this survey, we read the most recent annual reports published by the constituent companies of the FTSE 100 index to explore how they approached this topic and reported on risks, opportunities, policies and controls over AI and Generative AI.How do annual reports mention AI or Generative AI?91% of the FTSE 100 mentioned AI in their most recent annual report. More than half of these (57%) mentioned Generative AI.
Companies that discussed Generative AI often provided some detail on their existing and historical use of AI and the landscape they are now operating in. Examples of reporting included exploration of potential future strategies, detail regarding external and competitor trends and description of projects in pilot or developmental stages, each based on use of Generative AI. More than one company also mentioned conducting a review of their existing use of AI. Whereas in 2023 the main industries that identified business opportunities were media and technology companies, that has now expanded to include other sectors, including financial, telecommunications and consumer goods. We found the better disclosures were informative and reasonably detailed, going into the methods the companies were using to train or otherwise upskill employees, their expectation of changes to work structure for their employees, and their expectations of future developments in Generative AI and how it would impact the business model and external landscape. A handful of companies mentioned that they expected a positive impact from using AI to target emissions reductions or otherwise assist with their climate ambitions. Our reading of certain annual reports suggested some lack of clarity regarding the distinction between machine learning and Generative AI. In one case, the company had clearly determined to use “AI” in the annual report as a broad term to include all AI-related technologies and had reflected this in its internal policy documents.Involvement of the board This year, twelve companies in the FTSE 100 drew out in their disclosures that one or more directors had experience or expertise in AI, as set out either in director biographies or in the Nomination Committee report. Seven of those companies indicated that AI had been discussed by the board during the year. Indeed, a third of the boards in our survey mentioned AI or Generative AI in their corporate governance disclosures outside the context of board biographies or recruitment criteria – an increase from only four boards in 2023. Most of these mentions were in the context of the board’s activities or areas of focus for the year and only a handful of companies included any detailed disclosure around the board’s discussions. Where this was the case, it was generally in the context of strategic discussions, partnerships or deep-dives provided to the board by management experts. Some boards also mentioned board-specific training or bringing in external experts to discuss AI with the board. The majority of committee reports did not cover AI, although we saw some high-level mentions in audit committee or risk committee reports. One board had formed a separate technology committee to assess new technologies including AI. How does the annual report mention AI?Risk and control frameworkDevelopments in regulation of Generative AI, in particular those applying to large language models, are moving at pace.In the UK, in May an AI Security Code of Practice was published for consultation, and in July, the King’s Speech set out that the new Government “will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models.” In the EU, the EU AI Act was formally approved in May and came into force in August this year. The Act takes effect in stages, starting from 6 months after it comes into force and applying in its entirety after 24 months (by August 2026). The Act is designed to be proportionate to the level of risk posed by the organisation/AI use-case. The higher the risk of harm to society, the more substantial the regulatory regime that applies. The Act also applies extraterritorially - for instance, where a provider or system is based outside the EU but the system or its outputs are intended to be used within the EU. 19 companies disclosed that they had identified forthcoming AI-related regulations, such as the EU AI Act, and a handful of these mentioned at least one impact on their business. Consistent with last year’s survey results, a majority of companies that mentioned regulation operated in financial services. The diagram illustrates how AI is reflected in risk disclosures, with 53 companies mentioning AI in their risk management disclosures, compared to 11 in 2023. 39 companies in total identified AI as an emerging risk to their business.How is AI reflected in risk disclosures?In several cases disclosures on emerging and principal risks went into some detail, focusing on areas including a risk of cyber attacks increasing in both quantity and precision through criminals employing AI tools, the risks posed by “deepfakes” in identity theft and social engineering and the risks of failing to comply with new regulatory regimes around AI. Some also mentioned the risks associated with adequate governance and ethics, and the risk of bias, around new opportunities or products. One company mentioned that although the risk of cyber attacks is higher due to AI, there is also an opportunity for improved detection methods, again using AI, and a handful of other companies also cited AI in risk mitigation, including risks outside the IT sphere such as corporate culture. The diagram illustrates the various controls companies have disclosed relating specifically to AI. There has been a noticeable shift since the approach companies described last year, when most companies had added elements of AI into an existing IT control framework. This year, the majority of companies that disclosed a controls framework described a separate AI controls framework and many included some discussion of the governance structure surrounding that framework.Some companies described whether their AI policies apply to the use of the company’s own proprietary AI products, the use of and sharing of data with external AI products, or both. Several companies also mentioned setting up a committee, oversight forum or working group with the responsibility to maintain and update company and employee policies. What controls are in place over AI?To concludeThe speed of development and adoption of new technologies has never been higher and increasingly is at the forefront of strategy. Companies are experimenting with AI and developing use cases, flexing their existing business models and exploring the value that can be created.Annual reports are reflecting this thinking, drawing out the way companies are evaluating future risks and opportunities. Increasingly they also provide a good level of detail on the policies they put in place and the governance structures that ensure AI is implemented effectively and ethically – helping shareholders to evaluate this information. Boards may wish to encourage management to monitor and provide regular updates on the advances in technology and the developing regulatory requirements that Generative AI poses, and they may wish to put thought to whether the annual report adequately reflects how the company is addressing this fast-evolving topic.
We encourage boards to make it clear to users of the annual report how they considered the opportunities offered and risks posed by Generative AI and any potential impact on their business model and strategy.
Providing a description of the controls and policy frameworks applicable to Generative AI, both used by the company in determining use cases and imposed on employees in their day to day activities, along with any training provided on the technology, regulation or ethical landscape, is also helpful to aid stakeholder understanding.
Boards may want to consider the need to have appropriate technical knowledge and expertise available to them in order to enable them to exercise their governance and oversight responsibilities in a rapidly developing digital landscape.
Get in touch
Veronica PooleGlobal IFRS Leader, NSE Head of Accounting and Corporate Reporting
