Over the past few years, the UK government has been challenging the FRC to strengthen the UK’s audit and corporate governance framework in a bid to encourage investment and drive growth across the UK.
The Financial Reporting Council (FRC) have released their consultation on the UK Corporate Governance Code. Unlike the wide-ranging review in 2018, this consultation is focused on the legislative and governance reforms the Government proposes, which support the FRC’s transition into the Audit, Reporting and Governance Authority (ARGA).
Key messages from the consultation
- Increased focus on environmental, social and governance reporting including both new disclosures and clarification of the audit committee’s role
- New disclosures to address investor concern about the number of board positions held by listed company directors (over-boarding)
- Enhanced transparency around succession and senior appointments, including any targets or initiatives designed to achieve greater diversity and inclusion
- Strengthened board accountability for the effectiveness of the risk and internal control framework
- An explicit board declaration on the effectiveness of risk management and internal control systems
- New disclosures around malus and clawback arrangements
- Further clarity on the draft secondary legislation on corporate reporting that will cover the 4 new disclosures (resilience statement, audit and assurance policy, fraud statement, distributable profit statement). These will apply to UK public and private companies with more than 750 employees and an annual turnover greater than £750 million.
- Proposal that the Chair of the Board should commission, rather than consider having, a Board performance review, to reflect the increased maturity of the board performance review market.
The consultation document is structured into 5 sections
- Board leadership and company purpose
- Division of responsibilities
- Composition, succession, and evaluation
- Audit, risk, and internal controls
- Remuneration
The proposed changes deal with the need for a more robust framework of prudent and effective risk management and internal controls. They are aimed at providing a stronger basis for reporting on, and evidencing the effectiveness of, the framework during the reporting period.
The rest of this entry will focus on audit, risk, and internal controls.
What is changing for internal controls?
With a potential scope wider than internal controls over financial reporting (traditional “SOX”), these changes will significantly impact the way organisations manage, assess and report on the effectiveness of their systems of risk and internal controls.
The key changes are:
- The new scope is broader than financial controls and will now cover material controls over “reporting, operations and compliance”. With the change from “financial” to “reporting” there is a clear steer towards controls over broader narratives within the annual report and sustainability reporting.
- Board accountability is a fundamental component – the code requires an explicit statement from the board on the following three areas:
  - “A declaration on the effectiveness of the company’s risk management and internal control systems through the reporting period and up to the date of the annual report.” This differs from the “as of year end” requirement of US SOX.
  - An evidence-based explanation of the basis for the declaration.
  - A description of any material weaknesses or failures and the remedial action taken.
- A requirement for audit committees to monitor the integrity of narrative reporting, including sustainability matters, and to review any significant reporting judgements.
How much time do I have?
The revised code will apply to accounting periods commencing on or after 1 Jan 2025. For December year end companies, this means 18 months before the effective period to assess your existing arrangements and implement any enhancements and remediation activities needed. Unlike with US SOX, there won’t be the in-year buffer to prepare before disclosing effectiveness as of year-end.
Immediate next steps
We recommend the following next steps:
- Brief the Board and the Audit Committee on the consultation, your current position and planned improvement activities.
- Determine if you will be responding to the consultation with responses to all or some of the questions the FRC have asked.
If you’ve already started on your controls journey:
- Perform a high-level assessment with your target end state in mind and compare to the requirements of the new code. For the first time you can plan from ‘right to left’ knowing you will have to make a disclosure.
- Will your current internal controls programme allow you to reach this target (and on time?!). If not, now is the time to course correct with clear change requirements in scope and resource needs.
If you’ve been waiting for the proposals:
- The typical implementation timeline for a full-scale controls transformation is 18-24 months. To be ready to evidence and report on the effectiveness of your internal control and risk management framework by FY25, you will need to begin your controls improvement plan immediately.
- Start the programme with industry recognised standards and frameworks to get going (e.g., COSO).
In summary, complying with the new Corporate Governance Code will significantly impact the way you manage, assess and report on your systems of risk and internal controls. Now is the time to re-evaluate your risk management and internal controls framework to create long-term and sustainable value for your stakeholders.
More guidance will follow from the FRC, but the direction of travel is clear: it is time to get moving on controls.