The much-anticipated consultation on changes to the UK Corporate Governance Code (“the Code”) was issued today in the latest stage of the ‘Restoring trust in audit and corporate governance’ reform package.
Last year, the Government Response to the BEIS White Paper asked the FRC to use a Code-based approach to strengthen boardroom focus on internal control matters rather than introducing a legislative requirement, and that represents one of the most significant changes proposed. Other proposals which boards should focus on are:
Each of these areas is discussed in more detail below.
Declaration on the effectiveness of the risk management and internal control systems
With the ultimate aim of strengthening board accountability for the effectiveness of the risk and internal control frameworks, the first proposed amendment is to the relevant Principle: “The board should establish a framework of prudent and effective controls, which enable risk to be assessed and managed” is replaced by “The board should establish and maintain an effective risk management and internal control framework”.
This amended Principle is reinforced by an extension of the existing Code provision (Provision 29) in relation to the board’s responsibility to monitor the company’s risk management and internal control systems and, at least annually, carry out a review of their effectiveness. Building on this review and monitoring activity, it is proposed that the board provides the following disclosure in the annual report:
Importantly, there is also a proposal to amend what was previously considered to make up “all material controls” from “financial, operational and compliance” to “operational, reporting and compliance”, replacing “financial” with a wider “reporting” control consideration. The paper explains that this has been done because FRC engagement with stakeholders has made clear that narrative reporting increasingly includes materially important information, in the context of each company, which is used by investors for capital allocation decisions. This change is therefore intended to recognise the importance of narrative reporting on, for example, strategy, principal risks, corporate governance and environmental and social matters, in addition to financial reporting.
In relation to a description of material weaknesses or failures identified, the consultation paper states that the FRC does not envisage that companies will report on all weaknesses identified during the reporting period but that they will be transparent about those weaknesses considered by the company to be material, such as those events which could have a significant impact on a company’s strategy, operations, reporting or compliance objectives. The revised Guidance which will follow will discuss what may constitute a material weakness, but the FRC says that it will ultimately be for the board to determine which weaknesses are material to their specific situation and should be reported in the annual report.
Finally on internal controls, the paper states that the revised Code will not ask for reporting on whether the board intends to obtain external assurance over the effectiveness of the company’s risk management and internal control framework. That will be a matter for companies to determine when setting their Audit and Assurance Policy.
ESG and sustainability matters
Recognising that the Code should reflect the importance of ESG and sustainability matters and that good governance will play an essential role in assessing sustainability-related risks, opportunities and impacts, setting targets, using appropriate internal controls and commissioning assurance where necessary, the following additions to the Code are being proposed:
The Audit & Assurance Policy and the Resilience Statement
The FRC has reached the view that all companies reporting against the Code should consider producing an Audit and Assurance Policy (AAP) on a ‘comply or explain’ basis, using the future legislation as a guide to what should be included. This reflects the fact that not all companies reporting against the Code will be within the scope of the new legislative requirement (UK companies with annual turnover greater than £750m and 750 or more employees).
To achieve this, the FRC has added “developing, implementing, and maintaining the audit and assurance policy” to the list of audit committee responsibilities and has cross-referenced to the future legislative requirement. In addition, the audit committee reporting requirement has been expanded to include the “approach to developing the triennial audit and assurance policy and the annual implementation report”.
In relation to the new Resilience Statement, which will also only be a legislative requirement for some companies reporting against the Code due to the size criteria, the proposed approach is to make clear that compliance with the new reporting requirement for a Resilience Statement will also mean compliance with the relevant Code provisions. The existing Code provision on going concern is retained unamended but the viability statement provision has been amended to just call for an explanation of how the board has assessed the future prospects of the company including its ability to meet its liabilities as they fall due.
So presentation of a Resilience Statement would remove the need to present separate disclosures to meet the Code provisions on going concern and future prospects. Conversely, companies below the size threshold for the Resilience Statement will still, under the Code, be required to report on an assessment of going concern and future prospects in order to meet those remaining Code provisions.
Audit committees and the external audit: Minimum Standard
A new Standard for audit committees in relation to external audit was issued on 22nd May 2023. The Standard contains several sections which are identical to existing Code Provisions, specifically where these Provisions cover the work of the audit committee in relation to external audit, and the requirement for the audit committee to report on this. To avoid duplication, the FRC is proposing that these aspects are removed, and that the new Code instead refers companies to the Standard.
The paper recognises that, as the Standard was intended to apply to FTSE 350 companies only, there will be some non-FTSE 350 companies who will be brought into the scope of the Standard because of this proposal. However, the FRC notes that non-FTSE 350 companies can approach implementation of the Standard on a ‘comply or explain’ basis.
Reporting on malus and clawback arrangements
It is proposed that the following new reporting is required in relation to malus and clawback arrangements:
The intention is to include further guidance on the suggested format for this disclosure in an update to the Guidance on Board Effectiveness.
Other proposed changes
The consultation includes a number of other proposed changes designed to enhance and/or clarify existing disclosure requirements where the FRC has observed weak reporting in past reviews. These include:
Supporting guidance
The revised Code will be supported by updated guidance, and the paper notes that work is currently underway to revise the Guidance on Audit Committees and Guidance on Board Effectiveness so that these can be aligned with the revised Code and Audit Committee Standard. The FRC will also be amending the Guidance on Risk Management, Internal Control and Related Financial and Business Reporting specifically to take account of changes to the principles and provisions on risk management and internal control.
Next steps
This is a 16-week consultation closing on 13th September 2023. The paper confirms that the intention is that the revised Code will apply to accounting years commencing on or after 1 January 2025 to allow sufficient time for implementation.
We are hosting a Deloitte Academy event for audit committees on 13th June 2023 and Mark Babington from the FRC will join us to discuss the Code consultation. Please see below for further details on the Deloitte Academy.