Skip to main content

Five questions to consider when preparing your Audit and Assurance Policy

Rebuilding trust is at the forefront of the corporate governance reform agenda, encouraging companies to build confidence with an ever-growing list of stakeholders, from regulators and lawmakers to employees, investors and activist groups. One way in which companies can begin to rebuild this trust is by publishing an Audit and Assurance Policy (AAP).

While proposed changes to the UK Corporate Governance Code are in consultation and we wait for formal legislation to be passed by Parliament, many companies are already developing their own AAP. 65% of attendees at a recent Deloitte Academy event stated that their company was either planning to include an AAP in their next Annual Report or were currently working on a draft.

Wherever you are on the journey to producing your AAP, here are a few things to consider:

1. How will you determine which elements of corporate reporting to include? Have you considered materiality?

The AAP will be focused specifically on audit and assurance obtained over the contents of the annual report. According to a recent survey, annual reports have expanded in size by 46% over the past five years to 95,000 words, or 173 pages. This is a significant growth in a very short period and reflective of the increasing demands placed on companies to be transparent with their stakeholders and comply with the ever-evolving regulatory landscape.

Some of the information contained within those 173 pages will be covered by some form of assurance (internal or external), but there is very little transparency of this for stakeholders and often for boards themselves. Given the resources involved, companies need to be selective in their areas of focus. After identifying those areas required by law or regulation to have assurance over, there are still many other areas to consider. This is where a materiality assessment can be invaluable.

The FRC guides that “information is material if omitting it or misstating it could influence the decisions and assessments of annual report and accounts (“ARA”) users…What is material in any part of the ARA will be determined by quantitative and qualitative measures.”

Determining whether something is material is a matter of judgement. Quantitative factors assess the size of the impact of the transaction or event against measures of the company’s financial position. In contrast, qualitative factors are those factors other than size and might include an uncommon or non-standard feature of an event or condition.

2. Do the board and senior management have a good understanding of the different types of assurance?

Assurance is a complex area, with different levels of assurance offering different levels of confidence to stakeholders. For external assurance engagements the terms limited and reasonable assurance are often used, but what do those expressions mean, and is management confident in articulating the differences to stakeholders?

The FRC provides a fuller definition in its Glossary of terms, but in short, limited assurance provides a negative form of expression over the practitioner’s conclusion; for example, "based on the procedures performed, nothing came to our attention to indicate that the management assertion on XYZ is materially misstated". Reasonable assurance provides a positive expression of the practitioner's opinion; for example, "based on the procedures performed, in our opinion, the management assertion on XYZ is reasonably stated".

Limited assurance involves the practitioner performing less extensive procedures and is often more suitable for subject matter areas that are less mature. Limited assurance consequently provides less comfort over the subject matter to the users of the information than reasonable assurance. Whether a company chooses to obtain a limited or a reasonable assurance report over a particular element of corporate reporting will therefore depend on a number of factors including the nature of the subject matter and relative maturity of the relevant framework and control environment, as well as the cost benefit analysis when considering the priority areas under a company’s overall AAP agenda.

The AAP will need to explain the nature of assurance provided including whether any assurance has been carried out in accordance with a particular standard, so helping the board and senior management to fully understand these concepts is a good starting point.

3. Which internal teams are involved in preparing your AAP?

The Audit Committee are likely leading on the development of the AAP, but for the AAP to provide a holistic view, how are you engaging with other teams across the business? The significant increase in reporting requirements beyond the financial statements means valuable insights and data will likely come from groups outside the Finance function.

Some companies may have sustainability committees who could provide valuable input into the AAP. How has Internal Audit been engaged? What about the Risk Committee? And, of course, how are you working with the Board and Executive Team?

4. How are you consulting with stakeholders and gathering feedback?

Gathering stakeholder feedback is a key element of an AAP. It needs to be carefully considered to ensure that your AAP clearly outlines how stakeholder views have been considered in its preparation and that a regular feedback loop exists.

The FRC’s review of Corporate Governance Reporting concludes that “reporting on wider stakeholder engagement is generally of a good standard. However, there is often insufficient narrative on the outcomes from the engagement, including feedback received, or commentary on whether the board acted on any of the issues raised and how decisions align with company strategy, culture, purpose and values”.

And while Provision 3 (UK Corporate Governance Code) already states that “committee chairs should seek engagement with shareholders on significant matters related to their areas of responsibility”, there’s evidence to suggest that Audit Committee Chairs could be doing more. A recent review of the annual reports of 100 FTSE 350 and Small Cap companies by the FRC identified that none of the companies reviewed reported any shareholder meetings with the Audit Committee Chair, compared with 52 reporting meetings with the board's chair and 43 with the Remuneration Committee chair. Reaching out to shareholders for views on the AAP could represent a good opportunity for engagement by the Audit Committee Chair.

5. When is the right time to publish?

Some companies may wait for formal legislation to come into effect before publishing their AAP, but others may choose to publish ahead of any formal requirement, following the likes of 3i Group and Transport for Wales, who are both now on the second iteration of their Audit and Assurance Policies.

The latest insight from the Department for Business and Trade suggests that draft legislation may be laid before Parliament towards the middle of this year, where it will be voted upon by MPs. Assuming the vote is favourable, the earliest requirement for a large, listed PIE to publish an AAP is likely to apply from January 2025, with a potential alleviation for large, unlisted PIEs until January 2026. However, these dates are subject to change, and the exact timing for application will be dependent on parliamentary scheduling.

Our view is that it’s never too early to get started and begin preparing an AAP. We believe that leading audit committees will not wait until the introduction of an Audit and Assurance Policy becomes mandatory. They will recognise that developing such a policy will be worthwhile in itself, stimulating thinking and boardroom conversations in key areas such as the directors’ approach to obtaining assurance and the assurance processes around the handling of risk and internal controls.

Get the latest updates from the Deloitte Audit & Assurance blog