We have waited patiently as a long period of consultation concluded over what UK corporate governance will look like. And despite the Financial Reporting Council (FRC) publishing a position paper last week, I am sure we are all thinking about the same burning questions around controls
- What will be the scope of the “sign-off” required over internal controls?
- Will, it just be restricted to “year-end reporting controls”; or is it wider?
- Do I just focus on financial controls, or do I consider operational and compliance controls as well?
- When will we get some clarity?
The lack of clarity over scope; along with a shorter timeline for implementation (Code revisions are expected to apply from 1 Jan 2024, and no primary legislation is required) is leading to genuine confusion.
So what do we do now?
We believe there are some clear, key actions you can undertake already to ensure that you are ready for compliance in 2024. We have summarised some key actions below
·Think about your control workstreams as three distinct areas
- Financial controls over year-end reporting (typical “SOX” scope)
- Controls over key disclosures in the front half of the annual report (e.g. Sustainability Report, Director’s Renumeration, Critical KPIs, etc)
- Controls over your principal risks (including operational and compliance controls)
· For each “control workstream”, consider your existing documentation and think about the assurance strategy.
· Whilst assurance strategies for financial controls are well established, a couple of no-regret recommendations for other controls are documented below. These will not “boil the ocean” but help you kick-start activity until there is further guidance:
- Controls over “front-half disclosures”: Select your top 10 disclosures and undertake a good old “tick & bash” to give you comfort over data flows.
- Controls over principal risks: Reliance on your existing Risk Management and annual internal audit plans to provide comfort
By considering the above actions, you will have a clear view of where most of your effort should be focused, and there are existing best practices that just need to be highlighted and documented.
With limited capacity & budgets, where do we start?
We advise briefing your executive leadership and board; they need to understand the new scope and what this means for your organisation.
The most common starting point for most organisations is finance controls, as this is the natural comfort zone. I believe having a financial control programme is a “minimum viable product” now, as good financial control practice will naturally lend itself to stronger controls in other areas.
However the direction of travel is clear, and therefore you must start thinking about other controls on your overall roadmap.
I would be very happy to have a conversation about the above; so please feel free to reach out.