Financial Services Internal Audit Planning Priorities 2023

Below we highlight new areas relevant to Internal Audit but also those areas we believe will have greater focus in 2023. We hope this informs your 2023 planning and assurance approach.

2.1. Pensions Dashboard

Why is it important?

With record numbers of people saving for retirement, it is more important than ever that people understand their pensions and prepare for financial security in later life. It is widely understood that many people lack confidence when making decisions about their finances, and it can be difficult to understand and keep track of multiple pensions. The introduction of Pensions Dashboards, allowing individual savers to see all their pensions in one place, is expected to revolutionise the way people interact with their pensions, in a similar way to how open banking is helping savers through the provision of a holistic view of the banking products they hold. This will place the onus on pension schemes, which will need to ensure they are able to support the implementation of dashboards through the maintenance of accurate and complete data. The timing by which schemes will be expected to provide pension information data depends on several factors, the primary one being the number of relevant members, with staging dates commencing from April 2023. However, as at Summer 2022, research by The Pensions Regulator (TPR) has shown that only 37 percent of Defined Benefit (DB) and Defined Contribution (DC) schemes have discussed dashboards at their scheme trustee board meetings.

What's new?

Following the closure of the consultation on the draft Pensions Dashboards Regulations in March 2022 and subsequent guidance issued in June 2022, dashboard service providers and trustees or managers of relevant occupational pension schemes are looking to address the range of challenges that need to be overcome in order to make the Pensions Dashboard a reality.

  • Data Quality: For the Pensions Dashboards to work as intended, the data held by schemes needs to be ‘Dashboard Compliant’ and held digitally. 51 percent of DC and 33 percent of DB schemes still hold some member data non-electronically. Guidance as to the data standards for Pensions Dashboards was released in late 2020.
  • Data Security: The approved dashboard providers will collectively have access to millions of member records via the dashboard ecosystem and any IT system / software with access to large amounts of personal data is a prime target for cyber criminals. Not only does this require the dashboard providers themselves to have robust and effective cyber security controls, the cyber security arrangements at individual schemes will also need to be enhanced to ensure they are able to detect and prevent cyber threats resulting from increased connectivity via the ecosystem.
  • Dashboard Information: The success of the dashboards will be heavily reliant on the accuracy and completeness of the data they produce, with dashboards required to provide three categories of data:
    • Administrative data – scheme specific information;
    • Signpost data – links to important information about the scheme; and
    • Value data – details of how much pension has been built up and how much they may have when they retire.
  • Member Engagement: Ensuring users understand the scope and limitations of the information provided will be essential in assisting users to make informed financial decisions. For example, it is expected that, at least initially, dashboards will have difficulty in articulating the true value of certain pensions due to the nature of how these benefits are calculated. A significant increase in member communication is expected as members query the results of the pensions matching, and it is therefore important that schemes have appropriate resources and procedures in place to handle the expected increased volume whilst ensuring day-to-day operations are not adversely impacted.

What should Internal Audit be doing?

Staging Dates

Size of Scheme | Definition | Connection Deadline
Large Schemes | 1,000+ active and deferred members, and all master trusts, public service and collective defined contribution schemes. | Between April 2023 and September 2024.
Medium Schemes | 100 to 999 active and deferred members. | Between October 2024 and October 2025.

Area of Focus | Description
Data Assurance | The regulatory environment related to AI is rapidly evolving and Regulators and industry bodies are still in the process of developing audit and assurance guidelines for AI systems. Therefore, Internal Audit should:
  • Develop a detailed understanding of the current and proposed regulations that impact the use of AI and the relevant audit and assurance guidelines.
  • Ensure that Internal Audit staff have the necessary skills, knowledge and experience to understand the requirements of a robust AI risk management framework.
  • Ensure that the Internal Audit function is sufficiently resourced to oversee the growing number of AI systems in use and to ensure compliance with relevant regulatory requirements.
Governance and Control Frameworks | Internal Audit should assess the extent to which scheme data is:
  • complete, accurate and contains the agreed scheme matching data;
  • recorded digitally; and
  • able to be retrieved in the prescribed format and contains the relevant information.
IT and Cyber Security | Internal Audit should assess IT and cyber security controls to determine the extent to which they are appropriate and whether they adequately address the additional cyber risk associated with the opening up of member data via the ecosystem.
Member Engagement | Internal Audit should assess scheme preparedness for a large increase in member communications. Are member communications such as FAQs, direct mailings or website notifications in place both pre and post the staging date to minimise the number of members needing to speak to an administrator, reducing the effect on business-as-usual operations? Are appropriate contact details included within the dashboard signpost data?

Key contact: Rob Scott

2.2. The Pensions Regulator’s Single Code of Practice

Why is it important?

The landscape of pension saving has seen seismic changes over the past decade. The continuing shift from Defined Benefit to Defined Contribution accrual, the rise of Master Trusts, and the success of automatic enrolment have each created new pressures on those governing pension schemes. The number of pension savers has increased massively, as have the standards expected of those running the schemes. Trustees and scheme managers need to have the right people, skills, structures and processes in place to facilitate scheme operations, enable effective and timely decisions, and manage risks appropriately. In March 2021, The Pensions Regulator (TPR) published its Draft Single Code of Practice, which not only looked to amalgamate 10 of the existing codes of practice into a single code, but also enabled the Regulator to respond to the requirements of the ‘Occupational Pension Scheme (Governance) (Amendment) Regulations 2018’, the legal instrument introduced in the UK to reflect the requirements of the second European Pensions Directive (IORP II).

What’s new?

Whilst the new code is predominantly a consolidation and restructuring of the existing codes it looks to replace, it does introduce new expectations of governing bodies (the new term for the trustees or managers of occupational pension schemes, managers of personal pension schemes, and scheme managers and pension boards of public service schemes that TPR regulates). These include:

  • Effective System of Governance: As one of TPR’s primary objectives is to improve the governance of pensions schemes in the UK, within the new code the regulator has provided links to the relevant sections which set out expectations and which describe the minimum requirements for an effective system of governance (ESoG).
  • Internal Controls: Are defined as the policies, processes and procedures carried out in running a scheme. They are also the checks and balances that ensure those processes are operating correctly. Whilst the code does not look to provide details on how specific controls should operate there are several modules within the new code which focus on risk management and the specific controls which should be in place within schemes. Although the code recognises that most governing bodies are not directly involved in every aspect of the day-to-day operation of their scheme and instead delegate operational tasks to an internal administration team or outsource to professional service providers, it states that regardless of delegation, the governing body retains accountability for those functions.
  • Own Risk Assessment: For any scheme with over 100 members, the governance regulations introduce the requirement of an Own Risk Assessment (ORA), which recognises the Regulator’s belief that the risks faced by pension schemes are wide ranging and not solely related to investments. It is intended that the ORA will build on the principles of an ESoG within the code and will become a formalised process for the regular review and assessment of the management of risks.
  • Cyber Security: Whilst the Regulator has already addressed cyber security risks in specific guidance, it is acknowledged that cyber security processes are still rare and therefore the code has been used as a mechanism to reinforce previous guidance and place direct expectations on schemes.
  • Environmental, Social and Governance (ESG): The stewardship of a scheme’s investments is another new addition within the code which introduces two specific modules: 1) Stewardship that focuses on the governance responsibilities that come with financial investments, and 2) Climate change and the risks and opportunities it presents.

What should Internal Audit be doing?

Internal Audit needs to support the scheme both in the short term, to ensure that it is well placed to meet the requirements of the Single Code of Practice in line with the expected timescales, and over the longer term, to support the build-out and maturity of the ORA process.

1) Short term readiness assessments: Internal Audit’s primary focus in advance of the effective date for the Single Code of Practice (expected to be H2 2023) should be to assess the firm’s readiness to meet the requirements set out by the Regulator. This may include a gap analysis against the Code of Practice and any supporting guidance, and should consider the documentation and evidence the Regulator expects to be in place by this date, for example:

  • Review how the scheme has interpreted the Code of Practice and taken actions in response to this.
  • Assess the adequacy of the scheme’s code implementation project and programme governance.
  • Review the roles and responsibilities which relate to key aspects of the code, including the governing bodies’ understanding of its own responsibilities and where their sign-off is required. 
  • Challenge Management’s identification of internal controls and associated rationale. 
  • Where services are outsourced, assess the ability of the governing body to oversee the effectiveness of internal controls in operation at the third party provider.

2) Longer term ongoing effective system of governance: The role of Internal Audit should move to a more holistic, thematic-based format, providing risk-based assurance over internal controls which will then feed into the scheme’s ORA process and annual review and attestation requirements.

Key contact: Rob Scott

2.3. Regulatory Reporting

Why is it important?

Regulated firms are required to submit a range of returns on a regular basis which allow regulators to monitor the financial performance and position of regulated entities, including a number of more operational aspects of their performance, and to perform benchmarking to inform the focus of their regulatory activities. Regulatory reporting continues to be the subject of many s166 skilled person reviews and ‘Dear CEO’ letters issued by both the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the most recent of which was issued by the PRA in September 2021. The accuracy, completeness and timely submission of regulatory returns continues to be a key focus, including the governance framework around the process.

What’s new?

  • The FCA established a new Investment Firms Prudential Regime (IFPR) for UK investment firms which became effective on 1 January 2022 and included changes to several areas including consolidation, own funds and the Fixed Overheads Requirement (FOR). In addition, the FCA has also released a new Remuneration Policy Statement (RPS) template for firms in scope of the IFPR, which may be used to record how their remuneration policies and practices comply with the new Remuneration Code.
  • As of 1 January 2022, the PRA’s Capital Requirements Regulation 2 (CRR2) came into effect for CRR regulated institutions, the key changes of which related to the requirement for firms to report their Net Stable Funding Ratio (NSFR), new market risk requirements and changes to counterparty credit risk.
  • The PRA continues to develop proposals to implement all the remaining elements of Basel III (Basel 3.1), the final package of banking prudential reforms for CRR firms developed in response to the 2008/09 financial crisis. Basel 3.1 will result in significant changes to the way firms calculate Risk Weighted Assets under the Standardised Approach, and firms that currently report under the Internal Ratings Based (IRB) Approach will be expected to apply a standardised output floor (OF). The OF will become a binding capital constraint for some UK Banks and introduce a new layer of complexity in capital planning and strategic decision-making for all. Banks should prepare now for the introduction of the OF, even while its design is still being debated by policymakers. Banks should be analysing the implications of the OF for internal capital allocation (understanding what we call “floor capacity”). Many Banks will also need to invest in the data and calculation infrastructure necessary to determine accurate revised standardised risk weights, which will be the basis for calculating the OF. The PRA intends to publish a Consultation Paper on Basel 3.1 implementation in the fourth quarter of 2022, and its current intention is to consult on a proposal that these changes will become effective on 1 January 2025.

What should Internal Audit be doing?

Area of Focus | Description
Governance and Ownership | Senior accountability and ownership is fundamental to the production and integrity of a firm’s financial information and its regulatory reporting. Responsibilities should be clear for those involved in all stages of the end-to-end regulatory returns process, supported by robust processes, including independent testing and validation to ensure regulatory returns are reliable and accurate. Firms are also expected to have strong governance around key regulatory interpretations and should undertake work to identify the key interpretations and judgements, validate them and correct them where appropriate. Internal Audit should ensure that there is a well-defined regulatory reporting policy setting out the expectations of those charged with governance, including governance over key regulatory interpretations and judgements.
Controls | Firms’ governance arrangements for regulatory returns must be supported by an effective and robust control framework, including controls around models, End User Computing (EUC) and reconciliation checks for errors. Internal Audit should assess whether operating models are clearly documented with effective controls at each stage of the process to ensure that returns are reliable, accurate and submitted on a timely basis.
Information Systems | Some firms have outdated reporting system infrastructure and therefore require significant manual intervention to fill data and system gaps, which in turn leads to a higher risk of data errors and misstatement of returns. The Regulator expects firms to place greater focus on robust sourcing of data, supplemented by clear governance and sign-off when incomplete data is used. Internal Audit should assess the controls over manual intervention and the governance over incomplete data.
Regulatory Change | Firms require robust horizon scanning practices and associated analyses to closely monitor regulatory change. Internal Audit should assess the ability of the First and Second Lines of Defence to do this in a timely and effective manner.

Key contact: Kim DeVries

2.4. ICARA Implementation

Why is it important?

Firms must have effective and comprehensive strategies, processes and systems to assess their financial resources and internal capital adequacy, in order to identify and mitigate the nature and level of risk to which they are or might be exposed. This includes assessing the risk of non-compliance with the overall financial adequacy rule and the risk that the firm might not be able to meet in future the obligations in the EU Capital Requirements Regulation (CRR). When assessing financial resources, firms must (as part of the Pillar 2 rule) conduct periodic stress tests and scenario analyses that are appropriate to the nature, scale and complexity of the business and the major sources of risk to which they are exposed. Firms must identify the range of adverse circumstances of varying nature, severity and duration relevant to their business and risk profile, consider their exposure to those circumstances, and maintain adequate (financial and non-financial) resources to minimise the risk of harm.

What’s new?

The new Investment Firms Prudential Regime (IFPR) was introduced for Financial Conduct Authority (FCA) authorised Markets in Financial Instruments Directive (MiFID) firms from 1 January 2022. MiFID II includes Collective Portfolio Management Investment Firms (CPMIs) and regulated and unregulated holding companies of groups that contain either MiFID investment firms or CPMIs.

One of the key focus areas of FCA’s 2022 business plan is to deliver assertive action on reducing harm to investors and the market participants in the event of firm failure. When compared to the Internal Capital Adequacy Assessment Process (ICAAP), the IFPR includes a more explicit obligation on firms to identify potential sources of harm, demonstrate effective arrangements and adequate financial resources to mitigate this risk wherever it may arise. This extends to direct consideration of the potential for harm to consumers and market participants as well as the firm.

Further, the IFPR introduces the “K-factor” – a capital calculation based on the activities that an FCA investment firm undertakes. The applicability will differ depending upon the size and scale of the firm.

What should Internal Audit be doing?

Internal Audit should review the following:

  • Evaluate the appropriateness of the Risk Management Framework, including risk appetite and triggers. The Risk Management Framework should be reviewed in context of the firm’s strategy, business model, activities and operating environment (design and operating effectiveness).
  • Adequacy of the firm’s First and Second Line in complying with the risk appetite framework arrangements as per above, including monitoring against key risk metrics, early warning indicators and escalation thresholds.
  • Adequacy of the design, implementation and documented assessment of the firm’s ICARA process including identification and quantification of material risks relating to ICARA, scenario analysis, stress testing, reverse stress testing, recovery planning and wind-down planning arrangements.
  • Risk governance and oversight arrangements including the allocation of roles, responsibilities and reporting of risk and governance by the Board and Board Risk Committee.
  • Scope, application and accuracy of relevant rules-based calculations including own funds, fixed overhead requirements, K-factor requirements, etc. (as key reference points for the ICARA). This includes a review of the firm’s assessment of the extent to which these factors apply.
  • Assess if remuneration requirements of the IFPR require changes to be made to the existing framework and whether the firm has accordingly implemented the new requirements.
  • Disclosure as required under the new IFPR.

Key contact: Brian Thornhill

2.5. IFRS 17

Why is it important?

The IFRS 17 standard for the accounting of insurance contracts continues to be a key focus area for insurers, with the standard taking effect from 1 January 2023. Insurers are at varying readiness levels to ‘go live’ and, for most, it is proving to be one of the most complex transformations due to the number of IT systems involved across actuarial, accounting, data and analytics systems. Most insurers are also planning to continue work on their IFRS 17 programmes after the “go live” date to compensate and implement enhancements required to confidently deliver compliance with the standard. Given the breadth and various milestones involved in such programmes, Internal Audit functions are reassessing their assurance approaches and timelines to ensure impactful assurance takes place to support implementation and post go-live.

What’s new?

In an ideal position at the final stages of delivering IFRS 17, many insurers should be able to produce and report on their balance sheet with IFRS 17 inputs. Delivering this will allow sufficient time for insurers to perform revisions against accounting and actuarial assumptions, review the financial statements in consolidation with group-level entities, perform cosmetic-related IT enhancements, and consider key processes and controls for business-level adoption.

Whilst there have been no new requirements introduced since March 2021, when it was announced that the effective date of IFRS 17 would be deferred until 1 January 2023, insurers continue to face a number of challenges in recognition of the scale and IT complexities involved, as follows:

  1. Competing resource requirements in the market: Insurers are competing to secure the services of subject matter experts to backfill resourcing requirements, primarily due to a shortage of IT Specialists (e.g. Software Engineers and IT Developers) available to support on IT testing activities and post go-live. This has stalled some momentum on programme milestones and Insurers are now making up for lost time.
  2. Interim solutions to address unresolved IT dependencies: Insurers have been facing varying degrees of IT challenges in implementing the IFRS 17 solution into their existing IT infrastructures (e.g. IT legacy issues and data quality). There have been many sprints to build, develop, test and resolve issues over the course of the implementation phase, and IT have rarely fallen short of problems to address. However, where consistent delays have been experienced in relation to IT matters, this has undoubtedly put pressure on the programme’s overall progress, resulting in contingency planning and alternative workaround solutions at a higher cost to help prevent the risk of non-compliance with IFRS 17.
  3. Revised disclosure plans: Insurers that are not able to meet the 1 January 2023 timeline have revisited their plans to meet revised disclosure timelines. The extension of time (e.g. even if it is a delay by one quarter) has led to a significant increase in investment and funding requirements to cover operating and capital expenditure in order to comply with IFRS 17.

What should Internal Audit be doing?

Internal Audit continues to play a key role in providing assurance over the IFRS 17 programme between now and the completion of implementation, and over post-implementation activities in 2023. Over the course of the IFRS 17 development journey, Internal Audit teams have provided various forms of assurance to Audit and Steering Committee members in an advisory capacity, through regular continuous monitoring (or real-time assurance) audits, and control design and operating effectiveness reviews on key focus areas based on the progress that the business has made.

In the final year, and before go live, insurers will be focussed on producing comparative period financial results ready for publishing externally in their financial statements in the following year. At this stage, Internal Audit should provide assurance over the design and operating effectiveness of controls in the reporting process, in advance of external audit to identify and remediate any weaknesses. Internal Audit should also consider providing assurance on business readiness, including the below areas in 2022 and 2023:

  • Programme governance, benefits and change management;
  • Technology solutions including General IT Controls (GITCs);
  • Controls over dry runs / parallel runs;
  • Data migration and security;
  • Controls over modelling governance;
  • Financial planning, budgeting and reporting processes; and
  • Actuarial and risk management processes.

Key contact: Jennifer Yeo

2.6. ESG Risk Assessment and Disclosures

Why is it important?

As the need to address Environmental, Social and Governance (ESG) issues continues to evolve at increasing speed, it is essential that organisations have a comprehensive understanding of the ESG risks most material to their operations. Understanding and reporting on the issues important to consumers, investors and the wider society demonstrates commitment to contributing to a more positive, fair and sustainable environment. Whilst most organisations have begun their ESG journey with a focus on Climate Change, wider ESG issues such as Diversity and Inclusion (D&I), labour practices and human rights compliance are climbing up the agenda in Board rooms across the industry. However, the challenge remains of how to assess these risks and what exactly to disclose. Internal Audit can play a critical role by providing necessary challenge of ESG risk assessment design and methodology, as well as testing the design of the ESG disclosure framework, thus helping to improve investor and stakeholder transparency. ESG will be a key industry topic for many years to come and early engagement and commitment across an organisation will help shape the frameworks put in place to address the evolving and complex issues.

What’s new?

  • Taskforce on Nature-related Financial Disclosures (TNFD): The TNFD was established in 2021 in response to the growing appreciation of the need to factor nature into financial and business decisions. The TNFD aims to complement the growth of the Task Force on Climate-related Financial Disclosures (TCFD) and this year the TNFD has expanded its beta framework for nature risk management and disclosure, including the Taskforce’s approach and specific sector guidance. Ongoing market feedback will support the further design and development of the TNFD recommendations due in September 2023.
  • UK Climate Stress Test: The Bank of England published in May 2022 the results of the Biennial Exploratory Scenario (BES) exercise on financial risks from climate change. Scenario analysis is a critical element of the ESG risk management framework and should be of interest to all banks, not just those that participated in the exercise. The results show that whilst the projected climate-related losses do not appear to threaten the solvency of banks, the size of losses may be underestimated. Furthermore, banks still have work to do in securing a better understanding of customers’ and counterparties’ climate transition plans (‘climate KYC’).
  • Task Force on Climate-related Financial Disclosures (TCFD): As of 6th April 2022, TCFD-based reporting is mandated for more than 1,300 of the largest UK-registered companies and financial institutions. These include many of the UK’s largest traded companies, banks and insurers, with large private companies also caught by the new rules. Companies will be required to go through a formal process of identifying and then disclosing details of material risks and opportunities arising from climate change under differing future climate scenarios.
  • International Sustainability Standards Board (ISSB): The ISSB released its exposure drafts on 31 March 2022, with comments to be received by 29 July 2022. The draft standards set out the requirements for disclosures over climate and general ESG reporting, and are expected to be adopted under UK law by 2024 or 2025. The exposure drafts set out the need for sustainability reporting to be connected to and complement the financial statements.
  • Greenwashing: As concerns over misleading environmental information continue to rise, the FCA has stated there is a “clear rationale” for stricter regulation of ESG data and ratings providers, to help ensure they are accounting for the full impacts of the businesses they assess.
  • Green-bleaching: As disclosure requirements continue to multiply, a new concept called ‘Green-bleaching’ is emerging. This term refers to instances where organisations invest in sustainable activities but refrain from making claims about this, to avoid the data reporting requirements and the scrutiny arising from disclosure obligations.
  • Conference of the Parties (COP) 27: While COP26 saw many new commitments promised, COP27, scheduled for November 2022, will aim to assess the progress in reaching these goals. The COP27 president commented that the event will focus on implementation of pledges made through the identification and application of practical policies and practices, including climate finance and mitigation strategies.

What should Internal Audit be doing?

Area of Focus | Description
Materiality Assessment |
  • ESG Risk Materiality Assessment is crucial to enabling a robust ESG risk framework. Internal Audit is well placed to challenge the methodology and data inputs into the exercise. Assessments should be informed by different areas of the business, consider stakeholder engagement and be re-performed on a periodic basis whilst the ESG landscape continues to evolve.
  • Challenge whether the business has considered ‘Double Materiality’, which acknowledges that a company should report simultaneously on sustainability matters that are financially material and those which are material with regard to the wider society.
Data |
  • Data continues to be one of the most significant challenges for organisations in carrying out reliable risk assessments and ensuring ESG-related disclosures are complete and accurate. ESG data audits can provide valuable insight into where a business must enhance data quality, data governance controls, capabilities of key systems, automation and integration into existing frameworks.
  • Internal Audit should review the level of engagement the business has with third parties throughout the value chain, recognising that where data gaps exist, there should be active commitment and action plans to work with related parties in order to build an understanding of related ESG risk exposure and key data metrics.
Disclosures |
  • Regulators and investors recognise there will be data gaps across the disclosure framework as every organisation continues to grapple with the complexities of ESG reporting. However, Internal Audit must challenge the transparency and presentation of ESG reporting where assumptions have been made.
  • Challenge whether ESG reporting and related disclosures are subject to the same level of controls as financial disclosures.
  • Assess the control framework in place to monitor and adhere to multiple disclosure requirements across various regions. Internal Audit should evaluate whether there is an adequate disclosure strategy which is appropriately integrated and consistent across the business.

Key contacts: Hetty van der Wal and Sarah Cook

2.7. UK Corporate Code Reforms
 

Why is it important?

 

The proposals in the Department for Business, Energy and Industrial Strategy’s (BEIS) Consultation Paper, ‘Restoring Trust in Audit and Corporate Governance’, represent the biggest shake-up of the UK’s corporate governance and audit framework in years. Following the government’s Draft Audit Reform Bill and its response to the consultation in May 2022, some elements of the proposals will be implemented through changes to the Corporate Governance Code rather than by legislation; nonetheless, the definition of Public Interest Entities (PIEs) has been expanded, capturing a larger number of companies. The scale of the reforms is also such that firms will need to establish change management programmes to comply with the proposed changes. The proposed requirement to strengthen internal controls by requiring Directors to attest to the effectiveness of their company’s internal controls will be delivered through the Corporate Governance Code and will therefore only apply to premium listed firms. Internal Audit has a role to play in providing assurance to the Board in respect of their organisation’s governance, risk and controls, as well as programme assurance in respect of their firm’s compliance projects.

What’s new?

 

The proposals, as set out in the BEIS Consultation Paper and captured in the Draft Audit Reform Bill, the Government’s Response paper and the Financial Reporting Council’s (FRC) subsequent position paper in July 2022, include numerous changes. These include the establishment of the Audit, Reporting and Governance Authority (ARGA) to enforce PIE Directors’ duties relating to corporate reporting and audit, and new measures to open up the audit market. The following additional aspects are important for Internal Audit functions to be aware of in order to effectively support their organisations with initial and ongoing compliance with the proposed reforms.

  • Definition of PIE: Although to a lesser extent than set out in the Consultation Paper, the definition of PIE will be widened beyond premium listed companies to include large private companies, AIM listed companies and LLPs that have 750 or more employees and an annual turnover of at least £750m.
  • Strong Internal Company Controls: Directors will be required to provide an explicit statement about the effectiveness of their company’s internal controls and the basis for that assessment. This aspect of the proposals will be delivered through the Corporate Governance Code, which operates on a “comply or explain” basis, and not by legislation. The provisions will also only apply to premium listed firms.
  • The Resilience Statement: All PIEs will be required by law to publish an annual Resilience Statement which sets out the company’s approach to managing risk and matters that they consider a material challenge to resilience over the short, medium and long term, together with an explanation as to how they have arrived at this judgement.
  • The Audit and Assurance Policy (AAP): PIEs will be required to publish an AAP which sets out their approach to assuring the quality of the information reported to shareholders beyond that contained in the financial statements. This should cover a three-year period and include, inter alia (i) how companies have taken account of shareholders’ views in the development of their AAP; (ii) how companies intend to seek independent external assurance over any part of the Resilience Statement or over reporting on their internal control frameworks; and (iii) a description of the internal auditing and assurance process.
  • Malus and Clawback: There will be new transparency requirements within the Corporate Governance Code about the malus and clawback arrangements that companies have in place.
  • Directors’ Obligations in Relation to Fraud: Boards would be expected to report on actions they have taken to prevent and detect fraud.

What should Internal Audit be doing?

Area of Focus: Readiness Assessments
Description: Internal Audit should be a key partner to the business in assessing readiness, through:
  • Performing a gap assessment against the new requirements to help management understand the key gaps that need to be addressed as part of the compliance programme / project.
  • Reviewing and understanding the impact on existing processes and controls, including the need for new controls to address new or existing risk areas.
  • Assessing whether all subsidiaries and entities that meet the definition of PIE have been completely captured within the organisation’s gap assessment.

Area of Focus: Governance, Risk and Controls Framework Assessment
Description: Internal Audit can assess the adequacy and effectiveness of their firm’s governance, risk and controls framework to ensure that it complies with the changes to be introduced by the proposed reforms, and provide recommendations for improvement.

Area of Focus: Programme Assurance
Description: Internal Audit can review and challenge management’s project plans to deliver compliance, review project effectiveness and provide recommendations for continuous improvement throughout the implementation journey.

Area of Focus: Controls Assurance
Description: Internal Audit can provide independent assurance over the design and operating effectiveness of new and existing controls, including financial reporting controls, operational controls, fraud controls and IT General Controls. For premium listed companies, this assurance can assist Directors in meeting their responsibility to attest to the effectiveness of their internal controls.

Area of Focus: Policies and Procedures Review
Description: Internal Audit can provide assurance over the adequacy of new and existing policies and procedures, including the AAP. Internal Audit can also consider its own role in providing assurance on certain key information as part of the assurance required by the AAP; keeping more assurance in-house could prove more efficient and cost-effective. Internal Audit can also review and challenge the effectiveness of the Resilience Statement and the malus and clawback arrangements in place, and assess the accuracy of Directors’ reports on fraud prevention and detection measures.

Area of Focus: Technology
Description: Internal Audit can assess and challenge whether management has the right technology and tools to help them comply in an effective and efficient manner.

 

Key contacts: Ololade Adesanya and Aaron Oxborough
