If you - like us - have been longing for clarification on the Audit and Assurance Policy (“AAP”) requirements, good news: the Government’s May 2022 response to the comments received from the consultation last year does include the AAP, and the guidelines are largely in line with our expectations. So why don’t we use this space to go through three key topics where there were changes or clarifications of requirements in the consultation, which will be important to keep in mind as your organisation pulls together the AAP?
- Publication: As supported by most of the respondents, the AAP will only require publication every three years. However, this triennial publication will be supported by an annual review to the Audit Committee on whether the assurance activity outlined in the AAP is working in practice. What this means for you will depend on the level of information maintained over the assurance activities undertaken across your organisation.
- Stakeholder involvement: The AAP will not be subject to an advisory shareholder vote. However, it will be mandatory that your organisation states within the AAP how you have taken account of shareholder views in its development. That includes considering how your organisation can use existing means of communication with shareholders, outside the AGMs, to obtain such views. In addition, you will have to explain how you have considered employee views over the assurance obtained – this will go beyond the views of risk owners and will incorporate employees who work in critical areas of the business.
- Independent Assurance: Any independent assurance obtained by your organisation will need to state whether it is ‘reasonable’ or ‘limited’ assurance, in line with the FRC’s Glossary of Terms, or whether an alternative form of engagement or review, as agreed between the company and the external provider, will be undertaken. This is to enable investors to make more informed decisions on the reliability of the assurance obtained and allows for an explanation of the extent of assurance obtained based on the level of risk to the organisation.
Most of the proposals with respect to the AAP remain consistent with the consultation paper, including but not limited to:
- How your organisation intends to seek independent (external) assurance over any part of the Resilience Statement or over reporting on its internal control framework.
- A description of your organisation’s internal auditing and assurance process, including an explanation of how it is ensuring the integrity of its internal assurance process.
- A description of your organisation’s policy in relation to the tendering of external audit services.
- A focus on how your organisation is ensuring the integrity of its annual statutory and voluntary disclosures beyond the financial statements – assurance over the robustness of the processes for such disclosures continues to be expected.
Clearer guidance on what an AAP should look like and how your organisation can document the assurance activities over corporate reporting is expected from ARGA, once it is set up. However, there are activities that you can start now to plan and develop your organisation’s AAP – and we will cover these activities in our next post of the “Audit and Assurance Policy – 101”.