In May 2023, the Financial Reporting Council (FRC) published its much-anticipated consultation on proposed revisions to the UK Corporate Governance Code (Code).
A full recap of the key components of the consultation can be found in this useful summary:
FRC launches consultation on changes to the UK Corporate Governance Code | Deloitte UK
Whilst the resulting changes are not likely to come into effect until 2025 at the earliest, the emerging requirements are now becoming increasingly clear, and the impact on organisations is likely to be felt enterprise-wide. It is therefore important that organisations begin to consider their responses and readiness plans as soon as possible.
As a function with detailed knowledge of organisational governance, risk and controls, Internal Audit has been presented with a significant opportunity to further raise its profile by supporting organisations to navigate the new requirements: first by supporting initial readiness activity, and then by providing the ongoing assurance which gives leadership confidence over the governance and controls framework.
This blog focusses on four key areas where Internal Audit can play a pivotal role in supporting the organisation to prepare for the upcoming revisions to the Code, both in terms of initial readiness activity and then delivering ongoing business-as-usual requirements.
1. Directors’ declaration on Internal Controls: Internal Audit will have the opportunity to deliver a significant component of the assurance activity that will underpin the annual attestations, building on its existing assurance. There will be a clear business advantage in aligning assurance work with the attestations, and in internal audit functions being able to articulate the holistic themes and insights generated by individual audit reviews for potential inclusion in the attestation.
2. Audit and Assurance Policy: The Audit and Assurance Policy Statement will likely be supported by a robust assurance map. Internal Audit is in a unique position to support the business to develop the assurance map and support the assessment of assurance outcomes. With specialist knowledge of governance, risk and controls, Internal Audit is well placed to serve as a trusted advisor to non-financial areas of the business looking to implement a defined control framework for the first time.
3. Directors’ obligations in relation to fraud: Directors will be required to report on the steps they have taken to prevent and detect material fraud. Internal Audit is well placed to assess the current fraud risk framework and complete Fraud Risk Assessments if these are not yet in place.
4. Resilience Statement: Companies will be required to report on matters that they consider a material challenge to resilience over the short and medium term. Internal Audit will have valuable insights relevant to key components of the Resilience Statement, including known vulnerabilities highlighted through assurance work.
The table below outlines specific activities which Internal Audit can support or deliver to aid the organisation to prepare for the upcoming reforms, as well as then deliver the ongoing business-as-usual requirements resulting from the reforms:
Corporate Reform Requirement | Internal Audit activities: supporting initial readiness | Internal Audit activities: supporting ongoing requirements

Directors’ declaration on internal controls (FTSE 350): An explicit statement by Directors on the effectiveness of internal controls and the basis for that assessment to be included in the Annual Report.
o Financial reporting controls;
o Operational controls;
o Fraud controls; and
o IT general controls.

Audit & Assurance Policy (Large PIEs): A policy is to be developed covering key reporting data and information, and explaining the nature of assurance to be obtained and the rationale for this determination.
o Conducting a series of workshops with key stakeholders to develop a strawman for the AAP including all the key elements to be captured.
o Reviewing key documentation, including an assessment of the current assurance map to determine gaps and areas of efficiencies, as well as adaptability of the AAP.

Directors’ obligations in relation to fraud: Directors will have to disclose and explain activities taken to prevent and detect fraud within the Annual Report.
o Appropriate anti-fraud controls have been implemented. Where control gaps are identified, action plans should be put in place to mitigate such gaps; and
o Perform testing to confirm key controls are operating effectively.

Resilience Statement (Large PIEs): A statement to report on matters which could materially challenge resilience over the short and medium term.
In conclusion, the UK Corporate Governance reforms present Internal Audit with an exciting opportunity to support the organisation to further develop and embed enhanced governance and engagement. Whilst the new reforms will not be effective until 2025, much of the required readiness activity will need collaboration and alignment across the organisation and, as a result, will take time to co-ordinate and deliver. Internal Audit should engage leadership on these factors as soon as possible.
We are uniquely placed to deliver governance, risk and controls expertise to support internal audit functions to navigate new regulatory requirements. We help our clients develop their internal capability, skillset and tooling to support initial readiness and provide confidence in the execution of the governance and controls agenda.
If you would like to hear more about our Internal Audit capabilities or discuss any of the points highlighted above, please reach out to the contacts below.