
Seizing the opportunity

Internal Audit’s role in supporting the organisational response to UK Corporate Governance reform

In May 2023, the Financial Reporting Council (FRC) published its much-anticipated consultation on proposed revisions to the UK Corporate Governance Code (Code).

A full recap of the key components of the consultation can be found in this useful summary:

FRC launches consultation on changes to the UK Corporate Governance Code | Deloitte UK

Whilst the resulting changes are not likely to come into effect until 2025 at the earliest, the emerging requirements are now becoming increasingly clear, and the impact on organisations is likely to be felt enterprise-wide. It is therefore important that organisations begin to consider their responses and readiness plans as soon as possible.

As a function with detailed knowledge of organisational governance, risk and controls, Internal Audit has been presented with a significant opportunity to further raise its profile by supporting organisations to navigate the new requirements: first by supporting initial readiness activity, and subsequently by providing the ongoing assurance which gives leadership confidence over the governance and controls framework.

This blog focusses on four key areas where Internal Audit can play a pivotal role in supporting the organisation to prepare for the upcoming revisions to the Code, both in terms of initial readiness activity and then delivering ongoing business-as-usual requirements.

1. Directors’ declaration on Internal Controls: Internal Audit will have the opportunity to deliver a significant component of the assurance activity that will underpin the annual attestations, building on its existing assurance. There will be clear business advantage in ensuring that assurance work aligns with the attestations, and in internal audit functions being able to clearly articulate the holistic themes and insights generated by individual audit reviews for potential inclusion in the attestation.

2. Audit and Assurance Policy: The Audit and Assurance Policy Statement will likely be supported by a robust assurance map. Internal Audit is in a unique position to support the business in developing the assurance map and in assessing assurance outcomes. With specialist knowledge of governance, risk and controls, Internal Audit is well placed to serve as a trusted advisor to non-financial areas of the business looking to implement a defined control framework for the first time.

3. Directors’ obligations in relation to fraud: Directors will be required to report on the steps they have taken to prevent and detect material fraud. Internal Audit is well placed to assess the current fraud risk framework and to complete Fraud Risk Assessments where these are not yet in place.

4. Resilience Statement: Companies will be required to report on matters that they consider a material challenge to resilience over the short and medium term. Internal Audit will have valuable insights relevant to key components of the Resilience Statement, including known vulnerabilities highlighted through assurance work.

The table below outlines specific activities which Internal Audit can support or deliver to aid the organisation to prepare for the upcoming reforms, as well as then deliver the ongoing business-as-usual requirements resulting from the reforms:

Table columns: Corporate Reform Requirement | Internal Audit activities supporting initial readiness | Internal Audit activities supporting ongoing requirements

Directors’ declaration on internal controls (FTSE 350)

An explicit statement by Directors on the effectiveness of internal controls and the basis for that assessment to be included in the Annual Report.

  • Perform a gap assessment against the new requirements to help management understand key gaps that need to be addressed as part of relevant compliance, controls, and assurance transformation programmes.
  • Review and understand the impact to existing processes and controls, including the need for new controls to address new or existing risk areas not adequately covered by existing assurance.
  • Assess whether all subsidiaries and entities that meet the definition of a Public Interest Entity (PIE) have been completely captured within the organisation’s gap assessment.
  • Internal Audit functions should clearly define their assurance role in supporting the declaration on internal controls, taking into consideration other assurance providers. Internal Audit’s role in supporting the attestation should clearly align with the Audit and Assurance Policy (AAP).
  • Assess the adequacy and effectiveness of the governance, risk and controls framework to confirm ongoing compliance. Where areas of non-compliance are identified, action plans should be agreed and followed up.
  • Assess the design and operating effectiveness of new and existing controls including:
      o Financial reporting controls;
      o Operational controls;
      o Fraud controls; and
      o IT general controls.

Audit & Assurance Policy (Large PIEs)

A policy is to be developed that covers key reporting data and information, explains the nature of the assurance to be obtained, and sets out the rationale for this determination.

  • Develop a current state gap analysis and an implementation roadmap for the Audit and Assurance Policy (AAP) by:
      o Conducting a series of workshops with key stakeholders to develop a strawman for the AAP, including all the key elements to be captured.
      o Reviewing key documentation, including an assessment of the current assurance map, to determine gaps and areas of efficiency, as well as the adaptability of the AAP.
  • Produce a roadmap that includes clear actions and activities to be addressed in developing a robust AAP.
  • Review the AAP on an ongoing basis to confirm it remains up to date and relevant.
  • Provide assurance over the adequacy of new and existing policies and procedures including the AAP.
  • Perform an assurance mapping exercise to clearly outline what assurance is to be provided.
  • Alongside other assurance providers, deliver independent assurance over key risk areas in line with the AAP requirements.

Directors’ obligations in relation to fraud

Directors will have to disclose and explain activities taken to prevent and detect fraud within the Annual Report.

  • Perform an enterprise-wide fraud risk assessment. The assessment should consider the key fraud risks faced across the organisation.
  • Review key anti-fraud strategies and policies to confirm they are in place, up to date and covering key risk areas.
  • Assess the appropriateness of the process in place to identify and prioritise potential fraud risks.
  • Identify key fraud risks (using results from risk assessments) and confirm that:
      o Appropriate anti-fraud controls have been implemented. Where control gaps are identified, action plans should be put in place to mitigate them; and
      o Key controls are operating effectively, by performing testing.

  • Assess the appropriateness of responsibility and accountability of those charged with governance on the prevention and detection of fraud.
  • Review the anti-fraud training programme to confirm that appropriate training is provided and is tailored for high-risk roles in functions such as HR, finance and procurement.
  • Perform fraud-culture surveys to assess employees’ understanding of key anti-fraud policy requirements.
  • Assess the process to detect and report fraud risks and management overrides.

Resilience Statement (Large PIEs)

A statement to report on matters which could materially challenge resilience over the short and medium term.

  • Perform a gap assessment against requirements. Where gaps are identified, action plans should be agreed to mitigate those gaps.
  • Support the assessment of the completion of actions identified as part of the gap assessment to improve resilience.
  • Perform ongoing assessments to challenge assumptions and inputs into the resilience statement, against the evolving business activities.
  • Review actions taken to improve resilience to confirm appropriateness; and
  • Assess compliance with the key disclosed controls and activities.

In conclusion, the UK Corporate Governance reforms present Internal Audit with an exciting opportunity to support the organisation to further develop and embed enhanced governance and engagement. Whilst the new reforms will not be effective until 2025, much of the required readiness activity will need collaboration and alignment across the organisation and, as a result, will take time to co-ordinate and deliver. Internal Audit should engage leadership on these factors as soon as possible.

We are uniquely placed to deliver governance, risk and controls expertise to support internal audit functions to navigate new regulatory requirements. We help our clients develop their internal capability, skillset and tooling to support initial readiness and provide confidence in the execution of the governance and controls agenda.

If you would like to hear more about our Internal Audit capabilities or discuss any of the points highlighted above, please reach out to the contacts below.