The corporate reporting landscape is changing fast. We are seeing several new reporting requirements emerge: disclosure requirements on Risk Management and Internal Control systems, Resilience Statement, Audit & Assurance Policy, Fraud Statement and Director’s Distribution Statement, as well as incoming reporting requirements on climate change and cyber security risk-related disclosures. Let’s look at who’ll be impacted and what the changes could mean for business.
Just last month we saw an update from the Department for Business and Trade (DBT, formerly BEIS) on the legislative instrument (Companies Act) which will drive four of the five new disclosure requirements (excluding the Directors’ Statement on Internal Controls). Though the effective date of the regulation is now 1 January 2025, there is still much to work on in the interim.
Next month we’re expecting an update from the FRC on the proposed UK Corporate Governance Code revisions, to be followed by a period of consultation. It remains possible that this update may include a “through the year” sign-off approach to internal controls, meaning any material control breaches through the year would be reportable.
Which entities should prepare for change?
New reporting requirements will have varying impact, depending on listing status and size:
UK premium listed companies or those that have adopted the Corporate Governance Code, in the form of a declaration on the effectiveness of risk management and internal control systems covering financial, operational and compliance risk, recognising the importance of ESG as well as financial reporting. The scope of the Board’s monitoring, review and disclosure requirements will therefore cover material controls relating to financial, operational and compliance risk. It will not be restricted to financial reporting as per US SOX. Nor, by comparison with US SOX, will accountability be restricted to just the CEO and CFO; instead it will be held by the Board.
UK-based entities that breach the ‘750 rule’ (public and private companies that have 750 employees or more and an annual turnover equal to or above £750 million), in the form of four new disclosure requirements: Resilience Statement, Audit & Assurance Policy, Fraud Statement and Director’s Distribution Statement; and
US listed companies, in the form of climate change and cyber security risk-related disclosures.
Understanding the broad trends and getting ready
Overall, we see that the nature and scope of disclosure requirements are expanding. Disclosures are increasingly being driven by the societal impact of an organisation in addition to its capital structure, as seen in the ‘750 rule’. There’s also more accountability for disclosure. And compliance will be monitored by an evolving enforcement regime led by a regulatory body which is not fully established yet, the Audit Reporting and Governance Authority (ARGA).
Based on what we are seeing, corporate governance reporting requirements will not stay still. Once these changes take effect there will likely be more coming. You might lean towards holding off on further action until there’s absolute clarity on what the new requirements will be. However, given the scale of change anticipated, now is the time to start. This should remain a priority for leaders.
We can help you establish what a good control environment looks like, including governance, culture and the role of technology. We can provide a gap analysis between your desired and current state and design a road map for bridging this gap. We can support you in delivering your controls transformation journey and we can provide assurance over the effectiveness of your control framework thereafter.
To discuss what the new disclosure requirements could mean for your business and your roadmap to readiness, you can reach out to Craig Wright or Riah Norgrove.